Best way to analyze Event Correlation Sequence detections

Hey,

I want to analyse an Event Correlation rule detection (EQL) in Elastic SIEM. However, for sequence-type EQL queries, the alert details and SIEM app don't show me all the information I need to do my analysis. Consider the Rule Potential Lateral Tool Transfer via SMB Share. It looks for the following sequence:

sequence by host.id with maxspan=30s
  [network where event.type == "start" and process.pid == 4 and destination.port == 445 and
   network.direction : ("incoming", "ingress") and
   network.transport == "tcp" and source.ip != "127.0.0.1" and source.ip != "::1"
  ] by process.entity_id
  /* add more executable extensions here if they are not noisy in your environment */
  [file where event.type in ("creation", "change") and process.pid == 4 and file.extension : ("exe", "dll", "bat", "cmd")] by process.entity_id

To analyze this, I want to at least know what file it was (file.name / path of the second element of the sequence) and where it came from (source.ip of the first element of the sequence).
This info is neither in the Table / JSON view of the alert, nor in the graphical Analyzer view. I usually just copy-paste the correlation rule into Dev Tools to get the raw events and make my analysis there.

This leads me to the contemplations

  • By what logic are fields from a sequence event correlation query included in the alert? Why is user.name available in the above case, but file.extension or file.name is not? Does it only show fields in the signal that were present in all elements of the sequence?
  • Is there any upcoming feature that addresses this? I would be happy with another tab in the alert details that displays the correlation rule hits:

This seems to be mostly an issue for sequences. EQL Rules like Suspicious Execution from a Mounted Device yield a signal with event.category: process which can be rendered by "Event rendered view", giving me at-a-glance access to the most important fields to quickly analyze this alert.

1 Like

Hi @nemhods does clicking the 'investigate in timeline' button for the alert not filter by kibana.alert.group.id? This should give you the exact set of events in the sequence + the alert and is the intended workflow to do what you describe. And I'm not sure on the first question exactly (will find out), it may just be fields from the first event in the sequence, or it may be fields that are the same and present in all events, but either way it can't include every unique value for every unique event in the sequence, as this could grow exponentially with every additional event in the sequence.

I'm also surprised that the events are not in the analyze event view, although that could be this particular rule looking for a sequence of events by host.name that exist in completely disjoint process trees, if you click the analyze event for each event from timeline after filtering by kibana.alert.group.id, is this the case?

Within timeline when filtered by kibana.alert.group.id, the raw events are shaded, and the alert events appear as normal:

3 Likes

Hey,

so first of all, thank you so much for pointing me to the timeline - I've never used it from this context and it does indeed show all associated events involved in the detection sequence - even in event rendered format.

The analyzer view is in fact not really usable for this signal. This is the view I get:


None of these processes seem to be related to the Potential Lateral Tool Transfer via SMB Share. None of the processes even has a file or network event.

Anyways, I'm happy now, the timeline view helps immensely here!

2 Likes

Glad timeline is working for you! Just out of curiosity, if you open the analyze event from timeline for one of the underlying network or file events, are the process trees completely separate from the one viewed from the alert? It's likely either that is the issue, or perhaps the selected time range is hiding the network and file events, and if you expand the time range on the page, the events will appear. It's not very apparent from a ux perspective that the time range from the date picker is applied to the analyze event view, and it does hide events sometimes.

So the timerange was not the issue, I had this set to "last 7 days".

I tried to view the contributing events (the signal as well as a network and a file event), and none of them render in the analyzer view from timeline, because "No Process Events Found".

Actually I'm not sure what process event the analyzer is trying to view for the alert...

@nemhods thanks for getting back to me, I would first try to expand the time range to be much larger, last 90 days or a year if possible, and then make sure that the selected data view in the timeline has both the alerts index and the logs-* index selected, some versions of kibana it will initially only have the alerts index selected.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.