I want to analyse an Event Correlation rule detection (EQL) in Elastic SIEM. However, for sequence-type EQL queries, the alert details and SIEM app don't show me all the information I need to do my analysis. Consider the Rule Potential Lateral Tool Transfer via SMB Share. It looks for the following sequence:
sequence by host.id with maxspan=30s
[network where event.type == "start" and process.pid == 4 and destination.port == 445 and
network.direction : ("incoming", "ingress") and
network.transport == "tcp" and source.ip != "127.0.0.1" and source.ip != "::1"
] by process.entity_id
/* add more executable extensions here if they are not noisy in your environment */
[file where event.type in ("creation", "change") and process.pid == 4 and file.extension : ("exe", "dll", "bat", "cmd")] by process.entity_id
To analyze this, I want to at least know what file it was (file.name / path of the second element of the sequence) and where it came from (source.ip of the first element of the sequence).
This info is neither in the Table / JSON view of the alert, nor in the graphical Analyzer view. I usually just copy-paste the correlation rule into Dev Tools to get the raw events and make my analysis there.
This leads me to the contemplations
By what logic are fields from a sequence event correlation query included in the alert? Why is user.name available in the above case, but file.extension or file.name is not? Does it only show fields in the signal that were present in all elements of the sequence?
Is there any upcoming feature that addresses this? I would be happy with another tab in the alert details that displays the correlation rule hits:
This seems to be mostly an issue for sequences. EQL Rules like Suspicious Execution from a Mounted Device yield a signal with event.category: process which can be rendered by "Event rendered view", giving me at-a-glance access to the most important fields to quickly analyze this alert.
Hi @nemhods does clicking the 'investigate in timeline' button for the alert not filter by kibana.alert.group.id? This should give you the exact set of events in the sequence + the alert and is the intended workflow to do what you describe. And I'm not sure on the first question exactly (will find out), it may just be fields from the first event in the sequence, or it may be fields that are the same and present in all events, but either way it can't include every unique value for every unique event in the sequence, as this could grow exponentially with every additional event in the sequence.
I'm also surprised that the events are not in the analyze event view, although that could be this particular rule looking for a sequence of events by host.name that exist in completely disjoint process trees, if you click the analyze event for each event from timeline after filtering by kibana.alert.group.id, is this the case?
Within timeline when filtered by kibana.alert.group.id, the raw events are shaded, and the alert events appear as normal:
so first of all, thank you so much for pointing me to the timeline - I've never used it from this context and it does indeed show all associated events involved in the detection sequence - even in event rendered format.
The analyzer view is in fact not really usable for this signal. This is the view I get:
Glad timeline is working for you! Just out of curiosity, if you open the analyze event from timeline for one of the underlying network or file events, are the process trees completely separate from the one viewed from the alert? It's likely either that is the issue, or perhaps the selected time range is hiding the network and file events, and if you expand the time range on the page, the events will appear. It's not very apparent from a ux perspective that the time range from the date picker is applied to the analyze event view, and it does hide events sometimes.
@nemhods thanks for getting back to me, I would first try to expand the time range to be much larger, last 90 days or a year if possible, and then make sure that the selected data view in the timeline has both the alerts index and the logs-* index selected, some versions of kibana it will initially only have the alerts index selected.