Can i write elastic query using KQL or Lucene

Saurabh_Singh1 · April 9, 2020, 1:57pm

I was trying to replicate watcher functionality using SIEM detection rule. In watcher i can write elastic query, but can i perform that using detection rule ? Please help.

Frank_Hassanabad · April 10, 2020, 2:02pm

I gave a more thorough answer to you in your previous post:

But yes, you should also be able to use plain lucene if you really want to by sliding off KQL:

I would recommend you trying to keep it to KQL and filters before utilizing lucene as it's a better experience and more readable and it translated to Elastic Search filters which are better performance wise than Lucene.

For example, this shows what a Lucene query would translate to:

github.com

elastic/kibana/blob/7.6/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/get_filter.test.ts#L76-L94


      
          test('it should work with an empty filter as lucene', () => {
            const esQuery = getQueryFilter('host.name: linux', 'lucene', [], ['auditbeat-*']);
            expect(esQuery).toEqual({
              bool: {
                must: [
                  {
                    query_string: {
                      query: 'host.name: linux',
                      analyze_wildcard: true,
                      time_zone: 'Zulu',
                    },
                  },
                ],
                filter: [],
                should: [],
                must_not: [],
              },
            });
          });

And that's not the same as what the KQL translates to:

github.com

elastic/kibana/blob/7.6/x-pack/legacy/plugins/siem/server/lib/detection_engine/signals/get_filter.test.ts#L52-L74


      
          const esQuery = getQueryFilter('host.name: linux', 'kuery', [], ['auditbeat-*']);
          expect(esQuery).toEqual({
            bool: {
              must: [],
              filter: [
                {
                  bool: {
                    should: [
                      {
                        match: {
                          'host.name': 'linux',
                        },
                      },
                    ],
                    minimum_should_match: 1,
                  },
                },
              ],
              should: [],
              must_not: [],

This file has been truncated. show original

Which at the time of this writing is using filters which should be cached:

Saurabh_Singh1 · April 21, 2020, 4:19am

Thank you @Frank_Hassanabad that helped me .

system · May 19, 2020, 4:19am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.