Compare two fields in SIEM

Hi,
I want to trigger an alarm if two fields have the same value. Is it possible, or do I have to use Watcher?

Are you currently using our detections/alerts yet?

Yes, currently I'm using the trial license, but I still couldn't produce any signal by creating a rule like: fieldx : fieldy

I think I might be seeing what you're asking for maybe?

Right now you can do something like this with detection rules and a KQL rule to find a specific value:

host.name: "my_specific_host_value"

But you're wanting to use an index and its fields as dynamic input like so:

host.name: "my_index.host.name"

And then if "my_index.host.name" has 1 or more values it will find any signals based on those values dynamically each time the rule is run by querying against each of those my_index.host.name's.

Is that it?

No, it's much simpler.
I want to compare two fields of the same doc. For example, if in any doc user.name = host.name, then trigger a signal.

Hey @borna_talebi ! We don't currently have that functionality, but that's interesting. If you don't mind sharing, what's your particular use case?

Hi Yara,
My use case is to detect the Zerologon exploit using Winlogbeat events. I'm not sure if this functionality is or will be available in EQL, but I'm hoping it'll be added.

I needed something similar for source.ip = destination.ip

Sometimes events trigger on a host to themselves.

My solution so far was to use logstash

if [event][code] == 3 and [source][ip] and [destination][ip] {
  if [source][ip] == [destination][ip] {
    mutate { add_tag => ["source_equals_destination"] }
  }
}

To then tag the event and the alert is based on the tag.

Have to use a condition before this to make sure destination or source exists. Otherwise I found it tagged all events without the fields, and it worked correctly when source and destination were present.

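The same tagging idea as the Logstash filter above, moved into an Elasticsearch ingest pipeline so no Logstash hop is needed; this is an added example, not code from the thread or from Elastic, and it covers both the source.ip = destination.ip case and the user.name = host.name case asked about earlier. The pipeline name and tag values are made up, and it assumes Winlogbeat's ECS mapping where event.code is a keyword (hence the string comparison '3'). The null-safe `?.` checks are what keep events that lack one of the fields from being tagged, which is the failure mode described above. This is the request body for PUT _ingest/pipeline/tag-same-field-values:

```json
{
  "description": "Added example (assumed pipeline name and tags): tag events where two fields of the same document are equal so a KQL detection rule can match on the tag",
  "processors": [
    {
      "append": {
        "if": "ctx.event?.code == '3' && ctx.source?.ip != null && ctx.destination?.ip != null && ctx.source.ip == ctx.destination.ip",
        "field": "tags",
        "value": ["source_equals_destination"]
      }
    },
    {
      "append": {
        "if": "ctx.user?.name != null && ctx.host?.name != null && ctx.user.name == ctx.host.name",
        "field": "tags",
        "value": ["user_equals_host"]
      }
    }
  ]
}
```

Attach it with the index setting index.default_pipeline or with Winlogbeat's output.elasticsearch.pipeline option, check it against sample documents with POST _ingest/pipeline/tag-same-field-values/_simulate before rolling it out, and then the detection rule becomes a plain KQL query such as tags : "source_equals_destination". Because the comparison happens at ingest time, documents indexed before the pipeline was attached will not carry the tag.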

Thanks Philip, I'll check this out. But I still think a faster and easier way to achieve this without the need to edit data and add tags would be great!

No problem, not the best solution. However, with the new correlation rules in 7.10 with EQL it may be possible, something else to now learn.

According to docs it's not possible:

You also cannot use comparison operators to compare a field to another field. This applies even if the fields are changed using a function.

I really hope they add this feature.

Isn't this what you were after?

Example
The following EQL query compares the process.parent.name field value to a static value, foo. This comparison is supported.

However, the query also compares the process.parent.name field value to the process.name field. This comparison is not supported and will return an error for the entire query.

process where process.parent.name == "foo" and process.parent.name == process.name

Instead, you can rewrite the query to compare both the process.parent.name and process.name fields to static values.

This is what I want but as you can see it's not supported.

Sorry, I didn't notice that bit, typical. I thought I had used it last week, but I used 2 sequences, one tracking process.pid and the other process.parent.pid. Wires crossed.

