EQL: How to get a simple query working from DEV tools?

Hi, I'm trying to simulate a basic EQL query via the Dev Tools.

Some data

POST _bulk
{ "index" : { "_index" : "win_test", "_id" : "1" } }
{ "@timestamp": "2020-11-12T02:00:00Z", "host_name" : "myhost1" , "event": {"code" : "4720", "type": "create", "kind": "account_manipulate"}, "winlog": {"event_data": {"TargetUserName": "userA"}}}
{ "index" : { "_index" : "win_test", "_id" : "2" } }
{ "@timestamp": "2020-11-12T02:02:00Z", "host_name" : "myhost1" , "event": {"code" : "4726", "type": "delete", "kind": "account_manipulate"}, "winlog": {"event_data": {"TargetUserName": "userA"}}}

Looks good
GET win_test/_search

Now trying a basic EQL query:

GET /win_test/_eql/search
{
  "event_category_field": "event.kind",
  "query": """
  event where event.code == "4720"
  """
}
GET /win_test/_eql/search
{
  "event_category_field": "event.kind",
  "query": """
    sequence by winlog.event_data.TargetUserName
       [ event where event.code == "4720" ]
       [ event where event.code == "4726" ]
  """
}

Neither EQL query works. Any idea what is wrong with these?

Figured it out. Need to ensure event_category_field is specified like below:

GET /win_test/_eql/search
{
  "event_category_field": "event.kind",
  "query": """
    sequence by winlog.event_data.TargetUserName
       [ account_manipulate where event.code == "4720" ]
       [ account_manipulate where event.code == "4726" ]
  """
}
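To make the difference between the failing and the working queries concrete, here is an added example (not part of the original thread and not Elasticsearch's own EQL engine): a small offline evaluator that applies the event-category check and the `sequence by` join to constructed copies of the two documents from the `_bulk` request. It assumes simplified EQL semantics (each event joins at most one sequence, no `until`, `maxspan` given as seconds) and that the category name in a query is compared against the value of the configured `event_category_field`, which is why `event where ...` finds nothing when `event.kind` holds `account_manipulate`, and why leaving the field at its default (`event.category`, absent from these documents) also finds nothing.

```python
"""Offline simulation of the EQL queries from this thread (added example,
not Elasticsearch code). Shows why `event where ...` returns no hits
while `account_manipulate where ...` matches, and how `sequence by`
joins the two events on TargetUserName."""
from datetime import datetime
from typing import Any, Dict, List, Optional, Tuple

# Constructed copies of the two documents from the _bulk request above.
DOCS: List[Dict[str, Any]] = [
    {"_id": "1", "@timestamp": "2020-11-12T02:00:00Z", "host_name": "myhost1",
     "event": {"code": "4720", "type": "create", "kind": "account_manipulate"},
     "winlog": {"event_data": {"TargetUserName": "userA"}}},
    {"_id": "2", "@timestamp": "2020-11-12T02:02:00Z", "host_name": "myhost1",
     "event": {"code": "4726", "type": "delete", "kind": "account_manipulate"},
     "winlog": {"event_data": {"TargetUserName": "userA"}}},
]

# One `<category> where <field> == "<value>"` clause: (category, field, value).
Step = Tuple[str, str, str]
BY_FIELD = "winlog.event_data.TargetUserName"


def get_field(doc: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted path such as 'winlog.event_data.TargetUserName'."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def match_step(doc: Dict[str, Any], category_field: str, step: Step) -> bool:
    """EQL first requires event_category_field == category, then the condition."""
    category, field, value = step
    return (get_field(doc, category_field) == category
            and get_field(doc, field) == value)


def run_query(docs: List[Dict[str, Any]], category_field: str, step: Step) -> List[str]:
    """Single-event query; returns matching _ids in timestamp order."""
    ordered = sorted(docs, key=lambda d: parse_ts(d["@timestamp"]))
    return [d["_id"] for d in ordered if match_step(d, category_field, step)]


def run_sequence(docs: List[Dict[str, Any]], category_field: str, steps: List[Step],
                 by_field: str, maxspan_seconds: Optional[float] = None) -> List[List[str]]:
    """Simplified `sequence by <by_field> [step1] [step2] ...`.

    Events are processed in @timestamp order and joined on by_field; a chain
    advances only when the next expected step matches. maxspan_seconds (the
    `with maxspan=` clause) limits first-to-last event distance; an expired
    or broken chain may be restarted by an event matching the first step."""
    ordered = sorted(docs, key=lambda d: parse_ts(d["@timestamp"]))
    pending: Dict[Any, Tuple[int, List[str], datetime]] = {}  # key -> (next idx, ids, start)
    matches: List[List[str]] = []
    for doc in ordered:
        key = get_field(doc, by_field)
        if key is None:
            continue  # no join key: cannot take part in the sequence
        ts = parse_ts(doc["@timestamp"])
        idx, ids, start = pending.get(key, (0, [], ts))
        expired = (maxspan_seconds is not None
                   and (ts - start).total_seconds() > maxspan_seconds)
        if not expired and match_step(doc, category_field, steps[idx]):
            ids = ids + [doc["_id"]]
            if idx + 1 == len(steps):
                matches.append(ids)
                pending.pop(key, None)
            else:
                pending[key] = (idx + 1, ids, start)
        elif match_step(doc, category_field, steps[0]):
            pending[key] = (1, [doc["_id"]], ts)  # restart chain from this event
    return matches


if __name__ == "__main__":
    bad = [("event", "event.code", "4720"), ("event", "event.code", "4726")]
    good = [("account_manipulate", "event.code", "4720"),
            ("account_manipulate", "event.code", "4726")]
    print("event where 4720:", run_query(DOCS, "event.kind", bad[0]))
    print("account_manipulate where 4720:", run_query(DOCS, "event.kind", good[0]))
    print("sequence (event):", run_sequence(DOCS, "event.kind", bad, BY_FIELD))
    print("sequence (account_manipulate):", run_sequence(DOCS, "event.kind", good, BY_FIELD))
```

The takeaway the evaluator makes visible: the word before `where` is not a keyword, it is matched against the value of `event_category_field`, so it has to be one of the values actually stored in that field (here `account_manipulate`), and the join field in `sequence by` must be present on every event you expect to chain.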
