EQL library where

willemdh · June 10, 2021, 7:23am

Hello,

Just noticed an EQL query in Suspicious RDP ActiveX Client Loaded | Elastic Security Solution [7.13] | Elastic where a "library where" clause is used. What kind of events contain library? I always though the first word in the EQL queries pointed to the ECS event categories (ECS Categorization Field: event.category | Elastic Common Schema (ECS) Reference [1.10] | Elastic), but those do not contain library.

Grtz

Willem

austinsonger · June 12, 2021, 7:57pm

Library is like an unofficial event category. Libraries .dll are usually affected via a process being executed or running. It is only included in rules when you want to to look when a library is being loaded.

Like the following:

detection-rules/execution_suspicious_image_load_wmi_ms_office.toml at main · elastic/detection-rules (github.com)

library where process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and
  event.action : "load" and
  event.category : "library" and
  dll.name : "wmiutils.dll"

And they probably didn't make it official, because it would probably been difficult to make a category library to work the same for MacOS, Linux, and Windows

system · July 10, 2021, 7:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Set custom event.category field to execute EQL in detection rules Elastic Security detection-rules	2	560	December 3, 2021
Best way to analyze Event Correlation Sequence detections SIEM elastic-stack-alerting , eql-elastic-query-language	6	1695	January 4, 2023
Syntax error shown in EQL queries for correlation Elastic Security	1	426	March 10, 2022
KQL Comprehensive Tutorial on Event Correlation Rules SIEM docker	4	991	December 26, 2022
Problem with EQL queries Elasticsearch	1	323	October 26, 2020

EQL library where

Related topics