EQL library where

Hello,

Just noticed an EQL query in Suspicious RDP ActiveX Client Loaded | Elastic Security Solution [7.13] | Elastic where a "library where" clause is used. What kind of events contain library? I always though the first word in the EQL queries pointed to the ECS event categories (ECS Categorization Field: event.category | Elastic Common Schema (ECS) Reference [1.10] | Elastic), but those do not contain library.

Grtz

Willem

Library is like an unofficial event category. Libraries .dll are usually affected via a process being executed or running. It is only included in rules when you want to to look when a library is being loaded.

Like the following:

library where process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and
  event.action : "load" and
  event.category : "library" and
  dll.name : "wmiutils.dll"

And they probably didn't make it official, because it would probably been difficult to make a category library to work the same for MacOS, Linux, and Windows

1 Like