EQL syntax error?

I'm trying to inspect the results of an EQL query (based on the built-in hosts modification rule). However, when I run the EQL query:

    file where event.type in ("change", "creation") and
      file.path : ("/private/etc/hosts", "/etc/hosts", "?:\\Windows\\System32\\drivers\\etc\\hosts") 

I get an error: "verification_exception: Found 1 problem line 2:7: Unknown column [file.path], did you mean any of [log.file.path, dll.path, url.path, osquery.path, package.path]?"

The EQL query looks at the mappings in the index patterns to determine what fields are available.
It looks like none of the index patterns that were searched contain file.path in the mapping. Sounds like the data you currently have doesn't populate this field.

This index / mapping is created by elastic-agent in security solution. Additionally, the EQL is a built-in rule provided by Elastic, so there should be no mismatch here.

Thirdly, this EQL query has already run and matched events, as I have 150 matches, and hence I'm trying to manually run the query to figure out what is going on. Does that make sense?

Hilton

The indexes that the rule checks are index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]. You can search those mappings for file.path by running this in Dev Tools in Kibana:

GET auditbeat-*,winlogbeat-*,logs-endpoint.events.*,logs-windows.*/_mapping/field/file.path

This is the output I'm getting on my stack when I run this. Note that this will depend on what integrations you have and what indexes they've created. If you're using Elastic Endpoint, you can expect .ds-logs-endpoint.events.file-default-* to exist, which is the backing index for the data stream logs-endpoint.events.file-default-*.

{
  ".ds-logs-endpoint.events.process-default-2021.06.10-000001" : {
    "mappings" : { }
  },
  ".ds-logs-endpoint.events.file-default-2021.06.10-000001" : {
    "mappings" : {
      "file.path" : {
        "full_name" : "file.path",
        "mapping" : {
          "path" : {
            "type" : "keyword",
            "ignore_above" : 1024,
            "fields" : {
              "caseless" : {
                "type" : "keyword",
                "ignore_above" : 1024,
                "normalizer" : "lowercase"
              },
              "text" : {
                "type" : "text"
              }
            }
          }
        }
      }
    }
  },
  "auditbeat-7.8.0" : {
    "mappings" : { }
  },
  ".ds-logs-endpoint.events.network-default-2021.06.10-000001" : {
    "mappings" : { }
  },
  ".ds-logs-endpoint.events.library-default-2021.06.10-000001" : {
    "mappings" : {
      "file.path" : {
        "full_name" : "file.path",
        "mapping" : {
          "path" : {
            "type" : "keyword",
            "ignore_above" : 1024,
            "fields" : {
              "caseless" : {
                "type" : "keyword",
                "ignore_above" : 1024,
                "normalizer" : "lowercase"
              },
              "text" : {
                "type" : "text"
              }
            }
          }
        }
      }
    }
  },
  ".ds-logs-endpoint.events.registry-default-2021.06.10-000001" : {
    "mappings" : { }
  },
  "auditbeat-7.13.2-2021.06.22-000001" : {
    "mappings" : {
      "file.path" : {
        "full_name" : "file.path",
        "mapping" : {
          "path" : {
            "type" : "keyword",
            "ignore_above" : 1024,
            "fields" : {
              "text" : {
                "type" : "text",
                "norms" : false
              }
            }
          }
        }
      }
    }
  },
  ".ds-logs-endpoint.events.security-default-2021.06.10-000001" : {
    "mappings" : { }
  },
  "auditbeat-7.14.0-2021.06.09-000001" : {
    "mappings" : {
      "file.path" : {
        "full_name" : "file.path",
        "mapping" : {
          "path" : {
            "type" : "keyword",
            "ignore_above" : 1024,
            "fields" : {
              "text" : {
                "type" : "text",
                "norms" : false
              }
            }
          }
        }
      }
    }
  }
}
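The check in the answer above can be automated: the `_mapping/field` response is just JSON keyed by backing index, so a short script can tell you which of the indices a rule searches actually map `file.path` and which return an empty mapping. The example below is added here and is not code from the thread or from Elastic; it uses a constructed sample modelled on the response shown above (not real cluster data), and `fetch_field_mapping` assumes an unauthenticated cluster URL as an illustration.

```python
"""Check whether the indices an EQL rule searches actually map a field.

Added example (not from the original thread): parses the JSON returned by
GET <patterns>/_mapping/field/<field> and reports which backing indices map
the field and with what type, so a verification_exception such as
"Unknown column [file.path]" can be traced back to a missing mapping.
"""
import json
import urllib.request

# The index patterns the built-in hosts-file rule searches (from the thread).
RULE_INDEX_PATTERNS = ["auditbeat-*", "winlogbeat-*",
                       "logs-endpoint.events.*", "logs-windows.*"]

# Constructed sample, trimmed from the shape of the response above; not real cluster data.
SAMPLE_RESPONSE = {
    ".ds-logs-endpoint.events.process-default-2021.06.10-000001": {"mappings": {}},
    ".ds-logs-endpoint.events.file-default-2021.06.10-000001": {
        "mappings": {
            "file.path": {
                "full_name": "file.path",
                "mapping": {"path": {"type": "keyword", "ignore_above": 1024,
                                     "fields": {"caseless": {"type": "keyword",
                                                             "normalizer": "lowercase"},
                                                "text": {"type": "text"}}}},
            }
        }
    },
    "auditbeat-7.8.0": {"mappings": {}},
    "auditbeat-7.14.0-2021.06.09-000001": {
        "mappings": {
            "file.path": {
                "full_name": "file.path",
                "mapping": {"path": {"type": "keyword", "ignore_above": 1024,
                                     "fields": {"text": {"type": "text", "norms": False}}}},
            }
        }
    },
}


def field_mapping_report(response, field):
    """Split a _mapping/field response into indices that map `field` and those that do not.

    Returns (mapped, unmapped): `mapped` maps index name -> the field's type and
    its multi-field subfields; `unmapped` is a sorted list of index names whose
    "mappings" object came back empty for this field.
    """
    mapped, unmapped = {}, []
    leaf = field.rsplit(".", 1)[-1]          # the "mapping" object is keyed by the leaf name
    for index, body in response.items():
        entry = body.get("mappings", {}).get(field)
        if not entry:
            unmapped.append(index)
            continue
        props = entry["mapping"][leaf]
        mapped[index] = {
            "type": props.get("type"),
            "subfields": sorted(props.get("fields", {})),
        }
    return mapped, sorted(unmapped)


def diagnose(response, field):
    """One-line verdict: does any searched index map the field at all?"""
    mapped, unmapped = field_mapping_report(response, field)
    if not mapped:
        return (f"{field} is not mapped in any searched index; an EQL query "
                f"referencing it will fail verification")
    return (f"{field} is mapped in {len(mapped)} of {len(mapped) + len(unmapped)} "
            f"indices; EQL will treat it as missing in the other {len(unmapped)}")


def fetch_field_mapping(base_url, patterns, field, opener=urllib.request.urlopen):
    """Fetch the same response live (assumes a reachable, unauthenticated cluster URL)."""
    url = f"{base_url.rstrip('/')}/{','.join(patterns)}/_mapping/field/{field}"
    with opener(url) as resp:
        return json.load(resp)


if __name__ == "__main__":
    mapped, unmapped = field_mapping_report(SAMPLE_RESPONSE, "file.path")
    for name, info in mapped.items():
        print(f"mapped   {name}: {info['type']} subfields={info['subfields']}")
    for name in unmapped:
        print(f"unmapped {name}")
    print(diagnose(SAMPLE_RESPONSE, "file.path"))
```

Run it as-is to see the report for the constructed sample, or replace `SAMPLE_RESPONSE` with `fetch_field_mapping("http://localhost:9200", RULE_INDEX_PATTERNS, "file.path")` against your own cluster. If `diagnose` reports that no index maps the field, that matches the verification_exception in the question: the EQL verifier only knows the columns present in the mappings of the indices it searches, so a field that no integration has written yet cannot be referenced.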
