I am in a process of migrating correlation rules from a McAfee SIEM to Elastic Security and I am checking if it is possible to build the following use case in EQL:
I am looking at events generated by a security solution. The use case is about detecting specific file related activity on a fleet of machines, which may be malicious of nature and if this activity is happening on more than one machine.
Each event contains 2 specific fields I want to monitor on. One is the filename and the other one is the host name of the machine.
My goal is to generate an alert when the same filename is found on more than one hostname in a time window of 10 minutes.
so my idea would be something like this:
event 1 file.name = random_value host.name = random_value event 2 file.name = random_value host.name = random_value Sequence by file.name with maxspan 10m [ file where host.name == "somevalue" ] [ file where host.name != "othervalue" ]
So none of these values are pre defined, but in this use case the value of file.name is the same value and the value of host.name is different.
Remember, my end goal is to be alerted of the same file activity occurring on more than one machine.
My problem is that I am not sure how to define this use case properly in EQL. I don't find any good pointer in the documentation. Maybe it is not possible/supported or I am looking at it from the wrong angle.
Any feedback would be much appreciated.