EQL without pre-defined field values


I am in the process of migrating correlation rules from a McAfee SIEM to Elastic Security and I am checking if it is possible to build the following use case in EQL:

I am looking at events generated by a security solution. The use case is about detecting specific file-related activity on a fleet of machines, which may be malicious in nature, and whether this activity is happening on more than one machine.

Each event contains two specific fields I want to monitor. One is the filename and the other is the host name of the machine.

My goal is to generate an alert when the same filename is found on more than one hostname in a time window of 10 minutes.

So my idea would be something like this:

event 1
file.name = random_value
host.name = random_value

event 2
file.name = random_value
host.name = random_value

sequence by file.name with maxspan=10m
  [ file where host.name == "somevalue" ]
  [ file where host.name != "othervalue" ]

So none of these values are pre-defined, but in this use case the value of file.name is the same and the value of host.name is different.

Remember, my end goal is to be alerted of the same file activity occurring on more than one machine.

My problem is that I am not sure how to define this use case properly in EQL. I can't find any good pointers in the documentation. Maybe it is not possible/supported, or I am looking at it from the wrong angle.

Any feedback would be much appreciated.


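The correlation the question describes (the same file.name seen on more than one host.name within a 10-minute window), implemented as a sliding-window check over a list of events. This is an added example, not code from the original post or from Elastic; the event list is constructed and the function name correlate_multi_host is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the original post): a.exe appears on
# two hosts 7 minutes apart, b.dll on one host only, and c.ps1 on two hosts
# but 21 minutes apart (outside the window).
EVENTS = [
    {"@timestamp": "2024-01-01T10:00:00", "event.category": "file", "file.name": "a.exe", "host.name": "ws01"},
    {"@timestamp": "2024-01-01T10:04:00", "event.category": "file", "file.name": "a.exe", "host.name": "ws01"},
    {"@timestamp": "2024-01-01T10:07:00", "event.category": "file", "file.name": "a.exe", "host.name": "ws02"},
    {"@timestamp": "2024-01-01T10:08:00", "event.category": "file", "file.name": "b.dll", "host.name": "ws03"},
    {"@timestamp": "2024-01-01T10:09:00", "event.category": "file", "file.name": "c.ps1", "host.name": "ws04"},
    {"@timestamp": "2024-01-01T10:30:00", "event.category": "file", "file.name": "c.ps1", "host.name": "ws05"},
]

MAXSPAN = timedelta(minutes=10)  # the 10m window from the question


def correlate_multi_host(events, maxspan=MAXSPAN):
    """Return one alert per file.name seen on at least two distinct
    host.name values within `maxspan`.

    Events are processed in time order. For each file.name a window of
    (timestamp, host) pairs is kept and entries older than maxspan are
    evicted, which is what 'sequence by file.name with maxspan=10m' plus
    a 'host.name must differ' condition would express. A file.name alerts
    at most once so repeated hits do not flood the output.
    """
    windows = defaultdict(list)  # file.name -> [(ts, host), ...] inside maxspan
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ev.get("event.category") != "file":  # mirrors the 'file where' filter
            continue
        ts = datetime.fromisoformat(ev["@timestamp"])
        fname, host = ev["file.name"], ev["host.name"]
        win = windows[fname]
        win[:] = [(t, h) for t, h in win if ts - t <= maxspan]  # drop expired
        win.append((ts, host))
        hosts = {h for _, h in win}
        if len(hosts) > 1 and fname not in alerted:
            alerted.add(fname)
            alerts.append({"file.name": fname, "hosts": sorted(hosts),
                           "first": win[0][0].isoformat(), "last": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in correlate_multi_host(EVENTS):
        print(alert)
```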

I hope someone from Elastic has a magic solution to this answer, but afaik, with my current (limited) knowledge of EQL, I don't think this is possible atm.
