Fields missing in EQL sequence detection rule with building block alert as source

Hi everyone,

I am implementing a set of Detection Rules to correlate events from different sources.

I created a Threshold Rule and marked it as "building block" since I plan to use the alerts it generates as the source event for an EQL Sequence rule.

The sequence is defined as follows:

    sequence with maxspan=1s
        [ threat where network.protocol == "tcp"] by source.ip, destination.ip
        [ any where event.kind == "signal" and signal.rule.description == "building-block-count-source-ip-destination-ip" ] by source.ip, destination.ip

That's the only way I found to include a building block alert in the EQL Sequence Detection Alert query.

Alerts are being fired, but they do not contain source.ip or destination.ip fields.

Analyzing the results by manually running the EQL query, I found out that for the first event, the ip fields are included as:

...
      "source" : {
        "geo" : { },
        "ip" : "192.168.1.10",
        "port" : "xxxx",
        "host" : {
          "name" : "xxxxx"
        }
...

but for the second event, the alert generated with the threshold rule, they are included as:

...
 "source.ip" : "192.168.1.10",
...

Should not the generated alert contain both source.ip and destination.ip, since these fields are present in both events matched by the EQL Sequence?

Cheers,

Manuel

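An added example, not part of the original post and not Elastic's code: a small Python helper for comparing the two field layouts shown above (nested `source` object versus a literal `"source.ip"` key) when inspecting the hits of a manually run EQL query. The function names and the destination address are assumptions, and the sample events are constructed from the fragments in the post.

```python
"""Read ECS fields from events whether stored nested or as dotted keys."""


def get_field(doc, path):
    """Return the value at `path` (e.g. "source.ip") or None.

    Handles nested objects ({"source": {"ip": ...}}), flattened keys
    ({"source.ip": ...}) and mixtures ({"source": {"geo.name": ...}}).
    """
    if not isinstance(doc, dict):
        return None
    if path in doc:
        return doc[path]
    parts = path.split(".")
    # Try every split point: the prefix may itself be a dotted key.
    for i in range(1, len(parts)):
        head, tail = ".".join(parts[:i]), ".".join(parts[i:])
        if head in doc:
            found = get_field(doc[head], tail)
            if found is not None:
                return found
    return None


def field_shape(doc, path):
    """Classify storage of `path`: 'flattened' (literal dotted key at the
    top level), 'nested' (reached through sub-objects) or 'missing'."""
    if isinstance(doc, dict) and path in doc and "." in path:
        return "flattened"
    return "nested" if get_field(doc, path) is not None else "missing"


def compare_join_keys(events, keys):
    """For each join key, report per-event shape and whether values agree."""
    report = {}
    for key in keys:
        values = [get_field(e, key) for e in events]
        report[key] = {
            "shapes": [field_shape(e, key) for e in events],
            "values_match": None not in values and len(set(values)) == 1,
        }
    return report


# Constructed sample events mirroring the two shapes shown in the post;
# the destination address is an assumed value.
NETWORK_EVENT = {"source": {"geo": {}, "ip": "192.168.1.10"},
                 "destination": {"ip": "192.168.1.20"}}
BUILDING_BLOCK_ALERT = {"source.ip": "192.168.1.10",
                        "destination.ip": "192.168.1.20",
                        "event": {"kind": "signal"}}
```

Calling `compare_join_keys([NETWORK_EVENT, BUILDING_BLOCK_ALERT], ["source.ip", "destination.ip"])` reports the layout of each join key per event, which makes a nested/flattened mismatch between the sequence's events visible at a glance.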