How to Correlate three events in EQL based on process and parent-process id?

Sheharyar_Khalid · October 18, 2022, 1:22pm

I have log data in the following format on elasticsearch:

1- ["process_name":"nginx", "process_id":"1", "parent_process_id":"0", "syscall":"execv"]
2- ["process_name":"python", "process_id":"2", "parent_process_id":"1","syscall":"execv"]
3- ["process_name":"chrome", "process_id":"3", "parent_process_id":"2","syscall":"execv"]

The three events are related based on their process_id's and parent_process_id's. I am trying to write an EQL query to capture this chain of events. I have tried the following query:
"event_category_field" : "process_name" "query": """ sequence ["nginx" where syscall == "execv"] ["python" where syscall == "execv"] ["chrome" where syscall == "execv"] """

My goal is to join the first process i.e. "nginx" with "python" based on process_id/parent_process_id (nginx-python) and join the second process ("python") with the third process ("chrome") based on process_id/parent_process_id of (python-chrome).

Is this possible to achieve using one query? Also, is there a way to aggregate two queries in one?

Is there any other way in elastic to capture this chain of events spanning three or more than three events?

vitaliidm · October 20, 2022, 8:57am

Hey @Sheharyar_Khalid, welcome to the community!

According to documentation:

You cannot use EQL comparison operators to compare a field to another field. This applies even if the fields are changed using a function.

It's not possible to reference values from a previous sequence result in the next one.

Is there any other way in elastic to capture this chain of events spanning three or more than three events?

Do you mean 3 or more event of the same type?

If it so, with runs syntax should help:

{
"event_category_field" : "process_name",
"query": """
sequence by syscall
[nginx where syscall == "execv"]
[python where true] with runs=3
[chrome where true]
"""
}

Thanks, Vitalii

Sheharyar_Khalid · October 20, 2022, 6:04pm

Thank you for clarifying. As you mentioned I was trying to do this

It's not possible to reference values from a previous sequence result in the next one.

Apparently it cannot be done.
Thanks!

system · November 17, 2022, 6:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
What is the point of using EQL to correlate log? Elasticsearch eql-elastic-query-language	2	619	February 15, 2022
Analyze Event Tool - Subgraph Extraction? Elastic Security eql-elastic-query-language	2	433	November 30, 2022
Event correlation (with EQL) Elastic Observability eql-elastic-query-language	1	703	August 9, 2023
Best way to analyze Event Correlation Sequence detections SIEM elastic-stack-alerting , eql-elastic-query-language	6	1691	January 4, 2023
Sequence Independent Correlation with EQL Elasticsearch eql-elastic-query-language	1	304	January 20, 2023

How to Correlate three events in EQL based on process and parent-process id?

Related topics