How to Correlate three events in EQL based on process and parent-process id?

I have log data in the following format on elasticsearch:

1- ["process_name":"nginx", "process_id":"1", "parent_process_id":"0", "syscall":"execv"]
2- ["process_name":"python", "process_id":"2", "parent_process_id":"1","syscall":"execv"]
3- ["process_name":"chrome", "process_id":"3", "parent_process_id":"2","syscall":"execv"]

The three events are related based on their process_id's and parent_process_id's. I am trying to write an EQL query to capture this chain of events. I have tried the following query:
"event_category_field" : "process_name" "query": """ sequence ["nginx" where syscall == "execv"] ["python" where syscall == "execv"] ["chrome" where syscall == "execv"] """

My goal is to join the first process i.e. "nginx" with "python" based on process_id/parent_process_id (nginx-python) and join the second process ("python") with the third process ("chrome") based on process_id/parent_process_id of (python-chrome).

Is this possible to achieve using one query? Also, is there a way to aggregate two queries in one?

Is there any other way in elastic to capture this chain of events spanning three or more than three events?

Hey @Sheharyar_Khalid, welcome to the community!

According to the documentation:

You cannot use EQL comparison operators to compare a field to another field. This applies even if the fields are changed using a function.

It's not possible to reference values from a previous sequence result in the next one.

Is there any other way in elastic to capture this chain of events spanning three or more than three events?

Do you mean 3 or more events of the same type?

If so, the "with runs" syntax should help:

{
"event_category_field" : "process_name",
"query": """
sequence by syscall
[nginx where syscall == "execv"]
[python where true] with runs=3
[chrome where true]
"""
}

Thanks, Vitalii
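Because an EQL sequence cannot compare one step's process_id with the next step's parent_process_id, the parent/child join can be done client-side after the execv events have been retrieved. The following is an added example, not code from this thread or from Elastic; it assumes the events are already fetched into a list of dicts, and the sample records are constructed from the three lines in the question plus one unrelated chrome event that must not be linked into the chain.

```python
from collections import defaultdict

# Constructed sample events, modelled on the question's three records
# (written as JSON objects, which is how Elasticsearch stores them).
EVENTS = [
    {"process_name": "nginx",  "process_id": "1", "parent_process_id": "0", "syscall": "execv"},
    {"process_name": "python", "process_id": "2", "parent_process_id": "1", "syscall": "execv"},
    {"process_name": "chrome", "process_id": "3", "parent_process_id": "2", "syscall": "execv"},
    # Unrelated execv whose parent (pid 7) is not in the data: must be rejected.
    {"process_name": "chrome", "process_id": "9", "parent_process_id": "7", "syscall": "execv"},
]


def find_chains(events, expected_names, syscall="execv"):
    """Return every parent -> child chain whose process_name values match
    expected_names in order, joining each step on
    child.parent_process_id == parent.process_id."""
    # Index children by their parent's pid so each hop is a dict lookup.
    children = defaultdict(list)
    for ev in events:
        if ev.get("syscall") == syscall:
            children[ev["parent_process_id"]].append(ev)

    chains = []

    def walk(ev, depth, path):
        if ev["process_name"] != expected_names[depth]:
            return
        path = path + [ev]
        if depth == len(expected_names) - 1:
            chains.append(path)      # full chain matched
            return
        for child in children.get(ev["process_id"], []):
            walk(child, depth + 1, path)

    # Every matching execv event may start a chain.
    for ev in events:
        if ev.get("syscall") == syscall:
            walk(ev, 0, [])
    return chains


def chain_pids(chain):
    """Process ids of a matched chain, in parent -> child order."""
    return [ev["process_id"] for ev in chain]


if __name__ == "__main__":
    for chain in find_chains(EVENTS, ["nginx", "python", "chrome"]):
        print(" -> ".join(f'{e["process_name"]}({e["process_id"]})' for e in chain))
```

The expected_names list can be any length, so the same walk covers chains of three or more processes.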

Thank you for clarifying. As you mentioned, I was trying to do this:

It's not possible to reference values from a previous sequence result in the next one.

Apparently it cannot be done.
Thanks!
