What is the point of using EQL to correlate logs?

Hi all,
I am trying to understand how EQL is different from the normal search API that we are already using in Elastic.
For example, this query:

GET /winlogbeat-*/_eql/search
{
  "query": """
    process where event.type == "start" and
      process.parent.name : ("w3wp.exe", "httpd.exe", "nginx.exe", "php.exe", "php-cgi.exe", "tomcat.exe") and
      process.name : ("cmd.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "wmic.exe", "wscript.exe")
  """
}

and this

GET /winlogbeat-*/_search
{
  "query": {
    "bool": {
      "must": [
        {"term": {"process.parent.name": "w3wp.exe"}},
        {"term": {"process.name": "cmd.exe"}}
      ]
    }
  }
}

basically give the same result, so what exactly is the point of using EQL?

Hello there,
The way you are using EQL, it will give the same search result, but that's not its main purpose.

EQL is event-sequence aware: it can correlate events over their time sequence, and you can create security-related rules based on that logic, for example:

  • 5x failed logins followed by 1x successful login, grouped by the same user.name
sequence by user.name with maxspan=5m
[ authentication where event.outcome == "failure"] with runs=5
[ authentication where event.outcome == "success"]

This rule logic is not supported in normal search queries.

You can find more info and a testing environment for EQL-based rules at this link: https://eqlplayground.io/

Regards,
Jorj
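To make the difference concrete, here is an added example (not code from this thread or from Elastic) that models what the `sequence by user.name with maxspan=5m` rule above has to do at query time: keep per-user state across events, count five consecutive failures, and only then accept a success that falls within the 5-minute window. The events are constructed ECS-style dictionaries, the matching is a deliberately simplified imitation of EQL sequence semantics (one pending partial match per join value, events are assumed to be in timestamp order, maxspan measured from the first event of the sequence), and the function names are this example's own. A `bool` query can only say yes or no about one document at a time, which is why it cannot express this rule.

```python
"""Toy model of the EQL rule

    sequence by user.name with maxspan=5m
      [ authentication where event.outcome == "failure"] with runs=5
      [ authentication where event.outcome == "success"]

run over constructed sample events. Added example; the simplifications are
listed in find_sequences() and are assumptions, not Elasticsearch's real engine.
"""
from datetime import datetime, timedelta

# One stage per bracketed event clause: (event.category, event.outcome, run count).
SEQUENCE = [
    ("authentication", "failure", 5),   # ... with runs=5
    ("authentication", "success", 1),
]
MAXSPAN = timedelta(minutes=5)          # with maxspan=5m


def stage_matches(event, stage):
    category, outcome, _ = stage
    return event["event.category"] == category and event["event.outcome"] == outcome


def fresh_state():
    return {"stage": 0, "run": 0, "matched": []}


def find_sequences(events, sequence=SEQUENCE, maxspan=MAXSPAN, join_field="user.name"):
    """Return every completed sequence as the list of events that formed it.

    Events are correlated independently per join_field value (`sequence by`)
    in timestamp order. An event that does not match the stage currently being
    waited for is ignored rather than resetting the partial match, as in EQL.
    Simplification (assumption): only one partial match is tracked per join value.
    """
    pending = {}
    hits = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        key = ev[join_field]
        st = pending.setdefault(key, fresh_state())
        # maxspan is measured from the first event of the partial match.
        if st["matched"] and ev["@timestamp"] - st["matched"][0]["@timestamp"] > maxspan:
            st = pending[key] = fresh_state()
        stage = sequence[st["stage"]]
        if not stage_matches(ev, stage):
            continue
        st["matched"].append(ev)
        st["run"] += 1
        if st["run"] < stage[2]:
            continue                    # need more runs of this stage
        st["stage"] += 1
        st["run"] = 0
        if st["stage"] == len(sequence):
            hits.append(st["matched"])  # whole sequence completed for this user
            pending[key] = fresh_state()
    return hits


T0 = datetime(2024, 1, 1, 12, 0, 0)     # constructed base time


def auth(user, outcome, seconds):
    """Constructed ECS-style authentication event (sample data, not from a real system)."""
    return {"@timestamp": T0 + timedelta(seconds=seconds), "event.category": "authentication",
            "event.outcome": outcome, "user.name": user}


EVENTS = (
    # alice: five failures then a success, all within a minute -> matches
    [auth("alice", "failure", s) for s in (0, 10, 20, 30, 40)]
    + [{"@timestamp": T0 + timedelta(seconds=45), "event.category": "process",
        "event.outcome": "unknown", "user.name": "alice"}]   # unrelated event, ignored
    + [auth("alice", "success", 60)]
    # bob: only three failures before the success -> no match
    + [auth("bob", "failure", s) for s in (0, 5, 10)] + [auth("bob", "success", 15)]
    # carol: five failures, but spread over 8 minutes -> maxspan breaks the sequence
    + [auth("carol", "failure", s) for s in (0, 120, 240, 360, 480)]
    + [auth("carol", "success", 540)]
)


def matched_users(events=EVENTS):
    """user.name of every completed sequence, in order of completion."""
    return [seq[0]["user.name"] for seq in find_sequences(events)]


if __name__ == "__main__":
    for seq in find_sequences(EVENTS):
        first, last = seq[0]["@timestamp"], seq[-1]["@timestamp"]
        print(f"{seq[0]['user.name']}: {len(seq)} events between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Running it reports only alice: bob never reaches five failures and carol's failures are too far apart for the 5-minute window, even though every one of carol's documents would individually match a plain `term` filter on `event.outcome`. That per-user, time-ordered state is what the normal `_search` API has no way to hold between documents, and it is exactly what the `_eql/search` endpoint computes for you.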
