Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Map EQL sequence/join parts to ES requests #49590

Closed
colings86 opened this issue Nov 26, 2019 · 2 comments
Closed

Map EQL sequence/join parts to ES requests #49590

colings86 opened this issue Nov 26, 2019 · 2 comments
Labels
:Analytics/EQL EQL querying Team:QL (Deprecated) Meta label for query languages team

Comments

@colings86
Copy link
Contributor

colings86 commented Nov 26, 2019
edited
Loading

The first part of executing EQL sequences and joins is to map the elements of the sequence/join to ES Search DSL. Each element of the EQL sequence/join will become a separate search request.

Example

Given the rule:

sequence by pid
[process where process_name = "evil.exe"]
[network where destination_port = 8080]

We would generate two ES Search requests, one for the process events and one for the network events similar to the following (for illustrative purposes, the actual request may be different):

GET index/_search
{
  size: 1000,
  query: {
    bool: {
      must: [
        {
          match: {
            event.type: process
          }
        },
        {
          match: {
            process_name: evil.exe
          }
        }
      ]
    }
  },
  sort: [{ pid: asc }, { timestamp: asc }, { _seq_no: asc}]
}

GET index/_search
{
  size: 1000,
  query: {
    bool: {
      must: [
        {
          match: {
            event.type: network
          }
        },
        {
          match: {
            destination_port: 8080
          }
        }
      ]
    }
  },
  sort: [{ pid: asc }, { timestamp: asc }, { _seq_no: asc}]
}
@colings86 colings86 added the :Analytics/EQL EQL querying label Nov 26, 2019
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-search (:Search/EQL)

This was referenced Nov 26, 2019
Closed
Closed
@rjernst rjernst added the Team:QL (Deprecated) Meta label for query languages team label May 4, 2020
@costin
Copy link
Member

costin commented May 15, 2020

Initial support for sequence has been introduced through #56300

@costin costin closed this as completed May 15, 2020
@costin costin mentioned this issue Jul 16, 2020
Closed
18 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
:Analytics/EQL EQL querying Team:QL (Deprecated) Meta label for query languages team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@costin @colings86 @rjernst @elasticmachine