EQL - jude-lindale/Wiki GitHub Wiki

Create a Detection Rule

Configure Basic Rule Settings

  • About rule pane
    • Name: the rule's name
    • Description: what the rule does
    • Default Severity: severity level of alert created by the rule:
      • Low: Alerts that are of interest but generally not considered security incidents on their own. A combination of low severity alerts can sometimes indicate suspicious activity.
      • Medium: Alerts that require investigation
      • High: Alerts that require immediate investigation
      • Critical: Alerts that indicate a high likelihood that a security incident occurred
    • Risk score
    • Tags

Advanced Rule Settings


Syntax

Basic Syntax

Sequence Syntax


Search

Required Fields

  • To be able to run an EQL search, the searched data stream or index must contain a timestamp field and an event category field. By default, EQL uses the @timestamp and event.category fields from the Elastic Common Schema (ECS).
  • Using ECS as the schema is recommended for EQL.

Run an EQL search

  • By default, basic EQL queries return the 10 most recent matching events in the hits.events property.
  • The size parameter is used to request a smaller or larger set of hits.

Search for a sequence of events

  • Use EQL’s sequence syntax to search for a series of ordered events. List the event items in ascending chronological order, with the most recent event listed last.
  • Like hits.events, hits.sequences by default returns the 10 most recent matching sequences.
  • The with maxspan option is used to constrain matching sequences to a specified timespan.
  • The by keyword is used to match events that share the same field values. If a field value should be shared across all events, use the sequence by keyword. The following query is equivalent to the previous one.
  • The hits.sequences.join_keys property contains the shared field values.
  • The until keyword is used to specify an expiration event for sequences. Any matching sequences must end before this event.
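As an added example (not from this wiki or from Elastic's own code), the sequence features above are shown as a real EQL query plus a small Python model of how sequence matching treats ordered items, sequence by, with maxspan and until over constructed ECS-style events. The host ids, process name, port and timestamps are assumptions invented for the example, and the model tracks a single partial sequence per join key where real EQL tracks several.

```python
from datetime import datetime, timedelta

# Real EQL syntax for the sequence modelled below; the values are constructed.
EQL_QUERY = """sequence by host.id with maxspan=1m
  [process where process.name == "powershell.exe"]
  [network where destination.port == 443]
until [process where event.type == "end"]"""

def eql_request_body(query=EQL_QUERY, size=10):
    return {"query": query, "size": size}  # body for the _eql/search API; size caps hits.sequences

def ev(ts, category, host, etype=None, **fields):  # constructed ECS-style event
    event = {"category": category, **({"type": etype} if etype else {})}
    return {"@timestamp": ts, "event": event, "host": {"id": host}, **fields}

SAMPLE_EVENTS = [  # constructed sample data, one story per host
    ev("2024-01-01T10:00:00Z", "process", "h1", process={"name": "powershell.exe"}),
    ev("2024-01-01T10:00:30Z", "network", "h1", destination={"port": 443}),  # h1: within 1m -> match
    ev("2024-01-01T10:01:00Z", "process", "h2", process={"name": "powershell.exe"}),
    ev("2024-01-01T10:01:10Z", "process", "h2", "end", process={"name": "powershell.exe"}),  # until fires
    ev("2024-01-01T10:01:20Z", "network", "h2", destination={"port": 443}),  # h2: expired, no match
    ev("2024-01-01T10:02:00Z", "process", "h3", process={"name": "powershell.exe"}),
    ev("2024-01-01T10:04:00Z", "network", "h3", destination={"port": 443}),  # h3: beyond maxspan
]
STAGES = [  # one predicate per bracketed sequence item, in chronological order
    lambda e: e["event"]["category"] == "process" and e["process"]["name"] == "powershell.exe",
    lambda e: e["event"]["category"] == "network" and e["destination"]["port"] == 443,
]
UNTIL = lambda e: e["event"]["category"] == "process" and e["event"].get("type") == "end"
_ts = lambda e: datetime.strptime(e["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")

def match_sequences(events, stages=STAGES, until=UNTIL, maxspan=timedelta(minutes=1)):
    """Simplified EQL sequence semantics: ascending time order, one partial match per
    join key (host.id), dropped when maxspan is exceeded or an until event arrives first."""
    pending, sequences = {}, []
    for e in sorted(events, key=_ts):
        key = e["host"]["id"]
        if until(e):
            pending.pop(key, None)  # expiration event: the partial sequence is discarded
            continue
        stage, first, seen = pending.get(key, (0, None, []))
        if first and _ts(e) - first > maxspan:
            stage, first, seen = 0, None, []  # outside maxspan: start over
        if stages[stage](e):
            seen, first = seen + [e], first or _ts(e)
            if stage + 1 == len(stages):  # complete: report it like hits.sequences
                sequences.append({"join_keys": [key], "events": seen})
                pending.pop(key, None)
            else:
                pending[key] = (stage + 1, first, seen)
    return sequences
```

Only host h1 produces a sequence; h2 is cut off by the until event and h3's second event falls outside the one-minute maxspan.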

Search API