The first step in executing EQL sequences and joins is to map each element of the sequence/join to the ES Search DSL. Each element of the EQL sequence/join becomes a separate search request, filtered to that element's event type and its field comparisons, and sorted so that results can later be walked in join-key and time order.
Example
Given the rule:
sequence by pid
[process where process_name = "evil.exe"]
[network where destination_port = 8080]
We would generate two ES Search requests, one for the process events and one for the network events, similar to the following (for illustrative purposes; the actual requests may differ). Each request sorts first by the `by` field (`pid`), then by `timestamp`, then by `_seq_no` as a tie-breaker for events with identical timestamps. Two caveats a practitioner should keep in mind: `_seq_no` is assigned per shard, so it only yields a deterministic order among documents from the same shard; and exact EQL comparisons such as `process_name = "evil.exe"` are more faithfully expressed as `term` queries on keyword fields, since `match` against an analyzed text field performs token matching and can produce false positives for a detection rule.
GET index/_search
{
  "size": 1000,
  "query": {
    "bool": {
      "must": [
        { "match": { "event.type": "process" } },
        { "match": { "process_name": "evil.exe" } }
      ]
    }
  },
  "sort": [
    { "pid": "asc" },
    { "timestamp": "asc" },
    { "_seq_no": "asc" }
  ]
}

GET index/_search
{
  "size": 1000,
  "query": {
    "bool": {
      "must": [
        { "match": { "event.type": "network" } },
        { "match": { "destination_port": 8080 } }
      ]
    }
  },
  "sort": [
    { "pid": "asc" },
    { "timestamp": "asc" },
    { "_seq_no": "asc" }
  ]
}
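The mapping described above, written out as an added example rather than code from the original page or from the project it describes. It takes the sequence's `by` fields and each element as an already-parsed (event type, field comparisons) pair and produces the search bodies shown above; the sort generalizes to several `by` fields, which the page's example with a single `pid` key does not show. The field names `event.type` and `timestamp`, the page size of 1000, and the parsed-rule representation are assumptions taken from the page's illustrative requests, and `match` is used to mirror them (a production rule would use `term` on keyword fields for exact comparisons).

```python
import json

# Constructed input: the rule from the page, as a parser would hand it over.
#   sequence by pid
#     [process where process_name = "evil.exe"]
#     [network where destination_port = 8080]
RULE_BY_FIELDS = ["pid"]
RULE_ELEMENTS = [
    ("process", {"process_name": "evil.exe"}),
    ("network", {"destination_port": 8080}),
]

# Assumptions taken from the page's illustrative requests, not fixed by it.
EVENT_TYPE_FIELD = "event.type"
TIMESTAMP_FIELD = "timestamp"
DEFAULT_SIZE = 1000


def element_to_query(by_fields, event_type, equalities, size=DEFAULT_SIZE):
    """Map one sequence/join element to an ES search body.

    The element's event type and every `field = value` comparison become
    clauses in a bool/must. The sort puts the join key(s) first so events
    sharing a `by` value are contiguous, then orders by time, with `_seq_no`
    as a tie-breaker for identical timestamps (deterministic within a shard).
    """
    must = [{"match": {EVENT_TYPE_FIELD: event_type}}]
    for field, value in equalities.items():
        # `match` mirrors the page; `term` on a keyword field is the exact form.
        must.append({"match": {field: value}})

    sort = [{field: "asc"} for field in by_fields]
    sort.append({TIMESTAMP_FIELD: "asc"})
    sort.append({"_seq_no": "asc"})

    return {"size": size, "query": {"bool": {"must": must}}, "sort": sort}


def sequence_to_queries(by_fields, elements, size=DEFAULT_SIZE):
    """One search body per sequence/join element, in rule order."""
    return [
        element_to_query(by_fields, event_type, equalities, size)
        for event_type, equalities in elements
    ]


def render_requests(by_fields, elements, index="index", size=DEFAULT_SIZE):
    """Render the bodies as the GET index/_search blocks shown on the page."""
    blocks = []
    for body in sequence_to_queries(by_fields, elements, size):
        blocks.append(f"GET {index}/_search\n" + json.dumps(body, indent=2))
    return "\n\n".join(blocks)


if __name__ == "__main__":
    print(render_requests(RULE_BY_FIELDS, RULE_ELEMENTS))
```

Running the block prints the two requests for the page's rule; calling `sequence_to_queries(["pid", "host.name"], ...)` shows how a join on several keys simply extends the leading sort clauses.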