Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement EQL Correlations #121

Draft
wants to merge 5 commits into
base: main
Choose a base branch
from
Draft

Implement EQL Correlations #121

wants to merge 5 commits into from

Conversation

Mat0vu
Copy link
Contributor

@Mat0vu Mat0vu commented Feb 14, 2025

Hi everyone,

because of the issues with the case sensitiveness of ESQL (#107) and because the backend for EQL is not yet supporting correlations, although the language itself supports this kind of queries (https://www.elastic.co/guide/en/elasticsearch/reference/8.16/eql-syntax.html), I´ve started implementing this.
By the way, EQL is also supporting case-insensitive searches :D

This is still WIP as not all use cases are implemented yet and there need to be more tests. The code also depends on a newer pysigma release, but you are welcome to comment on the current status and of course help.

While working on the templates for the correlations, I´ve ran into an issue which makes a small adaption in the convert_correlation_rule_from_template method in the TextqueryBackend in the main repo necessary:

The template for correlations in EQL looks like this

default_correlation_query: ClassVar[str] = {
        "sequence": "sequence with maxspan={timespan} \n [{search}] {aggregate} {condition}",
        "sample": "sample {condition} \n [{search}] {aggregate}",
    }

The issue is the {timespan} parameter. In the current implementation, the value is inserted into the {aggregate} string, but for EQL it needs to be inserted before the {search} part, so it needs to be handled outside of the {aggregate} expression parsing.

To fix this, I´ve just added the marked line into the convert_correlation_rule_from_template method.

        return [
            template[method].format(
                search=search,
                typing=self.convert_correlation_typing(rule),
                timespan=self.convert_timespan(rule.timespan, method), # this is new
                aggregate=self.convert_correlation_aggregation_from_template(
                    rule, correlation_type, method, search
                ),
                condition=self.convert_correlation_condition_from_template(
                    rule.condition, rule.rules, correlation_type, method
                ),
            )
        ]

I think there is no other way to achieve the necessary format. But this change should not lead to undesired behavior because it won´t change the output unless there is a {timespan} in the correlation_query variable specified.

Mat0vu and others added 2 commits February 14, 2025 12:14
@Mat0vu
Start with EQL Correlations (#2)
1187b23 
* Update pysigma version

* correct compareOperator import

* fix poetry.lock

* add esql to allowed backends in pipelines

* first step for eql correlations

* first correlation unit test

---------

Co-authored-by: Mat0vu <mat0vu@protonmail.com>
delete unrelevant changes
4e67dff
@thomaspatzke
Copy link
Member

Nice one! Please submit the change to convert_correlation_rule_from_template as PR to pySigma!

@Mat0vu Mat0vu mentioned this pull request Feb 17, 2025
Merged
@Mat0vu Mat0vu mentioned this pull request Feb 18, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Mat0vu @thomaspatzke