
[DOCS] Fix EQL threat detection example (#61367)

James Rodewig 5 years ago
commit 77bb7320dd
2 changed files with 5 additions and 11 deletions
  1. docs/build.gradle (+0 -6)
  2. docs/reference/eql/detect-threats-with-eql.asciidoc (+5 -5)

+ 0 - 6
docs/build.gradle

@@ -1455,12 +1455,6 @@ buildRestTests.setups['atomic_red_regsvr32'] = '''
             settings:
               number_of_shards: 5
               number_of_routing_shards: 5
-            mappings:
-              properties:
-                process:
-                  properties:
-                    "command_line":
-                      type: keyword
   - do:
         bulk:
           index: my-index-000001
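Review bot: removing the explicit `keyword` mapping for `process.command_line` makes the `atomic_red_regsvr32` setup depend on dynamic mapping, and that is the only thing that gives the field the `.keyword` multi-field the asciidoc now queries (`process.command_line.keyword != null`). The setup therefore only matches the docs if every bulk document's `process.command_line` is indexed as a dynamically mapped string (text plus `keyword` subfield). A short comment in the setup recording that the `.keyword` subfield comes from dynamic mapping, or an explicit `text` mapping with a `keyword` multi-field, would keep the test index and the documented query from silently diverging later.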

+ 5 - 5
docs/reference/eql/detect-threats-with-eql.asciidoc

@@ -122,7 +122,7 @@ Update the previous EQL query as follows:
 
 * Change the `any` keyword to `process`. This limits matches to events with an
 `event.category` of `process`.
-* Add the `and process.command_line != null` condition to match only
+* Add the `and process.command_line.keyword != null` condition to match only
 events with a command line value.
 
 You'll also need to remove the `filter_path=-hits.events` query parameter. This
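Review bot: the bullet now tells readers to add `process.command_line.keyword != null` without saying why the `.keyword` subfield is needed. In the sample index used here the field is dynamically mapped, so `process.command_line.keyword` is the keyword multi-field that can be compared with `null`; a reader whose own index maps `process.command_line` directly as `keyword` (an ECS-style mapping) has no `.keyword` subfield and will get an unknown-field error from the same query. One sentence after the bullet, for example "In this example, `process.command_line` is dynamically mapped as `text` with a `keyword` subfield, so the query uses `process.command_line.keyword`", would stop readers from copying the `.keyword` suffix into indices where it does not exist.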
@@ -133,7 +133,7 @@ lets you retrieve the document source for any matching events.
 GET /my-index-000001/_eql/search
 {
   "query": """
-    process where process.name == "regsvr32.exe" and process.command_line != null
+    process where process.name == "regsvr32.exe" and process.command_line.keyword != null
   """
 }
 ----
@@ -142,8 +142,8 @@ GET /my-index-000001/_eql/search
 The query matches one process event. The event has an `event.type` of
 `creation`, indicating the start of a `regsvr32.exe` process.
 
-Based on the `process.command_line` value, `regsvr32.exe` used `scrobj.dll` to
-register a script, `RegSvr32.sct`. This fits the behavior of a
+Based on the `process.command_line` value in the response, `regsvr32.exe` used
+`scrobj.dll` to register a script, `RegSvr32.sct`. This fits the behavior of a
 https://attack.mitre.org/techniques/T1218/010/["Squiblydoo" attack], a known
 variant of `regsvr32` misuse.
 
@@ -213,7 +213,7 @@ malicious script, `RegSvr32.sct`. Next, see if `regsvr32.exe` later loads the
 Modify the previous EQL query as follows:
 
 * Change the `process` keyword to `library`.
-* Replace the `process.command_line != null` condition with
+* Replace the `process.command_line.keyword != null` condition with
 `dll.name == "scrobj.dll`.
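Review bot: the condition quoted in the unchanged context line `dll.name == "scrobj.dll` is missing its closing double quote; since this hunk edits the line immediately above it, fix it here as `dll.name == "scrobj.dll"` so the bullet matches the console example that follows and a reader who copies it gets a parseable EQL condition.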
 
 [source,console]