A doubt with ElasticSearch Integration and EQL searches (es-eql-search)

SergioPalacios — Wed, 02 Aug 2023 09:56:43 GMT

Hi everyone,

I'm currently working on how to make some EQL queries to my Elastic Instance from Cortex XSOAR. I'm using ElasticSearch integration, specifically the command "es-eql-search" which purposoe, I guess, is to make a EQL query to ElasticSearch API. However, regarding to the XSOAR documentation related to the Elastic's integrations, I can see that "Query" parameter has to be in Lucene Syntax... and that not makes sense because we "can't" transform an EQL query to a Lucene Query.

Im trying to make an EQL query like:

process where process.name == "svchost.exe"

But it seems that it not works and every parameters seems to be right.

Any suggestions?

Update: I confirm that my query runs ok. But there's a problem with the results. I cant load query hits to the context. If the output is too big, a file is returned...if not, the output is returned as a results that I can only view through another window. Is there a solution to load the output in the context? (Quiet mode: off) (I tried to ExtendContext too and it not works :S)

Re: A doubt with ElasticSearch Integration and EQL searches (es-eql-search)

Ivetto — Mon, 07 Aug 2023 02:09:14 GMT

In this case, I would recommend maybe writing something custom using our API core that would make the call and put the result in the context or maybe even a file that could be used by the playbook.

Information about our API: https://cortex.marketplace.pan.dev/marketplace/details/DemistoRESTAPI/

topic A doubt with ElasticSearch Integration and EQL searches (es-eql-search) in Cortex XSOAR Discussions

A doubt with ElasticSearch Integration and EQL searches (es-eql-search)

Re: A doubt with ElasticSearch Integration and EQL searches (es-eql-search)