stix-shifter

Elastic ECS translation and LIKE operator

Open barvhaim opened this issue 5 years ago • 2 comments

Describe the bug: A query translation for the elastic_ecs datasource that contains a LIKE operator with a wildcard behaves incorrectly when there is whitespace between the terms. For example, the query "[(x-event:action LIKE 'Registry %')]", which should look for an event action that starts with "Registry ", will instead look for "Registry" OR "%" individually - "event.action : Registry * AND (@timestamp:[\"2020-08-23T13:02:04.184Z\" TO \"2020-08-23T13:07:04.184Z\"])" - and then you'll get many unrelated results.

The fix would be wrapping the value with quotes when doing a LIKE query: "event.action : \"Registry *\" AND (@timestamp:[\"2020-08-23T13:03:08.041Z\" TO \"2020-08-23T13:08:08.041Z\"])"

The query should result in event.action : "Registry *" and not event.action : Registry *

I am attaching a pull request to fix the issue: #414

barvhaim avatar Aug 23 '20 13:08 barvhaim
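Added example, not stix-shifter's own code: a small translator that turns the value of a STIX LIKE comparison into an Elasticsearch query_string clause, mapping the STIX % wildcard to Lucene *, and, with a flag, either leaving the value bare (the behaviour the issue reports, where "Registry %" becomes the two terms Registry and *) or wrapping it in double quotes when it contains whitespace (the fix the issue proposes). The STIX-to-ECS field mapping is a constructed stand-in for the project's mapping files, limited to the three fields named in this thread; treating STIX _ as the Lucene single-character wildcard ? and backslash-escaping Lucene reserved characters in the literal part of the value are assumptions of this example, not behaviour documented in the issue.

```python
"""Added example (not stix-shifter code): STIX LIKE value -> Elasticsearch
query_string clause, showing the whitespace problem and the quoting fix.

Assumptions (not from the issue): FIELD_MAP is a constructed stand-in for
the project's mapping files; STIX `_` maps to Lucene `?`; Lucene reserved
characters in the literal part of the value are backslash-escaped.
"""
import re

# Constructed field mapping, using only the pairs named in the issue thread.
FIELD_MAP = {
    "x-event:action": "event.action",
    "network-traffic:protocols[*]": "network.transport",
    "process:command_line": "process.command_line",
}

# Lucene query_string reserved characters that can be backslash-escaped.
# `<` and `>` cannot be escaped in query_string at all, so they are dropped.
_ESCAPABLE = set('+-=&|!(){}[]^"~:\\/*?')
_UNESCAPABLE = set("<>")

# Matches a single-comparison STIX pattern such as
#   [x-event:action LIKE 'Registry %']
_LIKE_RE = re.compile(r"^\[\s*(?P<field>\S+)\s+LIKE\s+'(?P<value>[^']*)'\s*\]$")


def like_to_wildcard(value: str) -> str:
    """Map STIX LIKE wildcards to Lucene wildcards, escaping everything else.

    %  -> *   (any run of characters)
    _  -> ?   (exactly one character; assumption, see module docstring)
    A literal * or ? or other reserved character is backslash-escaped so the
    Lucene parser does not interpret it.
    """
    out = []
    for ch in value:
        if ch == "%":
            out.append("*")
        elif ch == "_":
            out.append("?")
        elif ch in _UNESCAPABLE:
            continue
        elif ch in _ESCAPABLE:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def translate_like(stix_field: str, value: str, quote_on_whitespace: bool = True) -> str:
    """Build `ecs.field : pattern` for one STIX LIKE comparison.

    quote_on_whitespace=False reproduces the translation the issue reports:
    'Registry %' becomes `Registry *`, which the Lucene parser reads as two
    separate terms.  quote_on_whitespace=True applies the proposed fix and
    wraps a value containing whitespace in double quotes.
    """
    ecs_field = FIELD_MAP[stix_field]
    pattern = like_to_wildcard(value)
    if quote_on_whitespace and re.search(r"\s", pattern):
        pattern = '"' + pattern + '"'
    return f"{ecs_field} : {pattern}"


def translate_pattern(stix_pattern: str, quote_on_whitespace: bool = True) -> str:
    """Parse a single-comparison STIX LIKE pattern and translate it."""
    match = _LIKE_RE.match(stix_pattern.strip())
    if match is None:
        raise ValueError(f"not a single LIKE comparison: {stix_pattern!r}")
    return translate_like(match["field"], match["value"], quote_on_whitespace)


def with_time_window(clause: str, start: str, stop: str) -> str:
    """Append the @timestamp range the translated queries in the issue carry."""
    return f'{clause} AND (@timestamp:["{start}" TO "{stop}"])'


if __name__ == "__main__":
    for pattern in (
        "[x-event:action LIKE 'Registry %']",
        "[network-traffic:protocols[*] LIKE 's%']",
        "[network-traffic:protocols[*] LIKE 's %']",
        "[process:command_line LIKE 'taskhostw.exe %']",
    ):
        print(pattern)
        print("  reported :", translate_pattern(pattern, quote_on_whitespace=False))
        print("  quoted   :", translate_pattern(pattern))
    print(with_time_window(translate_pattern("[x-event:action LIKE 'Registry %']"),
                           "2020-08-23T13:03:08.041Z", "2020-08-23T13:08:08.041Z"))
```

Running it prints both translations side by side for each pattern, so the difference between the bare `Registry *` (two terms) and the quoted `"Registry *"` is visible without an Elasticsearch instance; whether the quoted form matches a given document still depends on how the target field is analysed, which is the point raised later in this thread.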

@mdazam1942 I encountered different behavior of the Elastic ECS LIKE; here's the summary.
Let's say the key is network.protocol and the value is ssh.

In the current state of STIX-Shifter, the query [network-traffic:protocols[*] LIKE 's%'] is translated into network.transport : s*, which works correctly and returns results.

However, if there are spaces between the terms, for example [network-traffic:protocols[*] LIKE 's %'], it is translated to network.transport : s * and returns all the results that ever existed in the ECS, which is wrong.

In order to solve it we can add " around the query's value. For example, for a document with a process.command_line value of taskhostw.exe Logon, the query [process:command_line LIKE 'taskhostw.exe %'] will translate to process.command_line : \"taskhostw.exe *\", which is also OK.

The problem is that with this fix the following won't return results now: [network-traffic:protocols[*] LIKE 's %'] translates to network.transport : \"s*\", which returns zero results and doesn't catch the ssh value.

So if we fix one place, we cause an issue in the other. What do you think?

barvhaim avatar Sep 21 '20 12:09 barvhaim

@barvhaim so there's another wildcard character, _, that can be used with the LIKE operator; we just need to handle the space. I wonder whether using the underscore could be useful. I have never tried it, though. The pattern may look like this: [network-traffic:protocols[*] LIKE 's_%']

mdazam1942 avatar Sep 23 '20 18:09 mdazam1942