Link to rule
https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
Description
In relatively large deployments (500+ hosts) this rule will never successfully run and will always time out.
This appears to be a cardinality issue mainly with:
detection-rules/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
Lines 33 to 37 in 3813a08
sequence by host.id, process.entity_id with maxspan=30s
[any where
/* Look for processes started or libraries loaded from untrusted or unsigned Windows, Linux or macOS binaries */
(event.action in ("exec", "fork", "start", "load")) or
If you were to look at a 9-minute window with just the first query part (event.action in ("exec", "fork", "start", "load")), there are a significant number of matches:
This part has an extremely high cardinality, with process.entity_id alone having ~250k unique values.
If you look at the combined host.id and process.entity_id you can better see the cardinality problem.
I think that this cardinality issue is causing excessively long running rule times.
Example Data
Timeout Errors:
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
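To make the cardinality point concrete, here is an added toy model of what a `sequence by host.id, process.entity_id with maxspan=30s` join has to keep in memory. This is illustration code written for this page, not Elastic's EQL engine and not code from the issue or the detection-rules repository. The events are constructed, the "narrow" first stage (requiring an untrusted code signature) is a hypothetical variant used only for comparison, and the second stage is a placeholder because the rule's later stages are not shown on this page.

```python
"""Toy model of `sequence by host.id, process.entity_id with maxspan=30s`.

Added illustration only: a simplified two-stage join engine over constructed
events. It is not Elastic's EQL implementation, and the stage filters below
are placeholders, not the real rule's stages.
"""

MAXSPAN_S = 30.0
ACTIONS = ("exec", "fork", "start", "load")


def make_events(n_hosts=50, procs_per_host=200, window_s=540.0):
    """Constructed sample: every host starts `procs_per_host` processes,
    spread evenly over a 9-minute window. One process in twenty is marked
    as untrusted, and two processes per host (p == 0 and p == 100) later
    emit a placeholder stage-2 event 10 s after they start."""
    events = []
    step = window_s / (n_hosts * procs_per_host)
    i = 0
    for h in range(n_hosts):
        host = f"host-{h:03d}"
        for p in range(procs_per_host):
            ts = i * step
            i += 1
            pid = f"{host}-proc-{p}"
            events.append({
                "@timestamp": ts,
                "host.id": host,
                "process.entity_id": pid,
                "event.action": ACTIONS[p % len(ACTIONS)],
                "process.code_signature.trusted": p % 20 != 0,
            })
            if p % 100 == 0:
                events.append({
                    "@timestamp": ts + 10.0,
                    "host.id": host,
                    "process.entity_id": pid,
                    "event.action": "placeholder_stage2",
                })
    events.sort(key=lambda e: e["@timestamp"])
    return events


def distinct_keys(events):
    """Number of distinct (host.id, process.entity_id) join keys, i.e. how
    many separate sequence slots the engine may have to track."""
    return len({(e["host.id"], e["process.entity_id"]) for e in events})


def broad_stage1(e):
    # The first stage as quoted in the issue: any exec/fork/start/load event.
    return e["event.action"] in ACTIONS


def narrow_stage1(e):
    # Hypothetical narrower first stage (an assumption for comparison, not
    # the rule's own condition): same actions, but only untrusted binaries.
    return broad_stage1(e) and not e.get("process.code_signature.trusted", True)


def stage2(e):
    # Placeholder second stage; the real rule's later stages are not shown here.
    return e["event.action"] == "placeholder_stage2"


def run_sequence(events, stage1, stage2, maxspan=MAXSPAN_S):
    """Simplified sequence join: remember the latest stage-1 hit per key and
    match when a stage-2 event for the same key arrives within maxspan.
    Returns (matches, peak_pending); peak_pending is the largest number of
    open stage-1 candidates held at once, i.e. the state that a
    high-cardinality first stage forces the engine to keep."""
    pending = {}
    matches = []
    peak = 0
    for e in events:  # events are sorted by time
        now = e["@timestamp"]
        expired = [k for k, t in pending.items() if now - t > maxspan]
        for k in expired:
            del pending[k]
        key = (e["host.id"], e["process.entity_id"])
        if stage2(e) and key in pending:
            matches.append((key, pending[key], now))
            del pending[key]
        elif stage1(e):
            pending[key] = now
        peak = max(peak, len(pending))
    return matches, peak


if __name__ == "__main__":
    evs = make_events()
    print("distinct join keys:", distinct_keys(evs))
    for name, s1 in (("broad", broad_stage1), ("narrow", narrow_stage1)):
        m, peak = run_sequence(evs, s1, stage2)
        print(f"{name:6s} stage 1: {len(m)} matches, peak pending keys = {peak}")
```

With the broad first stage every process start on every host becomes an open candidate that must be held for the full 30 s maxspan, so the pending state scales with the process-start rate of the whole fleet; with the narrowed stage the same placeholder matches are still found here (by construction of the sample data) while the engine holds roughly one twentieth of the state. A real EQL sequence has further costs (per-stage filtering, ordering, spill limits) that this toy does not model, but the join-key cardinality of the first stage is the term that grows with fleet size.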