I am trying to run an EQL search where the first item must occur X amount of times or more before the second item in the sequence will be run. Anyone know how I can do this?
AKA for the example below, I want to see if a new session was started to a device and a successful log in occurs, but I would like to see if a session was started 5 or more times before a successful log in.
GET /OMITTEDINDEX/_eql/search
{
"query": """
sequence by client.ip with maxspan=30s
[any where event.record_type == "SSL_HANDSHAKE_SUCCESS" and service.type == "Session New" and client.ip == "OMITTEDIP"]
[any where event.record_type == "LOGIN"]
"""
}
There is no syntactic sugar to do this; you need to define the first matching query 5 times:
sequence by client.ip with maxspan=30s
[any where event.record_type == "SSL_HANDSHAKE_SUCCESS" and service.type == "Session New" and client.ip == "OMITTEDIP"]
[any where event.record_type == "SSL_HANDSHAKE_SUCCESS" and service.type == "Session New" and client.ip == "OMITTEDIP"]
[any where event.record_type == "SSL_HANDSHAKE_SUCCESS" and service.type == "Session New" and client.ip == "OMITTEDIP"]
[any where event.record_type == "SSL_HANDSHAKE_SUCCESS" and service.type == "Session New" and client.ip == "OMITTEDIP"]
[any where event.record_type == "SSL_HANDSHAKE_SUCCESS" and service.type == "Session New" and client.ip == "OMITTEDIP"]
[any where event.record_type == "LOGIN"]
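Since the workaround is to repeat the clause N times, it is worth generating the query rather than hand-copying it, and worth sanity-checking what it will match before running it against the index. The script below is an added example, not code from the question or the answer above: build_repeated_sequence() emits the repeated-clause EQL text for any N, and login_after_n_handshakes() is a hypothetical local stand-in for the engine that applies the same rule (at least N "Session New" handshakes from the same client.ip, then a LOGIN, all within maxspan) to a constructed batch of events. The local check measures maxspan backwards from the LOGIN, which approximates EQL's first-to-last span; it is a dry run of the detection intent, not a reimplementation of the EQL engine.

```python
"""Generate the repeated-clause EQL sequence and dry-run its logic over sample events.

Added example, not part of the original thread. Event field names follow the
question (client.ip, event.record_type, service.type); timestamps are constructed.
"""
from datetime import datetime

FIRST = ('any where event.record_type == "SSL_HANDSHAKE_SUCCESS" '
         'and service.type == "Session New" and client.ip == "OMITTEDIP"')
FINAL = 'any where event.record_type == "LOGIN"'


def build_repeated_sequence(by_field, maxspan, first_clause, repeats, final_clause):
    """Return EQL text with first_clause repeated `repeats` times before final_clause.

    EQL has no counted-repeat operator, so "N or more" is expressed by listing
    the clause N times; extra occurrences still match because the sequence only
    requires N ordered events, not exactly N.
    """
    if repeats < 1:
        raise ValueError("repeats must be >= 1")
    lines = [f"sequence by {by_field} with maxspan={maxspan}"]
    lines += [f"  [{first_clause}]"] * repeats
    lines.append(f"  [{final_clause}]")
    return "\n".join(lines)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def login_after_n_handshakes(events, n, maxspan_s=30):
    """Hypothetical local check mirroring the intent of the repeated-clause sequence.

    For every LOGIN, count earlier SSL_HANDSHAKE_SUCCESS / "Session New" events
    from the same client.ip within maxspan_s seconds; report the LOGIN when the
    count is at least n. Returns (client.ip, login timestamp, handshake count).
    """
    def is_first(e):
        return (e["event.record_type"] == "SSL_HANDSHAKE_SUCCESS"
                and e.get("service.type") == "Session New")

    ordered = sorted(events, key=lambda e: _ts(e["@timestamp"]))
    hits = []
    for i, e in enumerate(ordered):
        if e["event.record_type"] != "LOGIN":
            continue
        t_login = _ts(e["@timestamp"])
        count = sum(
            1 for prev in ordered[:i]
            if prev["client.ip"] == e["client.ip"] and is_first(prev)
            and 0 <= (t_login - _ts(prev["@timestamp"])).total_seconds() <= maxspan_s
        )
        if count >= n:
            hits.append((e["client.ip"], e["@timestamp"], count))
    return hits


def _hs(ip, t):
    return {"@timestamp": t, "client.ip": ip,
            "event.record_type": "SSL_HANDSHAKE_SUCCESS", "service.type": "Session New"}


def _login(ip, t):
    return {"@timestamp": t, "client.ip": ip, "event.record_type": "LOGIN"}


# Constructed sample: 10.0.0.1 has 5 handshakes then a login inside 30s (should match),
# 10.0.0.2 has only 3 handshakes, 10.0.0.3 has 5 but the login is 48s after the last one.
SAMPLE_EVENTS = [
    _hs("10.0.0.1", "2024-05-01T12:00:00"), _hs("10.0.0.1", "2024-05-01T12:00:03"),
    _hs("10.0.0.1", "2024-05-01T12:00:06"), _hs("10.0.0.1", "2024-05-01T12:00:09"),
    _hs("10.0.0.1", "2024-05-01T12:00:12"), _login("10.0.0.1", "2024-05-01T12:00:20"),
    _hs("10.0.0.2", "2024-05-01T12:00:00"), _hs("10.0.0.2", "2024-05-01T12:00:03"),
    _hs("10.0.0.2", "2024-05-01T12:00:06"), _login("10.0.0.2", "2024-05-01T12:00:20"),
    _hs("10.0.0.3", "2024-05-01T12:00:00"), _hs("10.0.0.3", "2024-05-01T12:00:03"),
    _hs("10.0.0.3", "2024-05-01T12:00:06"), _hs("10.0.0.3", "2024-05-01T12:00:09"),
    _hs("10.0.0.3", "2024-05-01T12:00:12"), _login("10.0.0.3", "2024-05-01T12:01:00"),
]

if __name__ == "__main__":
    print(build_repeated_sequence("client.ip", "30s", FIRST, 5, FINAL))
    print(login_after_n_handshakes(SAMPLE_EVENTS, 5))
```

The generated text is what goes into the "query" field of the _eql/search request body; raising `repeats` is the only change needed for a different threshold, which keeps the five (or fifty) copies of the clause identical.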