Hello,
I am looking for a solution to create an alert when the following happens:
An event with the field winlog.event_id: "4202" occurs. 5 minutes later, no event with the field winlog.event_id: "4204" was detected.
==> Alert
Do you think this is possible?
Thank you.
I think this is possible if you use EQL.
Check the documentation for EQL searchs.
I have tried several times with the EQL language, but I can't get what I want 
@bricevalenza I had a similar question some time ago which was never answered, see Custom EQL Query where one event happened and another didnt
No one has any ideas?
Thanks 
Hi, unfortunately there is no easy way to do this today. We're working on being able to provide this functionality though, hopefully in the short term.
James
Hi,
Thank you for your answer. I got around the problem by using an external monitoring tool (nagios plug-in).
Via a request on the API, I get the last events with my two events as filter (the OK and the NOK). If the last event is the 4202 I put the check in "critical", if it is the 4204 I put it in "OK".
on the supervision tool I can refine the check delays, and the triggering of the critical state.
Thanks.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.