Clarification on using "timestamp_override: event.ingested" with EQL sequence rules

iremtoru · March 9, 2026, 11:22am

Hello,

I’m looking for clarification and guidance around the use of timestamp_override: event.ingested in EQL sequence rules.

From my understanding and search of official docs:

timestamp_override: event.ingested is recommended for many detection rules to handle delayed or backfilled data.
However, it seems not recommended (or intentionally avoided) for EQL sequence rules, as sequences rely on correct event ordering and maxspan semantics based on event time, not ingest time.

My questions are:

Why exactly is timestamp_override: event.ingested discouraged for EQL sequence queries?
Is it mainly due to ordering issues, maxspan misalignment, or risk of false positives?
Does this restriction depend on log source characteristics?
For example, would data sources with near‑real‑time ingestion still be unsafe, or is the recommendation universal?
What is the preferred approach for EQL sequence rules when dealing with delayed ingestion?
- Rely solely on @timestamp / event time?
- Use timestamp_field instead?
- Increase look‑back windows or model sequences differently?

Any explanation or best‑practice guidance for designing better EQL sequence rules across different data sources would be very helpful.

Thanks in advance!

Topic		Replies	Views
EQL Sequence doesn't correlate events having same exact timestamp? Elastic Security	5	835	June 9, 2021
Run detetion rules backwards Elastic Security	5	747	September 6, 2022
Timeline template change timefilter to @timestamp instead of event.ingested? Elastic Security	3	414	June 9, 2023
The following indices are missing the timestamp override field "event.ingested" Elastic Security	1	598	May 5, 2021
The following indices are missing the timestamp override field "event.ingested": Elastic Security	1	567	July 4, 2022