Create a condition in EQL/ES|QL query for alert

Discentius_Crux · March 12, 2025, 3:32am

Hi,

Can we create a condition using EQL or ESQL query to raise an alert?

such as

if there is any failed login more than twice then followed up by success it will raise?

{
  "query": """
    sequence by user.name with maxspan=10m
      [authentication where event.outcome == "failure"]
      [authentication where event.outcome == "failure"]
      [authentication where event.outcome == "success"]
      [authentication where event.category == "logoff"]
  """
}

can we like [authentication where event.outcome == "failure"] > 2?

or to raise an IoC that truly detect without any preventation action followed up?

sequence by source.ip
  [
    any where
      event.category in ("network", "malware") and
      event.action == "Detect" and
      (IOC)
  ]
  not followed by
  [
    any where
      event.category in ("network", "malware") and
      event.action == "Prevent" and
      (IOC)
  ]

Topic		Replies	Views
EQL correlation query help look up value within a message Elastic Security	6	469	February 7, 2022
EQL - Alert when Follow up event doesn't occur Elastic Security	3	576	June 20, 2023
EQL - Alert on different values for the same field in a sequence Elastic Security	7	1041	November 4, 2022
EQL query help SIEM eql-elastic-query-language	1	407	November 15, 2021
Event correlation rule for new user creation Elastic Agent elastic-stack-security	1	255	October 3, 2022

Create a condition in EQL/ES|QL query for alert

Related topics