Hi,
Can we create a condition using an EQL or ES|QL query to raise an alert?
For example, if there are failed logins more than twice, followed by a success, will it raise?
{
"query": """
sequence by user.name with maxspan=10m
[authentication where event.outcome == "failure"]
[authentication where event.outcome == "failure"]
[authentication where event.outcome == "success"]
[any where event.category == "logoff"]
"""
}
Can we do something like [authentication where event.outcome == "failure"] > 2?
Or raise on an IoC that was truly detected without any prevention action following it?
sequence by source.ip
[
any where
event.category in ("network", "malware") and
event.action == "Detect" and
(IOC)
]
not followed by
[
any where
event.category in ("network", "malware") and
event.action == "Prevent" and
(IOC)
]
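The two conditions asked about, as an added example that is not part of the original post: the first is written with EQL's `with runs=N` step repetition instead of copying the failure step, the second with a missing-event step (`![ ... ]`), which recent Elasticsearch versions accept in sequences; check the EQL syntax reference for your version. The `(IOC)` filter from the question is left out, as is the logoff step. The Python functions are a simplified model of the same two conditions run over constructed sample events, so the matches can be checked offline; they model the intent, not the EQL engine's partial-sequence bookkeeping, and the field names, users, IPs and timestamps are made up.

```python
"""Added example: the two EQL conditions from the question plus a small
Python model of each, run over constructed sample events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Q1: "failed login more than twice, then a success" for the same user within
# 10 minutes.  `with runs=3` runs the failure step three times in a row, so
# three failure events (more than twice) must precede the success.
FAILED_THEN_SUCCESS_EQL = """
sequence by user.name with maxspan=10m
  [ authentication where event.outcome == "failure" ] with runs=3
  [ authentication where event.outcome == "success" ]
"""

# Q2: a Detect that is NOT followed by a Prevent.  EQL has no "not followed by"
# keyword; a missing-event step written as ![ ... ] makes the sequence match
# only if no event satisfying that step occurs in that position within maxspan.
# The IoC filter from the question is omitted (assumption: it would be ANDed in).
DETECT_WITHOUT_PREVENT_EQL = """
sequence by source.ip with maxspan=15m
  [ any where event.category in ("network", "malware") and event.action == "Detect" ]
  ![ any where event.category in ("network", "malware") and event.action == "Prevent" ]
"""


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample authentication events (not real logs), in timestamp order.
AUTH_EVENTS = [
    {"@timestamp": _t("2024-05-01T10:00:00"), "user.name": "alice", "event.outcome": "failure"},
    {"@timestamp": _t("2024-05-01T10:01:00"), "user.name": "alice", "event.outcome": "failure"},
    {"@timestamp": _t("2024-05-01T10:02:00"), "user.name": "bob",   "event.outcome": "failure"},
    {"@timestamp": _t("2024-05-01T10:02:30"), "user.name": "alice", "event.outcome": "failure"},
    {"@timestamp": _t("2024-05-01T10:03:00"), "user.name": "alice", "event.outcome": "success"},  # 3 failures then success: match
    {"@timestamp": _t("2024-05-01T10:04:00"), "user.name": "bob",   "event.outcome": "success"},  # only 1 failure: no match
    {"@timestamp": _t("2024-05-01T11:00:00"), "user.name": "carol", "event.outcome": "failure"},
    {"@timestamp": _t("2024-05-01T11:01:00"), "user.name": "carol", "event.outcome": "failure"},
    {"@timestamp": _t("2024-05-01T11:02:00"), "user.name": "carol", "event.outcome": "failure"},
    {"@timestamp": _t("2024-05-01T11:20:00"), "user.name": "carol", "event.outcome": "success"},  # outside 10m maxspan: no match
]


def failed_then_success(events, min_failures=3, maxspan=timedelta(minutes=10)):
    """Model of FAILED_THEN_SUCCESS_EQL: users whose last `min_failures`
    failures all fall within `maxspan` of a following success.  A success
    resets the failure run (the brute-force reading of the question)."""
    runs = defaultdict(list)  # user -> failure timestamps since the last success
    hits = set()
    for ev in events:
        user = ev["user.name"]
        if ev["event.outcome"] == "failure":
            runs[user].append(ev["@timestamp"])
        elif ev["event.outcome"] == "success":
            recent = runs[user][-min_failures:]
            if len(recent) == min_failures and ev["@timestamp"] - recent[0] <= maxspan:
                hits.add(user)
            runs[user] = []
    return hits


# Constructed sample endpoint/network events (not real logs), in timestamp order.
EDR_EVENTS = [
    {"@timestamp": _t("2024-05-01T12:00:00"), "source.ip": "10.0.0.5", "event.category": "malware", "event.action": "Detect"},
    {"@timestamp": _t("2024-05-01T12:00:05"), "source.ip": "10.0.0.5", "event.category": "malware", "event.action": "Prevent"},  # handled
    {"@timestamp": _t("2024-05-01T12:10:00"), "source.ip": "10.0.0.9", "event.category": "network", "event.action": "Detect"},  # never prevented
    {"@timestamp": _t("2024-05-01T12:11:00"), "source.ip": "10.0.0.9", "event.category": "network", "event.action": "Allow"},
    {"@timestamp": _t("2024-05-01T12:30:00"), "source.ip": "10.0.0.7", "event.category": "malware", "event.action": "Prevent"},  # earlier Prevent does not count
    {"@timestamp": _t("2024-05-01T12:31:00"), "source.ip": "10.0.0.7", "event.category": "malware", "event.action": "Detect"},
]


def detect_without_prevent(events, maxspan=timedelta(minutes=15)):
    """Model of DETECT_WITHOUT_PREVENT_EQL: source IPs with a Detect that no
    Prevent follows within `maxspan`.  Only Prevent events after the Detect
    count, so a Prevent that came earlier does not clear a later Detect."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["event.category"] in ("network", "malware"):
            by_ip[ev["source.ip"]].append(ev)
    unanswered = set()
    for ip, evs in by_ip.items():
        for i, ev in enumerate(evs):
            if ev["event.action"] != "Detect":
                continue
            prevented = any(
                later["event.action"] == "Prevent"
                and later["@timestamp"] - ev["@timestamp"] <= maxspan
                for later in evs[i + 1:]
            )
            if not prevented:
                unanswered.add(ip)
    return unanswered


if __name__ == "__main__":
    print("failed-then-success users:", sorted(failed_then_success(AUTH_EVENTS)))
    print("detect without prevent:", sorted(detect_without_prevent(EDR_EVENTS)))
```

Both are EQL rather than ES|QL because ES|QL has no sequence operator; an ES|QL rule could only count Detect and Prevent events per source.ip with STATS, which loses the "followed by" ordering that the Python model and the missing-event step keep. The maxspan on the second query is required in practice, since "not followed by" with no time bound would never be decidable on a live stream.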