Hello,
Just wondering if it's possible to write an EQL query where event x happened and event y did not happen for the same host after 0-2 minutes?
Use case => Detecting messing with Eventlog Service
Event ID 1100 is logged when the Eventlog service shuts down. I would like to throw an alert when the Eventlog service does not generate a 7036 with param1="EventLog" and param2="running" 0 - 2 minutes after the 1100.
Willem
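One way to express the check described in the post, written as an added example in Python rather than EQL (this is not code from the original post): events are grouped per host, and for every 1100 the detector looks for a 7036 with param1="EventLog" and param2="running" from the same host within the following two minutes; a 1100 with no such restart event is reported. The event records and host names are constructed for the example, and the batch is assumed to cover the full window after each 1100.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real log data): host, ISO timestamp, event id, parameters.
SAMPLE_EVENTS = [
    {"host": "srv01", "ts": "2024-01-01T10:00:00", "event_id": 1100, "params": {}},
    {"host": "srv01", "ts": "2024-01-01T10:01:10", "event_id": 7036,
     "params": {"param1": "EventLog", "param2": "running"}},            # restart in time
    {"host": "srv02", "ts": "2024-01-01T10:00:00", "event_id": 1100, "params": {}},
    {"host": "srv02", "ts": "2024-01-01T10:03:00", "event_id": 7036,
     "params": {"param1": "EventLog", "param2": "running"}},            # restart too late
    {"host": "srv03", "ts": "2024-01-01T10:00:00", "event_id": 1100, "params": {}},
    {"host": "srv03", "ts": "2024-01-01T10:01:00", "event_id": 7036,
     "params": {"param1": "Spooler", "param2": "running"}},             # different service
]

WINDOW = timedelta(minutes=2)


def is_eventlog_restart(ev):
    """True for a 7036 that reports the EventLog service entering the running state."""
    p = ev["params"]
    return ev["event_id"] == 7036 and p.get("param1") == "EventLog" and p.get("param2") == "running"


def find_unrecovered_shutdowns(events, window=WINDOW):
    """Return (host, ts) for every 1100 that is not followed, on the same host,
    by a qualifying 7036 within `window` (0 to 2 minutes by default)."""
    by_host = {}
    for ev in sorted(events, key=lambda e: (e["host"], e["ts"])):
        by_host.setdefault(ev["host"], []).append(ev)

    alerts = []
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if ev["event_id"] != 1100:
                continue
            t0 = datetime.fromisoformat(ev["ts"])
            # Only later events on this host can satisfy the "y happened" side.
            recovered = any(
                is_eventlog_restart(later)
                and timedelta(0) <= datetime.fromisoformat(later["ts"]) - t0 <= window
                for later in evs[i + 1:]
            )
            if not recovered:
                alerts.append((host, ev["ts"]))
    return alerts


if __name__ == "__main__":
    for host, ts in find_unrecovered_shutdowns(SAMPLE_EVENTS):
        print(f"ALERT {host}: Eventlog shutdown (1100) at {ts} with no restart within 2 minutes")
```

In a live pipeline the same rule can only be decided once the two-minute window after a 1100 has elapsed, so a scheduled run over a lookback that extends at least that far past each 1100 is needed to avoid false alerts on shutdowns that have not had time to recover yet.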