Custom EQL Query where one event happened and another didnt

willemdh · February 7, 2022, 9:29pm

Hello,

Just wondering if it's possible to write an EQL query where event x happenend and event y did not happen for the same host after 0-2 minutes?

Use case => Detecting messing with Eventlog Service

Event ID 1100 is logged when the Eventlog service shuts down. I would like to throw an alert when the Eventlog service does not generate a 7036 with param1="EventLog" and param2="running" 0 - 2 minutes after the 1100.

Willem

system · March 7, 2022, 9:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
EQL - Alert when Follow up event doesn't occur Elastic Security	3	562	June 20, 2023
Alert when an event is not followed by another SIEM detection-rules	7	809	October 24, 2022
EQL Sequence doesn't correlate events having same exact timestamp? Elastic Security	5	748	June 9, 2021
EQL match event A only if event B does not occur within maxspan Elasticsearch eql-elastic-query-language	1	298	December 21, 2022
EQL query help SIEM eql-elastic-query-language	1	407	November 15, 2021

Custom EQL Query where one event happened and another didnt

Related topics