I am trying to build a sequence, as an example to look for multiple different user.names from the same host over a period of time. How would I go about this: condition 2 user.name != condition 1 user.name? There are a number of scenarios this would be useful for; I have looked through the documentation but cannot find what I am looking for.
sequence by source.ip with maxspan=30s
[ authentication where event.action:"logon-failed" and source.ip != "127.0.0.1" ]
[ authentication where event.action:"logon-failed" and source.ip != "127.0.0.1" ]
With the EQL as of 7.10, there's no way to do the != check, but you can use by for the == check. What you're looking for will depend on the filter pipe, which is not yet implemented in Elasticsearch.
If you want to see some examples of how the filter pipe works for Elastic Endgame, here is its documentation.
I think at this point, it's best to treat Endgame EQL as separate, and not a roadmap for Elasticsearch EQL.
We are exploring options to see if there's a better way to address this use case within or outside of EQL.
One feature that's under development is adding a concept of cardinality to threshold rules within the detection engine. Within that you'll be able to say this:
Group by source.ip
Limit to groups with at least 2 documents
Make sure there are at least 2 unique values for user.name
I think when that functionality is available, it'll be the best way to solve your current use case.
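The grouped cardinality check described in this answer, written out as a standalone Python example (added here; it is not code from the thread or from Elastic): it applies the same filter as the question's sequence, groups events by source.ip, and flags hosts with at least two documents and at least two distinct user.name values inside a 30 s window. The sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events in ECS field naming (not real data).
EVENTS = [
    {"@timestamp": "2020-11-01T10:00:00Z", "event.action": "logon-failed", "source.ip": "10.0.0.5", "user.name": "alice"},
    {"@timestamp": "2020-11-01T10:00:10Z", "event.action": "logon-failed", "source.ip": "10.0.0.5", "user.name": "alice"},
    {"@timestamp": "2020-11-01T10:00:20Z", "event.action": "logon-failed", "source.ip": "10.0.0.5", "user.name": "bob"},
    {"@timestamp": "2020-11-01T10:00:05Z", "event.action": "logon-failed", "source.ip": "10.0.0.9", "user.name": "carol"},
    {"@timestamp": "2020-11-01T10:05:00Z", "event.action": "logon-failed", "source.ip": "10.0.0.9", "user.name": "dave"},
    {"@timestamp": "2020-11-01T10:00:30Z", "event.action": "logon-failed", "source.ip": "127.0.0.1", "user.name": "root"},
    {"@timestamp": "2020-11-01T10:00:31Z", "event.action": "logon-failed", "source.ip": "127.0.0.1", "user.name": "svc"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def distinct_users_in_window(events, maxspan_seconds=30, min_docs=2, min_users=2):
    """Return {source.ip: sorted user names} for hosts where, within any
    maxspan_seconds window, at least min_docs logon-failed events carry at
    least min_users distinct user.name values. This is the "group by source.ip,
    >= 2 documents, >= 2 unique user.name" check from the answer, with the
    sequence's maxspan standing in for a threshold rule's lookback period."""
    maxspan = timedelta(seconds=maxspan_seconds)
    by_ip = defaultdict(list)
    for e in events:
        # Same filter as the question's sequence: failed logons, loopback excluded.
        if e["event.action"] != "logon-failed" or e["source.ip"] == "127.0.0.1":
            continue
        by_ip[e["source.ip"]].append((parse_ts(e["@timestamp"]), e["user.name"]))

    hits = {}
    for ip, rows in by_ip.items():
        rows.sort()  # chronological order so a sliding window can be used
        start = 0
        for end in range(len(rows)):
            # Shrink the window from the left until it fits inside maxspan.
            while rows[end][0] - rows[start][0] > maxspan:
                start += 1
            window = rows[start:end + 1]
            users = {name for _, name in window}
            if len(window) >= min_docs and len(users) >= min_users:
                hits.setdefault(ip, set()).update(users)
    return {ip: sorted(names) for ip, names in hits.items()}
```

With the sample data only 10.0.0.5 is flagged: 10.0.0.9 also shows two user names, but they are five minutes apart, so they never share a 30 s window.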
Cardinality would be very nice to have; I used it with ElastAlert in the past. At the moment I've been trying to look at using ML and the high_distinct_count to do something similar.