Hey,
I'm trying to implement a rule with eql where I only want to get an alert when a follow up event doesn't occur within a certain time frame. Unfortunately it's not really doing what I'm hoping.
Is there any way how to fix this?
sequence by host.name with maxspan=5m
[process where event.code == xxxx]
[process where event.code != yyyy]
Thanks a lot in advance!
Hey there @lilow! 
Welcome to the community! 
So unfortunately it looks like there is no easy way to do this at the moment. There was a similar thread over here that mentions there is work underway to support this though.
Though as mentioned by this other user, you may be able to implement this another way depending on your configuration.
Hope this helps!
Cheers!
Garrett
edit: For reference, this looks like the public issue/PR you'll want to follow for when this feature will be available.
Just an update: support for missing events in sequences has just been merged and will be available in the 8.9 release!
Additional details here: https://github.com/elastic/eql/issues/21#issuecomment-1598724072
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.