EQL correlation query help look up value within a message

Hello! I want to created an Okta SSO authentication alert in Elastic.co based on geo-ip information. The query in LOGIC terms should look something like this:

If client.user.id {133713371337} event.outcome == "success" with source.ip {85.145.234.50}
and if client.user.id {111122223333} event.outcome == "success" with source.ip of client.user.id {133713371337, in this example: 85.145.234.50}

How should I convert this to an EQL correlation query?

So far I have been only able to construct a simple query like this one:

I am stuck on the methodology and video's/tutorials/manuals did not help me yet. Can someone please help me in the right direction?

Cheers!

Hey @krabel1ze!

Just want to make sure I've understood - do you want to check if two different users are logging in from the same source IP?

In that case, you'll want to use threshold based alerting, rather than EQL. Something like this:

James

Hi James and others,

Thank you. I can configure a threshold alert as a more generic rule. In other words, I can alert on any user who logged in from the same IP.

However, how would I configure this rule for two specific users (please note my initial start post)? How can I alert on if user with ID/name AAA uses the same IP as user with ID/name BBB?

Hey @krabel1ze ,

Apologies, didn't realise it was specific to those users.

In that case, EQL should work well. Right now, we support looking for a specific sequence of events, adding a rolling time window if you need.

You'll want something like:

sequence by source.ip
[authentication where client.user.id:"AAAAA" and event.outcome:"success"]
[authentication where client.user.id:"BBBBB" and event.outcome:"success"]

The "by" statement acts a join key here. This will only fire/match if the source IP address is the same for both events.

James

Thank you James!

This works.

Final question though, how would this EQL query look like if I want to alert on user(s) which does not have the same IP and event.outcome : "success" (one user which doesn't match with the other)?

Reason: I want to copy paste this EQL query in "Timelines" for hunting purposes.

Cheers!

Unfortunately, we don't support negative matches across EQL sequences just yet.