Hi fellow log analysts
We have a simple EQL correlation rule which we use to identify password changes on critical accounts (eventlog based). It looks like this:
[ any where event.code == "4624" ] by winlog.event_data.TargetLogonId [ any where (event.code == "4724" or event.code == "4723") and (ad_account_source != null) and (winlog.event_data.TargetDomainName == "REDACTED") ] by winlog.event_data.SubjectLogonId until [ any where event.code == "4720" ] by winlog.event_data.SubjectLogonId
This generally works fine, but sometimes the EQL rule fails with a "Request timed out".
The index is pretty huge approx 100m docs. We already had to increase memory of our nodes to have elastic process the correlation. (3 nodes a 128GB RAM)
Any hints on this?