EQL correlation rule is timing out...sometimes

Hi fellow log analysts

We have a simple EQL correlation rule which we use to identify password changes on critical accounts (event-log based). It looks like this:

sequence
  [ any where event.code == "4624" ] by winlog.event_data.TargetLogonId
  [ any where (event.code == "4724" or event.code == "4723") and (ad_account_source != null) and (winlog.event_data.TargetDomainName == "REDACTED") ] by winlog.event_data.SubjectLogonId
until [ any where event.code == "4720" ] by winlog.event_data.SubjectLogonId

This generally works fine, but sometimes the EQL rule fails with a "Request timed out".
The index is pretty huge, approx. 100M docs. We already had to increase the memory of our nodes to have Elastic process the correlation (3 nodes with 128 GB RAM each).

Any hints on this?
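An added Python model (not from the post and not Elastic's engine) of what the sequence above does, run over constructed sample events: the `by` key joins a 4624 to a later 4723/4724 with the same logon id, the `until` 4720 drops that key, and any 4624 whose key never reaches stage 2 stays in join state for as long as the sequence is unbounded; the `maxspan` parameter is the example's own stand-in for EQL's `with maxspan` window, and the flat field names are a simplification of the ECS paths in the rule.

```python
# Constructed sample Windows Security events (not taken from the post).
# target_logon mirrors TargetLogonId (4624), subject_logon mirrors SubjectLogonId.
EVENTS = [
    {"ts": 0,   "code": "4624", "target_logon": "0x1a", "subject_logon": None},
    {"ts": 2,   "code": "4624", "target_logon": "0x3c", "subject_logon": None},
    {"ts": 5,   "code": "4624", "target_logon": "0x2b", "subject_logon": None},
    {"ts": 30,  "code": "4724", "target_logon": None, "subject_logon": "0x1a",
     "domain": "REDACTED", "ad_account_source": "ldap"},
    {"ts": 40,  "code": "4720", "target_logon": None, "subject_logon": "0x2b"},
    {"ts": 900, "code": "4723", "target_logon": None, "subject_logon": "0x2b",
     "domain": "REDACTED", "ad_account_source": "ldap"},
]


def correlate(events, domain="REDACTED", maxspan=None):
    """Model of the post's two-stage EQL sequence with an `until` clause.

    Returns (matches, peak_open, still_open):
      matches    -- (logon_id, ts_of_4624, ts_of_password_change) tuples
      peak_open  -- most logon ids held in stage-1 state at any one time
      still_open -- logon ids still waiting when the stream ends
    `maxspan` (seconds) expires stage-1 state older than the window, which is
    what bounds the join state that an unbounded sequence keeps growing.
    """
    pending = {}  # logon id -> ts of the 4624 waiting for a 4723/4724
    matches, peak = [], 0
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if maxspan is not None:  # expire stage-1 entries outside the window
            pending = {k: t for k, t in pending.items() if e["ts"] - t <= maxspan}
        if e["code"] == "4624":
            pending[e["target_logon"]] = e["ts"]
        elif e["code"] == "4720":  # `until`: terminate the sequence for this key
            pending.pop(e["subject_logon"], None)
        elif (e["code"] in ("4723", "4724")
              and e.get("ad_account_source") is not None
              and e.get("domain") == domain):
            key = e["subject_logon"]
            if key in pending:  # stage 2 joined to the earlier 4624 by logon id
                matches.append((key, pending.pop(key), e["ts"]))
        peak = max(peak, len(pending))
    return matches, peak, len(pending)


if __name__ == "__main__":
    print("unbounded:", correlate(EVENTS))
    print("maxspan=60:", correlate(EVENTS, maxspan=60))
```

In the unbounded run the 4624 for logon id 0x3c is never released, while the 4723 at t=900 does not match because the 4720 already terminated 0x2b; with a 60-second window the stale entry is expired instead of being carried forever.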
