EQL correlation rule is timing out...sometimes

gweiss76 · October 14, 2022, 1:21pm

Hi fellow log analysts

We have a simple EQL correlation rule which we use to identify password changes on critical accounts (eventlog based). It looks like this:

[ any where event.code == "4624" ] by winlog.event_data.TargetLogonId
[ any where (event.code == "4724" or event.code == "4723") and (ad_account_source != null) and (winlog.event_data.TargetDomainName == "REDACTED") ] by winlog.event_data.SubjectLogonId
until [ any where event.code == "4720" ] by winlog.event_data.SubjectLogonId

This generally works fine, but sometimes the EQL rule fails with a "Request timed out".
The index is pretty huge approx 100m docs. We already had to increase memory of our nodes to have elastic process the correlation. (3 nodes a 128GB RAM)

Any hints on this?

system · November 11, 2022, 1:22pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Is Kibana EQL Rule Using Async Search? Elastic Security eql-elastic-query-language	5	510	January 4, 2023
Event correlation rule for new user creation Elastic Agent elastic-stack-security	1	243	October 3, 2022
Threat Intel Indicator Rule: Request timed out Elastic Security	3	493	March 7, 2022
Event correlation (with EQL) Elastic Observability eql-elastic-query-language	1	703	August 9, 2023
Security rules failing (timed out) all the time SIEM detection-rules	6	2379	November 29, 2021

EQL correlation rule is timing out...sometimes

Related topics