Hi, so I'm having some issues with my EQL detection rules. One of the use cases I'm running with is a possible BF attempt on a Windows host.
I currently have the following EQL in place, which returns results fine in Timeline...
sequence by user.name with maxspan = 2m
[any where event.code == "4625"]
[any where event.code == "4625"]
[any where event.code == "4625"]
[any where event.code == "4624"]
However, when I use this same query in a security detection rule, it never triggers, despite seeing logs in Discover that match at the time and also verifying the query within Timeline.
There's a recent post discussing how rule scheduling works with EQL's maxspan key; you may find your answer there. If your query works elsewhere, then it's possible that the rule cannot "see" the full sequence of events due to how it's configured. If you're able to share the rule configuration, we could make that determination.
Another common issue that could be in play here is ingestion delay. If, e.g., your events are taking 4 minutes to become searchable in Elasticsearch, then most of the events won't be available when your rule looks at the last 5 minutes of data (they would later be available in Discover, though).
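To make the "rule can't see the full sequence" point concrete, here is an added example that is not part of this thread: a small Python model of the posted sequence (three 4625 then one 4624, joined on user.name, maxspan 2m) run over constructed Windows logon events, with the scheduled rule's window applied on top. It assumes a constructed `ingested_at` field (not a standard ECS field) standing for the moment a document becomes searchable, and it deliberately simplifies EQL's sequence semantics (no `until`, one candidate advanced per event). The scenario mirrors the reply: a 4-minute ingestion delay against a rule that runs every 5 minutes and looks back 5 minutes over @timestamp.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable


@dataclass(frozen=True)
class Event:
    timestamp: datetime    # @timestamp (time the logon event happened)
    ingested_at: datetime  # constructed field: when the doc became searchable
    user_name: str         # user.name (the sequence join key)
    code: str              # event.code


T0 = datetime(2024, 1, 1, 12, 0, 0)
MAXSPAN = timedelta(minutes=2)

# The posted sequence: three failed logons (4625) followed by a success (4624).
STEPS: list[Callable[[Event], bool]] = [
    lambda e: e.code == "4625",
    lambda e: e.code == "4625",
    lambda e: e.code == "4625",
    lambda e: e.code == "4624",
]


def make_events(lag: timedelta) -> list[Event]:
    """Constructed sample data: alice fails three times then succeeds within 90s;
    bob is noise with a single failure. `lag` is the ingestion delay."""
    raw = [(0, "alice", "4625"), (20, "alice", "4625"), (45, "bob", "4625"),
           (60, "alice", "4625"), (90, "alice", "4624"), (100, "bob", "4624")]
    return [Event(T0 + timedelta(seconds=s), T0 + timedelta(seconds=s) + lag, u, c)
            for s, u, c in raw]


def match_sequence(events: list[Event], steps, maxspan: timedelta) -> list[list[Event]]:
    """Simplified model of `sequence by user.name with maxspan=...`.
    Per join key, events are walked in time order. An event advances the oldest
    in-flight candidate whose next step it satisfies; otherwise, if it satisfies
    step 1, it opens a new candidate. Candidates whose span from their first event
    exceeds maxspan are discarded before the event is considered."""
    in_flight: dict[str, list[list[Event]]] = {}
    matches: list[list[Event]] = []
    for e in sorted(events, key=lambda x: x.timestamp):
        cands = in_flight.setdefault(e.user_name, [])
        cands[:] = [c for c in cands if e.timestamp - c[0].timestamp <= maxspan]
        for c in cands:
            if steps[len(c)](e):
                c.append(e)
                if len(c) == len(steps):
                    matches.append(c)
                    cands.remove(c)
                break
        else:
            if steps[0](e):
                cands.append([e])
    return matches


def visible_to_rule(events: list[Event], run_at: datetime, lookback: timedelta) -> list[Event]:
    """What one scheduled execution can query: documents that are already searchable
    at run_at, restricted to @timestamp within [run_at - lookback, run_at]."""
    return [e for e in events
            if e.ingested_at <= run_at and run_at - lookback <= e.timestamp <= run_at]


def rule_hits(lag: timedelta, run_at: datetime, lookback: timedelta) -> int:
    """Completed sequences a single rule execution would alert on."""
    return len(match_sequence(visible_to_rule(make_events(lag), run_at, lookback), STEPS, MAXSPAN))


def scenario() -> dict[str, int]:
    five, ten = timedelta(minutes=5), timedelta(minutes=10)
    return {
        # Discover/Timeline later on: everything searchable, no scheduling window.
        "timeline_all_data": len(match_sequence(make_events(timedelta(minutes=4)), STEPS, MAXSPAN)),
        # No ingestion delay: a 5m interval / 5m look-back rule sees the whole sequence.
        "no_lag_5m_window": rule_hits(timedelta(0), T0 + five, five),
        # 4m delay: the first run sees only the early 4625s, the 4624 is not searchable yet...
        "lag4m_run_at_5m": rule_hits(timedelta(minutes=4), T0 + five, five),
        # ...and the next run's 5m window no longer covers the events' @timestamp.
        "lag4m_run_at_10m": rule_hits(timedelta(minutes=4), T0 + ten, five),
        # Widening the look-back so it covers delay + maxspan recovers the match.
        "lag4m_run_at_10m_lookback10m": rule_hits(timedelta(minutes=4), T0 + ten, ten),
    }


if __name__ == "__main__":
    for name, hits in scenario().items():
        print(f"{name:30s} -> {hits} sequence(s)")
```

The takeaway for the rule configuration: the window a single execution queries must be wider than the ingestion delay plus the sequence's maxspan, otherwise the sequence is either incomplete when the rule runs or already outside the window on the next run, even though the same query matches in Timeline. In Kibana this is what the rule's "Additional look-back time" setting controls; checking actual ingestion lag (difference between event time and the time the document appears in Discover) tells you how much to add.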