Hi
Let's consider that we have the following event sequence:
A, A, A, C, A, B, B, B
Now I want an EQL query that matches exactly one A, B sequence. The A, B selection can be arbitrary, i.e., the following are, for instance, valid selections, but other combinations are possible:
- A, A, A, C, [A], [B], B, B
- A, [A], A, C, A, B, B, [B]
I thought I could use the until keyword, as follows:
sequence by ID
A
B
until A
However, this does not return any result. Is it possible to form an EQL query that fulfils my requirements?