EQL match event A only if event B does not occur within maxspan

jyoung15 · November 23, 2022, 9:17pm

Hi,

My question is similar to https://discuss.elastic.co/t/creating-alert-when-event-didnt-occur/282195, which was never really resolved. I'm looking to see if there are any other suggestions how to handle this. Basically we need something like this:

sequence with maxspan=5m
  [ event A ]
  [ maxspan expires ]
until [ event B ]

For those familiar with SEC, this would be like the PairWithWindow rule where the first action is executed if the second event is not seen within the time window.

Is this possible?

system · December 21, 2022, 9:18pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
EQL - Alert when Follow up event doesn't occur Elastic Security	3	562	June 20, 2023
EQL query help SIEM eql-elastic-query-language	1	407	November 15, 2021
Eql with time range Elasticsearch eql-elastic-query-language	1	202	December 10, 2023
Aggregate on a sequence item in EQL Elasticsearch	2	347	January 18, 2021
Custom EQL Query where one event happened and another didnt SIEM eql-elastic-query-language	1	437	March 7, 2022

EQL match event A only if event B does not occur within maxspan

Related topics