My question is similar to https://discuss.elastic.co/t/creating-alert-when-event-didnt-occur/282195, which was never really resolved. I'm looking to see if there are any other suggestions on how to handle this. Basically we need something like this:
sequence with maxspan=5m [ event A ] [ maxspan expires ] until [ event B ]
For those familiar with SEC, this would be like the PairWithWindow rule where the first action is executed if the second event is not seen within the time window.
Is this possible?
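The PairWithWindow behaviour the question asks for (fire when event A is not followed by event B within the window; cancel silently if B arrives in time) is an absence check, which EQL's `until` does not provide: `until` expires a partially matched sequence rather than alerting on it. As an added illustration, not part of the original post and not Elastic code, here is a small stream correlator that implements that logic over a constructed event list. The event shape (`ts`, `kind`, `key`), the sample "service_stop" / "service_start" events, the host names and the 300 s window are all assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Event:
    """Minimal event record (assumed shape, not an Elastic document)."""
    ts: float   # epoch seconds
    kind: str   # event type, e.g. "service_stop"
    key: str    # correlation key, e.g. host name


def pair_with_window(
    events: Iterable[Event],
    start_kind: str,
    end_kind: str,
    maxspan: float,
    now: float,
) -> Tuple[List[Tuple[str, float]], Dict[str, float]]:
    """PairWithWindow-style absence detection.

    For every start event (A) keyed by ``key``, alert if no end event (B) with
    the same key arrives within ``maxspan`` seconds.  A timely B cancels the
    pending A.  ``events`` must be ordered by ``ts``; ``now`` is the wall-clock
    time at which the stream is evaluated, used to expire the last windows.

    Returns (alerts, still_pending):
      alerts        - list of (key, start_ts) whose window expired without B
      still_pending - keys whose window is still open at ``now``
    """
    pending: Dict[str, float] = {}
    alerts: List[Tuple[str, float]] = []

    def expire(cutoff: float) -> None:
        # Any A older than maxspan at `cutoff` has missed its B: raise alert.
        for key, t0 in list(pending.items()):
            if cutoff - t0 > maxspan:
                alerts.append((key, t0))
                del pending[key]

    for ev in events:
        expire(ev.ts)  # windows are checked against the stream clock
        if ev.kind == start_kind:
            # Keep the earliest A per key; a repeated A does not reset the window.
            pending.setdefault(ev.key, ev.ts)
        elif ev.kind == end_kind and ev.key in pending:
            del pending[ev.key]  # B seen in time: no alert
        # A late B (key no longer pending) is ignored: the alert already fired.

    expire(now)  # close out windows that ended before `now`
    return alerts, pending


# Constructed sample stream: a service stop must be followed by a start
# on the same host within 5 minutes (300 s).
SAMPLE_EVENTS = [
    Event(0.0, "service_stop", "host-1"),
    Event(60.0, "service_stop", "host-2"),
    Event(120.0, "service_start", "host-1"),   # host-1 restarted in time
    Event(400.0, "service_stop", "host-3"),
    Event(500.0, "service_start", "host-2"),   # host-2 restarted too late
]


def run_sample() -> Tuple[List[Tuple[str, float]], Dict[str, float]]:
    return pair_with_window(SAMPLE_EVENTS, "service_stop", "service_start",
                            maxspan=300.0, now=600.0)


if __name__ == "__main__":
    alerts, still_open = run_sample()
    for key, t0 in alerts:
        print(f"ALERT: {key} stopped at t={t0:.0f}s and did not restart within 300s")
    print("still within window:", still_open)
```

Run against the sample, host-2 produces the alert (its restart arrived 440 s after the stop), host-1 is cancelled by its timely restart, and host-3 remains pending because its window has not yet closed at `now=600`. In a real deployment the same loop would run on a schedule, with `now` taken from the clock and `pending` persisted between runs.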