EQL query help

Billz1026 · October 18, 2021, 10:35am

Hi All,

I am using EQL to write detection rues. I have a sequence of evens as follows.
Event A
Event B
Event C

I want to raise an alert if the time between Event A and Event C exceeds 30 seconds. I tried with maxspan keyword but it only gives the upper bound but here I want lower bound limitation.

Please guide me

Thanks in advance.
Billz

system · November 15, 2021, 10:36am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
EQL match event A only if event B does not occur within maxspan Elasticsearch eql-elastic-query-language	1	298	December 21, 2022
Eql with time range Elasticsearch eql-elastic-query-language	1	202	December 10, 2023
EQL - Alert when Follow up event doesn't occur Elastic Security	3	562	June 20, 2023
Custom EQL Query where one event happened and another didnt SIEM eql-elastic-query-language	1	437	March 7, 2022
Aggregate on a sequence item in EQL Elasticsearch	2	347	January 18, 2021

EQL query help

Related topics