EQL Sequence doesn't correlate events having same exact timestamp?

hilo21 · May 1, 2021, 1:26am

Hello,

I was trying to hunt for a specific behavior with EQL sequences and I have a question.

If events have the same exact timestamp EQL won't work.

Here is an example EQL Query :

sequence by winlog.event_data.TargetUserName with maxspan=10s
  [iam where event.action: "added-computer-account"]
  [iam where event.action: "reset-password"] 
  [iam where event.action: "changed-computer-account"]
  [iam where event.action: "enabled-user-account"]

It doesn't give me any correlated events :

but in the discover panel i can see that it should be hence my question :

Can I look for sequences with events generated in any order ?

Thank you

probson · May 4, 2021, 8:38am

Ive gone through this, EQL equires the time stamps to differ
My logs had a nanosecond field which i could use as a tiebreaker. Issue is that tiebreakers are not available within a detection

I then used logstash to create a new timestamp based on the time + nanoseconds so that i had a more granular time, redid the index template to date_nanos and modified the index pattern to use the new field

Then find detections use @timestamp, not whats defined in the patteren (mine was @timestamp_nanos. I was considering flipping it so that @timestamp is nanos, then in the EQL guide it states date_nanos is not supported

Fun

probson · May 4, 2021, 8:40am

You can access tiebreaker settings via the settings button bottom right

hilo21 · May 9, 2021, 2:57pm

Thanks a lot

matriv · May 12, 2021, 9:02am

At @hilo21 There is an open issue for supporting date_nanos for @timestamp in EQL.
You can upvote it.

system · June 9, 2021, 9:03am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.