I was trying to hunt for a specific behavior with EQL sequences and I have a question.
If events have the same exact timestamp EQL won't work.
Here is an example EQL query:

```
sequence by winlog.event_data.TargetUserName with maxspan=10s
  [iam where event.action: "added-computer-account"]
  [iam where event.action: "reset-password"]
  [iam where event.action: "changed-computer-account"]
  [iam where event.action: "enabled-user-account"]
```
I've gone through this; EQL requires the timestamps to differ.
My logs had a nanosecond field which I could use as a tiebreaker. The issue is that tiebreakers are not available within a detection.
I then used Logstash to create a new timestamp based on the time + nanoseconds so that I had a more granular time, redid the index template to date_nanos, and modified the index pattern to use the new field.
Then I find detections use @timestamp, not what's defined in the pattern (mine was @timestamp_nanos). I was considering flipping it so that @timestamp is nanos, but then the EQL guide states that date_nanos is not supported.
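As an added illustration (not code from the original post or from Elastic), the following is a simplified Python model of how an ordered `sequence by ... with maxspan` walk behaves when all four events share one second-resolution `@timestamp`, and how a finer-grained ordering key (a tiebreaker) lets the sequence complete. The event shapes, the `event.sequence` tiebreaker and the ordering rule are assumptions of the model, not a description of Elasticsearch internals.

```python
# Simplified model of an EQL-style ordered sequence match (added example).
STAGES = ["added-computer-account", "reset-password",
          "changed-computer-account", "enabled-user-account"]

def match_sequence(events, stages, key_field, maxspan, tiebreaker=None):
    """Return the join keys for which `stages` occur strictly in order.

    Model assumption: each next stage must sort strictly after the previous
    one by (@timestamp, tiebreaker); equal sort keys cannot be ordered and
    therefore do not advance the sequence, mirroring the behaviour the
    post describes for identical timestamps.
    """
    def sort_key(ev):
        return (ev["@timestamp"], ev.get(tiebreaker) if tiebreaker else 0)

    state = {}  # join key -> (next stage index, first ts, last sort key)
    matched = []
    for ev in sorted(events, key=sort_key):
        key = ev[key_field]
        idx, first_ts, last = state.get(key, (0, None, None))
        if idx > 0 and ev["@timestamp"] - first_ts > maxspan:
            idx, first_ts, last = 0, None, None  # maxspan window expired
        if ev["event.action"] != stages[idx]:
            continue  # not the stage we are waiting for
        if last is not None and sort_key(ev) <= last:
            continue  # same position in time: ordering cannot be proven
        if idx == 0:
            first_ts = ev["@timestamp"]
        idx += 1
        if idx == len(stages):
            matched.append(key)
            state.pop(key, None)
        else:
            state[key] = (idx, first_ts, sort_key(ev))
    return matched

# Constructed sample events: all four land in the same second for one account,
# with a constructed monotonically increasing event.sequence as tiebreaker.
EVENTS = [
    {"@timestamp": 1700000000, "event.sequence": n, "event.action": act,
     "winlog.event_data.TargetUserName": "WS01$"}
    for n, act in enumerate(STAGES, start=1)
]

if __name__ == "__main__":
    key = "winlog.event_data.TargetUserName"
    print(match_sequence(EVENTS, STAGES, key, 10))                      # []
    print(match_sequence(EVENTS, STAGES, key, 10, tiebreaker="event.sequence"))  # ['WS01$']
```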