The detection engine is the built-in feature to detect security-related threats. There are many advantages to using this type of detection, e.g. that you can follow up immediately and put the created alert into an investigation status.
Watcher is a very generic way of doing alerting. That's powerful, but it comes with complexity in setting it up.
To build your requirement in the detection engine, navigate to Detections under Elastic Security (>v7.9) and click on Manage detection rules.
There you are able to create a new rule. Choose "threshold rule".
In the query bar you filter for every login event that's older than 30d (now-30d). I don't have the exact query at hand, but you will get it. It's easy.
Now you just need to add the group-by field, which is your user.name, and a threshold > 0.
After creating that rule you will get an alert every time someone was active one month ago. Is that what you want to achieve?
Thinking more about it, you probably want to observe the duration between two logins of the same user.
For that you need to use a transform first to calculate the time between two events of the same user.
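The two approaches in the reply above, emulated in Python as an added example (this is not the poster's code and not Elastic's rule engine): `threshold_rule_hits` reproduces the threshold rule (login events older than now-30d, grouped by `user.name`, threshold > 0) and shows that it fires for every user who had any login a month ago, including users who kept logging in since; `login_gaps_days` does what the suggested transform would do, computing the time between consecutive logins of the same user, so that `reactivated_after_gap` only flags a user who came back after more than 30 days of inactivity. The ECS-style field names, the sample documents and the fixed "now" are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample documents with ECS-style field names (not taken from the original post).
# alice logs in, disappears for 45 days, then returns; bob logs in steadily; carol logged in
# once in January and only has a logout afterwards.
EVENTS = [
    {"@timestamp": "2021-01-05T08:00:00Z", "user.name": "alice", "event.action": "logged-in"},
    {"@timestamp": "2021-01-06T08:00:00Z", "user.name": "alice", "event.action": "logged-in"},
    {"@timestamp": "2021-02-20T08:00:00Z", "user.name": "alice", "event.action": "logged-in"},
    {"@timestamp": "2021-02-27T08:00:00Z", "user.name": "alice", "event.action": "logged-in"},
    {"@timestamp": "2021-01-20T09:00:00Z", "user.name": "bob", "event.action": "logged-in"},
    {"@timestamp": "2021-02-01T09:00:00Z", "user.name": "bob", "event.action": "logged-in"},
    {"@timestamp": "2021-02-10T09:00:00Z", "user.name": "bob", "event.action": "logged-in"},
    {"@timestamp": "2021-02-20T09:00:00Z", "user.name": "bob", "event.action": "logged-in"},
    {"@timestamp": "2021-02-28T09:00:00Z", "user.name": "bob", "event.action": "logged-in"},
    {"@timestamp": "2021-01-10T10:00:00Z", "user.name": "carol", "event.action": "logged-in"},
    {"@timestamp": "2021-02-25T10:00:00Z", "user.name": "carol", "event.action": "logged-out"},
]

# Fixed evaluation time so the example is reproducible (assumption for the example).
NOW = datetime(2021, 3, 1, tzinfo=timezone.utc)


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def login_events(events):
    """Keep only login events; this is the filter part of the rule query."""
    return [e for e in events if e["event.action"] == "logged-in"]


def threshold_rule_hits(events, now=NOW, lookback=timedelta(days=30)):
    """Emulate the threshold rule described in the reply: query for login events with
    @timestamp < now-30d, group by user.name, threshold > 0.

    Returns the set of user names that would produce an alert. Any user with at least one
    login older than 30 days is included, even if they logged in again yesterday.
    """
    counts = defaultdict(int)
    for e in login_events(events):
        if parse_ts(e["@timestamp"]) < now - lookback:
            counts[e["user.name"]] += 1
    return {user for user, n in counts.items() if n > 0}


def login_gaps_days(events):
    """Emulate the transform step: per user, sort the logins by time and compute the
    gap in whole days between each pair of consecutive logins.

    Returns {user.name: [gap_days, ...]}; a user with a single login has an empty list.
    """
    by_user = defaultdict(list)
    for e in login_events(events):
        by_user[e["user.name"]].append(parse_ts(e["@timestamp"]))
    gaps = {}
    for user, stamps in by_user.items():
        stamps.sort()
        gaps[user] = [(later - earlier).days for earlier, later in zip(stamps, stamps[1:])]
    return gaps


def reactivated_after_gap(events, max_gap_days=30):
    """Users who logged in again after more than max_gap_days without any login,
    i.e. the condition the transform-based rule would alert on."""
    return {
        user
        for user, gaps in login_gaps_days(events).items()
        if any(gap > max_gap_days for gap in gaps)
    }


if __name__ == "__main__":
    print("threshold rule alerts on:", sorted(threshold_rule_hits(EVENTS)))
    print("login gaps in days:", login_gaps_days(EVENTS))
    print("returned after >30 days of inactivity:", sorted(reactivated_after_gap(EVENTS)))
```

Running it shows the difference the reply is getting at: the threshold rule alerts on alice, bob and carol, because each of them has some login older than 30 days, while the gap-based logic only flags alice, the one user who actually came back after more than a month away.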