Help with EQL Rule to Detect Unauthorized State Transitions for Traffic Lights

RylandHerrick · December 17, 2024, 11:14pm

@Kuly2Fraise this may be due to the hyphen in the field name (best practices ); try escaping the fieldname with backticks.

Regarding the "empty response:"

Can you please share the full query that you're using?
Have you eliminated any broader issues like missing/conflicting mappings? Are you able to e.g. retrieve results with sequence [any where event.light_state != null] [any where event.light_state != null]
Can you verify that the data contains the sequence that you're looking for? Remember that they have to be sequential by @timestamp, and (now) contain the same event.wlan-src key.

Topic		Replies	Views
Detection of a behavior preceded or followed by an event type Elastic Security detection-rules	2	541	September 20, 2021
How to detect network scan using EQL Elasticsearch	5	1791	April 7, 2021
EQL - Alert when Follow up event doesn't occur Elastic Security	3	566	June 20, 2023
EQL: Get only one match (no overlap) Elastic Security eql-elastic-query-language	1	278	October 21, 2022
EQL - Alert on different values for the same field in a sequence Elastic Security	7	1005	November 4, 2022