Look back time and maxspan in eql

Hi, Need some kind help.

Do I need to schedule a 1 hour look-back time if I'm using maxspan=1hour to trace a sequence of events in EQL?

Thank you

Hi @Esha! That's a great question. We go over some of this configuration in general in our rule scheduling docs, but it's not explicit how other features may interact with that configuration.

The answer to your question is that it depends on the situation, but yes, you probably want a longer look-back time configured if you're trying to find sequences with maxspan=1h.

The window of data on which a rule executes (all rules, not just EQL rules) is defined as: interval + lookback, so if your rule executes every hour (interval=1h) and has an additional look-back time of 5 minutes (lookback=5m), each execution will be looking at the last 65 minutes of data.

If the rule executed every 30m, and still had lookback=5m, you could still find sequences within the specified maxspan=1h, but those sequences would never have an actual span exceeding 35 minutes.

In short: you'll need to configure the combination of interval, lookback, and maxspan to fit your use case, but hopefully the above information will help!
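The interval/look-back/maxspan interaction described in the answer above, worked through as an added example (not code from the thread or from Elastic). It assumes the simplified scheduling model the answer gives: each execution queries `interval + lookback` of data ending at the execution time, and consecutive executions are exactly `interval` apart; real-world delays and gap remediation are not modelled. The event timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed model (from the thread): every execution at time T queries the
# data range [T - interval - lookback, T]. Nothing else is modelled.

def effective_window(interval: timedelta, lookback: timedelta) -> timedelta:
    """Amount of data a single rule execution queries: interval + lookback."""
    return interval + lookback


def max_observable_span(interval: timedelta, lookback: timedelta,
                        maxspan: timedelta) -> timedelta:
    """Longest sequence span a single execution could ever return.

    A sequence cannot be longer than the window it is found in, nor longer
    than maxspan, so this is the smaller of the two.
    """
    return min(maxspan, effective_window(interval, lookback))


def guaranteed_span(interval: timedelta, lookback: timedelta,
                    maxspan: timedelta) -> timedelta:
    """Longest span that is guaranteed to fall entirely inside SOME window.

    Consecutive windows overlap by exactly `lookback`, so a sequence longer
    than the look-back can straddle two windows and be seen by neither.
    """
    return min(maxspan, lookback)


def execution_windows(first_run: datetime, last_run: datetime,
                      interval: timedelta, lookback: timedelta):
    """Yield (window_start, window_end) for each execution from first_run
    to last_run, executions being `interval` apart."""
    t = first_run
    while t <= last_run:
        yield (t - interval - lookback, t)
        t += interval


def sequence_detected(events, interval: timedelta, lookback: timedelta,
                      maxspan: timedelta, first_run: datetime,
                      last_run: datetime) -> bool:
    """True if the sequence fits within maxspan AND every event of it lands
    inside at least one execution window (the EQL sequence can only be
    assembled from events returned by the same execution)."""
    first, last = min(events), max(events)
    if last - first > maxspan:
        return False
    return any(ws <= first and last <= we
               for ws, we in execution_windows(first_run, last_run,
                                               interval, lookback))


# Constructed sample: two events 50 minutes apart, rule runs hourly.
BASE = datetime(2024, 1, 1, 0, 0, 0)
SAMPLE_EVENTS = [BASE + timedelta(minutes=40), BASE + timedelta(minutes=90)]
H, M = timedelta(hours=1), timedelta(minutes=1)

if __name__ == "__main__":
    print("window per run (1h/5m):", effective_window(H, 5 * M))
    print("max observable span (30m/5m/1h):", max_observable_span(30 * M, 5 * M, H))
    print("guaranteed span (1h/5m/1h):", guaranteed_span(H, 5 * M, H))
    print("detected with lookback=5m:",
          sequence_detected(SAMPLE_EVENTS, H, 5 * M, H, BASE, BASE + 3 * H))
    print("detected with lookback=1h:",
          sequence_detected(SAMPLE_EVENTS, H, H, H, BASE, BASE + 3 * H))
```

The point the simulation makes explicit: with interval=1h and lookback=5m each run does look at 65 minutes of data, but a 50-minute sequence can still sit across the boundary between two runs and be missed; raising the look-back to the maxspan is what makes a sequence of that length guaranteed to land inside one window.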
