I have an index that contain security evevts from endpoints.
In the index there is event 4688 (process creation) and 4689 (process termination).
There are the fields : event_id, process_name.
I want to find all of the 4689 events that occurred at the 20 seconds after the creation of event 4688 with process_name :"XXXX" on the same computer.
Is it possible to do this?
Depending on your kibana version, view surrounding documents may be able to help. You can find it by expanding a document on the discover tab:
It goes by document count instead of time range. If you need exactly 20 seconds you'll probably have to update the date picker exactly.
But I want to find all of them, not only a specific one.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
