Threshold detection rule - limitation of group by fields


I want to implement a threshold detection rule that aggregates more than 3 fields in the "Group by" section of rule definition. But there seems to be a limitation of 3 fields as i get an error message "Number of fields must be 3 or less." Is there any workaround? E.g I want to detect multiple failed logins from same source same user same destination and customername.

Hi Poukim0m. Thanks for reaching out.

I think that what you are looking for is an EQL sequence, rather than a threshold query. By using a sequence, you can use the by join keyword to look for matching documents. An example would look something like the following:

sequence by source.ip,, destination.ip, with maxspan=5s 
[ process where ... ] with runs = 10



Hello @Ruben_Groenewoud.
Thank you for your answer!
I suppose that this works if is present in all indexes that the rule applies on. Otherwise it is applicable only when the customer name value is present. Correct?
Also, i tested it and found that same logic in threshold rule provides one single alert and in EQL correlation rule 19 alerts. runs = 10 is applied on the rule

1 Like

Hi @Poukim0m, regarding your first question - that is correct. By default, when sequencing by a specific field, the EQL rule will indeed require that field to be present in the index/document. However, it is possible to specify optional fields by using the ? symbol. So in your usecase, it would be possible to write a sequence similar to this, which will also run if the field is not present:

sequence by source.ip,, destination.ip, ? with maxspan=5s 
[ process where ... ] with runs = 10

Be aware of potential performance drops when using this feature.

With regards to your last comment, yes that makes sense. When for example creating sequence with runs=10, it will generate multiple signals. You can choose to turn the rule into a building block rule so it doesn't flood your detection rules dashboard. EQL sequence rule alerts do generate much more useful alerts than threshold rules, as they contain more data.


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.