Hi @Poukim0m, regarding your first question - that is correct. By default, when sequencing by a specific field, the EQL rule will indeed require that field to be present in the index/document. However, it is possible to specify optional fields by using the ? symbol. So in your use case, it would be possible to write a sequence similar to this, which will also run if the customer.name field is not present:
sequence by source.ip, user.name, destination.ip, ?customer.name with maxspan=5s
[ process where ... ] with runs = 10
Be aware of potential performance drops when using this feature.
With regards to your last comment, yes, that makes sense. When, for example, creating a sequence with runs=10, it will generate multiple signals. You can choose to turn the rule into a building block rule so it doesn't flood your detection rules dashboard. EQL sequence rule alerts do generate much more useful alerts than threshold rules, as they contain more data.
Ruben
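As an added illustration (not part of Ruben's reply or of Elastic's code), here is a small Python model of the sequence above: a single stage repeated `runs` times per join key within `maxspan`, run over constructed events. It assumes the documented EQL behaviour that an event missing a required by-field cannot join a sequence while a missing `?`-field joins with a null key, and it simplifies maxspan handling to "restart the window from the current event".

```python
# Constructed sample events (not from the original post); "ts" stands in for @timestamp (seconds).
def _ev(ts, src, user, dst, customer=None):
    e = {"ts": ts, "event.category": "process", "source.ip": src,
         "user.name": user, "destination.ip": dst}
    if customer:  # leave customer.name out of the document entirely when absent
        e["customer.name"] = customer
    return e

EVENTS = [
    _ev(0, "10.0.0.1", "alice", "10.0.0.9", "acme"),
    _ev(1, "10.0.0.1", "alice", "10.0.0.9", "acme"),
    _ev(2, "10.0.0.1", "alice", "10.0.0.9", "acme"),
    _ev(0, "10.0.0.2", "bob", "10.0.0.9"),  # customer.name missing
    _ev(1, "10.0.0.2", "bob", "10.0.0.9"),
    _ev(2, "10.0.0.2", "bob", "10.0.0.9"),
    _ev(0, "10.0.0.3", "carol", "10.0.0.9", "acme"),
    _ev(1, "10.0.0.3", "carol", "10.0.0.9", "acme"),
    _ev(9, "10.0.0.3", "carol", "10.0.0.9", "acme"),  # falls outside maxspan=5s
]
# Join keys as (field, optional) pairs; ("customer.name", True) models ?customer.name.
REQUIRED = [("source.ip", False), ("user.name", False),
            ("destination.ip", False), ("customer.name", False)]
OPTIONAL = REQUIRED[:-1] + [("customer.name", True)]

def join_key(event, keys):
    # None: a required by-field is missing, so the event cannot join any sequence.
    # A missing optional field (the `?` form) joins with a null value instead.
    key = []
    for field, optional in keys:
        if field not in event and not optional:
            return None
        key.append(event.get(field))
    return tuple(key)

def run_sequence(events, keys, stage, runs=3, maxspan=5):
    # Simplified `sequence by <keys> with maxspan=5s [stage] with runs=3`:
    # the same stage must fire `runs` times for one key within `maxspan` seconds.
    matches, partial = [], {}  # partial: key -> (hits so far, ts of first hit)
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = join_key(ev, keys)
        if key is None or not stage(ev):
            continue
        hits, start = partial.get(key, (0, ev["ts"]))
        if ev["ts"] - start > maxspan:  # window expired: restart from this event
            hits, start = 0, ev["ts"]
        hits += 1
        if hits == runs:
            matches.append(key)
            partial.pop(key, None)
        else:
            partial[key] = (hits, start)
    return matches
```

With `REQUIRED` only alice's events produce a match; with `OPTIONAL` bob's events, which lack customer.name, also match under a null customer key, while carol never matches because her third event is outside the window.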