Hello there,
The way you are using EQL, it will give the same search results, but that's not its main purpose.
EQL is event-sequence aware, as it can correlate over the event time sequence, and you could create security-related rules based on that logic, for example:
5x failed logins followed by 1x successful login, grouped by the same user.name
sequence by user.name with maxspan=5m
  [ authentication where event.outcome == "failure" ] with runs=5
  [ authentication where event.outcome == "success" ]
This rule logic is not supported in normal search queries.
You can find more info and a testing environment for EQL-based rules at this link: https://eqlplayground.io/
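To make the contrast concrete, here is an added Python illustration (not Elastic's implementation and not code from this thread) that replays constructed login events through a plain count-based check and through an approximation of the sequence rule above. The per-user sliding window is a simplification of how Elasticsearch actually evaluates sequences; the point is that the count-based check flags both users while the ordered, time-bounded sequence flags only the real burst.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events (not from the thread). "alice" is a
# genuine burst; "bob" has the same counts but spread over 20 minutes.
SAMPLE_EVENTS = [
    {"@timestamp": f"2024-01-01T10:00:{s:02d}Z", "user.name": "alice", "event.outcome": "failure"}
    for s in (0, 10, 20, 30, 40)
] + [
    {"@timestamp": "2024-01-01T10:01:00Z", "user.name": "alice", "event.outcome": "success"},
] + [
    {"@timestamp": f"2024-01-01T09:{m:02d}:00Z", "user.name": "bob", "event.outcome": "failure"}
    for m in (0, 5, 10, 15, 20)
] + [
    {"@timestamp": "2024-01-01T09:21:00Z", "user.name": "bob", "event.outcome": "success"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def flat_search(events, runs=5):
    """What a plain (non-sequence) query can express: users with at least
    `runs` failures and a success anywhere in the data, order and timing ignored."""
    fails, succ = defaultdict(int), set()
    for ev in events:
        if ev["event.outcome"] == "failure":
            fails[ev["user.name"]] += 1
        elif ev["event.outcome"] == "success":
            succ.add(ev["user.name"])
    return sorted(u for u, n in fails.items() if n >= runs and u in succ)

def sequence_search(events, runs=5, maxspan=timedelta(minutes=5)):
    """Approximation of the EQL sequence from the post: `runs` consecutive
    failures then a success for the same user.name, all inside `maxspan`
    measured from the first failure of the run. Returns (user, first_fail, success)."""
    recent = defaultdict(deque)   # per-user sliding window of failure timestamps
    matches = []
    for ev in sorted(events, key=lambda e: parse_ts(e["@timestamp"])):
        user, ts = ev["user.name"], parse_ts(ev["@timestamp"])
        window = recent[user]
        if ev["event.outcome"] == "failure":
            window.append(ts)
            if len(window) > runs:
                window.popleft()   # keep only the last `runs` failures
        elif ev["event.outcome"] == "success":
            if len(window) == runs and ts - window[0] <= maxspan:
                matches.append((user, window[0], ts))
            window.clear()         # a success ends the run either way
    return matches
```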