For an EQL search like

```
GET winlogbeat*,logs-system*/_eql/search
{
  "query": """sequence with maxspan=60s
    [ any where true ]
    ![ any where event.action : "user_channel_join"]"""
}
```

The EQL search API returns the missing event as

```json
{
  "_index": "",
  "_id": "",
  "_source": {},
  "missing": true
}
```

which we didn't account for in the EQL rule. The EQL rule type includes fields that are common across all events in the sequence in the final alert, but this missing event has no fields at all, so it finds no fields that are common across all events.

We should probably look for common fields only from events in the sequence that are actually present. We should also consider only making building block alerts for events that are actually present in the sequence.

In timeline, the building block alerts and shell alert for the sequence

```
sequence by user.email, slack.audit.entity.name with maxspan=60s
  [ any where event.action : "public_channel_preview" ]
  ![ any where event.action : "user_channel_join"]
```

ends up looking like this:

![image](https://github.com/elastic/kibana/assets/55718608/d2cba175-8fe3-4213-8969-c442a1484ac7)
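The two changes proposed above, as an added TypeScript sketch that is not Kibana's own rule code: the `missing: true` placeholder is dropped before the common-field intersection is computed and before building block alerts are emitted. The `EqlHit` shape, the flattened field keys and the sample hits are constructed assumptions for the example.

```typescript
// Added example, not Kibana's own code. `EqlHit` mirrors what the EQL search
// API returns per sequence step, including the placeholder a negated step
// (`![ ... ]`) yields: empty _index/_id/_source plus `missing: true`.
interface EqlHit {
  _index: string;
  _id: string;
  _source: Record<string, unknown>;
  missing?: boolean;
}

// Events that actually matched. Building block alerts should only be created
// for these; the `missing: true` placeholder is not a real event.
function presentEvents(sequence: EqlHit[]): EqlHit[] {
  return sequence.filter((hit) => hit.missing !== true);
}

// Fields whose values are identical across the considered events.
// ignoreMissing=false reproduces the bug: the placeholder has no fields, so
// the intersection is always empty. ignoreMissing=true is the proposed fix.
function commonFields(sequence: EqlHit[], ignoreMissing = true): Record<string, unknown> {
  const considered = ignoreMissing ? presentEvents(sequence) : sequence;
  const common: Record<string, unknown> = {};
  const first = considered[0];
  if (first === undefined) return common;
  for (const [key, value] of Object.entries(first._source)) {
    const encoded = JSON.stringify(value); // structural comparison of values
    if (considered.every((hit) => JSON.stringify(hit._source[key]) === encoded)) {
      common[key] = value;
    }
  }
  return common;
}

// Constructed sample: one real hit for the first step of the page's
// `sequence by user.email, slack.audit.entity.name` query, then the placeholder
// for the negated `user_channel_join` step. Flattened (dotted) keys are assumed.
const sampleSequence: EqlHit[] = [
  {
    _index: 'logs-slack-constructed',
    _id: 'evt-1',
    _source: {
      'user.email': 'alice@example.com',
      'slack.audit.entity.name': 'private-channel',
      'event.action': 'public_channel_preview',
    },
  },
  { _index: '', _id: '', _source: {}, missing: true },
];
```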