[EventLog] make use of EQL in event log query #68641
Labels: discuss, Feature:EventLog, Team:ResponseOps
While working on PR #57446, I noticed in the weekly ES updates a note about EQL, and decided to take a look:
I think we can take advantage of this in some follow-on work to the PR referenced above. That PR is adding a new API to get alert "status", but is consuming a potentially large number of event log documents from a flat time-based query. It seems likely we could create an EQL query to do some of this work for us, cutting down on the amount of data transferred and perhaps making the semantics a bit clearer (in EQL instead of TS).
One particular example that would be nice to "solve" is when a missing `resolved-instance` message gets lost: the referenced PR will end up reporting that instance as active. You can "see", looking at the documents, that it's not really active if there have been multiple `execute` documents since the last `active-instance` message, but that's difficult to precisely describe in JS, whereas it might be pretty easy to describe as an EQL sequence.
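The situation described above, as an added example that is not part of the issue or of Kibana's own code: a small model of the status derivation run over a constructed set of event log documents. The document shape (`action`, `instanceId`, `@timestamp`), the sample data, and the "N `execute` documents with no new `active-instance`" threshold are assumptions made for the illustration. It contrasts the naive "last instance-level message wins" derivation with one that also counts `execute` documents, which is the condition the issue says is easy to see but hard to state in JS.

```javascript
// Added example (not from the issue or Kibana). Models alert "status"
// derivation over event log documents. Field names and the threshold
// heuristic are assumptions for illustration.

// Constructed sample, oldest first. Instance "a" was resolved after the
// second execute, but its resolved-instance document was lost. Instance "b"
// is genuinely active and is re-reported on every execute.
const sampleEvents = [
  { '@timestamp': '2020-06-08T10:00:00Z', action: 'execute' },
  { '@timestamp': '2020-06-08T10:00:01Z', action: 'active-instance', instanceId: 'a' },
  { '@timestamp': '2020-06-08T10:00:01Z', action: 'active-instance', instanceId: 'b' },
  { '@timestamp': '2020-06-08T10:01:00Z', action: 'execute' },
  // a resolved-instance document for "a" belongs here but was lost
  { '@timestamp': '2020-06-08T10:01:01Z', action: 'active-instance', instanceId: 'b' },
  { '@timestamp': '2020-06-08T10:02:00Z', action: 'execute' },
  { '@timestamp': '2020-06-08T10:02:01Z', action: 'active-instance', instanceId: 'b' },
];

// Chronological order; Array.prototype.sort is stable, so documents with
// equal timestamps keep their input order.
function sortByTime(events) {
  return [...events].sort((x, y) => x['@timestamp'].localeCompare(y['@timestamp']));
}

// Naive derivation: the most recent instance-level message decides.
// A lost resolved-instance document leaves the instance "active" forever.
function naiveStatus(events) {
  const status = {};
  for (const ev of sortByTime(events)) {
    if (ev.action === 'active-instance') status[ev.instanceId] = 'active';
    else if (ev.action === 'resolved-instance') status[ev.instanceId] = 'resolved';
  }
  return status;
}

// Execute-aware derivation: an instance stays "active" only if fewer than
// `quietExecutes` execute documents have been recorded since its last
// active-instance message. Otherwise the resolved-instance document is
// presumed lost and the instance is reported as resolved.
function executeAwareStatus(events, quietExecutes = 2) {
  const status = {};
  const executesSince = {}; // executes seen since the instance was last reported active
  for (const ev of sortByTime(events)) {
    if (ev.action === 'execute') {
      for (const id of Object.keys(status)) {
        if (status[id] === 'active') executesSince[id] += 1;
      }
    } else if (ev.action === 'active-instance') {
      status[ev.instanceId] = 'active';
      executesSince[ev.instanceId] = 0;
    } else if (ev.action === 'resolved-instance') {
      status[ev.instanceId] = 'resolved';
    }
  }
  for (const id of Object.keys(status)) {
    if (status[id] === 'active' && executesSince[id] >= quietExecutes) {
      status[id] = 'resolved'; // inferred from silence across executes
    }
  }
  return status;
}

console.log('naive:        ', naiveStatus(sampleEvents));
console.log('execute-aware:', executeAwareStatus(sampleEvents));
```

With the sample above the naive derivation reports both `a` and `b` as active, while the execute-aware one reports `a` as resolved and `b` as active. The threshold is the tunable part: with `quietExecutes` set to 3, `a` is still reported active, so the value should match how many executes a genuinely active instance is allowed to be absent from.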