Default severity: the severity level assigned to alerts that the rule creates:
Low: alerts that are of interest but are generally not considered security incidents on their own. A combination of low-severity alerts can still indicate suspicious activity.
Medium: alerts that require investigation.
High: alerts that require immediate investigation.
Critical: alerts that indicate a high likelihood that a security incident has occurred.
To run an EQL search, the data stream or index being searched must contain a timestamp field and an event category field. By default EQL uses the @timestamp and event.category fields from the Elastic Common Schema (ECS); if the data uses other field names, they can be supplied with the timestamp_field and event_category_field parameters of the search request.
Using ECS as the schema for data queried with EQL is recommended.
Run an EQL search
By default, a basic EQL query returns the 10 most recent matching events in the hits.events property of the response.
The size parameter sets a smaller or larger number of hits to return.
Search for a sequence of events
Use EQL's sequence syntax to search for a series of ordered events. List the event items in ascending chronological order, with the most recent event last.
Like hits.events, hits.sequences returns the 10 most recent matching sequences by default.
with maxspan constrains matching sequences to a specified timespan: all events of a sequence must fall within that span, measured from the first event to the last.
The by keyword matches events that share the same field values. If the same field value should be shared across all events in the sequence, use sequence by: placing the key once after sequence by is equivalent to repeating by after every event item.
The hits.sequences.join_keys property contains the shared field values.
The until keyword specifies an expiration event for sequences: any matching sequence must end before this event, and the until event itself is not part of the sequence.
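To make the sequence semantics above concrete, here is an added Python model of how sequence, by, maxspan and until interact, run over a handful of constructed events. It is an illustration written for these notes, not Elasticsearch's implementation, and it deliberately simplifies (one sorted pass, no overlapping sequence bookkeeping). The EQL query text, the regsvr32.exe / network scenario and the sample events are assumptions chosen for the example; build_eql_request only assembles the body an _eql/search call would take and sends nothing.

```python
"""Simplified model of EQL sequence matching (sequence / by / maxspan / until).
Added illustration for these notes, not Elasticsearch's code. The query,
the scenario and the sample events below are constructed assumptions."""
from datetime import datetime, timedelta

# An EQL sequence a detection engineer might write; the Python model below
# mirrors it step by step (process start of regsvr32.exe, then any network
# event from the same pid, within one minute, unless the process ends first).
EQL_QUERY = """
sequence by process.pid with maxspan=1m
  [ process where process.name == "regsvr32.exe" ]
  [ network where true ]
until [ process where event.type == "end" ]
"""


def build_eql_request(query, size=10, timestamp_field="@timestamp",
                      event_category_field="event.category"):
    """Request body for <index>/_eql/search. size caps hits.events or
    hits.sequences; the two *_field parameters override the ECS defaults
    when the index does not use ECS field names."""
    return {
        "query": query.strip(),
        "size": size,
        "timestamp_field": timestamp_field,
        "event_category_field": event_category_field,
    }


def _ts(event):
    return datetime.fromisoformat(event["@timestamp"])


def match_sequences(events, steps, by, maxspan=None, until=None):
    """Walk events in @timestamp order and return completed sequences shaped
    like hits.sequences entries (join_keys plus the matched events).
    - every event in a sequence shares the `by` field value (join key),
    - the whole sequence must fit inside `maxspan` (a timedelta),
    - an `until` event expires every pending sequence for its join key."""
    pending = {}   # join key -> list of partial sequences (lists of events)
    matches = []
    for ev in sorted(events, key=_ts):
        key = ev.get(by)
        if key is None:
            continue                 # events without the join key never join
        if until is not None and until(ev):
            pending.pop(key, None)   # expire; the until event itself is no hit
            continue
        still_open = []
        for seq in pending.get(key, []):
            if maxspan is not None and _ts(ev) - _ts(seq[0]) > maxspan:
                continue             # too slow: drop this partial sequence
            if steps[len(seq)](ev):
                seq = seq + [ev]     # next ordered step matched
                if len(seq) == len(steps):
                    matches.append({"join_keys": [key], "events": seq})
                    continue
            still_open.append(seq)
        if steps[0](ev):
            still_open.append([ev])  # this event may also start a new sequence
        pending[key] = still_open
    return matches


def _ev(ts, category, pid, extra=None):
    """Constructed ECS-style event (flattened field names), not real telemetry."""
    e = {"@timestamp": ts, "event.category": category, "process.pid": pid}
    e.update(extra or {})
    return e


REGSVR_START = {"process.name": "regsvr32.exe", "event.type": "start"}
REGSVR_END = {"process.name": "regsvr32.exe", "event.type": "end"}

SAMPLE_EVENTS = [
    # pid 100: regsvr32 start, network 10 s later -> matches
    _ev("2024-01-01T00:00:00+00:00", "process", 100, REGSVR_START),
    _ev("2024-01-01T00:00:10+00:00", "network", 100),
    # pid 200: same pair but 2 min apart -> outside maxspan=1m, no match
    _ev("2024-01-01T00:00:00+00:00", "process", 200, REGSVR_START),
    _ev("2024-01-01T00:02:00+00:00", "network", 200),
    # pid 300: process ends (the until event) before the network event -> expired
    _ev("2024-01-01T00:00:00+00:00", "process", 300, REGSVR_START),
    _ev("2024-01-01T00:00:05+00:00", "process", 300, REGSVR_END),
    _ev("2024-01-01T00:00:08+00:00", "network", 300),
    # pid 400: network event with no earlier regsvr32 start -> order matters
    _ev("2024-01-01T00:00:03+00:00", "network", 400),
]

STEPS = [
    lambda e: e["event.category"] == "process"
    and e.get("process.name") == "regsvr32.exe",
    lambda e: e["event.category"] == "network",
]
UNTIL = lambda e: e["event.category"] == "process" and e.get("event.type") == "end"


def run_example():
    return match_sequences(SAMPLE_EVENTS, STEPS, by="process.pid",
                           maxspan=timedelta(minutes=1), until=UNTIL)


if __name__ == "__main__":
    import json
    print(json.dumps(build_eql_request(EQL_QUERY, size=10), indent=2))
    for seq in run_example():
        print("join_keys:", seq["join_keys"], "->",
              [e["event.category"] for e in seq["events"]])
```

Only pid 100 produces a sequence: pid 200 is dropped by maxspan, pid 300 is expired by the until event, and pid 400's network event has nothing before it to join. Checking the until condition before the step conditions matters, since the process-end event would otherwise also satisfy the first step and start a fresh sequence.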