Let me first say, I'm sure I could write a search that essentially returns what I'm looking for; however, due to the amount and nature of the data, it would not be a fast-running search. I'm looking to broaden my horizons using data models and acceleration to make this more efficient.
The goal: provide daily reports on activity for "flagged" accounts, only WHILE they are flagged. E.g., if an account is flagged from 5/16/2018 12:00 pm to 2:00 pm, I'd like to find authentication activity for that account during that 2 hour period for which it was flagged.
I can easily write a search to return a list of accounts which had been flagged and the time span they were flagged for, but I'm looking for advice on efficient ways to find the authentication events related to that flagged period. We have ES, with an accelerated Authentication data model, though I don't have a good sense of how to apply my query to it. Would this be a custom correlation search in ES?
Any suggestions, links, examples are highly appreciated.
Thank you.
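One way to run this against the accelerated Authentication data model, as an added example rather than anything from the original post: it assumes a hypothetical lookup `flagged_accounts.csv` with columns `user`, `flag_start` and `flag_end` in the post's date format, and it issues one `tstats` search per flagged row so that each account's own time window is applied as the `earliest`/`latest` bound of the accelerated summary.

```spl
| inputlookup flagged_accounts.csv
| eval flag_start=round(strptime(flag_start, "%m/%d/%Y %I:%M %p")),
       flag_end=round(strptime(flag_end, "%m/%d/%Y %I:%M %p"))
| where isnotnull(flag_start) AND isnotnull(flag_end) AND flag_end > flag_start
| map maxsearches=200 search="| tstats summariesonly=true count from datamodel=Authentication where Authentication.user=\"$user$\" earliest=$flag_start$ latest=$flag_end$ by Authentication.action Authentication.app Authentication.src Authentication.dest _time span=5m | rename Authentication.* as * | eval user=\"$user$\", flag_start=$flag_start$, flag_end=$flag_end$"
| eval flag_window=strftime(flag_start, "%F %H:%M") . " to " . strftime(flag_end, "%F %H:%M")
| table _time user flag_window action app src dest count
| sort user _time
```

`summariesonly=true` returns only data already in the acceleration summary, so events the summary has not caught up on are silently missing (use `summariesonly=false` to fall back to raw events at the cost of speed). `map` runs one subsearch per flagged row and `maxsearches` caps that, so this fits a short daily list of flagged accounts rather than thousands; for a large list, pull a single `tstats` restricted to the flagged users and filter `_time` against each window afterwards.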