Aggregate alerts by a specific field and send a summary through an action for each field value encountered

Hi everyone,

I have set up a Kibana alert security detection rule which creates an alert for all my incoming third-party system alerts (Suricata) and sends each one of them to my SIRP using a webhook.

I have many alerts with the same event_type (e.g. SSH connection attempts) but with different destination IP addresses within the same time range.

Is there a way to natively aggregate these alerts by event_type into one when the rule triggers?

I want to end up with one alert sent via the webhook action for each event type (e.g. "SSH connection attempt"),
and have, for instance, an array with the different destination IP addresses concerned, using mustache templates and {{#context.hits}}.
The thing is, sometimes, within a 5-minute time range, there can be different event types triggering the Elastic alert, so I have to create alerts in my SIRP for each type of alert encountered.

I know some pieces of software which can do this but I would rather not rely on third-party tools and keep using a pure Elastic solution.

I tried using a custom query rule with a query DSL filter (using an aggregation) and some threshold Security rules with a threshold of 1 on the event type field, and my action frequency is set to "summary of alerts per rule run", but {{#context.hits}}{{.}}{{/context.hits}} does not yield anything.
The alerts are correctly displayed in Kibana. I have run out of ideas.

Using Kibana version 8.9.1.

I hope I can get some help. Thanks in advance.

Kind regards
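The grouping asked for above, as an added example that is not from the original post or from Elastic: a small Python routine that takes hits in the shape a rule's context.hits would carry and collapses them into one summary per event_type, each with the distinct destination IPs, first/last seen and a count, ready to hand to a SIRP webhook. The field names (event_type, destination.ip, @timestamp) and the sample hits are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone
import json

# Constructed sample hits (not from the original post), shaped like the
# documents a detection rule's context.hits would carry. Field names are assumed.
SAMPLE_HITS = [
    {"_source": {"@timestamp": "2023-09-01T10:00:05Z", "event_type": "SSH connection attempt",
                 "destination": {"ip": "10.0.0.5"}}},
    {"_source": {"@timestamp": "2023-09-01T10:01:10Z", "event_type": "SSH connection attempt",
                 "destination": {"ip": "10.0.0.7"}}},
    {"_source": {"@timestamp": "2023-09-01T10:02:30Z", "event_type": "SSH connection attempt",
                 "destination": {"ip": "10.0.0.5"}}},  # duplicate IP, must be deduplicated
    {"_source": {"@timestamp": "2023-09-01T10:03:00Z", "event_type": "DNS query to suspicious domain",
                 "destination": {"ip": "10.0.0.53"}}},
    {"_source": {"@timestamp": "2023-09-01T10:03:45Z", "destination": {"ip": "10.0.0.9"}}},  # no event_type
]

def _parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample hits."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def summarize_by_event_type(hits):
    """Collapse raw hits into one summary per event_type with the distinct destination IPs."""
    groups = defaultdict(lambda: {"count": 0, "ips": set(), "first": None, "last": None})
    for hit in hits:
        src = hit.get("_source", {})
        event_type = src.get("event_type")
        if not event_type:  # a hit without the grouping field cannot be summarised
            continue
        g = groups[event_type]
        g["count"] += 1
        ip = src.get("destination", {}).get("ip")
        if ip:
            g["ips"].add(ip)
        ts = _parse_ts(src["@timestamp"])
        g["first"] = ts if g["first"] is None else min(g["first"], ts)
        g["last"] = ts if g["last"] is None else max(g["last"], ts)
    return {
        et: {"event_type": et, "alert_count": g["count"], "destination_ips": sorted(g["ips"]),
             "first_seen": g["first"].isoformat(), "last_seen": g["last"].isoformat()}
        for et, g in groups.items()
    }

def build_webhook_payloads(hits):
    """One JSON body per event type, the unit a SIRP webhook would receive."""
    return [json.dumps(s, sort_keys=True) for s in summarize_by_event_type(hits).values()]

if __name__ == "__main__":
    for body in build_webhook_payloads(SAMPLE_HITS):
        print(body)
```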
