Are there any plans to add an aggregations support in the SIEM app? Maybe the ability to create a correlation rule by leveraging the Elasticsearch aggregations?
For example, a very simple use case, where you wish to identify more than 10 login failures for a single user in a short amount of time. Something that you would expect from a traditional SIEM?
Hi @NerdSec, thanks for the post. The answer is Yes, we do plan to support detection rules that can use Elasticsearch aggregations. We'll likely start with just some simple threshold-based capability, as future rule types will provide more advanced correlation capabilities.
Thank you for the response! I just commented on the mentioned issue. I think it's a great implementation to leverage the Elastic SQL to enable the user to make these agg calls.
We ended up implementing an interpretation layer that converts the user's request into an elasticsearch_py_dsl query. In most of our cases, we never required anything other than terms, date_histogram, cardinality, and bucket_selector aggregations. I am actually documenting this in a blog (including some use cases) that I hope to publish soon. Will post the link here once done!
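The threshold use case from the first post, written out as an added example (not code from the thread, from Elastic, or from the poster's interpretation layer): the raw aggregation query such a layer would emit, beside a local evaluator that applies the same logic to constructed events. The ECS-style field names (user.name, event.category, event.outcome), the 5-minute fixed window and the one-hour lookback are assumptions.

```python
"""Threshold rule from the thread: flag users with more than 10 failed logins
in a 5-minute window. build_query() is the raw Query DSL elasticsearch_dsl would
emit (terms -> date_histogram -> bucket_selector); evaluate_locally() applies the
same logic offline to event dicts. Field names are assumed ECS-style."""
from collections import defaultdict
from datetime import datetime

THRESHOLD, WINDOW_MIN = 10, 5   # more than 10 failures inside one 5-minute window

def build_query(threshold=THRESHOLD, window_min=WINDOW_MIN):
    """Filter failed authentications, bucket per user, then per fixed window,
    and keep only the buckets whose doc_count exceeds the threshold."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"term": {"event.category": "authentication"}},
            {"term": {"event.outcome": "failure"}},
            {"range": {"@timestamp": {"gte": "now-1h"}}}]}},
        "aggs": {"by_user": {
            "terms": {"field": "user.name", "size": 1000},
            "aggs": {"by_window": {
                "date_histogram": {"field": "@timestamp", "fixed_interval": f"{window_min}m"},
                "aggs": {"over_threshold": {"bucket_selector": {
                    "buckets_path": {"failures": "_count"},
                    "script": f"params.failures > {threshold}"}}}}}}}}

def evaluate_locally(events, threshold=THRESHOLD, window_min=WINDOW_MIN):
    """Mirror of the aggregation over event dicts; returns
    {(user, window_start_minute): failures} for every bucket over threshold."""
    counts = defaultdict(int)
    for ev in events:
        if ev.get("event.category") != "authentication" or ev.get("event.outcome") != "failure":
            continue  # same filter as the query's bool clause
        ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
        minute = int(ts.timestamp()) // 60
        window_start = minute - minute % window_min  # fixed_interval bucketing
        counts[(ev["user.name"], window_start)] += 1
    return {k: v for k, v in counts.items() if v > threshold}

def _ev(ts, user, outcome="failure"):  # constructed sample event
    return {"@timestamp": ts, "user.name": user,
            "event.category": "authentication", "event.outcome": outcome}

# Constructed sample: 12 failures for alice in two minutes, 3 for bob, plus one
# success for alice that the filter must ignore.
SAMPLE = [_ev(f"2024-05-01T10:0{i // 6}:{i % 6 * 10:02d}Z", "alice") for i in range(12)]
SAMPLE += [_ev(f"2024-05-01T10:0{i}:00Z", "bob") for i in range(3)]
SAMPLE.append(_ev("2024-05-01T10:02:00Z", "alice", "success"))
```

A fixed date_histogram interval splits a burst that straddles a bucket boundary (12 failures spread over 10:04 and 10:06 land in two buckets and never exceed the threshold), so a true sliding window needs a different query shape that this example does not cover.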