Aggregation support in SIEM

Hi Team,

Are there any plans to add aggregation support in the SIEM app? Maybe the ability to create a correlation rule by leveraging the Elasticsearch aggregations?

For example, a very simple use case where you wish to identify more than 10 login failures for a single user in a short amount of time. Something that you would expect from a traditional SIEM?


Hi @NerdSec, thanks for the post. The answer is Yes, we do plan to support detection rules that can use Elasticsearch aggregations. We'll likely start with just some simple threshold-based capability, as future rule types will provide more advanced correlation capabilities.

There is a GitHub issue that covers the general idea here:

Your example is a good one to help us make sure that the new rule capability meets the needs of SIEM users.

Question please: If you had this capability in the Elastic SIEM app, what are a few more simple rules that you think users might want to create?

Thanks again!


Hi Mike,

Thank you for the response! I just commented on the mentioned issue. I think it's a great implementation to leverage the Elastic SQL to enable the user to make these agg calls.

We ended up implementing an interpretation layer that converts the user's request into an elasticsearch_py_dsl query. In most of our cases, we never required anything other than terms, date_histogram, cardinality, and bucket_selector aggregations. I am actually documenting this in a blog (including some use-cases), that I hope to publish soon. Will post the link here once done!
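Added example, not code from any poster in this thread or from the Elastic SIEM app: the "more than 10 failed logins for one user in a short window" rule from the first post, expressed as the Elasticsearch aggregation body the last post describes (terms + date_histogram + bucket_selector) and, beside it, as local Python that evaluates the same rule over constructed sample events so it can be run offline. Field names follow ECS (`user.name`, `event.category`, `event.outcome`, `@timestamp`) by assumption; the threshold, window and lookback values are illustrative.

```python
# Added example (not from the thread or Elastic's code): a threshold rule for
# "> 10 authentication failures for one user within 5 minutes", as an ES
# aggregation body and as local evaluators over constructed sample events.
# ECS field names are assumed.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

THRESHOLD = 10                  # rule fires on strictly more than this many failures
WINDOW = timedelta(minutes=5)   # the "short amount of time"


def build_query(threshold=THRESHOLD, window="5m", lookback="now-1h"):
    """Search body for the threshold rule. The terms agg groups by user, the
    date_histogram splits each user into fixed, epoch-aligned buckets, and the
    bucket_selector drops every bucket whose doc count is not above threshold,
    so only offending (user, bucket) pairs come back in the response."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"term": {"event.category": "authentication"}},
            {"term": {"event.outcome": "failure"}},
            {"range": {"@timestamp": {"gte": lookback}}},
        ]}},
        "aggs": {"by_user": {
            "terms": {"field": "user.name", "size": 1000},
            "aggs": {"per_window": {
                "date_histogram": {"field": "@timestamp", "fixed_interval": window},
                "aggs": {"over_threshold": {"bucket_selector": {
                    "buckets_path": {"count": "_count"},
                    "script": f"params.count > {threshold}",
                }}},
            }},
        }},
    }


def _failures_by_user(events):
    """Apply the same filter as the query: authentication failures only."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["event.category"] == "authentication" and ev["event.outcome"] == "failure":
            per_user[ev["user.name"]].append(ev["@timestamp"])
    return per_user


def fixed_bucket_hits(events, threshold=THRESHOLD, window=WINDOW):
    """Local equivalent of date_histogram + bucket_selector: failures are counted
    per epoch-aligned fixed bucket. Returns {user: largest bucket count > threshold}."""
    hits = {}
    for user, stamps in _failures_by_user(events).items():
        counts = defaultdict(int)
        for t in stamps:
            counts[int(t.timestamp() // window.total_seconds())] += 1
        worst = max(counts.values())
        if worst > threshold:
            hits[user] = worst
    return hits


def sliding_window_hits(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window variant: any span of length `window` holding more than
    `threshold` failures fires, so a burst straddling a bucket edge is not missed."""
    hits = {}
    for user, stamps in _failures_by_user(events).items():
        stamps.sort()
        start, worst = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst > threshold:
            hits[user] = worst
    return hits


# Constructed sample events (not real logs); BASE sits on a 5-minute boundary.
BASE = datetime(2020, 1, 1, 12, 0, tzinfo=timezone.utc)


def _ev(user, offset_s, outcome="failure"):
    return {"@timestamp": BASE + timedelta(seconds=offset_s), "user.name": user,
            "event.category": "authentication", "event.outcome": outcome}


SAMPLE_EVENTS = (
    [_ev("alice", 10 * i) for i in range(12)]        # 12 failures in 110 s: fires
    + [_ev("alice", 200, outcome="success")]          # a success; never counted
    + [_ev("bob", 300 * i) for i in range(12)]        # 12 failures 5 min apart: too slow
    + [_ev("carol", 5 * i) for i in range(10)]        # exactly 10: not "more than 10"
    + [_ev("dave", 240 + 10 * i) for i in range(12)]  # 12 in 110 s, split 6/6 across 12:05
)

if __name__ == "__main__":
    import json
    print(json.dumps(build_query(), indent=2))
    print("fixed buckets: ", fixed_bucket_hits(SAMPLE_EVENTS))    # {'alice': 12}
    print("sliding window:", sliding_window_hits(SAMPLE_EVENTS))  # {'alice': 12, 'dave': 12}
```

The two local evaluators differ on purpose: `date_histogram` with `fixed_interval` counts inside aligned buckets, so a burst that straddles a bucket boundary (the `dave` events) never reaches the threshold in any single bucket even though 12 failures occurred within 110 seconds. A sliding window catches it; with a histogram-based rule the usual mitigations are a shorter interval than the window you care about, or a second pass over the returned buckets. The `bob` and `carol` cases check the other two edges: slow spraying below the rate, and a count equal to the threshold, which the strict `>` comparison correctly ignores.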