Alert monitor - keep getting 1 hit every 5 minutes; want it to change to 100 hits every five minutes

Hi, I want to be able to receive alerts for security WAF blocks for 100 hits every 5 minutes instead of 1 hit every five minutes.

Is it possible in Kibana?

Hi James, I'm not an expert in these types of queries, so I can't provide you with direct help.

Since you appear to be using the Elastic Stack for alerting on security-related logs, I wonder if you've checked out the SIEM App (now called the Security App) in Kibana?

It's included in the default distribution of the Elastic Stack from Elastic, and it has a built-in detection rule type called the Threshold rule that should be able to provide just what you're looking for.

Oh, and a significant set of features in the SIEM/Security App are free for our end-users to download and use for as long as they want, on as much data as they want. Or they can try it free in our Elastic Cloud Elasticsearch Service for 14 days at https://www.elastic.co/cloud/ .

The SIEM/Security app does require that your data is normalized to Elastic Common Schema (ECS) format (see https://www.elastic.co/guide/en/ecs/current/index.html), but depending on your data source, there may be an ECS-compatible module for that already. We have a large selection of integrations that you can view here: https://www.elastic.co/integrations . If you have a data source that is not directly supported, you can create a new one. Here's a blog that shows how that is done: https://www.elastic.co/blog/getting-started-adding-new-security-data-source-in-elastic-siem

You can check out the Security product web page here: https://www.elastic.co/security

Or check out the product documentation here: https://www.elastic.co/guide/en/security/current/index.html

Good luck with your alerting!

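The reply points at the Threshold rule type, but does not show what such a rule looks like or how its counting behaves. The following is an added example, not code from the thread or from Elastic: it builds the request body that the Kibana Detection Engine API (`POST /api/detection_engine/rules`) accepts for a threshold rule, and then re-implements the counting logic locally so the difference between an ungrouped threshold (100 blocks total) and a per-field threshold (100 blocks per `source.ip`) is visible on sample data. The rule name, the `logs-waf-*` index pattern, the `event.action:block` query and all of the events are assumptions constructed for this example; the ECS field names `@timestamp`, `event.action` and `source.ip` are from the ECS reference the reply links.

```python
"""Added example (not from the thread, not Elastic's code): a Kibana threshold
rule body plus a local re-implementation of its counting logic, run over
constructed ECS-shaped WAF block events."""
from collections import Counter
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)   # the 5-minute window the question asks about
THRESHOLD = 100                 # fire on 100 hits, not on every single hit
BASE = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # start of the constructed data


def build_threshold_rule(index_pattern, query, value, group_fields=()):
    """Request body for POST /api/detection_engine/rules (Kibana Security app).

    Keys follow Kibana's documented threshold rule schema; name, index pattern
    and query are assumptions for this example. With an empty "field" list the
    threshold applies to the total event count matched by the query; with
    fields set, it is evaluated per distinct value (e.g. per source.ip).
    "from" is one minute wider than "interval" so events that arrive late are
    not missed between two consecutive rule runs.
    """
    return {
        "name": "WAF blocks: %d or more in 5 minutes" % value,
        "description": "Fires when at least %d WAF block events land in one 5-minute window" % value,
        "type": "threshold",
        "language": "kuery",
        "query": query,
        "index": [index_pattern],
        "threshold": {"field": list(group_fields), "value": value},
        "interval": "5m",
        "from": "now-6m",
        "risk_score": 47,
        "severity": "medium",
        "enabled": True,
    }


def ecs_event(ts, action, ip):
    """A minimal ECS-shaped WAF event (constructed; real integrations add many more fields)."""
    return {"@timestamp": ts.isoformat(),
            "event": {"kind": "event", "category": ["network"], "action": action},
            "source": {"ip": ip}}


def get_path(doc, path):
    """Resolve a dotted ECS field name such as 'source.ip' against a nested dict."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur


def evaluate_threshold(events, window, threshold, group_field=None):
    """Count matching events per aligned tumbling window (and per group value if
    group_field is set); return (window_start, group, count) for every bucket at
    or above the threshold. Kibana instead counts a sliding lookback on each rule
    run, but the grouped-versus-ungrouped behaviour is the same."""
    buckets = Counter()
    secs = window.total_seconds()
    for ev in events:
        if get_path(ev, "event.action") != "block":   # the rule's query
            continue
        ts = datetime.fromisoformat(ev["@timestamp"])
        epoch = ts.timestamp()
        start = datetime.fromtimestamp(epoch - (epoch % secs), tz=timezone.utc)
        group = get_path(ev, group_field) if group_field else None
        buckets[(start, group)] += 1
    fired = [(s, g, n) for (s, g), n in buckets.items() if n >= threshold]
    return sorted(fired, key=lambda t: (t[0], str(t[1])))


def make_sample_events():
    """Constructed sample: 12:00-12:05 holds 120 blocks from two IPs (80 + 40),
    12:05-12:10 holds 40 blocks and 10 allowed requests."""
    events = []
    for i in range(120):
        ip = "203.0.113.5" if i < 80 else "198.51.100.7"
        events.append(ecs_event(BASE + timedelta(seconds=2 * i), "block", ip))
    for i in range(40):
        events.append(ecs_event(BASE + timedelta(minutes=5, seconds=5 * i), "block", "192.0.2.9"))
    for i in range(10):
        events.append(ecs_event(BASE + timedelta(minutes=5, seconds=20 * i), "allow", "192.0.2.9"))
    return events


if __name__ == "__main__":
    import json
    print(json.dumps(build_threshold_rule("logs-waf-*", "event.action:block", THRESHOLD), indent=2))
    data = make_sample_events()
    print("ungrouped:", evaluate_threshold(data, WINDOW, THRESHOLD))
    print("per source.ip:", evaluate_threshold(data, WINDOW, THRESHOLD, "source.ip"))
```

On the constructed data the ungrouped rule fires once (120 blocks in the first window), while the same threshold grouped by `source.ip` fires nothing, because no single address reaches 100. That is the practical choice to make when creating the rule: leave the threshold field empty to alert on total WAF block volume, or set it to `source.ip` to alert on a single noisy client.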
