Alerting by amount of "hits"

Hi,

I want to create a detection rule that if was X unauthorized events then Alert\Create a signal... how can I do that? thanks!

Hi @Or_Biran,

Thanks for posting this question. I think a lot of readers are wondering about this topic.

The type of threshold-based detection you describe is not currently possible using the SIEM app detection rules. We are currently working on adding a new SIEM rule type, based on a set of Elasticsearch aggregations, that will allow for threshold-based detections.

We can't say exactly when it will become available, but you can get a rough idea of its functionality by checking out the beta version of Kibana "Alerts and Actions" features in the 7.7 version of the Elastic Stack (documentation here). We expect the future SIEM detection rules to offer similar functionality.

Thanks again, and please continue to provide us with additional feedback.

-Mike P.