Hello, I'm trying to build an alert that matches 2 fields - an event_id and a keyword. I need to trigger an action (which is working) if there are 4 counts in 5 minutes of: event_id = 4776 AND keyword = "Audit Failure" but I'm struggling with the syntax (Just noob things :grinning:) Could anyo…

I fixed it, in case anyone is interested. My use case here is to grab Kerberos authentications logs from our DC and alert on potential brute force attacks. This search will match documents from the last 5 minutes with the following criteria: Keyword field matching "Audit Failure" The name of t…

Alerting on documents with 2 conditions

Elastic Stack Elasticsearch

Chris_Meyer December 27, 2018, 8:26pm 6

Update: Looks like filter doesn't exist how I was using it anymore, according to this post:

So I guess I have to fix that.

Topic		Replies	Views
Watchers: querying for multiple strings in timeframe Elasticsearch elastic-stack-alerting	2	987	August 20, 2020
Unable to get a field match watcher to work properly Elasticsearch elastic-stack-alerting	2	506	August 20, 2020
Watcher Kibana : How can i use double condition in a "compare" Elasticsearch elastic-stack-alerting	7	6101	April 4, 2019
Setup Elastic Watcher Alert to match two message strings in a log Elasticsearch elastic-stack-alerting	4	498	April 3, 2023
Watcher matching isn't working - any help? Elasticsearch elastic-stack-alerting	3	1037	July 6, 2017

Alerting on documents with 2 conditions

Related Topics