Hello, I'm trying to build an alert that matches 2 fields - an event_id and a keyword. I need to trigger an action (which is working) if there are 4 counts in 5 minutes of: event_id = 4776 AND keyword = "Audit Failure" but I'm struggling with the syntax (Just noob things :grinning:) Could anyo…

I fixed it, in case anyone is interested. My use case here is to grab Kerberos authentications logs from our DC and alert on potential brute force attacks. This search will match documents from the last 5 minutes with the following criteria: Keyword field matching "Audit Failure" The name of t…

Alerting on documents with 2 conditions

Elastic Stack Elasticsearch

Chris_Meyer December 27, 2018, 8:26pm 6

Update: Looks like filter doesn't exist how I was using it anymore, according to this post:

So I guess I have to fix that.

Topic		Replies	Views
Watchers: querying for multiple strings in timeframe Elasticsearch elastic-stack-alerting	2	987	August 20, 2020
Advancing alert using watcher Elasticsearch elastic-stack-alerting	10	1455	October 25, 2018
Unable to get a field match watcher to work properly Elasticsearch elastic-stack-alerting	2	507	August 20, 2020
Watcher Kibana : How can i use double condition in a "compare" Elasticsearch elastic-stack-alerting	7	6111	April 4, 2019
Setup Elastic Watcher Alert to match two message strings in a log Elasticsearch elastic-stack-alerting	4	499	April 3, 2023

Alerting on documents with 2 conditions

Related topics