Correlation analysis in elasticsearch

111387 · April 16, 2021, 8:14am

I am collecting suricata events with elasticsearch.
I want to create an alert through correlation analysis for suricata event.

For example, when the following events are saved

{
    rule.event: "event a"
    src.ip: "10.0.0.1"
    dst.ip: "10.0.0.2"
},
{
    rule.event: "event b"
    src.ip: "10.0.0.2"
    dst.ip: "10.0.0.1"
}

I want to create an alert by combining events with the same src.ip and dst.ip.
Are these queries possible with DQL?

I want to make correlation rules for logs of devices other than suricata.
Are all of these operations possible with query in elasticsearch?

system · May 14, 2021, 8:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Threat hunting with suricata, ElasticSecurity SIEM	2	740	June 14, 2021
Elasticsearch Query Alert Elasticsearch elastic-stack-alerting	1	329	June 7, 2021
SIEM Event correlation with Elasticsearch and Logstash Elasticsearch elastic-stack-security	4	4607	March 14, 2019
The suricata results shown on the [filebeat dashboard] are different from the results shown in the [security -> alerts] on kibana SIEM	2	51	October 29, 2024
Event Correlation Using ELK Elasticsearch	2	1419	December 19, 2019

Correlation analysis in elasticsearch

Related topics