How well can we have a correlation using the Elastic-SIEM application?
A sample use case would be:
I want to know, in the last 15 minutes, for the events that were tagged as "attack", whether the source IPs are equal to the destination IPs.
Also, I would like to know, if this is not possible in the current Elastic-SIEM, what would be a good approach to get near-good results for this scenario?
The type of correlation-based detection you describe is not currently possible using the SIEM app detection rules. We are investigating methods for enabling these kinds of correlations in the future.
One idea in the interim is to use Kibana scripted fields. These fields can be used in limited situations, such as Kibana visualizations and Kibana Discover. For example, you could create a boolean scripted field such as "source_equals_destination" and then use a query such as my_tag:"attack" and source_equals_destination:true to identify the relevant events.
Thanks again, and please continue to provide us with additional feedback.
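As an added example (not code from the thread above), this is one way to write the Painless body of such a Boolean scripted field. It assumes the index pattern maps source.ip and destination.ip as ip fields (ECS names, which the thread does not state); adjust the field names to your mapping.

```painless
// Kibana scripted field "source_equals_destination" (type: Boolean, language: painless)
// Added example, not from the original thread. Assumes the index pattern
// has source.ip and destination.ip mapped as 'ip' fields (assumed ECS names).

// Events that lack either address cannot match. Guard first, because
// reading .value from an empty doc-values field throws and fails the query.
if (doc['source.ip'].size() == 0 || doc['destination.ip'].size() == 0) {
  return false;
}

// Either field may be multi-valued, so flag the event when any source
// address also appears as a destination address. IP doc values are
// exposed as strings, and == in Painless compares string values.
for (def src : doc['source.ip']) {
  for (def dst : doc['destination.ip']) {
    if (src == dst) {
      return true;
    }
  }
}
return false;
```

With the Discover time picker set to the last 15 minutes, the query my_tag:"attack" and source_equals_destination:true then lists only the matching events. Scripted fields are evaluated per document at query time, so keeping the time range and the tag filter tight keeps the search cheap.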