Creating a threshold based rule in the detection engine

abhishek_s1 · April 22, 2021, 9:35am

I'm managing logs of a particular server, I'm defining an activity of a person with some username to be suspicious if there is sudden increase in their activity( i.e., user logs into server 100 times whereas on average he logs in less than half <50).

Help me creating a threshold based rule in the detection engine. If this is not possible by this, suggest me a way. My logs looks like this:

10.0.0.10 - username [21/Sep/2020:04:27:18 +0000] "GET /svn/repos HTTP/1.1" 200 289

I this task achievable by elastalert if not here?

Oliver2 · April 27, 2021, 10:18pm

machine learning might be able to achieve yhis

austinsonger · April 28, 2021, 2:51pm

Yes this would be best solved with a Machine Learning rule, because Elastic doesn't do baselining and trigger rules based on going above the baseline. So Machine learning will be your best bet. You should join the slack for a quicker response Join Elastic Stack Community on Slack - Community Inviter.

system · May 26, 2021, 2:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Alerting by amount of "hits" SIEM	2	403	June 18, 2020
Help me writing watcher Query Endpoint Security	6	426	May 14, 2021
Elastic Security - Host No longer logging Alert SIEM	1	299	August 31, 2023
How to create a rule with aggregation SIEM elastic-stack-security	5	2436	May 4, 2021
Threshold rule to alert when logs stop coming in from a log source Elastic Security elastic-stack-alerting	2	329	November 4, 2022

Creating a threshold based rule in the detection engine

Related topics