Hello,
Today I would like to ask about DDoS and ELK security.
I replicated a (modest) DDoS attack on my systems, and I got the correspondent logs and views.
In Packetbeat Flows Dashboard it can be seen the moment where the huge DDoS test started:
But what now I would like to do is set a rule to monitor this kind of things and have some alerts when it happened. My idea was, using Packetbeat data, to replicate in some way the dashboard in the image, so, when I get a huge amount of flow.id in a short period, for example, 5 minutes, to get the alert.
I've been playing with the rule creator, but I'm not achieving what I want.
Any ideas about this? Or any ideas about how can I monitor this kind of attack?
I'm really new to ELK so I'm a bit lost yet, any ideas and points of view would be very good received.
Thanks!