[Elastic Security/SIEM] - Detect if a source IP contacts more destination IPs or more destination ports

Hi all,

I'm new to Elastic and I need to make a detection rule that detects if more than 200 unique destination IPs were accessed from the same source IP and if more than 400 unique destination ports are accessed from the same source IP.
Is it possible in Kibana with a single rule? From Threshold rule documentation: "Nested fields are not supported for use with Group by."

A workaround was creating two different threshold rules:

1st rule:
Custom Query:
source.ip: x.x.x.x/y and event.category : "network"

Group by:
source.ip destination.ip >= 200

2nd rule:
Custom Query:
source.ip: x.x.x.x/y and event.category : "network"
Group by:
source.ip destination.port >= 400

Is there any other workaround?
If not, we need to work with 2 rules.

Thanks in advance.

Hey @vowag, thanks for reaching out!

You can try the ES|QL rule type, where you can build a query similar to this one:

FROM source_index
// filter before STATS: columns not in STATS/BY (such as event.category) are dropped afterwards
| WHERE event.category == "network"
// the BY field is the grouping key (the question groups by source.ip)
| STATS ip_count = COUNT_DISTINCT(destination.ip), port_count = COUNT_DISTINCT(destination.port) BY host.name
| WHERE ip_count > 200 AND port_count > 400

Here you can also find useful references to the ES|QL syntax, commands and examples.

Let us know if that helps!
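One practical difference between the two approaches: the single ES|QL query alerts only when both distinct counts exceed their thresholds, whereas two separate threshold rules alert when either one does. The following added Python example (not from the thread and not Elastic code) simulates both behaviours over constructed network events with the thresholds from the question:

```python
"""Added example: per-source-IP distinct-count thresholds over constructed events."""
from collections import defaultdict
from typing import Iterable

# Thresholds from the question.
IP_THRESHOLD = 200
PORT_THRESHOLD = 400


def distinct_counts(events: Iterable[dict]) -> dict[str, tuple[int, int]]:
    """Per source.ip, count distinct destination.ip and destination.port,
    considering only events with event.category == "network" (the custom query filter)."""
    ips: dict[str, set[str]] = defaultdict(set)
    ports: dict[str, set[int]] = defaultdict(set)
    for ev in events:
        if ev.get("event.category") != "network":
            continue
        src = ev["source.ip"]
        ips[src].add(ev["destination.ip"])
        ports[src].add(ev["destination.port"])
    return {src: (len(ips[src]), len(ports[src])) for src in ips}


def esql_style_alerts(events: Iterable[dict]) -> set[str]:
    """Single ES|QL rule: fires only when BOTH counts exceed their thresholds (>)."""
    return {src for src, (n_ip, n_port) in distinct_counts(events).items()
            if n_ip > IP_THRESHOLD and n_port > PORT_THRESHOLD}


def two_rule_alerts(events: Iterable[dict]) -> set[str]:
    """Two threshold rules: fires when EITHER count reaches its threshold (>=)."""
    return {src for src, (n_ip, n_port) in distinct_counts(events).items()
            if n_ip >= IP_THRESHOLD or n_port >= PORT_THRESHOLD}


def sample_events() -> list[dict]:
    """Constructed sample data (documentation-range addresses, not real traffic)."""
    evs = []
    for i in range(450):  # 10.0.0.1: 250 distinct hosts AND 450 distinct ports
        evs.append({"event.category": "network", "source.ip": "10.0.0.1",
                    "destination.ip": f"192.0.2.{i % 250}", "destination.port": 1000 + i})
    for i in range(250):  # 10.0.0.2: 250 distinct hosts, but a single port
        evs.append({"event.category": "network", "source.ip": "10.0.0.2",
                    "destination.ip": f"198.51.100.{i}", "destination.port": 445})
    for i in range(300):  # 10.0.0.3: many destinations, but not network events (ignored)
        evs.append({"event.category": "process", "source.ip": "10.0.0.3",
                    "destination.ip": f"203.0.113.{i % 200}", "destination.port": i})
    return evs


if __name__ == "__main__":
    print("ES|QL (AND):", esql_style_alerts(sample_events()))
    print("two rules (OR):", two_rule_alerts(sample_events()))
```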