[Elastic Security/SIEM] - Detect if a source IP contacts more destination IPs or more destination ports

vowag · July 10, 2024, 8:00am

Hi all,

I'm new to Elastic and I need to make a detection rule that detects if more than 200 unique destination IPs were accessed from same source IP
and if more that 400 unique destination ports are accessed from same source IP.
Is it possible in Kibana with a single rule? From Threshold rule documentation: "Nested fields are not supported for use with Group by."

A workaround was creating two different threshold rules:

1st rule:
Custom Query:
source.ip: x.x.x.x/y and event.category : "network"

Group by:
source.ip destination.ip >= 200

2nd rule:
Custom Query:
source.ip: x.x.x.x/y and event.category : "network"
Group by:
source.ip destination.port >= 400

Is there any other workaround?
If not, we need to work with 2 rules.

Thanks in advance.

isorokopud · July 24, 2024, 11:15am

Hey @vowag, thanks for reaching out!

You can try ES|QL rule type. Where you can build a query similar to this one

FROM source_index
| STATS ip_count = COUNT_DISTINCT(destination.ip), port_count = COUNT_DISTINCT(destination.port) BY host.name
| WHERE event.category == "network" AND ip_count > 200 AND port_count > 400

Here you can also find useful references to the ES|QL syntax, commands and examples.

Let us know if that helps!

system · August 21, 2024, 11:16am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Network Scan SIEM detection-rules	6	606	February 9, 2023
Threshold rule : how to? Elastic Security	3	2204	February 28, 2022
Threshold confusion (detecting a burst of connections on a specific port) Elastic Security	2	132	June 26, 2024
SIEM - Network scan SIEM	4	1864	August 19, 2022
Detect Horizontal Port Scan Elastic Security	2	3194	June 15, 2021

[Elastic Security/SIEM] - Detect if a source IP contacts more destination IPs or more destination ports

Related topics