Hi all,
I'm new to Elastic and I need to make a detection rule that detects if more than 200 unique destination IPs were accessed from the same source IP
and if more than 400 unique destination ports are accessed from the same source IP.
Is it possible in Kibana with a single rule? From the Threshold rule documentation: "Nested fields are not supported for use with Group by."
A workaround was creating two different threshold rules:
1st rule:
Custom Query:
source.ip: x.x.x.x/y and event.category : "network"
Group by:
source.ip destination.ip >= 200
2nd rule:
Custom Query:
source.ip: x.x.x.x/y and event.category : "network"
Group by:
source.ip destination.port >= 400
Is there any other workaround?
If not, we will need to work with 2 rules.
Thanks in advance.
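For anyone wanting to sanity-check the two cardinality conditions before wiring them into Kibana, here is an added example (not from the post above, and not Elastic's own code) that evaluates the same logic offline over ECS-style network events. It assumes events are flat dicts with dotted field names (`source.ip`, `destination.ip`, `destination.port`, `event.category`) and uses a constructed sample of traffic; `require_both` switches between a single combined condition and the behaviour of the two-rule workaround, where either rule alone fires.

```python
"""Offline evaluation of the 'many unique destinations from one source' logic.

Added example, not part of the original post: it applies the two cardinality
conditions (unique destination.ip >= 200 and unique destination.port >= 400
per source.ip, scoped to a CIDR and to event.category: "network") to
ECS-style events so the thresholds can be checked against sample data.
"""
import ipaddress
from collections import defaultdict


def summarize_by_source(events, scope_cidr):
    """Return {source.ip: {"dst_ips": set, "dst_ports": set}} for network
    events whose source.ip lies inside scope_cidr.

    Assumed event shape: flat dicts with dotted ECS field names. Events that
    lack any required field, or carry a malformed address, are skipped rather
    than counted, so incomplete records cannot inflate the cardinalities."""
    scope = ipaddress.ip_network(scope_cidr, strict=False)
    per_source = defaultdict(lambda: {"dst_ips": set(), "dst_ports": set()})
    for ev in events:
        if ev.get("event.category") != "network":
            continue
        src = ev.get("source.ip")
        dst = ev.get("destination.ip")
        port = ev.get("destination.port")
        if src is None or dst is None or port is None:
            continue  # incomplete record
        try:
            if ipaddress.ip_address(src) not in scope:
                continue  # outside the source.ip: x.x.x.x/y scope
        except ValueError:
            continue  # malformed address
        per_source[src]["dst_ips"].add(dst)
        per_source[src]["dst_ports"].add(int(port))
    return per_source


def sources_over_threshold(per_source, ip_threshold=200, port_threshold=400,
                           require_both=True):
    """Sources whose unique destination.ip / destination.port counts reach the
    thresholds. require_both=True behaves like one combined rule ("and");
    require_both=False behaves like the two-rule workaround, where either
    threshold rule fires on its own."""
    hits = {}
    for src, s in per_source.items():
        ip_hit = len(s["dst_ips"]) >= ip_threshold
        port_hit = len(s["dst_ports"]) >= port_threshold
        fired = (ip_hit and port_hit) if require_both else (ip_hit or port_hit)
        if fired:
            hits[src] = {"unique_dst_ips": len(s["dst_ips"]),
                         "unique_dst_ports": len(s["dst_ports"])}
    return hits


def build_sample_events():
    """Constructed sample traffic (not real data)."""
    events = []
    # 10.0.0.5 talks to 250 distinct hosts on 450 distinct ports: both thresholds
    for i in range(450):
        events.append({"event.category": "network", "source.ip": "10.0.0.5",
                       "destination.ip": f"192.0.2.{i % 250}",
                       "destination.port": 1000 + i})
    # 10.0.0.7 talks to 300 distinct hosts but only 3 ports: IP threshold only
    base = int(ipaddress.ip_address("198.51.100.0"))
    for i in range(300):
        events.append({"event.category": "network", "source.ip": "10.0.0.7",
                       "destination.ip": str(ipaddress.ip_address(base + i)),
                       "destination.port": 80 + (i % 3)})
    # 172.16.0.9 is outside the 10.0.0.0/8 scope and must be ignored
    for i in range(300):
        events.append({"event.category": "network", "source.ip": "172.16.0.9",
                       "destination.ip": f"192.0.2.{i % 250}",
                       "destination.port": 2000 + i})
    # records that must not be counted: missing port, non-network category
    events.append({"event.category": "network", "source.ip": "10.0.0.5",
                   "destination.ip": "192.0.2.251"})
    events.append({"event.category": "process", "source.ip": "10.0.0.5",
                   "destination.ip": "192.0.2.252", "destination.port": 22})
    return events


if __name__ == "__main__":
    summary = summarize_by_source(build_sample_events(), "10.0.0.0/8")
    print("combined (and):", sources_over_threshold(summary))
    print("two rules (or):", sources_over_threshold(summary, require_both=False))
```

With the constructed sample, the combined check flags only 10.0.0.5, while the two-rule behaviour also flags 10.0.0.7 on the destination-IP rule alone; that difference is worth deciding on explicitly before choosing between one rule and two.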