Elastic SIEM - Detection Rules - Multiple Thresholds in a Rule

Is there a way to apply multiple thresholds in a single rule?


More than 10 identical event.actions on more than 10 destination.hostnames in a span of 10 minutes

Threshold 1: Results aggregated by event.action >=10
Threshold 2: Results aggregated by destination.hostname >=10
Threshold 3: Results aggregated by @timestamp <= 10 minutes

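The three thresholds in the question are a count condition and a distinct-count condition on the same grouping (event.action), evaluated inside a time window. The script below is an added example, not code from the original post or from Elastic; it implements exactly that logic over constructed sample events so the combined condition can be checked offline. The one-line log format, the hostnames and the action names are assumptions made for the example; the field names come from the question.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format (assumption for this example, not an Elastic export):
#   "<ISO-8601 @timestamp> <event.action> <destination.hostname>"
def parse_event(line):
    ts, action, host = line.split()
    return datetime.fromisoformat(ts), action, host


def find_threshold_hits(lines, min_events=10, min_hosts=10, window=timedelta(minutes=10)):
    """Return one hit per event.action whose events, inside a single sliding
    `window`, number at least `min_events` AND span at least `min_hosts`
    distinct destination.hostname values (the three thresholds from the question)."""
    by_action = defaultdict(list)
    for line in lines:
        ts, action, host = parse_event(line)
        by_action[action].append((ts, host))

    hits = []
    for action, events in by_action.items():
        events.sort()                 # the sliding window needs time order
        hosts_in_window = Counter()   # hostname -> occurrences inside the window
        start = 0
        for end, (ts, host) in enumerate(events):
            hosts_in_window[host] += 1
            # evict events that fell out of the trailing 10-minute window
            while ts - events[start][0] > window:
                old_host = events[start][1]
                hosts_in_window[old_host] -= 1
                if hosts_in_window[old_host] == 0:
                    del hosts_in_window[old_host]
                start += 1
            count = end - start + 1
            if count >= min_events and len(hosts_in_window) >= min_hosts:
                hits.append({
                    "event.action": action,
                    "count": count,
                    "distinct_hosts": len(hosts_in_window),
                    "window_start": events[start][0],
                    "window_end": ts,
                })
                break  # the first qualifying window per action is enough for one alert
    return hits


# Constructed sample events (assumption: hostnames and actions are invented).
BASE = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

def constructed_line(offset_seconds, action, host):
    return f"{(BASE + timedelta(seconds=offset_seconds)).isoformat()} {action} {host}"

SAMPLE_LOG = (
    # 12 failed logons against 12 distinct hosts inside 6 minutes: all three thresholds met
    [constructed_line(30 * i, "logon-failed", f"srv-{i:02d}") for i in range(12)]
    # 12 scans against only 2 hosts inside 5 minutes: count met, distinct-host threshold not met
    + [constructed_line(25 * i, "port-scan", f"db-{i % 2}") for i in range(12)]
    # 15 reads on 15 hosts, 20 minutes apart: hosts met overall but never inside one window
    + [constructed_line(1200 * i, "file-read", f"fs-{i:02d}") for i in range(15)]
)

if __name__ == "__main__":
    for hit in find_threshold_hits(SAMPLE_LOG):
        print(hit)
```

Only `logon-failed` fires on the sample: `port-scan` reaches the event count but not the distinct-host count, and `file-read` reaches the distinct-host count only across five hours, never inside one 10-minute window. Keeping the per-hostname counts in a `Counter` rather than a `set` is what lets the window shrink correctly when a host that appeared twice loses only one of its events.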