Elastic SIEM - Detection Rules - Multiple Thresholds in a Rule

tushar.bansal · February 5, 2021, 3:11pm

Is there a way to apply multiple Thresholds in a single rule?

example:

More than 10 Identical event.actions on more than 10 destination.hostnames in a span of 10 minutes

Threshold 1: Results aggregated by event.action >=10
AND
Threshold 2: Results aggregated by destination.hostname >=10
AND
Threshold 3: Results aggregated by @timestamp <= 10 minutes

system · March 5, 2021, 3:11pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
SIEM feature request SIEM	5	517	October 29, 2020
Threshold Rule type - not able to send more than three field values in email action SIEM elastic-stack-alerting , detection-rules	1	408	August 31, 2021
Suppression of repeated alerts Elastic Security	2	674	August 13, 2021
SIEM Threshold Based Rules - Show several fields value SIEM	1	382	November 24, 2020
Threshold detection not working with group by SIEM elastic-stack-alerting	3	783	June 28, 2021

Elastic SIEM - Detection Rules - Multiple Thresholds in a Rule

Related Topics