Elasticsearch for correlation

Is it possible to write a query for Elasticsearch something like this:

If the same IP and the same username generate 3 different rule.id values within 15 min.

That's the sort of thing we're aiming to make easier in future with EQL.

Thanks Mark, what about getting the same query with a given IP, username and rule.id manually?

You could use a composite aggregation to group_by using date_histogram (15m), and terms (IP, username) and aggregate via cardinality on rule.id. This would give you the results, but you still need to scan them to report if they breach 3.

More advanced would be the same as above as transform. A transform will write the results to an index and you can use alerting on it (e.g. watcher).

++ if you don't care about results <3, you can use an ingest pipeline (as part of the transform destination) to drop those.

I do not have a fully fitting example, but this might be a starting pointer. In the group_by it's possible to add a date_histogram regarding the 15m time window you are looking for.
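The composite-aggregation approach from the reply above, written out as an added example (not code from the original thread or from Elastic): it builds the request body with a 15m `date_histogram` plus `terms` on IP and username as composite sources, a `cardinality` sub-aggregation on `rule.id`, and then does the client-side scan the reply says is still needed, flagging every bucket at or above 3 distinct rule ids. The field names `@timestamp`, `source.ip` and `user.name` are assumed ECS-style names; `rule.id` is the field named in the thread. The sample response is constructed to mimic the shape Elasticsearch returns.

```python
"""Composite aggregation for: same IP + same username hit N distinct rule.id
values inside one 15-minute window, with the breach check done client-side.
Assumed field names: @timestamp, source.ip, user.name (ECS style)."""
from typing import Any, Callable, Dict, List, Optional

THRESHOLD = 3   # distinct rule.id values per (window, ip, user) that count as a breach
WINDOW = "15m"  # fixed date_histogram interval for the correlation window


def build_request(after_key: Optional[Dict[str, Any]] = None,
                  page_size: int = 1000,
                  lookback: str = "now-24h") -> Dict[str, Any]:
    """Search body: one composite bucket per (15m window, ip, user), each with a
    cardinality sub-aggregation over rule.id. `after_key` is the pagination
    cursor returned by the previous page (composite aggs page with `after`)."""
    composite: Dict[str, Any] = {
        "size": page_size,
        "sources": [
            {"window": {"date_histogram": {"field": "@timestamp", "fixed_interval": WINDOW}}},
            {"ip": {"terms": {"field": "source.ip"}}},
            {"user": {"terms": {"field": "user.name"}}},
        ],
    }
    if after_key is not None:
        composite["after"] = after_key
    return {
        "size": 0,  # we only want the aggregation buckets, not the hits
        "query": {"range": {"@timestamp": {"gte": lookback}}},
        "aggs": {
            "by_key": {
                "composite": composite,
                "aggs": {"distinct_rules": {"cardinality": {"field": "rule.id"}}},
            }
        },
    }


def find_breaches(response: Dict[str, Any], threshold: int = THRESHOLD) -> List[Dict[str, Any]]:
    """Scan one page of buckets and keep those whose distinct rule.id count
    reaches the threshold. A composite agg cannot carry a bucket_selector,
    so this filtering has to happen on the client (or via a transform)."""
    breaches = []
    for bucket in response["aggregations"]["by_key"]["buckets"]:
        distinct = bucket["distinct_rules"]["value"]
        if distinct >= threshold:
            key = bucket["key"]
            breaches.append({"window": key["window"], "ip": key["ip"],
                             "user": key["user"], "distinct_rules": distinct})
    return breaches


def scan_all(search: Callable[[Dict[str, Any]], Dict[str, Any]],
             threshold: int = THRESHOLD) -> List[Dict[str, Any]]:
    """Page through the whole composite aggregation. `search` takes a request
    body and returns the raw response, e.g.
    lambda body: es.search(index="alerts-*", body=body)."""
    after_key = None
    breaches: List[Dict[str, Any]] = []
    while True:
        resp = search(build_request(after_key=after_key))
        breaches.extend(find_breaches(resp, threshold))
        agg = resp["aggregations"]["by_key"]
        after_key = agg.get("after_key")
        if not agg["buckets"] or after_key is None:  # last page reached
            return breaches


# Constructed sample response (same shape as a real composite agg response).
# Epoch-millisecond window keys are what date_histogram sources return.
SAMPLE_PAGE = {
    "aggregations": {"by_key": {
        "after_key": {"window": 1700000000000, "ip": "10.0.0.9", "user": "bob"},
        "buckets": [
            {"key": {"window": 1700000000000, "ip": "10.0.0.5", "user": "alice"},
             "doc_count": 7, "distinct_rules": {"value": 3}},
            {"key": {"window": 1700000000000, "ip": "10.0.0.5", "user": "carol"},
             "doc_count": 9, "distinct_rules": {"value": 1}},
            {"key": {"window": 1700000000000, "ip": "10.0.0.9", "user": "bob"},
             "doc_count": 4, "distinct_rules": {"value": 4}},
        ],
    }}
}
EMPTY_PAGE = {"aggregations": {"by_key": {"buckets": []}}}


def make_fake_search(pages: List[Dict[str, Any]]) -> Callable[[Dict[str, Any]], Dict[str, Any]]:
    """Stand-in for es.search that hands back the constructed pages in order."""
    queue = list(pages)
    return lambda body: queue.pop(0)


if __name__ == "__main__":
    for hit in scan_all(make_fake_search([SAMPLE_PAGE, EMPTY_PAGE])):
        print(f"{hit['ip']} / {hit['user']}: {hit['distinct_rules']} distinct rule.id in window {hit['window']}")
```

Two things worth knowing before relying on this: a fixed 15m `date_histogram` splits the timeline into aligned bins, so three rules fired at 10:14, 10:16 and 10:18 land in two different buckets and are not counted together (a transform over the same sources has the same property; a true sliding window needs either overlapping runs with an offset or EQL-style sequence matching). And `cardinality` is an approximate (HyperLogLog++) count; at counts as small as 3 it is exact in practice, but the threshold should not be pushed to very large values without remembering that.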

Is there any simple example that I can take a look at?

I added a link after editing, sorry:

https://www.elastic.co/guide/en/elasticsearch/reference/current/transform-examples.html#example-clientips
