Elasticsearch Query Alert

I want to create an Alert for a Suricata event.
What I want is to generate an alert based on a correlation across multiple documents.
The problem is that ElastAlert, KQL, and the query DSL all seem unable to query this way.

For example, in the case of ArcSight, an event rule can require source ip = destination ip, and multiple events with a specific event name can be combined into a correlation rule.

Like this, I want to create an Alert when there are multiple documents with the same src and dst ip and a specific event name.

If I know the IP and query for it myself, this problem can be solved easily, but I can't get a sense of how to do it among random events.

For example, if there is a document like the following, I want to generate an Alert when there are documents such as event-A and event-c.

Condition: dst ip = src ip and event-A, event-B exist

documents

    [
        {
            "timestamp" : "1",
            "event" : "event-A",
            "src ip" : "10.0.0.1",
            "dst ip" : "10.0.0.3",
            "direction" : "inbound"
        },
        {
            "timestamp" : "2",
            "event": "event-B",
            "src ip": "10.0.0.2",
            "dst ip": "10.0.0.11",
            "direction": "inbound"
        },
        {
            "timestamp" : "3",
            "event": "event-c",
            "src ip": "10.0.0.3",
            "dst ip": "10.0.0.12",
            "direction": "outbound"
        },
        {
            "timestamp" : "4",
            "event": "event-D",
            "src ip": "10.0.0.4",
            "dst ip": "10.0.0.13",
            "direction": "inbound"
        },
        {
            "timestamp" : "5",
            "event": "event-E",
            "src ip": "10.0.0.5",
            "dst ip": "10.0.0.14",
            "direction": "outbound"
        }
    ]

alerting

    [
        {
            "timestamp" : "1",
            "event": "event-A",
            "src ip": "10.0.0.1",
            "dst ip": "10.0.0.3",
            "direction": "inbound"
        },
        {
            "timestamp" : "3",
            "event": "event-c",
            "src ip": "10.0.0.3",
            "dst ip": "10.0.0.12",
            "direction": "outbound"
        }
    ]

Is it possible to query this way in Elasticsearch?
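The correlation the post describes, as an added example that is not part of the original post: a single Elasticsearch search cannot join one document's "dst ip" against another document's "src ip", so a common approach is to fetch the candidate documents (for example with a filtered search on the two event names) and pair them up client-side. The field names and sample documents are taken from the question; the optional time window and integer timestamps are assumptions.

```python
"""Client-side correlation of Suricata-style documents: alert when an
event-A document's "dst ip" equals an event-c document's "src ip"."""
from collections import defaultdict

# Constructed sample input, copied from the question above.
DOCUMENTS = [
    {"timestamp": "1", "event": "event-A", "src ip": "10.0.0.1", "dst ip": "10.0.0.3", "direction": "inbound"},
    {"timestamp": "2", "event": "event-B", "src ip": "10.0.0.2", "dst ip": "10.0.0.11", "direction": "inbound"},
    {"timestamp": "3", "event": "event-c", "src ip": "10.0.0.3", "dst ip": "10.0.0.12", "direction": "outbound"},
    {"timestamp": "4", "event": "event-D", "src ip": "10.0.0.4", "dst ip": "10.0.0.13", "direction": "inbound"},
    {"timestamp": "5", "event": "event-E", "src ip": "10.0.0.5", "dst ip": "10.0.0.14", "direction": "outbound"},
]


def correlate(docs, first_event, second_event, window=None):
    """Return (first, second) pairs where first["dst ip"] == second["src ip"],
    first is a `first_event` document, second is a `second_event` document,
    and second is not earlier than first (and at most `window` time units
    later when a window is given).  Timestamps are compared as integers,
    which is an assumption about the post's "1", "2", ... values."""
    # Index the second-stage events by their source IP so each first-stage
    # event needs only one dictionary lookup instead of a full scan.
    by_src = defaultdict(list)
    for doc in docs:
        if doc["event"] == second_event:
            by_src[doc["src ip"]].append(doc)

    hits = []
    for first in docs:
        if first["event"] != first_event:
            continue
        for second in by_src.get(first["dst ip"], ()):
            t1, t2 = int(first["timestamp"]), int(second["timestamp"])
            if t2 < t1:                          # second must follow first
                continue
            if window is not None and t2 - t1 > window:
                continue                         # outside the allowed window
            hits.append((first, second))
    return hits


if __name__ == "__main__":
    for a, c in correlate(DOCUMENTS, "event-A", "event-c"):
        print(f"ALERT: {a['event']} {a['src ip']}->{a['dst ip']} followed by "
              f"{c['event']} {c['src ip']}->{c['dst ip']}")
```

Running it on the sample documents reports exactly the event-A / event-c pair shown under "alerting"; the same join can be fed from the hits of a real search instead of the inline list.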
