Hello! I want to create an Okta SSO authentication alert in Elastic.co based on geo-ip information. The query in LOGIC terms should look something like this:
If client.user.id {133713371337} event.outcome == "success" with source.ip {85.145.234.50}
and if client.user.id {111122223333} event.outcome == "success" with source.ip of client.user.id {133713371337, in this example: 85.145.234.50}
How should I convert this to an EQL correlation query?
So far I have been only able to construct a simple query like this one:
Thank you. I can configure a threshold alert as a more generic rule. In other words, I can alert on any user who logged in from the same IP.
However, how would I configure this rule for two specific users (please note my initial start post)? How can I alert if a user with ID/name AAA uses the same IP as a user with ID/name BBB?
Apologies, didn't realise it was specific to those users.
In that case, EQL should work well. Right now, we support looking for a specific sequence of events, adding a rolling time window if you need.
You'll want something like:
sequence by source.ip
[authentication where client.user.id:"AAAAA" and event.outcome:"success"]
[authentication where client.user.id:"BBBBB" and event.outcome:"success"]
The "by" statement acts a join key here. This will only fire/match if the source IP address is the same for both events.
Final question though, how would this EQL query look if I want to alert on user(s) who do not have the same IP and event.outcome : "success" (one user which doesn't match with the other)?
Reason: I want to copy paste this EQL query in "Timelines" for hunting purposes.