EQL query to alert 1 alert per each user

yzaritskyi · July 28, 2023, 11:30am

Hello all!

I'd like to create a Rule based on the EQL query that will trigger an alert only once per user.

For example:
The input list of logs is
user1 ip1
user1 ip1
user2 ip2
user5 ip5
user4 ip4
user4 ip4
user20 ip20
user1 ip1
user20 ip20

And I want to create alerts based on that logs to see results like this:
alert1: user1 ip1
alert2: user2 ip2
alert3: user4 ip4
alert4: user5 ip5
alert5: user20 ip20

I try to detect the user's connection to some websites through DNS logs. This Rule runs every 24 hours, but a user can connect to the service I'm interested in more than 1 time, so I usually get more than 1 alert for the same user.

I tried to implement it using sequence by, but it doesn't work:

sequence by user.name, ?process.name
  [ network where network.protocol == "dns" and dns.question.name : ("***", "***") ]
  [ network where true ]

I would be really glad to hear any suggestions or the entire resolution. Thank you!

spong · August 1, 2023, 10:11pm

Hey there @yzaritskyi !

So if you only want one per grouping of user.name / process.name, you might want to try using a Threshold Rule ala:

You may want to include the dns name in the Group by depending on how you want your alerts broken apart.

Let me know if that works for you!

Cheers!
Garrett

yzaritskyi · August 8, 2023, 1:15pm

Thank you! You helped me a lot! It works exactly how I wanted.

system · September 5, 2023, 1:15pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.