Event correlation in 7.7

KevSex · May 20, 2020, 9:24pm

Hi all,

Following on from the release of 7.7.0 and the new "Alerting and Actions" feature, I'm wondering what the best method of alerting based on correlated events would be.

Loking to implement Alerting using the stack as a SIEM and require events to be correlated and alerts triggered on a match. I can't see an easy way of implementing said correlation.

As a very basic example, it would be good to understand how event correlation would work in the following scenario:

5 login failures for user account on server from IP address 1.1.1.1 then,
A successful login from same user account on server from IP address 1.1.1.1

Cheers,
Kev

Mike_Paquette · May 21, 2020, 12:02pm

Hi Kev, thanks for the post.

The type of correlation-based detection you describe is not currently possible using the SIEM app detection rules or Kibana Alerts and Actions.

We are currently working on adding a new SIEM rule type, based on a new query language called EQL, that will allow for detecting sequences of events like your example.

We can't say exactly when it will become available, but you can read about EQL this blog post or in this Elasticsearch preliminary documentation for a future release.

Thanks again, and please continue to provide us with additional feedback.

-Mike P.

Topic		Replies	Views
SIEM feature request SIEM	5	597	October 29, 2020
Best way to analyze Event Correlation Sequence detections SIEM elastic-stack-alerting , eql-elastic-query-language	6	2333	January 4, 2023
Correlation in Elastic-SIEM SIEM	2	489	July 2, 2020
Elk stack Kibana	4	303	May 4, 2021
KQL Comprehensive Tutorial on Event Correlation Rules SIEM docker	4	1172	December 26, 2022

Event correlation in 7.7

Related topics