Event correlation in 7.7

Hi all,

Following on from the release of 7.7.0 and the new "Alerting and Actions" feature, I'm wondering what the best method of alerting based on correlated events would be.

Loking to implement Alerting using the stack as a SIEM and require events to be correlated and alerts triggered on a match. I can't see an easy way of implementing said correlation.

As a very basic example, it would be good to understand how event correlation would work in the following scenario:

  • 5 login failures for user account on server from IP address 1.1.1.1 then,
  • A successful login from same user account on server from IP address 1.1.1.1

Cheers,
Kev

Hi Kev, thanks for the post.

The type of correlation-based detection you describe is not currently possible using the SIEM app detection rules or Kibana Alerts and Actions.

We are currently working on adding a new SIEM rule type, based on a new query language called EQL, that will allow for detecting sequences of events like your example.

We can't say exactly when it will become available, but you can read about EQL this blog post or in this Elasticsearch preliminary documentation for a future release.

Thanks again, and please continue to provide us with additional feedback.

-Mike P.