Following on from the release of 7.7.0 and the new "Alerting and Actions" feature, I'm wondering what the best method of alerting based on correlated events would be.
Looking to implement Alerting using the stack as a SIEM and require events to be correlated and alerts triggered on a match. I can't see an easy way of implementing said correlation.
As a very basic example, it would be good to understand how event correlation would work in the following scenario:
5 login failures for user account on server from IP address 1.1.1.1 then,
A successful login from same user account on server from IP address 1.1.1.1
The type of correlation-based detection you describe is not currently possible using the SIEM app detection rules or Kibana Alerts and Actions.
We are currently working on adding a new SIEM rule type, based on a new query language called EQL, that will allow for detecting sequences of events like your example.
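The failures-then-success correlation from the question, written as stateful detection logic over a stream of login events. This is an added example, not Elastic's own code and not the EQL rule type the reply mentions; the ECS-style field names and the sample events are constructed assumptions.

```python
"""Correlate N login failures followed by a success for the same user and source IP.

Added example (not Elastic code). Field names follow ECS naming as an
assumption: user.name, source.ip, event.outcome, @timestamp.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def correlate(events, threshold=5, maxspan=timedelta(minutes=10)):
    """Return one alert per (user, ip) pair whose success follows at least
    `threshold` failures inside a sliding window of `maxspan`.
    `events` must be sorted by @timestamp."""
    failures = defaultdict(deque)  # (user, ip) -> timestamps of recent failures
    alerts = []
    for ev in events:
        key = (ev["user.name"], ev["source.ip"])
        ts = datetime.fromisoformat(ev["@timestamp"])
        window = failures[key]
        # Expire failures that fell outside the correlation window.
        while window and ts - window[0] > maxspan:
            window.popleft()
        if ev["event.outcome"] == "failure":
            window.append(ts)
        elif ev["event.outcome"] == "success":
            if len(window) >= threshold:
                alerts.append({"user.name": key[0], "source.ip": key[1],
                               "failures": len(window), "success_at": ev["@timestamp"]})
            window.clear()  # a success ends the sequence, alert or not
    return alerts


def _ev(user, ip, outcome, hhmm):
    # Constructed sample event (not real log data).
    return {"user.name": user, "source.ip": ip, "event.outcome": outcome,
            "@timestamp": f"2020-05-20T{hhmm}:00"}


def sample_events():
    """Three constructed scenarios: carol's failures are too old to count,
    alice matches the question's 5-then-success pattern, bob has only 3 failures."""
    evs = [_ev("carol", "3.3.3.3", "failure", f"09:0{i}") for i in range(5)]
    evs.append(_ev("carol", "3.3.3.3", "success", "09:20"))
    evs += [_ev("alice", "1.1.1.1", "failure", f"10:0{i}") for i in range(5)]
    evs.append(_ev("alice", "1.1.1.1", "success", "10:05"))
    evs += [_ev("bob", "2.2.2.2", "failure", f"11:0{i}") for i in range(3)]
    evs.append(_ev("bob", "2.2.2.2", "success", "11:03"))
    return sorted(evs, key=lambda e: e["@timestamp"])


if __name__ == "__main__":
    for alert in correlate(sample_events()):
        print(alert)
```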