Fault trees?

randomuserid · December 19, 2018, 6:00pm

Is there a way to do this logic either in lucene - in Kibana - or in elastic search natively?

Where there are n or more events, in the blue index, where the value of field f is the same?
Where there are n or more events, in both the blue and the green index, where the value of field f is the same?

e.g. multiple events from the same source IP; or targeting the same destination IP; or events from different indexes with the same sort of field agreement.

Also what about this?

Where event one has a destination address "d" that is equal to the source address "s" in another event, in the same index, or in a different index.

The use case is for making certain kinds of correlated security alerts.

rashmi · December 19, 2018, 8:17pm

Am tagging a dev engineer here whoo is more comfortable with Lucene Kibana queries than I'am. Response may be delayed due to holiday season. @timroes can you please help here when you get time.

Thanks
Rashmi

system · January 16, 2019, 8:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Kibana search events where value of a field matches another fields value in the same event? Kibana kql-kibana-query-language	3	3584	November 17, 2021
Kibana Aggregation between types Kibana	6	710	December 21, 2017
Kibana Saved Search Kibana	4	560	July 12, 2017
Kibana - list an event which is happened after another event based on time stamp Kibana	3	2120	November 1, 2017
Correlate Across Events without Re-indexing/Enriching each Event Kibana	1	249	July 24, 2019

Fault trees?

Related topics