Fault trees?

randomuserid · December 19, 2018, 6:00pm

Is there a way to do this logic either in lucene - in Kibana - or in elastic search natively?

Where there are n or more events, in the blue index, where the value of field f is the same?
Where there are n or more events, in both the blue and the green index, where the value of field f is the same?

e.g. multiple events from the same source IP; or targeting the same destination IP; or events from different indexes with the same sort of field agreement.

Also what about this?

Where event one has a destination address "d" that is equal to the source address "s" in another event, in the same index, or in a different index.

The use case is for making certain kinds of correlated security alerts.

rashmi · December 19, 2018, 8:17pm

Am tagging a dev engineer here whoo is more comfortable with Lucene Kibana queries than I'am. Response may be delayed due to holiday season. @timroes can you please help here when you get time.

Thanks
Rashmi

system · January 16, 2019, 8:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.