Help me write a Watcher query


We define a user's activity as suspicious if he logs in after a very long period (1 month).

So, I need to find if there exists a log entry or request with some username whose last request was >= 1 month ago.

My log looks like this - username [21/Sep/2020:04:27:18 +0000] "GET /svn/repos HTTP/1.1" 200 289

Please help me with the Watcher query.

Why not create a threshold-based rule in the detection engine?

Hello @Felix_Roessel
I'm very much new to alerts & detections,

Can you please tell me the difference between a watcher query & threshold based rule in the detection engine?

If this is the better solution, can you please help me create one, as per my requirement?

The detection engine is the built-in feature to detect security-related threats. There are many advantages to using this type of detection, e.g. that you can follow up immediately and put the created alert in an investigation status.
Watcher is a very generic way of doing alerting. That's powerful but comes with complexity in setting it up.

To build your requirement in the detection engine navigate to Detections under Elastic Security (>v7.9) and click on manage detection rules.
There you are able to create a new rule. Choose threshold rule.
In the query bar you filter for every login event that's older than 30d (now-30d) .. don't have the exact query at hand but you will get it. It's easy.
Now you just need to add the group by field which is your and threshold > 0 .

After creating that rule you will get an alert every time someone was active one month ago. Is that what you want to achieve?

Thinking more about it, you probably want to observe the duration between two logs of the same user.
For that you need to use a transform first to calculate time between two events of the same user.
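
The per-user gap check described above (time between two consecutive requests of the same user), as an added example that is not part of any post in this thread and is not a Watcher, detection rule or transform definition: it parses the log format from the original question in plain Python. The usernames and sample lines are constructed, and "1 month" is assumed to mean 30 days.

```python
import re
from datetime import datetime, timedelta

# Log format from the original question:
# username [21/Sep/2020:04:27:18 +0000] "GET /svn/repos HTTP/1.1" 200 289
LINE_RE = re.compile(
    r'^(?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
DORMANCY = timedelta(days=30)  # assumption: "1 month" is treated as 30 days


def find_dormant_returns(lines, threshold=DORMANCY):
    """Return (user, previous_seen, returned_at, gap) for every request that
    follows a gap >= threshold since the same user's previous request."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        events.append((datetime.strptime(m["ts"], TS_FORMAT), m["user"]))
    events.sort()  # entries collected from several sources may be out of order

    last_seen, alerts = {}, []
    for ts, user in events:
        prev = last_seen.get(user)
        # A user with no earlier request has no gap to measure and is not flagged.
        if prev is not None and ts - prev >= threshold:
            alerts.append((user, prev, ts, ts - prev))
        last_seen[user] = ts
    return alerts


# Constructed sample input (not real log data).
SAMPLE_LOG = """\
alice [10/Aug/2020:09:00:00 +0000] "GET /svn/repos HTTP/1.1" 200 289
bob [01/Sep/2020:12:00:00 +0000] "GET /svn/repos HTTP/1.1" 200 289
alice [21/Sep/2020:04:27:18 +0000] "GET /svn/repos HTTP/1.1" 200 289
bob [20/Sep/2020:08:15:00 +0000] "GET /svn/repos HTTP/1.1" 200 289
carol [21/Sep/2020:05:00:00 +0000] "GET /svn/repos HTTP/1.1" 200 289
not a log line
""".splitlines()

if __name__ == "__main__":
    for user, prev, ts, gap in find_dormant_returns(SAMPLE_LOG):
        print(f"{user}: returned {ts.isoformat()} after {gap.days} days "
              f"(last seen {prev.isoformat()})")
```

The history fed to the function has to reach back further than the threshold, otherwise a returning user looks like a first-time user and is not flagged.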

Hello @Felix_Roessel

You are right & I need to alert if that duration exceeds a month.

How to write & use transforms?

Thank you
