How do I create an alert for a specific behavior of a unique field value


I am new to ELK and have been doing a lot of reading lately. Now I have downloaded xpack and all is set. I have written some simple alerts which have worked.

However, I want to write an alert that will notify an analyst when a particular IP address visits a virus or C & C site at least 10 times within 30 minutes. The objective is to quickly identify any compromised device for further investigation.

The field that I use to query all access to virus sites is the "subtype" field whose value is "virus", that is, "subtype = virus". That is how it is categorized within the UTM.

The IP address field contains thousands of different (unique) IP addresses. My interest is in the IP address which when I run the query "subtype = virus" for a time range of 30 minutes, I see the IP featuring more than 10 times.

Can you help me with the outline of the watch query to achieve this?

Thank you.


Whenever you create a watch, the first question you have to ask yourself is whether you can gather the data correctly in order to decide if you want to trigger an alert. This is also the case here. This is all about writing a good query and not about writing a watch.

In this example it looks to me as if you need a time range filter for the last 30 minutes and then a terms aggregation on the IP address, using the min_doc_count parameter as well.

Hope this helps!
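The outline in the reply, turned into a concrete watch body, as an added example that is not code from the original thread. It builds the search input (term filter on `subtype = virus`, range filter over the last 30 minutes, terms aggregation on the IP field with `min_doc_count: 10`), a script condition that fires when any bucket survives the threshold, and a logging action that lists the offending IPs. The index pattern `utm-logs-*`, the timestamp field `@timestamp` and the IP field name `srcip` are assumptions, since the question does not name them; the `offending_ips` helper mirrors the condition locally so the query can be dry-run against the `_search` API before the watch is installed.

```python
"""Watch definition for "one source IP hits subtype:virus >= 10 times in 30 minutes".

Added example, not code from the original thread. Assumed names (not given in the
post): index pattern "utm-logs-*", timestamp field "@timestamp", source IP field "srcip".
"""

THRESHOLD = 10                 # hits per IP that count as suspicious (from the question)
WINDOW = "30m"                 # look-back window (from the question)
INDEX_PATTERN = "utm-logs-*"   # assumption: where the UTM logs are indexed
IP_FIELD = "srcip"             # assumption: keyword field holding the client IP
TIME_FIELD = "@timestamp"      # assumption: event timestamp field


def build_watch(threshold=THRESHOLD, window=WINDOW, interval="5m"):
    """Return the body for PUT _watcher/watch/<watch-id>.

    Search input: term filter on subtype=virus plus a range filter on the last
    `window`; a terms aggregation on the IP field with min_doc_count=threshold so
    the response only contains IPs that crossed the line. The condition fires if
    any bucket came back, and the action lists them.
    """
    buckets = "ctx.payload.aggregations.by_ip.buckets"
    return {
        "trigger": {"schedule": {"interval": interval}},
        "input": {
            "search": {
                "request": {
                    "indices": [INDEX_PATTERN],
                    "body": {
                        "size": 0,  # only the aggregation is needed, not the raw hits
                        "query": {
                            "bool": {
                                "filter": [
                                    {"term": {"subtype": "virus"}},
                                    {"range": {TIME_FIELD: {"gte": "now-" + window, "lte": "now"}}},
                                ]
                            }
                        },
                        "aggs": {
                            "by_ip": {
                                "terms": {
                                    "field": IP_FIELD,
                                    "min_doc_count": threshold,  # drop IPs below the threshold server-side
                                    "size": 100,                 # cap on how many offending IPs to report
                                }
                            }
                        },
                    },
                }
            }
        },
        # Painless: true when at least one IP bucket survived min_doc_count
        "condition": {"script": {"source": "return %s.size() > 0" % buckets}},
        "actions": {
            "notify_analyst": {
                # do not re-alert on the same window every 5 minutes
                "throttle_period": window,
                "logging": {
                    "text": (
                        "Hosts with >= %d virus/C&C hits in the last %s: "
                        "{{#%s}}{{key}} ({{doc_count}} hits) {{/%s}}"
                    ) % (threshold, window, buckets, buckets)
                },
            }
        },
    }


def offending_ips(search_response, threshold=THRESHOLD):
    """Mirror of the watch condition/action: (ip, hits) pairs from a search response.

    Useful for dry-running the query with the _search API before installing the
    watch. The server already applies min_doc_count, but re-checking the threshold
    keeps this correct if someone runs the query without it.
    """
    buckets = search_response.get("aggregations", {}).get("by_ip", {}).get("buckets", [])
    return [(b["key"], b["doc_count"]) for b in buckets if b["doc_count"] >= threshold]


# Constructed sample response, shaped like what Elasticsearch returns for the
# aggregation above. The 3-hit bucket would not appear once min_doc_count is set;
# it is included to show the local re-check.
SAMPLE_RESPONSE = {
    "aggregations": {
        "by_ip": {
            "buckets": [
                {"key": "10.20.30.40", "doc_count": 23},
                {"key": "10.20.30.41", "doc_count": 12},
                {"key": "10.20.30.42", "doc_count": 3},
            ]
        }
    }
}

if __name__ == "__main__":
    import json
    print(json.dumps(build_watch(), indent=2))
    print(offending_ips(SAMPLE_RESPONSE))
```

Before installing the watch, run the `body` part of the search input against the `_search` endpoint for the chosen index pattern and confirm the buckets look right; the script condition uses the `source` key, which assumes a 6.x or later Watcher, and the IP field must be a `keyword` (or `ip`) type for the terms aggregation to work.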


