I am new to ELK and have been doing a lot of reading lately. Now I have downloaded X-Pack and all is set. I have written some simple alerts which have worked.
However, I want to write an alert that will notify an analyst when a particular IP address visits a virus or C&C site at least 10 times within 30 minutes. The objective is to quickly identify any compromised device for further investigation.
The field that I use to query all access to virus sites is the "subtype" field whose value is "virus", that is, "subtype = virus". That is how it is categorized within the UTM.
The IP address field contains thousands of different (unique) IP addresses. My interest is in any IP address that, when I run the query "subtype = virus" over a time range of 30 minutes, I see featuring more than 10 times.
Can you help me with the outline of the watch query to achieve this?
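One way to outline such a watch, added here as an example and not part of the original post or of any vendor documentation: a 30-minute search filtered on subtype=virus, a terms aggregation on the source-IP field with min_doc_count set to 10 so that only offending hosts come back as buckets, a script condition that fires when at least one bucket exists, and an e-mail action that lists each IP with its hit count. The index pattern `utm-*`, the field names `srcip` and `@timestamp`, and the recipient address are assumptions to be replaced with your own mapping; the body is what you would save with `PUT _xpack/watcher/watch/<watch_id>`.

```json
{
  "trigger": { "schedule": { "interval": "5m" } },
  "input": {
    "search": {
      "request": {
        "indices": [ "utm-*" ],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                { "term":  { "subtype": "virus" } },
                { "range": { "@timestamp": { "gte": "now-30m", "lte": "now" } } }
              ]
            }
          },
          "aggs": {
            "by_src_ip": {
              "terms": {
                "field": "srcip",
                "min_doc_count": 10,
                "size": 100,
                "shard_size": 1000,
                "order": { "_count": "desc" }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "lang": "painless",
      "source": "return ctx.payload.aggregations.by_src_ip.buckets.size() > 0"
    }
  },
  "actions": {
    "notify_analyst": {
      "throttle_period": "30m",
      "email": {
        "to": "soc-analysts@example.com",
        "subject": "Possible compromised host(s): >= 10 virus/C&C hits in 30 minutes",
        "body": "{{#ctx.payload.aggregations.by_src_ip.buckets}}{{key}}: {{doc_count}} hits\n{{/ctx.payload.aggregations.by_src_ip.buckets}}"
      }
    }
  }
}
```

The terms aggregation counts per shard first, so with thousands of distinct IPs keep `shard_size` well above `size` or a host just over the threshold can be missed; `throttle_period` stops the same host from being re-alerted on every 5-minute run while it remains inside the 30-minute window. On X-Pack 5.x the script condition uses `"inline"` instead of `"source"`.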