For example, i have infected PC in my network, and it sends many requests to C2 malware domain. So, i setup detection rule for this C2C domain and now i have got 100500 alerts from only 1 IP of infected PC. How to combine all this alerts to one (by client IP address)?

How to combine alerts in one?

peter_luo (peter luo | DTonomy) March 3, 2021, 7:33pm 2

Is this something addressing your questions shorturl.at/tySTZ
Not an out of box solution though.
It is consolidating alerts, discovering patterns and grouping related alerts to cases.
For your question: it extracts ip and groups 100500 alerts to one case and write to ELK case page.

Topic		Replies	Views
How to create a complex detection rule (indicator + correlation)? Elastic Security	8	654	August 31, 2023
Single behavior generates several alerts SIEM	4	1235	October 19, 2021
Group identical alerts in Elastic Security [7.14.2] Elastic Security detection-rules	1	439	December 2, 2021
1 alert for all detections & suppress repeat detections Elastic Security	4	680	November 4, 2022
SIEM custom rule to generate an alert if multiple users attempts with same source IP or same mac address Elastic Security elastic-stack-alerting	3	1014	December 30, 2021

How to combine alerts in one?

Related topics