How to deploy alert on incoming events

_omar · March 21, 2021, 10:06pm

Hi
I'm a new user of 'elastic', and need to deploy an alert that notify each event with 'geoip.country_name' tag value distinct than 'peru'. The alert have to be in real time, like the mostly siem solutions do, so far i got:

> PUT _watcher/watch/alert_geoip_watch
> {
> 	"trigger" : { "schedule" : { "interval" : "3m" }},
> 	"input" : {
> 		"search" : {
> 			"request" : {
> 				"indices" : [ "logstash*" ],
> 				"body" : {
> 					"query" : {
> 						"bool" : {
> 							"must" : { "exists": { "field": "geoip.country_name" } },
> 							"filter": { "range": { "@timestamp": { "gte": "now-3m" } } },
> 							"must_not": { "term": { "geoip.country_name": "peru" } }
> 						}
> 					}
> 				}
> 			}
> 		}
> 	},
> 	"condition" : {
> 		"compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
> 	},
> 	"actions": { }
> }

That 'Watcher' rule works, but I'm not sure that is a real time, because its trigger every 3 min and look on "now-3m" period. Any suggest?

Felix_Roessel · March 22, 2021, 5:44am

To get it near real time you can reduce the interval between each execution of course.
But if you would like to use this rule as part of your Elastic based SIEM I would recommend doing that kind of job with the detection engine in Kibana.

system · April 19, 2021, 5:44am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Tracking Containment Alerts Kibana elastic-stack-alerting	5	416	January 14, 2022
Kibana SIEM "External Alert" SIEM	4	1740	April 16, 2020
Calling Alerts from Watchers to detection Signals SIEM	15	838	October 29, 2020
Unable to forward watcher alert to index with all details SIEM elastic-stack-alerting	3	380	April 21, 2021
Tunning Watcher Elasticsearch elastic-stack-alerting	6	1494	July 6, 2017

How to deploy alert on incoming events

Related topics