How to deploy alert on incoming events

Hi
I'm a new user of 'elastic', and need to deploy an alert that notifies on each event whose 'geoip.country_name' tag value is distinct from 'peru'. The alert has to be in real time, like most SIEM solutions do. So far I've got:

> PUT _watcher/watch/alert_geoip_watch
> {
> 	"trigger" : { "schedule" : { "interval" : "3m" }},
> 	"input" : {
> 		"search" : {
> 			"request" : {
> 				"indices" : [ "logstash*" ],
> 				"body" : {
> 					"query" : {
> 						"bool" : {
> 							"must" : { "exists": { "field": "geoip.country_name" } },
> 							"filter": { "range": { "@timestamp": { "gte": "now-3m" } } },
> 							"must_not": { "term": { "geoip.country_name": "peru" } }
> 						}
> 					}
> 				}
> 			}
> 		}
> 	},
> 	"condition" : {
> 		"compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
> 	},
> 	"actions": { }
> }

That 'Watcher' rule works, but I'm not sure that it is real time, because it triggers every 3 min and looks at a "now-3m" period. Any suggestions?
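As an added example (not code from the thread), a small Python simulation of how the watch above behaves: it replays the same bool-query logic over a handful of constructed events with ingest lag, at the 3-minute schedule, once with the post's `now-3m` lookback and once with a 1-minute overlap, so the detection latency, the event that a lookback equal to the interval misses, and the repeat reports an overlap introduces all become visible. The `term` comparison is exact and case-sensitive, as it is in Elasticsearch; event timestamps, ingest delays and country values are all made up for the demonstration.

```python
from datetime import datetime, timedelta, timezone

T0 = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)  # constructed start of the schedule


def m(minutes, seconds=0):
    """Shorthand for T0 + offset."""
    return T0 + timedelta(minutes=minutes, seconds=seconds)


# Constructed events: @timestamp, the moment the doc became searchable (ingest lag),
# and geoip.country_name (None = field absent, so the "exists" clause drops it).
EVENTS = [
    {"id": "ontime", "ts": m(0, 30), "indexed_at": m(0, 40), "geoip.country_name": "Chile"},
    {"id": "peru",   "ts": m(1),     "indexed_at": m(1, 5),  "geoip.country_name": "peru"},
    {"id": "nogeo",  "ts": m(1, 30), "indexed_at": m(1, 35), "geoip.country_name": None},
    {"id": "edge",   "ts": m(2, 45), "indexed_at": m(2, 50), "geoip.country_name": "Chile"},
    {"id": "late",   "ts": m(2, 30), "indexed_at": m(3, 30), "geoip.country_name": "Brazil"},
]


def matches(ev):
    """Same logic as the watch's bool query: the field must exist, and a term query
    is an exact match, so only the literal value 'peru' is excluded."""
    country = ev["geoip.country_name"]
    return country is not None and country != "peru"


def run_watch(events, interval_min, lookback_min, ticks):
    """Evaluate the search at each scheduled tick (T0 + interval * n).
    Returns ({event id: detection latency} for events seen by at least one tick,
    number of times an already-reported event showed up in a later tick)."""
    interval, lookback = timedelta(minutes=interval_min), timedelta(minutes=lookback_min)
    first_seen, repeats = {}, 0
    for n in range(1, ticks + 1):
        now = T0 + interval * n
        for ev in events:
            searchable = ev["indexed_at"] <= now                # not visible before ingest finished
            in_window = now - lookback <= ev["ts"] <= now       # range @timestamp gte now-<lookback>
            if searchable and in_window and matches(ev):
                if ev["id"] in first_seen:
                    repeats += 1
                else:
                    first_seen[ev["id"]] = now - ev["ts"]
    return first_seen, repeats


if __name__ == "__main__":
    for lookback in (3, 4):  # the post's now-3m, then a one-minute overlap
        seen, repeats = run_watch(EVENTS, 3, lookback, ticks=3)
        latencies = {k: str(v) for k, v in seen.items()}
        print(f"interval=3m lookback={lookback}m detected={latencies} repeats={repeats}")
```

With `now-3m` the "late" event (indexed 1 minute after its timestamp) is never reported; with `now-4m` it is caught at the next tick, at the cost of the "edge" event being returned by two consecutive runs.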

To get it near real time you can reduce the interval between each execution, of course.
But if you would like to use this rule as part of your Elastic-based SIEM, I would recommend doing that kind of job with the detection engine in Kibana.
