How to deploy alert on incoming events

_omar · March 21, 2021, 10:06pm

Hi
I'm a new user of 'elastic', and need to deploy an alert that notify each event with 'geoip.country_name' tag value distinct than 'peru'. The alert have to be in real time, like the mostly siem solutions do, so far i got:

> PUT _watcher/watch/alert_geoip_watch
> {
> 	"trigger" : { "schedule" : { "interval" : "3m" }},
> 	"input" : {
> 		"search" : {
> 			"request" : {
> 				"indices" : [ "logstash*" ],
> 				"body" : {
> 					"query" : {
> 						"bool" : {
> 							"must" : { "exists": { "field": "geoip.country_name" } },
> 							"filter": { "range": { "@timestamp": { "gte": "now-3m" } } },
> 							"must_not": { "term": { "geoip.country_name": "peru" } }
> 						}
> 					}
> 				}
> 			}
> 		}
> 	},
> 	"condition" : {
> 		"compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
> 	},
> 	"actions": { }
> }

That 'Watcher' rule works, but I'm not sure that is a real time, because its trigger every 3 min and look on "now-3m" period. Any suggest?

Felix_Roessel · March 22, 2021, 5:44am

To get it near real time you can reduce the interval between each execution of course.
But if you would like to use this rule as part of your Elastic based SIEM I would recommend doing that kind of job with the detection engine in Kibana.

system · April 19, 2021, 5:44am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Using Alert in Elasticsearch? Elasticsearch	2	638	July 6, 2017
Near real time alerts for syslogs Elasticsearch	8	1207	July 6, 2017
Spike detection in elasticsearch Elasticsearch elastic-stack-alerting	5	3728	July 6, 2017
Writing watcher alerts back to elastic Elasticsearch	2	572	October 18, 2017
How to do Real Time Alerting in ELK Elasticsearch	1	743	August 13, 2018

How to deploy alert on incoming events

Related topics