Can anyone please help me set up a simple correlation rule using EQL that detects whether the same source.ip attempts more than 50 destination.ip values within 15 minutes?
I'm unable to write EQL.
I have FortiGate logs; my correlation rule is like
sequence by source.ip with maxspan=15m
[network where event.action == "deny"]
[network where true]
I know that here "by source.ip" means the same source.ip. "network" is the value present in the event.category field. "network where true" is just there because there must be two sequence patterns in brackets. The 2nd condition means that event.category "network" should exist.
It looks like you have the core idea right, that by and maxspan=15m are two ways to add your conditions to the query. Currently, there's no shorthand to say "at least 50 events" within the sequence. The only way to do that today with EQL:
sequence by source.ip with maxspan=15m
[network where event.action == "deny"]
[network where event.action == "deny"]
[network where event.action == "deny"]
[network where event.action == "deny"]
[network where event.action == "deny"]
// 45 more times
There are some discussions to make this syntax more expressive and succinct. But I'm not sure what/when that will be.
Alternatively, you can play around with a threshold rule, which aggregates a lot of things that look the same. It doesn't have sliding windows like EQL, but it will most likely be more performant.
Oh, more than 50 unique destinations. I'm sorry I didn't understand that part.
There's no way to do that in EQL today. I understand that there is a feature under active development for threshold rules that should be able to satisfy these conditions:
same source IP
within a 15m bucket (not a sliding window, but you can emulate one with from/to parameters combined with the scheduling interval)
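To make the sliding-window versus fixed-bucket distinction from the replies above concrete, here is an added example (not code from the thread or from Elastic) that runs the "more than 50 unique destination.ip per source.ip in 15 minutes" logic over constructed ECS-style events in plain Python. It implements both a trailing window (what an EQL sequence's maxspan gives you) and aligned 15-minute buckets (what a scheduled threshold rule approximates). The sample events, IP addresses and timestamps are all made up for the example; they are not real FortiGate output.

```python
"""Detect a source.ip reaching more than N unique destination.ip values in a
15-minute window, as a sliding window and as fixed buckets (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=15)
THRESHOLD = 50  # alert when the unique-destination count exceeds this


def _t(minutes):
    """Constructed timestamp: `minutes` after 2024-01-01T00:00:00Z."""
    return datetime(2024, 1, 1, tzinfo=timezone.utc) + timedelta(minutes=minutes)


def _event(ts, src, dst, action):
    return {"@timestamp": ts, "source.ip": src, "destination.ip": dst,
            "event.category": "network", "event.action": action}


def make_events():
    """Constructed sample events (not real logs) covering three cases."""
    events = []
    # Scanner: 60 distinct destinations in 10 minutes, straddling the 00:15 boundary.
    for i in range(60):
        events.append(_event(_t(10 + i / 6), "10.0.0.5", f"192.168.1.{i + 1}", "deny"))
    # Slow source: 60 distinct destinations, but only one per minute over an hour.
    for i in range(60):
        events.append(_event(_t(i), "10.0.0.9", f"192.168.2.{i + 1}", "deny"))
    # Allowed traffic from the scanner: must be ignored by the deny filter.
    for i in range(100):
        events.append(_event(_t(12), "10.0.0.5", f"192.168.3.{i + 1}", "accept"))
    return events


def is_deny(ev):
    """The filter the EQL query above applies: network events with action deny."""
    return ev["event.category"] == "network" and ev["event.action"] == "deny"


def sliding_window_alerts(events, threshold=THRESHOLD, window=WINDOW):
    """Trailing window per source.ip; fires when the unique count crosses threshold.

    Returns a list of (source.ip, timestamp of the event that crossed the line).
    """
    alerts = []
    # per source: (queue of (ts, dst) inside the window, dst -> occurrences in queue)
    state = defaultdict(lambda: (deque(), defaultdict(int)))
    for ev in sorted((e for e in events if is_deny(e)), key=lambda e: e["@timestamp"]):
        queue, counts = state[ev["source.ip"]]
        queue.append((ev["@timestamp"], ev["destination.ip"]))
        counts[ev["destination.ip"]] += 1
        # Evict everything older than the window relative to the newest event.
        while queue and ev["@timestamp"] - queue[0][0] > window:
            _, old_dst = queue.popleft()
            counts[old_dst] -= 1
            if counts[old_dst] == 0:
                del counts[old_dst]
        if len(counts) == threshold + 1:  # fire once, on the crossing event
            alerts.append((ev["source.ip"], ev["@timestamp"]))
    return alerts


def fixed_bucket_alerts(events, threshold=THRESHOLD, window=WINDOW):
    """Aligned buckets per (source.ip, bucket index), like a scheduled threshold rule.

    Returns a sorted list of (source.ip, bucket index) whose unique count exceeds threshold.
    """
    buckets = defaultdict(set)
    size = window.total_seconds()
    for ev in events:
        if is_deny(ev):
            idx = int(ev["@timestamp"].timestamp() // size)
            buckets[(ev["source.ip"], idx)].add(ev["destination.ip"])
    return sorted(key for key, dsts in buckets.items() if len(dsts) > threshold)


if __name__ == "__main__":
    evs = make_events()
    print("sliding:", sliding_window_alerts(evs))   # scanner is caught
    print("buckets:", fixed_bucket_alerts(evs))     # scanner split 30/30, missed
```

The scanner's 60 destinations are split 30/30 across the 00:00-00:15 and 00:15-00:30 buckets, so the fixed-bucket version never reaches 51 in either bucket while the sliding window fires at the 51st destination; that is the gap the "from/to combined with the scheduling interval" workaround (overlapping query windows) exists to close. The slow source never exceeds 16 unique destinations in any 15 minutes and correctly stays quiet in both modes.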