Kibana alerts with cusotm fields

Marek_Galbavy · July 22, 2024, 6:53am

Hi i try to create custom rule which find communication for more than 250 destination.ports. My problem is when the alert is created i dont have information which ports was in this communication.

this is my ESQL
from logs-network_traffic.*

| where CIDR_MATCH(source.ip,"10.0.0.0/8") or CIDR_MATCH(source.ip, "172.16.0.0/12") OR CIDR_MATCH(source.ip, "192.168.0.0/16")

| stats unique_ports = count_distinct(destination.port), ports = values(destination.port) by source.ip

| where unique_ports > 250

i have in alert field unique_ports with total count thats great but i cant see particular ports. funkction values doestn work .

The same problem i have in other alerts. How can i write query/alert with information which i wont?

nikitaindik · August 5, 2024, 1:36pm

Hi @Marek_Galbavy! I have tried your ES|QL query locally and it seems to work fine for me. I was able to find the port values in the "ports" field of the generated alert. Which version of Kibana are you using?

system · September 2, 2024, 1:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.