Kibana alerts with custom fields

Hi, I am trying to create a custom rule which finds communication to more than 250 destination.ports. My problem is that when the alert is created, I don't have information about which ports were in this communication.

This is my ESQL:
from logs-network_traffic.*
| where CIDR_MATCH(source.ip,"10.0.0.0/8") or CIDR_MATCH(source.ip, "172.16.0.0/12") OR CIDR_MATCH(source.ip, "192.168.0.0/16")
| stats unique_ports = count_distinct(destination.port), ports = values(destination.port) by source.ip
| where unique_ports > 250

In the alert I have the field unique_ports with the total count, which is great, but I can't see the particular ports. The function values doesn't work.

I have the same problem in other alerts. How can I write a query/alert with the information which I want?

Hi @Marek_Galbavy! I have tried your ES|QL query locally and it seems to work fine for me. I was able to find the port values in the "ports" field of the generated alert. Which version of Kibana are you using?