Kibana alerts with cusotm fields

Marek_Galbavy · July 22, 2024, 6:53am

Hi i try to create custom rule which find communication for more than 250 destination.ports. My problem is when the alert is created i dont have information which ports was in this communication.

this is my ESQL
from logs-network_traffic.*

| where CIDR_MATCH(source.ip,"10.0.0.0/8") or CIDR_MATCH(source.ip, "172.16.0.0/12") OR CIDR_MATCH(source.ip, "192.168.0.0/16")

| stats unique_ports = count_distinct(destination.port), ports = values(destination.port) by source.ip

| where unique_ports > 250

i have in alert field unique_ports with total count thats great but i cant see particular ports. funkction values doestn work .

The same problem i have in other alerts. How can i write query/alert with information which i wont?

nikitaindik · August 5, 2024, 1:36pm

Hi @Marek_Galbavy! I have tried your ES|QL query locally and it seems to work fine for me. I was able to find the port values in the "ports" field of the generated alert. Which version of Kibana are you using?

system · September 2, 2024, 1:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
[Elastic Security/SIEM] - Detect if a source IP contacts more destination IPs or more destination ports Elastic Security	2	91	August 21, 2024
Elasticsearch query type alert in kibana alerts Kibana elastic-stack-alerting	6	611	June 24, 2021
How to create custom message info for monitors in Elastic? Kibana elastic-stack-alerting	4	1277	November 19, 2021
Threshold confusion (detecting a burst of connections on a specific port) Elastic Security	2	132	June 26, 2024
Alerts issue Kibana	2	31	September 27, 2024

Kibana alerts with cusotm fields

Related topics