How should I write Elastic rule that detect if more than 10 unique destinations were accessed from same source IP within 1 minutes.
Best Regards
Hi @Gurban , this would be a very straightforward threshold rule. It would look something like this:
Let me know if you need help with anything else.
if I want to convert this rule to a port scan rule then I have to change destination.ip to destination.port in the count field?
That's right! You might also want to exclude some IPs in the query bar, such as 127.0.0.1/localhost etc.
Last question. What if I want to write these rules with EQL ? I need example.
It's not possible at the moment. We cannot perform unique aggregations with EQL.