Hello,
I have a rule in Kibana that counts the number of packets received for a given wlan-src
every second. This is the current setup:
- Custom query:
event.wlan-src: *
- Runs every 1 second
- Threshold: 63 packets
However, I would like to modify this rule so that it executes only when a new packet with the field event.wlan-src
arrives, rather than continuously counting the packets. Is it technically possible to set up such a rule in Kibana without requiring a paid license?
Any help or guidance would be appreciated!
Thank you!
Hello!
I think what you are looking for is a New Terms rule.
Thanks for your answer!
But I'm not sure that's what I want, as the description of a 'New Terms rule' is that we want to detect new packets.
Here, I want the rule to run each time a new packet meets the conditions. Basically, if I don't receive a matching packet for 10 hours, I don't want the rule to run.
Thanks for the explanation!
Our security rules can't run on demand at the moment.
Rules will always run depending on the interval you configured.
Also, I noticed that you run the rule every 1s plus 1 minute of look-back time.
For example, when the rule is executed:
- Rule executed at 12:30:00 - will search data from 12:28:59-12:30:00
- Next rule executed 12:30:01 - will search data from 12:29:00-12:30:01
- Next rule executed 12:30:02 - will search data from 12:29:01-12:30:02
It depends on your cluster and the number of rules, but this configuration can cause performance problems in the future if you have a lot of rules like that.
But maybe you will give us more context about your use case, and we will try to find a better solution with our rules.
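The overlapping-window arithmetic from the reply above, as an added example (not part of the original thread and not Kibana's own code). It assumes each execution queries the half-open range (run time minus interval minus look-back, run time], a simplification of the real range query, and shows why a 1s interval with a 1m look-back makes every packet get re-read by about 61 consecutive executions:

```python
from datetime import datetime, timedelta


def rule_windows(first_run, interval_s, lookback_s, n_runs):
    """Search windows for n consecutive executions of a detection rule.

    A rule that runs every `interval_s` seconds with an additional look-back
    of `lookback_s` seconds is assumed to query, at execution time t, the
    range (t - interval - lookback, t].  Returns (run_time, start, end) tuples.
    """
    span = timedelta(seconds=interval_s + lookback_s)
    step = timedelta(seconds=interval_s)
    return [(first_run + i * step, first_run + i * step - span, first_run + i * step)
            for i in range(n_runs)]


def executions_covering(event_time, windows):
    """Count how many executions re-read an event that arrived at `event_time`.

    Uses the half-open range (start, end] assumed in rule_windows(); each hit
    is one more time the same packet contributes to the threshold count.
    """
    return sum(1 for _, start, end in windows if start < event_time <= end)


def describe(windows):
    """Render windows the way the reply above lists them (HH:MM:SS)."""
    t = lambda d: d.strftime("%H:%M:%S")
    return ["%s: %s-%s" % (t(run), t(start), t(end)) for run, start, end in windows]


if __name__ == "__main__":
    # Constructed schedule: 1s interval, 60s look-back, starting at 12:29:00.
    runs = rule_windows(datetime(2024, 1, 1, 12, 29, 0), 1, 60, 200)
    for line in describe(runs[60:63]):
        print(line)
    packet = datetime(2024, 1, 1, 12, 29, 30)
    print("1s/60s: packet re-read by", executions_covering(packet, runs), "executions")
    slow = rule_windows(datetime(2024, 1, 1, 12, 29, 0), 300, 60, 200)
    print("5m/60s: packet re-read by", executions_covering(packet, slow), "executions")
```

With the 1s interval each packet is scanned by 61 consecutive executions, so a burst of 63 packets does not produce one alert but feeds the threshold count on every run for the next minute; with a 5m interval and the same look-back, the same packet is read once (occasionally twice at a window boundary), which is the performance difference the reply is pointing at.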
Thanks for your reply. I just wanted to know if it was possible for my project.
It would be nice to implement it.