Hello friends
Good morning
I hope you are all well.
I recently encountered a question regarding a client's request involving the creation of a rule to detect access to certain IP addresses.
The client has some rules in Elastic SIEM to detect IP addresses of prohibited websites. Upon investigating how these rules were created, they follow a specific pattern described below:
destination.ip: "X.X.X.X" OR "X.X.X.X" OR "X.X.X.X" OR etc...
In this case, I need to create a new rule that correlates the existing rules for detecting prohibited website addresses with the following fields:
Date and Time;
Source IP of the machines;
Destination IP of the machines;
Source MAC address of the machines;
Destination MAC address of the machines;
Website URL.
At the end of creating this new rule that correlates this information, I need to create a Dashboard for this rule in Elastic SIEM that displays all this data when clicked, to facilitate searches.
I'm having trouble creating this new rule, especially regarding the correlation between the already created rules that detect restricted access sites and the new rule that displays this information.
Could you help me by telling me how I could solve this problem?
Sincerely.
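As an added example (not the poster's or the client's code, and not anything from the Elastic project), the following Python shows one way to approach the question above: instead of correlating a second rule against the existing "destination.ip" rules, a single rule matches the blocked addresses and names the ECS fields to surface (`@timestamp`, `source.ip`, `destination.ip`, `source.mac`, `destination.mac`, `url.full`). The query is built in the grouped KQL form, the rule body uses the Kibana Detection Engine API field names as I understand them (an assumption to check against your Kibana version, especially `investigation_fields`), and a local preview runs the same membership test over constructed sample events so the fields can be checked before the rule is deployed.

```python
import ipaddress
import json

# Constructed blocklist for the example; the post shows only "X.X.X.X"
# placeholders, so these are documentation addresses (RFC 5737).
BLOCKED_IPS = ["192.0.2.10", "192.0.2.10", "198.51.100.7", "203.0.113.42"]

# ECS fields the post asks to see for every hit.
FIELDS = [
    "@timestamp",        # date and time
    "source.ip",
    "destination.ip",
    "source.mac",
    "destination.mac",
    "url.full",          # website URL (url.original is the ECS alternative)
]


def build_kql(blocklist):
    """Return a KQL query matching any blocked destination.ip.

    Addresses are validated and de-duplicated, and the OR list is wrapped in
    parentheses so every value is scoped to destination.ip. Without the
    parentheses, `destination.ip: "a" OR "b"` turns "b" into a free-text
    search across all fields.
    """
    seen = []
    for raw in blocklist:
        ip = str(ipaddress.ip_address(raw.strip()))  # ValueError on bad input
        if ip not in seen:
            seen.append(ip)
    if not seen:
        raise ValueError("blocklist is empty")
    values = " OR ".join(f'"{ip}"' for ip in seen)
    return f"destination.ip: ({values})"


def build_rule(blocklist, index_patterns=("logs-*", "filebeat-*")):
    """Assemble a detection-rule body for the Kibana Detection Engine API.

    The top-level keys follow the API as I know it; `investigation_fields`
    (which drives the columns shown in alert details) is the one most likely
    to differ between Kibana versions, so treat it as an assumption.
    """
    return {
        "name": "Access to prohibited website addresses",
        "description": "Traffic to a destination IP on the prohibited list.",
        "type": "query",
        "language": "kuery",
        "index": list(index_patterns),
        "query": build_kql(blocklist),
        "risk_score": 47,
        "severity": "medium",
        "interval": "5m",
        "from": "now-6m",
        "enabled": True,
        "investigation_fields": {"field_names": FIELDS},
    }


def preview_hits(events, blocklist):
    """Local pre-flight: apply the same membership test the rule applies and
    project each hit onto the requested fields, so the dashboard columns can
    be verified before anything is deployed."""
    blocked = {str(ipaddress.ip_address(ip)) for ip in blocklist}
    hits = []
    for event in events:
        if event.get("destination.ip") in blocked:
            hits.append({field: event.get(field) for field in FIELDS})
    return hits


# Constructed ECS-style events (dotted keys for brevity); not real traffic.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T08:00:00Z", "source.ip": "10.0.0.5",
     "destination.ip": "203.0.113.42", "source.mac": "00-11-22-33-44-55",
     "destination.mac": "66-77-88-99-AA-BB", "url.full": "http://203.0.113.42/"},
    {"@timestamp": "2024-05-01T08:01:00Z", "source.ip": "10.0.0.6",
     "destination.ip": "8.8.8.8", "source.mac": "00-11-22-33-44-66",
     "destination.mac": "66-77-88-99-AA-CC", "url.full": "https://dns.google/"},
]

if __name__ == "__main__":
    print(json.dumps(build_rule(BLOCKED_IPS), indent=2))
    for hit in preview_hits(SAMPLE_EVENTS, BLOCKED_IPS):
        print(hit)
```

Once the rule is enabled, every match is written to the Security alerts index (`.alerts-security.alerts-*`) with the source document's fields, so the dashboard can be a Lens table over that index filtered on the rule name, with the six fields above as columns; no rule-to-rule correlation is needed, because the fields come from the same event the existing "destination.ip" match already fires on.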