As the title already suggests, I am looking for a way in Kibana to generate a Security alert if one event occurs x times within a given timespan.
Example: five failed logins on a system within 5 minutes
I've tried it with a Threshold rule, but as far as I can see, it is not possible to define a time range. My second attempt was to create a Correlation rule, as this rule type can have a "maxspan" which defines the time range to look at. Unfortunately, "maxspan" can only be used in conjunction with "sequence", and I don't have a sequence.
If I have understood it correctly, "logs threshold rules" are for log monitoring (or something like that). Or is it possible to create alerts from the Security app based on logs threshold rules?
The use case seems to be an easy one (example):
A firewall sends event and traffic information via Filebeat to Elastic
Somebody enters a wrong password on the firewall five times within 5 minutes
But I don't think you need to change anything in this case.
For example, if you set your rule schedule to run every 5 minutes, it will always look for the data in the past 5 minutes; basically, it will look into now-5m, and since it also has a default additional look-back time of 1m, it will in fact look into now-6m.
For example, if you set a rule to run every 5 minutes with an additional look-back time of 1 minute, the rule runs every 5 minutes but analyzes the documents added to indices during the last 6 minutes.
And also
It is recommended to set the Additional look-back time to at least 1 minute. This ensures there are no missing alerts when a rule does not run exactly at its scheduled time.
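The following is an added worked example (not code from the thread or from Elastic) that models the windowing the answer describes: one rule execution at time `now` inspects `now - interval - look-back .. now`, counts matching events per `host.name`, and raises an alert when the count reaches the threshold. The events, host names and timestamps are constructed sample data; the field names follow ECS naming as an assumption about what Filebeat would ship for a firewall. It also shows why the 1-minute look-back matters: a failure that happened 5.5 minutes ago is only counted with the look-back, and a run that starts 30 seconds late leaves no uncovered gap when the look-back is present.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=UTC)  # constructed "current time"

INTERVAL = timedelta(minutes=5)      # rule schedule: "runs every 5 minutes"
LOOKBACK = timedelta(minutes=1)      # "additional look-back time" from the docs
NO_LOOKBACK = timedelta(0)           # for comparison only
THRESHOLD = 5                        # five failed logins trigger an alert


def _ev(minutes_ago, host, user, outcome):
    """Build one constructed ECS-style authentication event."""
    return {
        "@timestamp": NOW - timedelta(minutes=minutes_ago),
        "host.name": host,
        "user.name": user,
        "event.category": "authentication",
        "event.outcome": outcome,
    }


# Constructed sample events (assumed shape, not real firewall output).
SAMPLE_EVENTS = [
    _ev(7.0, "fw-edge-01", "admin", "failure"),   # outside even the 6m window
    _ev(5.5, "fw-edge-01", "admin", "failure"),   # inside the window only thanks to the 1m look-back
    _ev(4.0, "fw-edge-01", "admin", "failure"),
    _ev(3.0, "fw-edge-01", "admin", "failure"),
    _ev(2.0, "fw-edge-01", "admin", "failure"),
    _ev(1.5, "fw-edge-01", "admin", "success"),   # successful login, must not count
    _ev(1.0, "fw-edge-01", "admin", "failure"),
    _ev(4.0, "fw-branch-02", "ops", "failure"),   # only three failures: stays below threshold
    _ev(2.0, "fw-branch-02", "ops", "failure"),
    _ev(1.0, "fw-branch-02", "ops", "failure"),
]


def is_failed_login(event):
    """Rule query: authentication events whose outcome is 'failure'."""
    return (event.get("event.category") == "authentication"
            and event.get("event.outcome") == "failure")


def rule_window(now, interval, lookback):
    """Time range one execution inspects: now - interval - look-back .. now."""
    return now - interval - lookback, now


def evaluate_threshold_rule(events, now, interval, lookback, threshold, group_by, match):
    """Count matching events per group inside the window; return groups at or above threshold."""
    start, end = rule_window(now, interval, lookback)
    counts = Counter()
    for event in events:
        if not match(event):
            continue
        if start <= event["@timestamp"] <= end:
            counts[event[group_by]] += 1
    return {group: n for group, n in counts.items() if n >= threshold}


def uncovered_seconds(previous_run, this_run, interval, lookback):
    """Seconds between two runs that neither window covers (0 when the look-back absorbs the delay)."""
    gap = (this_run - previous_run) - (interval + lookback)
    return max(0.0, gap.total_seconds())


def demo():
    """Run the rule with and without look-back and return the outcomes for inspection."""
    with_lookback = evaluate_threshold_rule(
        SAMPLE_EVENTS, NOW, INTERVAL, LOOKBACK, THRESHOLD, "host.name", is_failed_login)
    without_lookback = evaluate_threshold_rule(
        SAMPLE_EVENTS, NOW, INTERVAL, NO_LOOKBACK, THRESHOLD, "host.name", is_failed_login)
    # Previous execution happened 5m30s ago, i.e. this one started 30 seconds late.
    late_prev = NOW - timedelta(minutes=5, seconds=30)
    return {
        "alerts_with_lookback": with_lookback,          # {'fw-edge-01': 5}
        "alerts_without_lookback": without_lookback,    # {} (only 4 failures in now-5m)
        "gap_with_lookback": uncovered_seconds(late_prev, NOW, INTERVAL, LOOKBACK),       # 0.0
        "gap_without_lookback": uncovered_seconds(late_prev, NOW, INTERVAL, NO_LOOKBACK),  # 30.0
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Grouping on `host.name` is what turns "five failed logins on a system" into a per-system count rather than a fleet-wide one; in a real rule the same effect comes from the threshold field, and the window comes from the schedule plus look-back rather than from anything in the query itself.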