Query for an event that happens X times within a given timerange


As the title already suggests, I am looking for a way in Kibana to generate a Security alert if one event occurs x times within a given timespan.

Example: Five Failed logins on a system within 5 Minutes

I've tried it with a Threshold rule, but as far as I can see, it is not possible to define a timerange. My second attempt was to create a Correlation rule, as this rule type can have a "maxspan" which defines the timerange to look at. Unfortunately "maxspan" can only be used in conjunction with "sequence". And I don't have a sequence :slight_smile:

Basic license, so watcher is not available.

I would be very happy about support from you.

Are you talking about the logs threshold rule? If so, you can define the range in the FOR THE LAST option, this is the lookback time.

If you set FOR THE LAST to 5 minutes, this means that when the rule is triggered it will look back 5 minutes to see if it matches.

If you set this rule to run every 4 minutes and look back 5 minutes, you will always be looking into a window of 5 minutes.

If I have understood it correctly, "logs threshold rules" are for log monitoring (or something like that). Or is it possible to create alerts from the Security app based on logs threshold rules?

The use case seems to be an easy one (example):

  • A firewall sends event and traffic information via filebeat to elastic
  • Somebody enters a wrong password on the firewall five times within 5 minutes
  • Kibana Security rule is triggered

Any Ideas?

Yeah, you are right, sorry for the confusion.

But I don't think you need to change anything in this case.

For example, if you set your rule schedule to run every 5 minutes, it will always look for the data in the past 5 minutes; basically it will look into now-5m, and since it also has a default additional look-back time of 1m, it will in fact look into now-6m.

Per the documentation you have this:

For example, if you set a rule to run every 5 minutes with an additional look-back time of 1 minute, the rule runs every 5 minutes but analyzes the documents added to indices during the last 6 minutes.

And also

It is recommended to set the Additional look-back time to at least 1 minute. This ensures there are no missing alerts when a rule does not run exactly at its scheduled time.

So this will fit the use case you described.
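As an added example (not code from the thread or from Elastic), the following Python builds the Security-app threshold rule body the answer describes (5-minute interval plus 1-minute additional look-back, so the rule queries `now-6m` on each run) in the shape accepted by Kibana's detection rule API, and replays a few constructed failed-login timestamps against that schedule. The index pattern and the ECS field names in the query are assumptions for illustration. The replay also shows the one caveat worth knowing: a threshold rule counts documents inside each execution's query window, not inside any sliding 5-minute window, so five failures that straddle two consecutive windows are not counted together unless the rule runs more often with a longer look-back.

```python
"""Kibana Security threshold rule for "five failed logins within five minutes",
with a small replay of how each execution's query window selects events.
Added example; rule field names follow the detection-engine rule API schema,
the query assumes ECS-formatted authentication events (constructed assumption)."""
from datetime import datetime, timedelta, timezone


def build_threshold_rule(interval_minutes=5, lookback_minutes=1, count=5):
    """Return a rule body for POST /api/detection_engine/rules.

    Every `interval` the rule queries documents from `from` up to now and
    groups them by the threshold fields; a group with at least `value`
    documents produces an alert. `from` is interval + additional look-back,
    exactly as the thread describes (5m interval + 1m look-back -> now-6m).
    """
    return {
        "name": "Five failed logins within 5 minutes (example)",
        "description": "Threshold rule built as an illustration for the thread above.",
        "type": "threshold",
        "language": "kuery",
        "index": ["filebeat-*"],  # assumed index pattern for the firewall logs
        "query": "event.category:authentication and event.outcome:failure",
        "threshold": {"field": ["host.name", "user.name"], "value": count},
        "interval": f"{interval_minutes}m",
        "from": f"now-{interval_minutes + lookback_minutes}m",
        "risk_score": 47,
        "severity": "medium",
        "enabled": True,
    }


def simulate_runs(event_times, first_run, interval_minutes, lookback_minutes, count):
    """Replay rule executions starting at `first_run`, every `interval_minutes`.

    Each execution counts events in [run - (interval + look-back), run] and
    fires when the count reaches `count`. Returns the execution times that fired.
    """
    window = timedelta(minutes=interval_minutes + lookback_minutes)
    step = timedelta(minutes=interval_minutes)
    fired = []
    run = first_run
    while run <= max(event_times) + step:
        hits = sum(1 for t in event_times if run - window <= t <= run)
        if hits >= count:
            fired.append(run)
        run += step
    return fired


T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock origin


def at_minute(minutes, seconds=0):
    """Constructed timestamp `minutes`:`seconds` after T0."""
    return T0 + timedelta(minutes=minutes, seconds=seconds)


# Constructed timestamps of failed logins by one user on one firewall.
BURST_IN_ONE_WINDOW = [at_minute(1), at_minute(2), at_minute(3), at_minute(4), at_minute(4, 30)]
BURST_ACROSS_WINDOWS = [at_minute(3), at_minute(4), at_minute(5, 30), at_minute(6), at_minute(7)]

if __name__ == "__main__":
    import json
    print(json.dumps(build_threshold_rule(), indent=2))
    # Five failures inside one window: the 12:05 execution fires.
    print(simulate_runs(BURST_IN_ONE_WINDOW, T0, 5, 1, 5))
    # Five failures in four minutes but straddling two windows: no execution fires.
    print(simulate_runs(BURST_ACROSS_WINDOWS, T0, 5, 1, 5))
    # Same events, 1m interval + 4m look-back (still a 5m window): fires at 12:07.
    print(simulate_runs(BURST_ACROSS_WINDOWS, T0, 1, 4, 5))
```

Running it prints the rule JSON, then `[12:05]`, then `[]`, then `[12:07, 12:08]`: the second burst is only caught when the 5-minute window is evaluated every minute, which is the trade-off between the schedule the answer suggests and a denser (more query load) schedule.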
