Reducing the number of Alerts

praveen_siem · February 17, 2016, 12:01pm

We are creating rule "Brute force Attack" in ELK with the condition as mentioned below:

if "Invalid" in [tags] {
throttle {
before_count => 5
after_count => 5
period => 86400
key => "%{src_ip}"
add_tag => "throttled"
}
}

what does the parameter "period=>86400" indicate here, it is that if there are 5 events from the same source IP, the rule will not trigger for the next 24 hours

OR

if 5 events occur in a time frame of 2 mins, the rule will trigger.

Which one holds true.? We are looking for second one...with no repititions in the next 24 hours.

Thanks
/Praveen

warkolm · February 18, 2016, 6:27am

As long as the count is less than the before_count or greater than the after_count, the event will be "throttled" which means the filter will be considered successful and any tags or fields will be added.

Period being the time that it looks for the events, so it's the first one.

praveen_siem · February 18, 2016, 7:03am

Thanks Mark,

Consider, the second case - "if 5 events occur in a time frame of 2 mins, the rule will trigger", how do you write the condition for this case in ELK.

Thanks
/Praveen

Topic		Replies	Views
Logstash Throttle logic Logstash	1	774	July 6, 2017
Throttle filter: Notify on throttle Logstash	9	1073	February 21, 2021
Logstash tag events if it occurs more than certain limit Logstash	2	698	July 6, 2017
Pipeline throttle not working properly Logstash	1	432	March 5, 2020
Use threshold to trigger email sending Logstash	6	2178	July 6, 2017

Reducing the number of Alerts

Related topics