Reducing the number of Alerts

We are creating a rule "Brute force Attack" in ELK with the condition mentioned below:

filter {
  if "Invalid" in [tags] {
    throttle {
      # counter is kept per source IP; period is in seconds (86400 = 24 h)
      before_count => 5
      after_count => 5
      period => 86400
      key => "%{src_ip}"
      add_tag => "throttled"
    }
  }
}

What does the parameter "period => 86400" indicate here? Is it that if there are 5 events from the same source IP, the rule will not trigger for the next 24 hours,

OR

that if 5 events occur in a time frame of 2 minutes, the rule will trigger?

Which one holds true? We are looking for the second one, with no repetitions in the next 24 hours.

Thanks
/Praveen

As long as the count is less than the before_count or greater than the after_count, the event will be "throttled" which means the filter will be considered successful and any tags or fields will be added.

Period is the time window in which it looks for the events, so it's the first one.

Thanks Mark,

Consider the second case, "if 5 events occur in a time frame of 2 minutes, the rule will trigger". How do you write the condition for this case in ELK?

Thanks
/Praveen
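The following is an added simulation, not Logstash itself and not code from either participant, that runs the tagging rule Mark describes over a constructed set of login events. It shows what the config in the first post actually tags with before_count 5 / after_count 5 / period 86400, and then a two-stage throttle that expresses the second case (alert once when 5 failures from one source IP land within 2 minutes, then stay quiet for that IP for 24 hours). Assumptions not taken from the thread: counts are kept per key in fixed, epoch-aligned windows of `period` seconds (ts // period), counter expiry (max_age) is ignored, and the sample events, the field names, and the helper names (`throttle`, `original_rule`, `brute_force_alerts`, `untagged_failures`) are constructed for this example.

```python
"""Simulate the Logstash throttle filter's tagging rule over constructed login events."""
import copy
from collections import defaultdict

# Constructed sample events (not from the thread). "ts" is seconds since epoch;
# failed logins carry the "Invalid" tag, the one successful login at ts=25 does not.
SAMPLE_EVENTS = [
    {"ts": 0,     "src_ip": "10.0.0.5", "tags": ["Invalid"]},
    {"ts": 5,     "src_ip": "10.0.0.9", "tags": ["Invalid"]},
    {"ts": 10,    "src_ip": "10.0.0.5", "tags": ["Invalid"]},
    {"ts": 15,    "src_ip": "10.0.0.9", "tags": ["Invalid"]},
    {"ts": 20,    "src_ip": "10.0.0.5", "tags": ["Invalid"]},
    {"ts": 25,    "src_ip": "10.0.0.5", "tags": []},            # success: must not be counted
    {"ts": 30,    "src_ip": "10.0.0.5", "tags": ["Invalid"]},
    {"ts": 40,    "src_ip": "10.0.0.5", "tags": ["Invalid"]},   # 5th failure within 2 minutes
    {"ts": 50,    "src_ip": "10.0.0.5", "tags": ["Invalid"]},
    {"ts": 60,    "src_ip": "10.0.0.5", "tags": ["Invalid"]},
    {"ts": 3600,  "src_ip": "10.0.0.5", "tags": ["Invalid"]},   # lone failure an hour later
    {"ts": 90000, "src_ip": "10.0.0.5", "tags": ["Invalid"]},   # next day's burst
    {"ts": 90010, "src_ip": "10.0.0.5", "tags": ["Invalid"]},
    {"ts": 90020, "src_ip": "10.0.0.5", "tags": ["Invalid"]},
    {"ts": 90030, "src_ip": "10.0.0.5", "tags": ["Invalid"]},
    {"ts": 90040, "src_ip": "10.0.0.5", "tags": ["Invalid"]},   # 5th failure of day 2
]


def throttle(events, key, before_count, after_count, period, add_tag,
             only_if=lambda ev: True):
    """Model of one throttle filter wrapped in an `if` conditional (only_if).

    ASSUMPTION (this example's model, not verified against Logstash source): the
    count is kept per (key value, ts // period), i.e. epoch-aligned windows of
    `period` seconds, and counters never expire.  The tagging rule is the one Mark
    states: tag the event when its count is below before_count or above
    after_count; -1 disables that bound.  Returns copies; input is left untouched.
    """
    counters = defaultdict(int)
    out = []
    for ev in events:
        ev = copy.deepcopy(ev)
        if only_if(ev):
            slot = (ev[key], ev["ts"] // period)
            counters[slot] += 1
            n = counters[slot]
            below = before_count != -1 and n < before_count
            above = after_count != -1 and n > after_count
            if below or above:
                ev["tags"].append(add_tag)
        out.append(ev)
    return out


def original_rule(events):
    """The config from the first post: before 5 / after 5 / period 86400, keyed on src_ip."""
    return throttle(events, "src_ip", 5, 5, 86400, "throttled",
                    only_if=lambda ev: "Invalid" in ev["tags"])


def untagged_failures(events, tag):
    """Timestamps of failed-login events that did NOT receive `tag`."""
    return [ev["ts"] for ev in events
            if "Invalid" in ev["tags"] and tag not in ev["tags"]]


def brute_force_alerts(events, burst=5, window=120, quiet=86400):
    """Second case: alert on the `burst`-th failure per source IP inside `window`
    seconds, then suppress further alerts for that IP for `quiet` seconds.

    Stage 1 tags every failure beyond burst-1 in a window as "brute_force";
    stage 2 runs only on those and tags all but the first per quiet period as
    "suppressed".  An alert is a "brute_force" event that is not "suppressed".
    """
    stage1 = throttle(events, "src_ip", -1, burst - 1, window, "brute_force",
                      only_if=lambda ev: "Invalid" in ev["tags"])
    stage2 = throttle(stage1, "src_ip", -1, 1, quiet, "suppressed",
                      only_if=lambda ev: "brute_force" in ev["tags"])
    return [ev for ev in stage2
            if "brute_force" in ev["tags"] and "suppressed" not in ev["tags"]]


if __name__ == "__main__":
    print("untagged by original rule:", untagged_failures(original_rule(SAMPLE_EVENTS), "throttled"))
    print("brute-force alerts:", [(ev["ts"], ev["src_ip"]) for ev in brute_force_alerts(SAMPLE_EVENTS)])
```

Two things the run makes visible. With the first post's settings, the only failed login per source IP per day that escapes the "throttled" tag is exactly the fifth one; the first four and everything after the fifth are tagged, so that config does not express "5 failures trigger an alert" and cannot express a 2-minute burst at all, since its only window is 24 hours. The two-stage version gives one alert at ts 40 (the fifth failure inside the first 2-minute window) and one at ts 90040 the next day, with the sixth and seventh failures on day 1 suppressed. In Logstash terms this would be two throttle filters, the first with period 120 and after_count 4, the second with period 86400 and after_count 1 applied only to events already tagged by the first; that mapping is an assumption of this example and was not tested in Logstash here. The fixed-window model also has a known blind spot: a burst that straddles a window boundary is split across two counters and may never reach the threshold.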