Hi all
I have a question regarding the SIEM detection.
I have some Windows logs that are from 2019, and now when I index them into our Elastic the @timestamp for them is 2019. Now I want the detection engine to also search through that data to see if there is anything that needs to raise a signal.
So basically I want to know how to set the detection engine to search a different time, or to set some specific rule to search a different time.
This is a current pain point for users: we are doing near-real-time detection so far, but we haven't gotten to doing specific interval rule runs. We are hoping to get to that feature.
But I do have some good news for you: you do have some work-arounds, abilities you can utilize, that can still get the job done.
The first one that is really nice is in "advanced settings": you can pick a different timestamp and use something such as event.ingested, and then mark all of your documents with a timestamp that is close to the current date/time.
Then the signals will pick them up, run against them, and write out up to the 100 signals per rule run on anything found.
The second option for you would be an incredibly long look-back time that you can set, then run the rule(s) once and reset the look-back time. This isn't as ideal, and you can obviously get a lot of timeouts doing this, as it is going to comb through a large volume of data at once, but it might help you out momentarily. If you go this route to do a large "catch up", I would recommend running only 1 or 2 rules at a time manually to get them caught up and then resetting them to the standard settings.
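The two work-arounds in the reply above, as an added Python example that is not part of the original thread or of Elastic's own code. It assumes a placeholder index name (`winlogbeat-2019`), a rule that uses `event.ingested` as its timestamp override, and rule schedules written in Kibana's "Runs every" / "Additional look-back time" notation such as `5m` and `730d`; the `_update_by_query` body and the sample documents are constructed for illustration.

```python
"""Model of the detection engine's search window, to show why re-stamping
historical documents (option 1) or a long look-back (option 2) makes a
2019 event visible to a rule that only looks at recent data.

Assumptions (not from the original thread): index name, field names and
the Kibana-style duration syntax are placeholders; nothing here talks to
a live cluster, so it runs offline.
"""
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}


def parse_duration(text):
    """Parse a Kibana-style duration such as '5m', '1h' or '730d'."""
    m = re.fullmatch(r"(\d+)([smhd])", text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})


def rule_window(now, interval, lookback):
    """Range a scheduled run searches: (now - interval - look-back) .. now."""
    start = now - parse_duration(interval) - parse_duration(lookback)
    return start, now


def get_field(doc, path):
    """Resolve a dotted field name ('event.ingested') in a nested document."""
    value = doc
    for part in path.split("."):
        value = value[part]
    return value


def in_window(doc, window, timestamp_field="@timestamp"):
    """True if the rule would consider this document in the given window.
    A timestamp override makes the rule read timestamp_field instead of @timestamp."""
    start, end = window
    ts = datetime.fromisoformat(get_field(doc, timestamp_field).replace("Z", "+00:00"))
    return start <= ts <= end


def backfill_request(index, from_ts, to_ts, ingested_ts):
    """Build an _update_by_query body (placeholder index) that stamps
    event.ingested on documents whose @timestamp is in the historical range.
    Only a request body is produced; sending it is left to the caller."""
    return {
        "_index": index,
        "query": {"range": {"@timestamp": {"gte": from_ts, "lte": to_ts}}},
        "script": {
            "lang": "painless",
            "source": (
                "if (ctx._source.event == null) { ctx._source.event = [:]; } "
                "ctx._source.event.ingested = params.ts"
            ),
            "params": {"ts": ingested_ts},
        },
    }


# Constructed sample data: a fixed "now" keeps the example deterministic.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=UTC)
HISTORICAL_DOC = {"@timestamp": "2019-03-04T08:15:00Z", "winlog": {"event_id": 4625}}
BACKFILLED_DOC = {**HISTORICAL_DOC, "event": {"ingested": "2024-01-15T11:58:00Z"}}


def demo():
    """Compare a standard 5m/1m schedule against both work-arounds."""
    standard = rule_window(NOW, "5m", "1m")
    catch_up = rule_window(NOW, "5m", "1830d")  # option 2: very long look-back
    return {
        "standard_rule_sees_2019_doc": in_window(HISTORICAL_DOC, standard),
        "override_rule_sees_backfilled_doc": in_window(BACKFILLED_DOC, standard, "event.ingested"),
        "catch_up_rule_sees_2019_doc": in_window(HISTORICAL_DOC, catch_up),
        "backfill_body": backfill_request("winlogbeat-2019", "2019-01-01", "2019-12-31",
                                          NOW.strftime("%Y-%m-%dT%H:%M:%SZ")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

The catch-up window is the expensive path the reply warns about: every rule run scans the whole range, so run it on one or two rules and then restore the normal look-back.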