SIEM detections

Hi All

I have been trying out SIEM functionalities in ELK 7.8. I have a use case

I need to detect and alert 'No logs received for last 6 hours' from a particular host

Is it possible using SIEM detection?

You can use the free Alerting functionality to do that, using something like this example.

Hi @amalchandran thanks for the question. We think such a Zero-detector rule would be a good addition to the current capabilities, but there is not currently direct support for that.

In addition to the suggestion above, if you're running in Elastic Cloud, or have a license that includes the Elastic Stack machine learning features, you can use the SIEM's machine-learning rule type to create an excellent detection for no/unusually-low log volumes.

Think of this as an advanced option that takes a bit of work. You'd first create an Elasticsearch machine learning anomaly detection job to detect low_count anomalies in your data, usually based on some field like event.dataset:apache.access or as you say host.name:myhost. You could pick a bucket span that corresponds to your desired 6-hour timeframe, or select another period. Save the job with a group/tag of "siem". See https://www.elastic.co/guide/en/machine-learning/7.8/create-jobs.html for more details on how to configure machine learning jobs.

Then go to SIEM detections, and create a new detection rule of type "machine learning", and choose the ML job you just created. Pick an interval over which you'd like the rule to run. When the rule runs, it will create a signal (alert) each time it finds that the anomaly detection job has detected an unusually low count of logs from your desired sources.

If you wouldn't mind sharing, what's the use case for this "no-log" detector?
Have you looked at a monitoring solution like Elastic Uptime? https://www.elastic.co/guide/en/uptime/current/uptime-overview.html

Thanks again for your post, and please keep 'em coming!
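As an added example (not part of the thread above, nor Elastic's own code), the three request bodies the reply walks through: the anomaly detection job with a low_count detector tagged into the "siem" group, its datafeed, and the SIEM detection rule of type machine_learning that points at the job. Everything here is built offline with plain dicts; sending is optional and only happens when you set the assumed environment variables ES_URL and KIBANA_URL. The job id "siem_low_log_volume", the index pattern "filebeat-*", the hostname "myhost", and the risk/severity values are placeholders chosen for the example, not values from the original post.

```python
"""Build (and optionally send) an ML low-volume job, its datafeed, and a
SIEM machine_learning detection rule, as described in the reply above.

Added example, not code from the original thread. Assumed placeholders:
ES_URL / KIBANA_URL (read from the environment), job id, index pattern.
"""
import json
import os
import urllib.request

JOB_ID = "siem_low_log_volume"  # assumed job id


def bucket_span_seconds(span):
    """Parse an Elasticsearch time value such as '6h', '30m' or '90s'."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    return int(span[:-1]) * units[span[-1]]


def ml_job_body(bucket_span="6h", partition_field="host.name"):
    """Anomaly detection job: one low_count detector, split per host.

    groups=["siem"] is what lets the SIEM machine-learning rule type find
    the job in its job picker.
    """
    return {
        "description": "Low log volume per host",
        "groups": ["siem"],
        "analysis_config": {
            "bucket_span": bucket_span,
            "detectors": [
                {
                    "detector_description": f"low_count partitionfield={partition_field}",
                    "function": "low_count",
                    "partition_field_name": partition_field,
                }
            ],
            "influencers": [partition_field],
        },
        "data_description": {"time_field": "@timestamp"},
        "analysis_limits": {"model_memory_limit": "32mb"},
    }


def datafeed_body(job_id=JOB_ID, indices=("filebeat-*",), host=None):
    """Datafeed that feeds the job; optionally narrowed to a single host,
    matching the 'from a particular host' wording of the question."""
    query = {"match_all": {}} if host is None else {"term": {"host.name": host}}
    return {"job_id": job_id, "indices": list(indices), "query": query}


def detection_rule_body(job_id=JOB_ID, interval="1h", anomaly_threshold=75):
    """SIEM detection rule (type machine_learning) that creates a signal
    whenever the referenced job reports an anomaly at or above the threshold.
    The look-back ('from') is kept longer than the job's 6h bucket so a
    completed bucket is not missed between rule runs."""
    return {
        "name": "No / unusually low log volume from host",
        "description": "Fires on low_count anomalies from the siem ML job",
        "type": "machine_learning",
        "machine_learning_job_id": job_id,
        "anomaly_threshold": anomaly_threshold,
        "risk_score": 47,       # placeholder
        "severity": "medium",   # placeholder
        "interval": interval,
        "from": "now-7h",
        "enabled": True,
    }


def window_is_consistent(job, rule_from_hours):
    """Sanity check: the rule look-back must cover at least one full bucket."""
    span = job["analysis_config"]["bucket_span"]
    return rule_from_hours * 3600 >= bucket_span_seconds(span)


def _send(method, url, body, extra_headers=None):
    headers = {"Content-Type": "application/json"}
    headers.update(extra_headers or {})
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:  # assumes auth via the URL or a proxy
        return json.load(resp)


if __name__ == "__main__":
    es, kibana = os.environ.get("ES_URL"), os.environ.get("KIBANA_URL")
    if es and kibana:
        _send("PUT", f"{es}/_ml/anomaly_detectors/{JOB_ID}", ml_job_body())
        _send("PUT", f"{es}/_ml/datafeeds/datafeed-{JOB_ID}",
              datafeed_body(host="myhost"))
        _send("POST", f"{kibana}/api/detection_engine/rules",
              detection_rule_body(), {"kbn-xsrf": "true"})
    else:
        print(json.dumps(ml_job_body(), indent=2))
```

Run it without the environment variables to inspect the job body; with them set, it creates the job and datafeed in Elasticsearch and the rule in Kibana (the job still has to be opened and the datafeed started, which the ML UI does for you). The rule's look-back is deliberately wider than the 6-hour bucket; shrinking `from` below the bucket span is the usual reason such a rule never fires.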
