SIEM feature request

Hi,
As I was scrolling down a huge pile of logs, I came up with this idea for the SIEM that I really want.

What I want is the ability to detect multiple events in sequence. What I mean is that, for example, I have a huge pile of logs from some IP that is trying to brute-force an account, and then after that an event shows that the same IP successfully logged on to that account, which means the account has been compromised. So I want a rule to detect multiple failed events and then, if the success event appears within some period of time, raise a signal.

3 Likes

Hi, thanks for reaching out. There is an existing feature, called threshold alerts, that will get you partly there. This capability of the detection engine allows you to look for N events before triggering an alert. Here is the link to the docs on the feature: https://www.elastic.co/guide/en/security/current/rules-ui-create.html

We also have some prebuilt threshold rules you can use as examples to build from: https://www.elastic.co/guide/en/security/current/aws-iam-brute-force-of-assume-role-policy.html

As for correlating numerous events (look for this and then that), we released an amazing new capability in Elasticsearch 7.9 called Event Query Language (EQL). EQL is a new query language that allows for correlation of events in a simple and fast way. It is not yet leveraged in the Security application, but stay tuned for more on that soon. https://www.elastic.co/guide/en/elasticsearch/reference/master/eql.html

1 Like

Thanks for your replies @hmnichols
What I really want is to be able to query 2 fields one after another rather than querying them both at once. For example, with event ID logs,
I want to query for event 4625, and then if event 4625 appears after, like, 5 minutes, the signal will be raised.

This is exactly the power that EQL provides. Here is a generic example:
sequence by field_foo with maxspan=30s
[ event_category_1 where condition_1 ] by field_baz
[ event_category_2 where condition_2 ] by field_bar

More specific examples can be seen here: https://www.elastic.co/guide/en/elasticsearch/reference/master/eql-ex-threat-detection.html

Indeed, EQL should fit your use case perfectly; however, in the meantime you could use a watcher with some "advanced" queries and some scripts. The situation that you described is very similar to this example:

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.