Hi, I'm new with Elastic SIEM and now I need to create a rule to detect ssh successful login with multiple IP address with the same username. I wonder how can I create a rule like this since if I using Custon Query or Threshold type, it will be stick to 1 IP only.
filebaet and auditbeat is running already on the server and I can see SSH logs in the discovery
Thank you
Hi Kambing,
What you are trying to do is not possible with the static detection rules. You might want to look into Machine Learning rules.
A similar question was asked two weeks ago, if you want to read a bit here is a link:
Hi Madduck,
Thanks for the reply
currently I'm trying to use painless script to compare if there's a login with same username but with different IP. however, I still have no clue how to do loop through all documents in that index.
I also think to create new pipeline and add script in the processors so only the new log that will do the lookup throughout current existing documents.
Ā© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.