Hi
I am playing with the SIEM capability and have been using it since it was released with custom queries. I am now looking at Threshold-based detection in v7.9 - something I think will be very useful.
I'm not sure if this is possible at the moment or a future capability, but is there a method of the threshold considering aggregations and unique values?
There are a few use cases but as an example, I would like to know if a user connects inbound over the VPN from multiple locations. So if I log in from home on IP 1.2.3.4, I would not expect my account to also log in from overseas IP 5.6.7.8 within the query timeframe.
I want to query for LOGIN_SUCCESS events and the THRESHOLD would need to be PUBLIC IP >=2. There are 2 problems here: it needs to GROUP by USER and only look at UNIQUE values for the public IP. I don't want an alert if a user logs in twice from the same IP, generating multiple log events.
I basically want to be able to use the power of visualisations and effectively build a Data Table with rows for field USER and have the aggregation based on UNIQUE VALUE for public IP. Then alert when this value is >=2.
I hope that makes sense.
I have tried to build a query in Discover using DSL and aggregations, but the fact that there are unique timestamps I think means I can't aggregate everything up enough. Below shows the part of the DSL I was using (I'm still fairly new to this), which almost got me there but not quite. This seems to aggregate based on user and IP ok, but the unique times still show in Discover.
```json
{
  "size": 0,
  "query": {
    "match_phrase": {
      "event.action": "login"
    }
  },
  "aggs": {
    "2": {
      "terms": {
        "field": "source.user.name.keyword",
        "order": {
          "1": "desc"
        },
        "size": 1
      },
      "aggs": {
        "1": {
          "cardinality": {
            "field": "client.ip"
          }
        },
        "3": {
          "terms": {
            "field": "client.ip",
            "order": {
              "_count": "desc"
            },
            "size": 1
          }
        }
      }
    }
  }
}
```

Thanks in advance
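As an added example (not from the original post), here is a request body that does what the question asks for with a `terms` bucket per user, a `cardinality` metric on `client.ip`, and a `bucket_selector` pipeline aggregation that keeps only users at or above the threshold, plus the same logic evaluated locally over constructed sample events so the expected result can be checked offline. The field names are the ones from the post; the aggregation names, the time window and the sample data are assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real data) using the ECS fields from the post.
SAMPLE_EVENTS = [
    {"@timestamp": "2020-09-01T08:00:00Z", "event.action": "login", "source.user.name": "alice", "client.ip": "1.2.3.4"},
    {"@timestamp": "2020-09-01T08:05:00Z", "event.action": "login", "source.user.name": "alice", "client.ip": "1.2.3.4"},  # same IP again: must not count
    {"@timestamp": "2020-09-01T08:30:00Z", "event.action": "login", "source.user.name": "bob", "client.ip": "1.2.3.4"},
    {"@timestamp": "2020-09-01T08:31:00Z", "event.action": "login", "source.user.name": "bob", "client.ip": "5.6.7.8"},
    {"@timestamp": "2020-09-01T08:32:00Z", "event.action": "logout", "source.user.name": "carol", "client.ip": "9.9.9.9"},  # not a login
    {"@timestamp": "2020-09-01T08:33:00Z", "event.action": "login", "source.user.name": "carol", "client.ip": "9.9.9.9"},
]


def multi_ip_query(threshold=2, window="now-1h"):
    """Elasticsearch request body (assumed names): group login events by user,
    count distinct client IPs, and keep only buckets meeting the threshold."""
    return {
        "size": 0,  # only the aggregation result is needed, no hits
        "query": {"bool": {"filter": [
            {"term": {"event.action": "login"}},
            {"range": {"@timestamp": {"gte": window}}},
        ]}},
        "aggs": {"by_user": {
            "terms": {"field": "source.user.name.keyword", "size": 500},
            "aggs": {
                "unique_ips": {"cardinality": {"field": "client.ip"}},
                "over_threshold": {"bucket_selector": {
                    "buckets_path": {"uniq": "unique_ips"},
                    "script": f"params.uniq >= {threshold}",
                }},
            },
        }},
    }


def users_with_multiple_ips(events, threshold=2):
    """Same detection logic evaluated locally: returns {user: sorted unique IPs}
    for every user whose login events came from at least `threshold` distinct IPs."""
    ips_by_user = defaultdict(set)
    for ev in events:
        if ev.get("event.action") != "login":
            continue
        ips_by_user[ev["source.user.name"]].add(ev["client.ip"])
    return {user: sorted(ips) for user, ips in ips_by_user.items() if len(ips) >= threshold}
```

Note that `cardinality` is an approximate count (HyperLogLog++); with the default `precision_threshold` it is close to exact for small counts, which is all a threshold of 2 needs.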