Hello guys!
Is it possible to configure a suppression to a SIEM's rule on ELK SIEM module?
For example, if 5 events occur for the same user.id and source.ip within 5 minutes, only 1 alert will be triggered.
Yes, using the threshold rules you should be able to. Have you tried it out yet? You can set your threshold to be >= 1
with it and then your interval and look-back will help you out with how often it fires.
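As an added example (not code from the original thread or from Elastic), the Python below builds the threshold rule body as the Kibana Detection Engine API expects it and then simulates one rule run over constructed events to show how repeated events collapse into a single alert per user.id/source.ip pair. The index pattern, query and rule_id are assumptions, and passing a list in threshold.field assumes a stack version that supports multiple threshold fields.

```python
from collections import Counter
from datetime import datetime, timedelta


def build_threshold_rule(fields, count, interval="5m", lookback="now-6m"):
    """Rule body for POST /api/detection_engine/rules. A 5m interval with a
    6m look-back ("from") overlaps runs by one minute so events are not missed."""
    return {
        "rule_id": "example-repeated-events-per-user-ip",  # assumed id
        "name": "Repeated events per user and source IP",
        "description": "One alert per user.id/source.ip pair per run once the count is reached",
        "type": "threshold",
        "index": ["logs-*"],                     # assumed index pattern
        "language": "kuery",
        "query": "event.category:authentication",  # assumed query
        "threshold": {"field": fields, "value": count},
        "interval": interval,
        "from": lookback,
        "risk_score": 21,
        "severity": "low",
        "enabled": True,
    }


def threshold_alerts(events, fields, count, window_start, window):
    """Simulate one rule run: group events inside the window by the threshold
    fields and emit one alert per group whose count reaches the threshold."""
    window_end = window_start + window
    groups = Counter(
        tuple(e[f] for f in fields)
        for e in events
        if window_start <= e["@timestamp"] < window_end
    )
    return [{"fields": dict(zip(fields, key)), "count": n}
            for key, n in groups.items() if n >= count]


# Constructed sample events: five for alice from one IP, two for bob.
T0 = datetime(2020, 1, 1, 12, 0)
SAMPLE_EVENTS = (
    [{"@timestamp": T0 + timedelta(seconds=30 * i), "user.id": "alice", "source.ip": "10.0.0.5"}
     for i in range(5)]
    + [{"@timestamp": T0 + timedelta(minutes=i), "user.id": "bob", "source.ip": "10.0.0.9"}
       for i in range(2)]
)


def run_example():
    """Five alice events in the window -> exactly one alert; bob stays below 5."""
    return threshold_alerts(SAMPLE_EVENTS, ["user.id", "source.ip"], 5, T0, timedelta(minutes=5))


if __name__ == "__main__":
    print(build_threshold_rule(["user.id", "source.ip"], 5))
    print(run_example())
```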
© 2020. All Rights Reserved - Elasticsearch