I am confused about threshold rule types, where I can't really understand the count and cardinality fields.
I want to get an alert when a specific destination.port is frequently used (like a burst), instead of having an alert every time a port is used (too many alerts).
I googled a lot and can't find exactly how to work with threshold alerts.
I am not an expert in detection rules, but I have experimented with rule settings a bit and I think you can do it in one of two ways:
Option 1
Using a Threshold rule. Set "Group by" to destination.port and "Threshold" value to 10. This should only generate an alert if 10 or more events are matched within the rule execution.
As for "Count" and "Unique values" fields, my understanding is that they work as an additional condition. Let's say you only want an alert if requests to a port come from 3 different machines. Then you would also set "Count" to source.ip and "Unique values" to 3.
Also, here is the docs page with a succinct description of the Threshold rule settings.
Option 2
Using a Custom Query rule with alert suppression. Set "Suppress alerts by" to destination.port. Then only a single alert will be generated if multiple events are matched during rule execution.
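To make the Option 1 semantics concrete, here is an added Python simulation (not Elastic's code and not part of the answer above) of how the grouped event count and the cardinality condition combine. The rule dict mirrors the shape of the `threshold` object in the Kibana detection-rule API; the events are constructed samples, not real traffic.

```python
"""Simulate an Elastic Security threshold rule: "Group by" a field, require
at least "Threshold" events per group, and optionally require that a second
field ("Count") has at least "Unique values" distinct values in that group.
Added example, not Elastic's code; events below are constructed samples."""
from collections import defaultdict

# The rule as the answer describes it: group by destination.port, alert when
# a port sees >= 10 events, and only if they come from >= 3 distinct source.ip.
RULE = {
    "threshold": {
        "field": ["destination.port"],
        "value": 10,
        "cardinality": [{"field": "source.ip", "value": 3}],
    }
}


def evaluate_threshold(rule, events):
    """Return {group_key: {"count": n, "unique": {field: k}}} for each group
    that satisfies both the event-count and every cardinality condition."""
    thr = rule["threshold"]
    groups = defaultdict(list)
    for ev in events:
        key = tuple(ev.get(f) for f in thr["field"])
        groups[key].append(ev)
    hits = {}
    for key, evs in groups.items():
        if len(evs) < thr["value"]:
            continue  # "Threshold" not reached for this port
        conds = thr.get("cardinality", [])
        uniques = {c["field"]: len({e.get(c["field"]) for e in evs}) for c in conds}
        if all(uniques[c["field"]] >= c["value"] for c in conds):
            hits[key] = {"count": len(evs), "unique": uniques}
    return hits


# Constructed sample: a burst to port 445 from 4 hosts (both conditions met),
# 12 hits on port 22 from one host (count met, cardinality not), and a
# trickle on port 80 (count not met).
EVENTS = (
    [{"destination.port": 445, "source.ip": f"10.0.0.{i % 4}"} for i in range(12)]
    + [{"destination.port": 22, "source.ip": "10.0.0.9"} for _ in range(12)]
    + [{"destination.port": 80, "source.ip": "10.0.0.1"} for _ in range(3)]
)

if __name__ == "__main__":
    for key, info in evaluate_threshold(RULE, EVENTS).items():
        print(f"alert: destination.port={key[0]} count={info['count']} unique={info['unique']}")
```

Only port 445 produces an alert: port 22 reaches the count but not the 3 distinct source.ip, and port 80 never reaches the count.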