Threshold confusion (detecting a burst of connections on a specific port)

Hi Team!

I am confused about the threshold rule types, where I can't really understand the count and cardinality fields.

I want to get an alert when a specific destination.port is frequently used (like a burst), instead of having an alert every time a port is used (too many alerts).

I googled a lot and can't find exactly how to work with threshold alerts.

PS : I am using the UI only.

Thanks

Hey @beginthread! Welcome to Elastic community!

I am not an expert in detection rules, but I have experimented with rule settings a bit and I think you can do it in one of two ways:

Option 1
Using a Threshold rule. Set "Group by" to destination.port and "Threshold" value to 10. This should only generate an alert if 10 or more events are matched within the rule execution.

As for "Count" and "Unique values" fields, my understanding is that they work as an additional condition. Let's say you only want an alert if requests to a port come from 3 different machines. Then you would also set "Count" to source.ip and "Unique values" to 3.

Also, here is the docs page with a succinct description of the Threshold rule settings.

Option 2
Using a Custom Query rule with alert suppression. Set "Suppress alerts by" to destination.port. Then only a single alert will be generated if multiple events are matched during rule execution.

Hope this helps!

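To make the "Group by" / "Threshold" / "Count" / "Unique values" semantics from Option 1 concrete, and to contrast them with the per-value suppression of Option 2, here is an added simulation that is not Elastic's code and not from either poster. It evaluates a threshold rule body in the shape used by the Kibana Detection rules API (`threshold.field`, `threshold.value`, `threshold.cardinality`) over a few constructed events; the port numbers, IPs and counts are made up for the example, and the events are assumed to be those already matched by the rule's query during one execution window.

```python
"""Simulated evaluation of an Elastic threshold rule vs. alert suppression.

Added example, not Elastic's implementation: it mimics the documented rule
semantics over in-memory events so the settings can be reasoned about.
"""
from collections import defaultdict

# Rule body in the shape of the Kibana Detection rules API "threshold" object.
# The setting values (port grouping, 10 events, 3 distinct source IPs) are
# chosen for this example; they are not from the original thread.
THRESHOLD_RULE = {
    "name": "Burst of connections to one destination port (example)",
    "type": "threshold",
    "query": "event.category:network and event.type:connection",
    "threshold": {
        "field": ["destination.port"],        # UI "Group by"
        "value": 10,                          # UI "Threshold"
        "cardinality": [                      # UI "Count" / "Unique values"
            {"field": "source.ip", "value": 3}
        ],
    },
}

# Constructed sample events, assumed to be the query matches in one window:
#  - port 445:  12 events from 12 distinct hosts  -> burst AND spread out
#  - port 3389: 15 events from 1 host             -> burst but single source
#  - port 22:   5 events from 5 hosts             -> too few to be a burst
SAMPLE_EVENTS = (
    [{"destination.port": 445, "source.ip": f"10.0.0.{i}"} for i in range(1, 13)]
    + [{"destination.port": 3389, "source.ip": "10.0.0.1"} for _ in range(15)]
    + [{"destination.port": 22, "source.ip": f"10.0.0.{i}"} for i in range(1, 6)]
)


def evaluate_threshold(events, threshold):
    """Option 1: group events by the "Group by" fields and emit one alert per
    group whose event count reaches the threshold AND whose distinct-value
    counts satisfy every cardinality condition.

    Returns {group_key_tuple: {"count": n, "unique": {field: distinct_values}}}.
    """
    group_fields = threshold["field"]
    buckets = defaultdict(list)
    for ev in events:
        key = tuple(ev.get(f) for f in group_fields)
        buckets[key].append(ev)

    alerts = {}
    for key, bucket in buckets.items():
        if len(bucket) < threshold["value"]:
            continue  # not enough events in this window: no burst
        uniques = {}
        meets_all = True
        for cond in threshold.get("cardinality", []):
            distinct = len({e.get(cond["field"]) for e in bucket})
            uniques[cond["field"]] = distinct
            if distinct < cond["value"]:
                meets_all = False  # e.g. 15 hits from one host is not "3 machines"
        if meets_all:
            alerts[key] = {"count": len(bucket), "unique": uniques}
    return alerts


def suppress_by(events, field):
    """Option 2: alert suppression on a Custom Query rule. Every matched event
    would alert, but alerts sharing the same value of `field` are collapsed
    into one, so you get one alert per distinct port regardless of volume.

    Returns {field_value: suppressed_event_count}.
    """
    collapsed = defaultdict(int)
    for ev in events:
        collapsed[ev.get(field)] += 1
    return dict(collapsed)


if __name__ == "__main__":
    print("threshold alerts:", evaluate_threshold(SAMPLE_EVENTS, THRESHOLD_RULE["threshold"]))
    print("suppressed alerts:", suppress_by(SAMPLE_EVENTS, "destination.port"))
```

Running it shows the practical difference: the threshold rule fires only for port 445 (12 events, 12 distinct sources), ignoring the 15-event burst to 3389 because it came from a single host and the 5 events to port 22 because they are below the count. Suppression instead yields three alerts, one per port, with the event count attached. The "Count" / "Unique values" pair is therefore an extra filter on top of the count, not a replacement for it, and both counts reset with each rule execution window, so the look-back and schedule determine what counts as a burst.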
