Threshold detection rule - limitation of group by fields

Hello,

I want to implement a threshold detection rule that aggregates more than 3 fields in the "Group by" section of the rule definition. But there seems to be a limitation of 3 fields, as I get the error message "Number of fields must be 3 or less." Is there any workaround? E.g. I want to detect multiple failed logins from the same source, same user, same destination and customer name.

Hi Poukim0m. Thanks for reaching out.

I think that what you are looking for is an EQL sequence, rather than a threshold query. By using a sequence, you can use the by join keyword to look for matching documents. An example would look something like the following:

sequence by source.ip, user.name, destination.ip, customer.name with maxspan=5s 
[ process where ... ] with runs = 10

Thanks,

Ruben

Hello @Ruben_Groenewoud.
Thank you for your answer!
I suppose that this works if customer.name is present in all indexes that the rule applies on. Otherwise it is applicable only when the customer name value is present. Correct?
Also, I tested it and found that the same logic in a threshold rule provides one single alert and in an EQL correlation rule 19 alerts. runs = 10 is applied on the rule.

Hi @Poukim0m, regarding your first question - that is correct. By default, when sequencing by a specific field, the EQL rule will indeed require that field to be present in the index/document. However, it is possible to specify optional fields by using the ? symbol. So in your use case, it would be possible to write a sequence similar to this, which will also run if the customer.name field is not present:

sequence by source.ip, user.name, destination.ip, ?customer.name with maxspan=5s 
[ process where ... ] with runs = 10

Be aware of potential performance drops when using this feature.

With regards to your last comment, yes, that makes sense. When, for example, creating a sequence with runs=10, it will generate multiple signals. You can choose to turn the rule into a building block rule so it doesn't flood your detection rules dashboard. EQL sequence rule alerts do generate much more useful alerts than threshold rules, as they contain more data.

Ruben
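Editor's note: the two behaviours discussed in this thread (a required vs. optional `?customer.name` join key, and a threshold rule firing once per group while a `runs=10` sequence fires once per run) are easier to see side by side on synthetic data. The Python below is an added example, not Elastic's code or either participant's; it is a deliberately simplified model. The events are constructed, the 3-field limit is taken from the error message quoted in the question, and the sequence matcher assumes matched events are consumed so that matches never overlap. Elasticsearch's real sequence matching, alert de-duplication and rule execution windows are not reproduced, so it will not explain the exact count of 19.

```python
"""Added example (not Elastic's code): a simplified model of a threshold rule and
an EQL sequence rule over constructed failed-login events. Assumptions: the
threshold rule counts per group and fires once per group, with the 3-field limit
from the error quoted in the question; the sequence rule matches `runs`
consecutive events per join key within `maxspan`, consuming matched events.
Elasticsearch's real matching, de-duplication and rule windows are not modelled.
"""
from collections import defaultdict

def _failures(user, n, start, step, customer=None):
    """Build n constructed failed-login events (ECS-style field names, seconds)."""
    events = []
    for i in range(n):
        e = {
            "@timestamp": start + i * step,
            "event.outcome": "failure",
            "source.ip": "10.0.0.5",
            "user.name": user,
            "destination.ip": "10.0.1.20",
        }
        if customer is not None:
            e["customer.name"] = customer
        events.append(e)
    return events

# Constructed sample data: alice has enough failures for two runs of 10, bob's
# events carry no customer.name field at all, carol stays under every threshold.
EVENTS = (
    _failures("alice", 25, 1000.0, 0.1, customer="acme")
    + _failures("bob", 12, 2000.0, 0.1)
    + _failures("carol", 4, 3000.0, 0.1, customer="acme")
)

def join_key(event, fields):
    """Group-by / join key, or None if a required field is missing. A leading '?'
    marks a field optional (like EQL's `?customer.name`): missing -> None."""
    key = []
    for field in fields:
        optional = field.startswith("?")
        name = field[1:] if optional else field
        if name in event:
            key.append(event[name])
        elif optional:
            key.append(None)
        else:
            return None
    return tuple(key)

def threshold_alerts(events, group_by, threshold):
    """Threshold-rule model: one alert per group whose count reaches the threshold."""
    if len(group_by) > 3:  # limit modelled from the UI error quoted in the thread
        raise ValueError("Number of fields must be 3 or less.")
    counts = defaultdict(int)
    for event in events:
        key = join_key(event, group_by)
        if key is not None:
            counts[key] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

def sequence_runs_alerts(events, by, runs, maxspan):
    """Model of `sequence by <by> with maxspan=<maxspan> [ ... ] with runs=<runs>`:
    per join key, every `runs` consecutive events within `maxspan` seconds yield
    one match (one alert). Matched events are consumed, so matches never overlap
    (an assumption; the real engine may differ)."""
    per_key = defaultdict(list)
    for event in events:
        key = join_key(event, by)
        if key is not None:
            per_key[key].append(event["@timestamp"])
    matches = []
    for key, stamps in per_key.items():
        stamps.sort()
        i = 0
        while i + runs <= len(stamps):
            window = stamps[i:i + runs]
            if window[-1] - window[0] <= maxspan:
                matches.append((key, window))
                i += runs  # consume the matched events
            else:
                i += 1  # slide past the oldest event
    return matches

def run_demo():
    """Run both rule styles over EVENTS and return the results for inspection."""
    strict = ["source.ip", "user.name", "destination.ip", "customer.name"]
    optional = strict[:3] + ["?customer.name"]
    try:
        threshold_alerts(EVENTS, strict, 10)
        four_field_error = None
    except ValueError as err:
        four_field_error = str(err)
    return {
        "threshold_3_fields": threshold_alerts(EVENTS, strict[:3], 10),
        "threshold_4_fields_error": four_field_error,
        "sequence_strict": sequence_runs_alerts(EVENTS, strict, 10, 5.0),
        "sequence_optional": sequence_runs_alerts(EVENTS, optional, 10, 5.0),
    }
```

Calling `run_demo()` shows the three points from the thread on this data: the four-field threshold call is rejected with the quoted error, the three-field threshold rule fires once each for alice (25 failures) and bob (12) even though alice's burst is long enough for two runs of 10, the strict `customer.name` join key drops bob entirely because his events lack the field, and the `?customer.name` key keeps him with `None` in the key and yields three sequence matches (two for alice, one for bob). When a join key is made optional, events with and without the field still land in different groups, so check that this is what you want before relying on it.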