Threshold rule : how to?

Maybe stupid newbie question here.

I want to create a rule that triggers an alert when "count(distinct(source.ip))" is above a certain threshold.

Hard time figuring out how the "Group by" and "Count" fields must be associated for that.

Hello,

I believe what you are looking for is the below:

This will trigger when there are 10 (or more) unique source.ip values if there are more than 200 events in total for my query.

  1. Create a query which will match the relevant events.
  2. Determine how many events there should be in total before triggering.
  3. Determine your cardinality (unique) field and how many different values there should be.

You can for example set threshold to 1 and unique values to 10 to make sure it will trigger.
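To make the combination of the three settings concrete, here is an added example (my own code, not Kibana's or Elastic's) that reproduces the semantics described in the steps above on constructed events: events are bucketed by the "Group by" fields, a bucket alerts only when its event count reaches the threshold AND the number of distinct values of the cardinality field reaches the unique-values setting. It also replays the rule over consecutive one-hour windows, which is the "how would this rule have behaved on that timeframe" check the preview does not give you. Function names, the sample hosts/IPs and the window size are my assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real traffic): three one-hour windows on host "web-1".
BASE = datetime(2024, 1, 1, 0, 0, 0)
HOUR = timedelta(hours=1)


def make_events():
    """Build a small event set whose windows exercise each way the rule can pass or fail."""
    events = []
    # Window 0: 250 events from 12 distinct IPs -> count and cardinality both satisfied.
    for i in range(250):
        events.append({"@timestamp": BASE + timedelta(seconds=i * 10),
                       "source.ip": f"10.0.0.{i % 12 + 1}", "host.name": "web-1"})
    # Window 1: 300 events from only 3 distinct IPs -> count passes, cardinality fails.
    for i in range(300):
        events.append({"@timestamp": BASE + HOUR + timedelta(seconds=i * 10),
                       "source.ip": f"10.0.1.{i % 3 + 1}", "host.name": "web-1"})
    # Window 2: 50 events from 20 distinct IPs -> cardinality passes, count fails.
    for i in range(50):
        events.append({"@timestamp": BASE + 2 * HOUR + timedelta(seconds=i * 60),
                       "source.ip": f"10.0.2.{i % 20 + 1}", "host.name": "web-1"})
    return events


def evaluate_threshold(events, group_by, threshold, cardinality_field=None, cardinality_value=0):
    """Apply the threshold-rule logic to one batch of events.

    group_by          -- list of field names ("Group by"); empty list = one bucket for everything
    threshold         -- minimum event count per bucket ("Threshold")
    cardinality_field -- field whose distinct values are counted ("Count" field)
    cardinality_value -- minimum number of distinct values ("Unique Values")
    Returns {bucket_key: (event_count, distinct_count)} for buckets that would alert.
    """
    buckets = defaultdict(list)
    for ev in events:
        key = tuple(ev.get(f) for f in group_by)  # () when no group-by fields are set
        buckets[key].append(ev)

    hits = {}
    for key, evs in buckets.items():
        count = len(evs)
        distinct = len({e.get(cardinality_field) for e in evs}) if cardinality_field else 0
        # Both conditions must hold; either one alone does not produce an alert.
        if count >= threshold and distinct >= cardinality_value:
            hits[key] = (count, distinct)
    return hits


def backtest(events, window, group_by, threshold, cardinality_field, cardinality_value, start, end):
    """Replay the rule over consecutive fixed windows and report each window that would alert."""
    results = []
    t = start
    while t < end:
        in_window = [e for e in events if t <= e["@timestamp"] < t + window]
        hits = evaluate_threshold(in_window, group_by, threshold, cardinality_field, cardinality_value)
        if hits:
            results.append((t, hits))
        t += window
    return results


if __name__ == "__main__":
    evs = make_events()
    # The configuration from the answer above: 200 events and 10 unique source.ip, grouped by host.
    for when, hits in backtest(evs, HOUR, ["host.name"], 200, "source.ip", 10, BASE, BASE + 3 * HOUR):
        print(when.isoformat(), hits)
```

Running it shows only the first window alerting with the 200/10 settings; lowering the threshold to 1 while keeping 10 unique values makes the third window alert as well, which is the sanity check suggested above. Note that with no "Group by" field every event in the window lands in a single bucket, so a busy query can reach a large unique-value count very quickly.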

I'm under the impression that the query preview results are not reliable, which can be misleading.

Using that example, I expect to have one alert showing up 6 days ago with the settings where the graph seems to indicate hundreds of detections.

I just did a test with threshold=200 and Unique Values=6700: this is roughly the value that doesn't trigger anything in the last hour.

Kibana UI folks should think about the effectiveness of this "quick query preview" feature: it would be much easier to have a count of would-be alerts on a specific time frame. I.e. I know this rule should have triggered 6 days ago: let's see how this rule would have behaved on that timeframe.
