MHMDhub / enterprise-log-search-and-archive

Automatically exported from code.google.com/p/enterprise-log-search-and-archive

Alert Conditions #129

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Hello. Not sure if there isn't already an option that allows me to do this, but 
if there isn't, this would be a good idea.

As ELSA could be a great open-source tool for detecting malicious event logs, 
it would be a good idea to implement alert conditions.

At its current state, ELSA will send alerts when an automated query generates 
any types of new hits, but it would be a good idea to have something like: 
"Only send email if new hits are greater than X". 

This way, if I am making a scheduled query for events involving password 
guessing failures, I will not get flooded with emails every minute about how 
one person failed to enter their password once. If we have conditions, then I 
could say that if I receive 50 password guesses within a minute, I would 
receive an email and be able to investigate.

Original issue reported on code.google.com by andrew.w...@gmail.com on 29 Apr 2013 at 11:58

GoogleCodeExporter commented 8 years ago
This is possible right now using a combination of the sum and has transforms.  
Let's say that you want to alert on the keyword "evil" if it shows up in the 
logs more than five times.  Here's the query to put in as an alert:

evil | count(timestamp) | has(5)

As long as "evil" shows up in five separate seconds within that minute, then 
you'll get an alert.  You could also make it less than a certain amount by 
setting the operator as the second parameter to has:

evil | count(timestamp) | has(5,<)

That would mean only alert if there are fewer than five distinct seconds having 
a hit for "evil."

Does that fulfill your needs?

Original comment by mchol...@gmail.com on 30 Apr 2013 at 3:13

GoogleCodeExporter commented 8 years ago
So I would put the "evil | count(timestamp) | has(5)" within the parameters in 
the "Schedule or Alert" option?

Original comment by andrew.w...@gmail.com on 30 Apr 2013 at 6:08

GoogleCodeExporter commented 8 years ago
Yes, that's correct.  If there aren't five hits, then there are zero results 
returned and the alert won't fire.

Original comment by mchol...@gmail.com on 1 May 2013 at 2:13
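The gating described in the two replies above, as an added simulation that is not ELSA's own code: it models count(timestamp) as the number of distinct timestamp values among the hits, and has(N, op) as passing that count through only when the comparison holds (empty result, so no alert, otherwise). The sample log lines, the default operator ">=" and the field layout are assumptions made for this example.

```python
from typing import Callable, Dict, List, Optional

# Constructed sample log lines (not real ELSA data). The first token is the
# timestamp at one-second resolution, which is what count(timestamp) counts.
SAMPLE_LOGS: List[str] = [
    "2013-04-30T10:00:01 sshd[1]: evil login attempt from 10.0.0.5",
    "2013-04-30T10:00:01 sshd[1]: evil login attempt from 10.0.0.5",  # same second
    "2013-04-30T10:00:02 sshd[1]: evil login attempt from 10.0.0.5",
    "2013-04-30T10:00:03 sshd[1]: evil login attempt from 10.0.0.5",
    "2013-04-30T10:00:04 cron[2]: nightly job ok",
    "2013-04-30T10:00:05 sshd[1]: evil login attempt from 10.0.0.6",
    "2013-04-30T10:00:09 sshd[1]: evil login attempt from 10.0.0.7",
]

# Comparison operators accepted as the second parameter of has().
# ">=" as the default is an assumption based on "shows up in five separate seconds".
OPS: Dict[str, Callable[[int, int], bool]] = {
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    "=": lambda a, b: a == b,
}


def search(lines: List[str], keyword: str) -> List[str]:
    """Keyword stage: keep only the lines containing the keyword."""
    return [line for line in lines if keyword in line]


def count_distinct_timestamps(hits: List[str]) -> int:
    """count(timestamp): number of distinct seconds that have at least one hit.
    Six 'evil' lines that fall in five seconds count as 5, not 6."""
    return len({line.split()[0] for line in hits})


def has(value: int, threshold: int, op: str = ">=") -> Optional[int]:
    """has(N, op): pass the value through when the comparison holds,
    otherwise return None, i.e. zero results and no alert."""
    return value if OPS[op](value, threshold) else None


def alert_query(lines: List[str], keyword: str, threshold: int, op: str = ">=") -> Optional[int]:
    """Evaluate '<keyword> | count(timestamp) | has(<threshold>, <op>)' over lines.
    A non-None return means the scheduled query produced a result and would alert."""
    return has(count_distinct_timestamps(search(lines, keyword)), threshold, op)
```

Running `alert_query(SAMPLE_LOGS, "evil", 5)` fires (five distinct seconds), while `alert_query(SAMPLE_LOGS, "evil", 6)` returns None even though there are six matching lines, because two of them share a second.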

GoogleCodeExporter commented 8 years ago
Great! Thanks for the timely and helpful response.

Original comment by andrew.w...@gmail.com on 1 May 2013 at 6:30

GoogleCodeExporter commented 8 years ago

Original comment by mchol...@gmail.com on 1 May 2013 at 10:37