Elastalert Rule: Alert if any pulbic IP comes in srcip(source IP) field in an index

Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch

https://elastalert.readthedocs.org

Apache License 2.0

8k stars 1.73k forks source link

Open suchandbabu opened 6 years ago

suchandbabu commented 6 years ago

Hi, @Qmando

I am using elastalert and elasticsearch 5.5.3.

Can you please help me for writing a condition to alert if any public IP's comes in srcip field.

Thanks & Regards

sathishdsgithub commented 6 years ago

@suchandbabu

Not sure if this below method works. But give it a try

Create a whitelist filter and specify the RFC private IP address ranges and the other ranges that you wish not to be triggered in source IP address field.

 example :

 The below filter will whitelist the entire 10.x/8 subnet range
   - query:
        query_string:
          query: "NOT srcip: /10\\..*/"

Import the whitelist to your rule using import: and alert based on the number of events num_events

suchandbabu commented 6 years ago

Thanks for yoour reply,

I would like to get it triggered if any of the public IP comes in srcip field. There is no specific list.