Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch
https://elastalert.readthedocs.org
Apache License 2.0

Multiple windows event id based correlation rule #1606

Open suchandbabu opened 6 years ago

suchandbabu commented 6 years ago

Hi sir, @Qmando @sathishdsgithub Thank you so much for your support. Sorry if my below-mentioned query doesn't make sense, since I am a beginner in Elastalert.

Can you please help me to write a correlation rule for querying multiple Windows event IDs?

Logic I have mentioned below.

[(4618 AND 6273) AND (4907 OR 4660 OR 4670) AND (4964 OR 4767 )]

I tried using "query_string" but it's not allowing me to query multiple events; it's only querying multiple fields in a single event.

suchandbabu commented 6 years ago

@Qmando Requesting your help to solve the above mentioned issue.

Qmando commented 6 years ago

This is not really supported very well out of the box. One thing you could do is use a cardinality rule. Let's say the field you are looking at is called "code".

type: cardinality
filter:
  - terms:
      code: [4618, 6273]
cardinality_field: code
max_cardinality: 1   # fires once more than 1 distinct code is seen, i.e. both
timeframe:
  hours: 1

This will alert if there is at least one of each 4618 and 6273 in an hour. However, you would need to make a new alert for every combination.

suchandbabu commented 6 years ago

@Qmando Thanks for your help.

Is there any option to give an OR logical condition, same as in this code which you have mentioned (type: cardinality, filter:)?

Also please let me know how I can correlate between multiple rules. For example, rule names: r1, r2, r3 and r4. I need to write a rule to alert when r1 AND r2 AND (r3 OR r4) alerted in the last 30 minutes.

sebash1992 commented 5 years ago

@suchandbabu did you find a way to do that?

Regards

beaesteban01 commented 3 years ago

@suchandbabu @sebash1992 did you find a way of writing a cardinality rule for correlating more than 2 rules?

Regards!

beaesteban01 commented 3 years ago

I just figured out that making max_cardinality = n° rules - 1 works, in case anyone is interested.