Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch
https://elastalert.readthedocs.org
Apache License 2.0

Nested aggregations #1763

Open d-malko opened 6 years ago

d-malko commented 6 years ago

Good day! Please advise! I cannot find it in the documentation or examples. I wanted to make the request with a filter or with a boolean, then make an aggregation first, for example by IP address, and then by port, and after that, if the number of these documents exceeds the limit, send an alarm. Here is an example:

GET my_index/_search
{
  "_source": ["FROM_IP", "CLIENT_INFO.contract_id"], 
  "query": {
    "bool": {
      "should": [
        {
          "term": { "PORT_SPEED.keyword": { "value": "10Mbps" } }
        },
        {
          "term": { "PORT_SPEED.keyword": "10M" }
        }
      ],
      "filter": {
        "range": {
          "@timestamp": {
            "gte": "now-7d/d",
            "lt": "now/d"
          }
        }
      }
    }
  },
  "aggs": {
    "sources": {
      "terms": {
        "field": "SRC_IP.keyword",
        "size": 10
      },
      "aggs": {
        "ports": {
          "terms": {
            "field": "PORT",
            "size": 10
          }
        }
      }
    }
  }
}

I appreciate any advice!

Qmando commented 6 years ago

All you need to do is set query_key: [src_ip, port] to aggregate based on those fields. Then, num_events will be counted separately for each unique pair. So your rule should look something like

type: frequency
num_events: some number
timeframe:
  minutes: some number
query_key: [src_ip, port]
filter:
- query_string:
    query: "PORT_SPEED: 10Mbps OR PORT_SPEED: 10M"
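
To see how a compound query_key changes what gets counted, here is an added Python simulation of the frequency rule above; it is not ElastAlert's own code, and the sample events, the ", " bucket label and the reset-after-alert behaviour are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Rule settings mirroring the thread's frequency rule (num_events/timeframe are assumed values)
NUM_EVENTS = 3
TIMEFRAME = timedelta(minutes=5)
QUERY_KEY = ("src_ip", "port")
T0 = datetime(2018, 1, 1, 12, 0, 0)

def ev(minute, src_ip, port):
    return {"@timestamp": T0 + timedelta(minutes=minute), "src_ip": src_ip, "port": port}

# Constructed sample: 10.0.0.1 hits port 22 three times and port 443 twice within
# five minutes; 10.0.0.2 hits port 22 twice, then once more outside the window.
SAMPLE_EVENTS = [
    ev(0, "10.0.0.1", 22), ev(0, "10.0.0.1", 443), ev(0, "10.0.0.2", 22),
    ev(1, "10.0.0.1", 22), ev(1, "10.0.0.1", 443), ev(1, "10.0.0.2", 22),
    ev(2, "10.0.0.1", 22),
    ev(10, "10.0.0.2", 22),
]

def bucket_label(event, query_key):
    """Join the query_key field values into one bucket label (separator is an assumption)."""
    return ", ".join(str(event[k]) for k in query_key)

def frequency_alerts(events, num_events=NUM_EVENTS, timeframe=TIMEFRAME, query_key=QUERY_KEY):
    """Replay events in time order and return (bucket, alert_time, count) for every
    bucket whose count reaches num_events within a sliding timeframe."""
    windows = defaultdict(deque)   # bucket label -> timestamps still inside the timeframe
    alerts = []
    for event in sorted(events, key=lambda e: e["@timestamp"]):
        label = bucket_label(event, query_key)
        window = windows[label]
        window.append(event["@timestamp"])
        # Drop timestamps that have aged out of the timeframe
        while event["@timestamp"] - window[0] > timeframe:
            window.popleft()
        if len(window) >= num_events:
            alerts.append((label, event["@timestamp"], len(window)))
            window.clear()   # assumption: one alert per burst, then start counting afresh
    return alerts

if __name__ == "__main__":
    # Per (src_ip, port) pair: only 10.0.0.1 on port 22 reaches three events
    for alert in frequency_alerts(SAMPLE_EVENTS):
        print("pair", alert)
    # Per src_ip alone: port 22 and 443 hits are pooled, so 10.0.0.1 alerts a minute earlier
    for alert in frequency_alerts(SAMPLE_EVENTS, query_key=("src_ip",)):
        print("ip  ", alert)
```

Running it shows the point of the answer: with query_key on the pair, 10.0.0.1's port 443 traffic does not push port 22 over the threshold, and 10.0.0.2's late third event falls outside the timeframe.
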

rickywu commented 5 years ago

@Qmando

I configured a rule like this; if any SourceIP count is >10 times in 10 seconds, will I receive an alert?

num_events: 10
timeframe:
  seconds: 10
query_key: SourceIP
filter:
- query:
    query_string:
      # query_string boolean operators are case-sensitive: lowercase and/or are searched as terms.
      # The hyphenated value is quoted so it is matched as a phrase rather than split into tokens.
      query: SessionEndReason:"aged-out" AND (Application:incomplete OR Application:"insufficient-data")