hello im trying to create a rule where an Ip Source pings 60 different destinations ( ip destinations) and all of them return successful connection
got the following fields
protocol ping
deviceaction allow (successful connection)
ip_src
ip_dst
im new to elastalert and this is what i have done until now tried type change and cardinality but wont able to get a result that the Source is constant and 60 pings to different ips within one minute
if any one could help please
alert:
- debug
timestamp_field: "timestamp"
timestamp_type: unix_ms
filter:
- query:
query_string:
query: 'protocol: "ping" AND proto: "ICMP"'
index: all_external*
include: ["parallelenricher:enrich:begin:ts", "ip_dst_addr", "ip_src_addr", "protocol", "ahost"]
name: CC0007_Ping_Sweep_ICMP_Inbound_Scan
description: "An attempt to Scan live machines. 60 Successful connections to ICMP protocol in one minutes"
type: frequency
query_key: "ip_src_addr"
num_events: 60
timeframe:
minutes: 1
hello im trying to create a rule where an Ip Source pings 60 different destinations ( ip destinations) and all of them return successful connection got the following fields protocol ping deviceaction allow (successful connection) ip_src ip_dst
im new to elastalert and this is what i have done until now tried type change and cardinality but wont able to get a result that the Source is constant and 60 pings to different ips within one minute
if any one could help please