Create alert with more parametrs

rwsbnk

Hi,
Please tell me how to implement this required alert.
For example, in Discover there is an index pattern vazuh-alerts* in which we filter data by the following fields: "data.win.system.severityValue:AUDIT_FAILURE" and "data.win.eventdata.targetUserName:?????". It is necessary that the alert comes to the mail if the same values/names are found in the field "data.win.eventdata.targetUserName" for example more than 100.

SzymonC

Hi,

Certainly, easy:

rwsbnk

SzymonC
Hi,

No, this type of rule is not suitable. This "Rule Type:Frequency" selects only the total number, for example 1000 and it contains the following names: comp1, comp2, comp3, comp4 ... and we need an alert to come from this total number (1000) when one name occurs 100 times comp3.

thank you.

SzymonC

Yeah, that's what query_key option does in the definition. 🙂
So what this alert does is:

Looking at the number of events based on the query in the filter section.
From that pool it's dividing the documents based on the values of the field data.win.eventdata.tagetUserName. That's thanks to using option query_key.
It looks if the amount of documents PER VALUE of the field data.win.eventdata.targetUserName is greater than 100 (num_events option) in 15 minutes timeframe (timeframe option).
If the number of documents is greater than the condition above (still - PER VALUE of the query_key field) then alerts get triggered.

If I understood correctly - that's what you're looking for, but if not, please let me know and I'm more than happy to help. 🙂