How can I throttle the alerts by multiple fields?
For example, I would like to throttle the alerts if and only if all of "src_ip", "dst_ip" and "msg" match between log1 and log3.
log1. src_ip=22.214.171.124 dst_ip=126.96.36.199 msg=attack1
log2. src_ip=188.8.131.52 dst_ip=184.108.40.206 msg=attack1
log3. src_ip=220.127.116.11 dst_ip=18.104.22.168 msg=attack1
log4. src_ip=22.214.171.124 dst_ip=126.96.36.199 msg=attack2
My expected alert results are
alert1. src_ip=188.8.131.52 dst_ip=184.108.40.206 msg=attack1
alert2. src_ip=220.127.116.11 dst_ip=18.104.22.168 msg=attack1
alert3. src_ip=22.214.171.124 dst_ip=126.96.36.199 msg=attack2
What I did to accomplish my variant of the starting question was to output an eval field from the search, which I then used as the throttle field.
| eval throttleId = a_field_from_the_search + "_" + another_field_in_the_search
Throttle expression was then: throttleId
The eval field could use just about any logic; the thread starter would possibly use the replace(X,Y,Z) function to strip out the log number.
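To make the composite-key approach concrete, here is an added example (not code from the question or the answer above, and not Splunk's own implementation) that simulates how a throttle keyed on a concatenated throttleId behaves. It parses constructed key=value events, builds the same "_"-joined key that the eval above produces, and suppresses repeat alerts for the same key inside an assumed one-hour window. The sample events use documentation IP ranges and are arranged so that log1 and log3 share all three fields, as the question describes; log5 repeats log1 after the window has expired to show the throttle releasing.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (RFC 5737 documentation addresses, assumed timestamps).
# log1 and log3 carry identical src_ip/dst_ip/msg; log5 repeats log1 2.5 hours later.
SAMPLE_LOGS = [
    ("2024-01-01T10:00:00", "src_ip=192.0.2.10 dst_ip=198.51.100.20 msg=attack1"),  # log1
    ("2024-01-01T10:05:00", "src_ip=192.0.2.11 dst_ip=198.51.100.21 msg=attack1"),  # log2
    ("2024-01-01T10:10:00", "src_ip=192.0.2.10 dst_ip=198.51.100.20 msg=attack1"),  # log3
    ("2024-01-01T10:15:00", "src_ip=192.0.2.10 dst_ip=198.51.100.20 msg=attack2"),  # log4
    ("2024-01-01T12:30:00", "src_ip=192.0.2.10 dst_ip=198.51.100.20 msg=attack1"),  # log5
]

# key=value pairs; values may be quoted so they can contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Extract key=value pairs from one log line into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def throttle_key(event: dict, fields=("src_ip", "dst_ip", "msg")) -> str:
    """Build the composite key: the counterpart of the answer's
    eval that joins the chosen fields with "_" into throttleId."""
    return "_".join(event.get(f, "") for f in fields)


class Throttle:
    """Suppress repeat alerts for the same key within a time window."""

    def __init__(self, window: timedelta):
        self.window = window
        self.last_fired = {}  # key -> timestamp of the last alert that fired

    def should_alert(self, key: str, ts: datetime) -> bool:
        last = self.last_fired.get(key)
        if last is not None and ts - last < self.window:
            return False  # still inside the suppression window for this key
        self.last_fired[key] = ts
        return True


def run_throttled_alerts(logs, fields=("src_ip", "dst_ip", "msg"),
                         window=timedelta(hours=1)):
    """Return (log number, throttle key) for every event that fires an alert."""
    throttle = Throttle(window)
    fired = []
    for idx, (ts_str, line) in enumerate(logs, start=1):
        key = throttle_key(parse_event(line), fields)
        if throttle.should_alert(key, datetime.fromisoformat(ts_str)):
            fired.append((idx, key))
    return fired


if __name__ == "__main__":
    for idx, key in run_throttled_alerts(SAMPLE_LOGS):
        print(f"alert from log{idx}: {key}")
```

With all three fields in the key, log3 is the only suppressed event and log5 fires again because the window has elapsed; passing fields=("src_ip",) instead also swallows log4, which shows why the throttle field has to carry every attribute that should distinguish alerts.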
When you create your alert, you should use an AND operator in your search string. For example, I would use an IF statement to set a field, e.g. SendAlert, to a boolean value of 0 or 1, then from the results trigger an alert if SendAlert is equal to 1.
I hope this helps; if not, let me know and I'll come up with something else.
Could you please elaborate more? As per my understanding, you could make use of the logical operator OR, as per the following query:
(source=log1 src_ip=188.8.131.52) OR (source=log3 dst_ip="184.108.40.206")