Solved: How to create ES correlation search that triggers ...

Sven1 · ‎02-09-2023

Thanks in advance for any assistance you can please lend.

Can someone please tell me how I can configure an Enterprise Security correlation search that triggers only when a specific action is repeated by the same user 20 times in 5 minutes?

richgalloway · ‎02-10-2023

Bin the events into 5-minute intervals and count the number of events for each user in each bucket. Keep only the results where the count is at least 20. Trigger the CS when the number of results is not zero.

<<your search for action X>>
| bin span=5m _time
| stats count by _time,user
| where count >= 20

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎02-10-2023

Bin the events into 5-minute intervals and count the number of events for each user in each bucket. Keep only the results where the count is at least 20. Trigger the CS when the number of results is not zero.

<<your search for action X>>
| bin span=5m _time
| stats count by _time,user
| where count >= 20

---
If this reply helps you, Karma would be appreciated.

Sven1 · ‎02-10-2023

richgalloway,

Thank you very much.

How to create ES correlation search that triggers only when action X is repeated by the same user 20 times in 5 minutes?

configuration

correlation search

Archived Metrics Now Available for APAC and EMEA realms

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!