Help creating rule
#1258
I need to create a rule that triggers an alert when an X value of "suricata.eve.event.kind: flow" is reached in a given timeframe. The catch here is that the alert must trigger in relation to a certain destination.ip that may not always be the same. Example: if I have 400 flows to destination IP x.x.x.x in a space of 2 minutes, I want to trigger the alert. Thanks in advance
Answered by
jertel
Aug 30, 2023
Replies: 1 comment
Answer selected by
jertel
Sounds like you need a frequency rule with a `query_key: dest.ip` setting: https://elastalert2.readthedocs.io/en/latest/ruletypes.html#frequency
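A complete rule file for the setup described in the question, added here as an illustration rather than code from the discussion or from the ElastAlert 2 project. It assumes an index pattern of `filebeat-*`, an `@timestamp` timestamp field, a destination field stored as `destination.ip` (the name used in the question; whatever the field is called in the index mapping, `query_key` must match it exactly), and reuses the question's own query string as the filter:

```yaml
# Added example rule for ElastAlert 2 (not the discussion's own code).
# Assumed: index pattern "filebeat-*", timestamp in "@timestamp",
# destination field named "destination.ip". Adjust to the real mapping.
name: Suricata flow burst to a single destination
type: frequency
index: filebeat-*
timestamp_field: "@timestamp"

# Fire when 400 or more matching events fall within any 2-minute window...
num_events: 400
timeframe:
  minutes: 2

# ...counted separately for each distinct destination address. 400 flows
# to one host trigger; 200 flows each to two different hosts do not.
query_key: destination.ip

# Only count flow events, using the same query the question uses.
filter:
- query:
    query_string:
      query: "suricata.eve.event.kind: flow"

# Fields to carry into the match for the notification (assumed names).
include:
- source.ip
- destination.ip
- destination.port

# With query_key set, realert is tracked per destination.ip value, so a
# burst to a second host is still reported while the first is silenced.
realert:
  minutes: 10

# {1} falls back to the rule-level num_events when no event has that field.
alert_subject: "Flow burst to {0}: at least {1} flows in 2 minutes"
alert_subject_args:
- destination.ip
- num_events

alert:
- debug
```

Run it against historical data first with `elastalert-test-rule --days 1 rule.yaml`; if no matches appear, check that the filter's field name and `destination.ip` both exist in the index before tuning `num_events`.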