Source: socprime.com – Author: Adam Swan
Within the “Advanced Options” of the “About Rule” section of the Elastic Security rule editor hides a useful feature that gets little attention: the building block setting.
A rule marked as a building block still generates alerts, but those alerts are ‘hidden’ from the default alerts view, so they can feed other rules without adding noise for analysts.
This can be powerful. Here are some ideas to get you started!
- Threshold Rules
  - Create some building block rules that look for distinct behaviors that, by themselves, are typical. Then build a threshold rule on top of them: five or more of those behaviors from the same entity within a time period is interesting.
- New Terms Rules
  - Build a new terms rule to look for the first time someone performs a ‘low’ behavior. For instance, if you have a building block rule that looks for an account performing enumeration of cloud resources, you can build a new terms rule on top of it to look for new enumerators.
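As an added example (not from the original post or from Elastic), here are the two stacked rule bodies written in the shape of the Detection Engine API, followed by an offline simulation of their logic over constructed building-block alert documents. The field names (`kibana.alert.building_block_type`, `kibana.alert.rule.name`), the `.alerts-security.alerts-*` index and the API shape are assumptions to check against your Kibana version.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Rule bodies in the shape of Elastic's Detection Engine API (assumed; check your
# Kibana version). Building-block alerts carry kibana.alert.building_block_type.
THRESHOLD_RULE = {
    "name": "Five distinct low-level behaviours by one user within 1h",
    "type": "threshold", "index": [".alerts-security.alerts-*"], "from": "now-1h",
    "query": 'kibana.alert.building_block_type:"default"',
    "threshold": {"field": ["user.name"], "value": 5,
                  "cardinality": [{"field": "kibana.alert.rule.name", "value": 5}]},
}
ENUM = "Cloud resource enumeration (building block)"  # hypothetical building-block rule
NEW_TERMS_RULE = {
    "name": "First-seen user enumerating cloud resources",
    "type": "new_terms", "index": [".alerts-security.alerts-*"],
    "query": f'kibana.alert.rule.name:"{ENUM}"',
    "new_terms_fields": ["user.name"], "history_window_start": "now-30d",
}

def threshold_hits(alerts, window=timedelta(hours=1), distinct_rules=5):
    """Users for whom >= distinct_rules different building-block rules fired inside one window."""
    by_user = defaultdict(list)
    for a in alerts:
        if a.get("kibana.alert.building_block_type") == "default":
            by_user[a["user.name"]].append(a)
    hits = set()
    for user, items in by_user.items():
        items.sort(key=lambda a: a["@timestamp"])
        for i, first in enumerate(items):  # slide a window starting at each alert
            names = {a["kibana.alert.rule.name"] for a in items[i:]
                     if a["@timestamp"] - first["@timestamp"] <= window}
            if len(names) >= distinct_rules:
                hits.add(user)
                break
    return hits

def new_enumerators(alerts, rule_name, known_users):
    """Users who fired rule_name and were not seen doing so in the history window."""
    seen = {a["user.name"] for a in alerts if a["kibana.alert.rule.name"] == rule_name}
    return seen - set(known_users)

def _alert(user, rule, minutes):  # constructed alert document
    return {"@timestamp": datetime(2024, 1, 1) + timedelta(minutes=minutes), "user.name": user,
            "kibana.alert.rule.name": rule, "kibana.alert.building_block_type": "default"}

SAMPLE_ALERTS = (  # constructed: only alice crosses the threshold; dave is a new enumerator
    [_alert("alice", f"Low behaviour {n}", 5 * n) for n in range(5)]     # 5 rules in 20 min
    + [_alert("bob", "Low behaviour 0", 5 * n) for n in range(6)]        # one rule, six times
    + [_alert("carol", f"Low behaviour {n}", 45 * n) for n in range(5)]  # 5 rules over 3h
    + [_alert("alice", ENUM, 30), _alert("dave", ENUM, 40)]
)
```

`threshold_hits(SAMPLE_ALERTS)` returns only alice, and `new_enumerators(SAMPLE_ALERTS, ENUM, {"alice"})` returns dave, mirroring what the two stacked rules would surface in the alerts view.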
Original Post URL: https://socprime.com/blog/making-use-of-building-block-rules-in-elastic/
Category & Tags: Blog, Knowledge Bits, Elastic, SIEM