
Making Use of Building Block Rules in Elastic – Source: socprime.com


Source: socprime.com – Author: Adam Swan


November 27, 2024 · 1 min read


Hidden in the “Advanced settings” of the “About rule” step of the Elastic Security rule editor is a useful feature that gets little attention: the option to mark all of a rule’s generated alerts as “building block” alerts.

A building block rule still runs and still indexes its alerts like any other rule, but those alerts are hidden from the default Alerts page view (they are tagged with kibana.alert.building_block_type: "default" and can be shown with the “Include building block alerts” filter). That lets you write deliberately low-signal rules without drowning analysts in noise, and then build other rules on top of their alerts.

This can be powerful. Here are some ideas to get you started!


  1. Threshold rules
    • Write several building block rules for distinct behaviours that are unremarkable on their own, then put a threshold rule over the alerts index that fires when five or more of them occur for the same entity within a time window. Five different low behaviours from one account in an hour is interesting; any one of them is not.
  2. New terms rules
    • Build a new terms rule that looks for the first time an entity exhibits a ‘low’ behaviour. For instance, if you have a threshold rule, marked as a building block, that flags an account enumerating cloud resources, stack a new terms rule on its alerts to surface accounts that have never enumerated before.
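The two patterns above stacked on one set of building block alerts, as an added example that is not code from the original post. The three rule payloads use the field names of the Kibana Detection Engine API (POST /api/detection_engine/rules); the alerts index pattern, the rule_ids, the user names and the alert documents are constructed for illustration and are not real data. The two functions at the end reproduce the threshold and new terms logic over those constructed alerts so you can see which users each stacked rule would surface and, more importantly, which it would not.

```python
"""Stacking Elastic detection rules on top of building block alerts.

Added example, not code from the original post. The rule payloads follow the
field names of the Kibana Detection Engine API (POST /api/detection_engine/rules);
the index pattern, rule_ids, user names and alert documents are constructed
for illustration, not real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ALERTS_INDEX = ".alerts-security.alerts-default"  # assumed: default Kibana space
ENUM_RULE_ID = "bb-cloud-enum-list-buckets"      # constructed rule_id

# 1. Low-signal rule marked as a building block. Its alerts are indexed, but
#    hidden from the Alerts page unless "Include building block alerts" is on.
BUILDING_BLOCK_RULE = {
    "rule_id": ENUM_RULE_ID, "name": "BB - Cloud storage bucket enumeration",
    "type": "query", "language": "kuery", "index": ["logs-aws.cloudtrail-*"],
    "query": 'event.dataset:"aws.cloudtrail" and event.action:"ListBuckets"',
    "building_block_type": "default",   # the setting the post is about
    "description": "Single enumeration call; only interesting in aggregate.",
    "risk_score": 21, "severity": "low",
}

# 2. Threshold rule over the alerts index: one user.name trips 5+ distinct
#    building block rules inside the lookback window ("from").
THRESHOLD_RULE = {
    "rule_id": "stack-five-low-behaviours", "name": "5+ distinct low-signal behaviours",
    "type": "threshold", "language": "kuery", "index": [ALERTS_INDEX],
    "query": 'kibana.alert.building_block_type:"default"',
    "threshold": {"field": ["user.name"], "value": 5,
                  "cardinality": [{"field": "kibana.alert.rule.rule_id", "value": 5}]},
    "from": "now-1h", "interval": "10m",
    "description": "Stacked on building block alerts.", "risk_score": 73, "severity": "high",
}

# 3. New terms rule over the alerts index: first time a user.name appears in
#    alerts from the enumeration building block within the history window.
NEW_TERMS_RULE = {
    "rule_id": "stack-new-enumerator", "name": "New cloud resource enumerator",
    "type": "new_terms", "language": "kuery", "index": [ALERTS_INDEX],
    "query": f'kibana.alert.rule.rule_id:"{ENUM_RULE_ID}"',
    "new_terms_fields": ["user.name"], "history_window_start": "now-30d",
    "from": "now-1h", "interval": "10m",
    "description": "Stacked on building block alerts.", "risk_score": 47, "severity": "medium",
}

NOW = datetime(2024, 11, 27, 12, 0, tzinfo=timezone.utc)


def make_alert(minutes_ago, rule_id, user):
    """Constructed building block alert (only the fields the stacked rules read)."""
    return {"@timestamp": NOW - timedelta(minutes=minutes_ago),
            "kibana.alert.building_block_type": "default",
            "kibana.alert.rule.rule_id": rule_id, "user.name": user}


BB_RULES = [ENUM_RULE_ID, "bb-describe-instances", "bb-list-users",
            "bb-get-caller-identity", "bb-list-roles"]

SAMPLE_ALERTS = (
    # alice: five different building block rules within 40 minutes -> threshold fires
    [make_alert(5 + 8 * i, r, "alice") for i, r in enumerate(BB_RULES)]
    # bob: six alerts, but only two distinct rules -> cardinality clause keeps it quiet
    + [make_alert(3 * i, BB_RULES[1 + i % 2], "bob") for i in range(6)]
    # carol: five distinct rules, but the enumeration one landed 3h ago -> only four in window
    + [make_alert(10 + 5 * i, r, "carol") for i, r in enumerate(BB_RULES[1:])]
    + [make_alert(180, ENUM_RULE_ID, "carol")]
    # new terms history: alice also enumerated 20 days ago; dave has never enumerated before
    + [make_alert(20 * 24 * 60, ENUM_RULE_ID, "alice"), make_alert(2, ENUM_RULE_ID, "dave")]
)


def threshold_hits(alerts, now=NOW, window=timedelta(hours=1), value=5, cardinality=5):
    """Mimic THRESHOLD_RULE: building block alerts in the window grouped by user.name,
    needing >= value alerts AND >= cardinality distinct rule_ids."""
    counts, rule_ids = defaultdict(int), defaultdict(set)
    for a in alerts:
        if a["kibana.alert.building_block_type"] != "default" or now - a["@timestamp"] > window:
            continue
        counts[a["user.name"]] += 1
        rule_ids[a["user.name"]].add(a["kibana.alert.rule.rule_id"])
    return sorted(u for u in counts if counts[u] >= value and len(rule_ids[u]) >= cardinality)


def new_terms(alerts, rule_id, now=NOW, lookback=timedelta(hours=1), history=timedelta(days=30)):
    """Mimic NEW_TERMS_RULE: user.names seen for rule_id in the lookback window that
    never appeared for it earlier in the history window."""
    recent, seen_before = set(), set()
    for a in alerts:
        if a["kibana.alert.rule.rule_id"] != rule_id:
            continue
        age = now - a["@timestamp"]
        if age <= lookback:
            recent.add(a["user.name"])
        elif age <= history:
            seen_before.add(a["user.name"])
    return sorted(recent - seen_before)


if __name__ == "__main__":
    print("threshold hits:", threshold_hits(SAMPLE_ALERTS))            # ['alice']
    print("new enumerators:", new_terms(SAMPLE_ALERTS, ENUM_RULE_ID))  # ['dave']
```

Two things the simulation makes visible. The cardinality clause is what turns “five alerts” into “five distinct behaviours”: without it, bob’s six repeats of two rules would fire. And stacked rules read the alerts index of the Kibana space the building block rules write to, so the index pattern and the “from” lookback of the stacked rule have to match where and how often the building block alerts land; alerts hidden from the Alerts page are still indexed and still count toward storage.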


Original Post URL: https://socprime.com/blog/making-use-of-building-block-rules-in-elastic/

Category & Tags: Blog, Knowledge Bits, Elastic, SIEM
