How to receive different alerts using the same “mysearch” of the watch. For example, the main idea is to receive an email alert every time a source IP changes. In other words, how to receive an email alert for every event that matches the query executed on the “mysearch” of the watch. Right now I have a watch running every 30 seconds, but in the case of firewall logs, I am missing events on the email alerts because there are a lot matching the condition of the query. I’m trying to receive an alert every time the source IP address changes. Any help is welcome.
@cmosnocsoc
Can you provide an example of the logs being received? Are there various sources/IPs, or just the one that needs to be monitored and alerted on change?
Greetings, as you will observe in the attached query/log result below, even with the signal running every 1 second, I will miss events that happened in the same second. I am looking for a way to receive an alert every time the source IP (attacker) changes. Any information is welcome.
Signal query:
```json
{
  "query": {
    "bool": {
      "must": [
        {
          "match": {
            "fortinet.firewall.subtype": "ips"
          }
        },
        {
          "match": {
            "tags": "Mytag"
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "now-1s"
            }
          }
        }
      ]
    }
  }
}
```
Log Alert Result:
| IPS Events Observed: | 5 |
|---|---|
| Alert Timestamp: | 2021-11-18T00:00:55.000-04:00 |
| Firewall IPS Action: | detected |
| Event Severity: | medium |
| Event Reference: | Threat Encyclopedia \| FortiGuard |
| Source IP: | 66.30.255.205 |
| Destination IP: | xx.xx.xx.xx |
| Destination Port/Service: | 80 |
| Event Message: | a-ipdf: TCP.Split.Handshake, TCP split handshake at state: ESTABLISHED |
| GeoIP Country: | United States |
| Log Source Address: | |
@cmosnocsoc there is nothing like this built into Signals; however, the workaround might be to run a query every second for the last (for example) 20 seconds and count the number of unique IPs, and if the result is higher than 1, send out an alert. I have not tested this myself, but would this work for your use case?
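The workaround suggested above, simulated offline as an added example that is not part of the original thread or of Signals itself: the query body keeps the original filters but widens the range to 20 seconds and aggregates on the source IP field (assumed to be `source.ip`, as in ECS; the sample events are constructed). It also goes one step beyond the suggestion by keeping a set of already-seen IPs across runs, so that each new source IP fires exactly once, which is what the original question asks for.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample IPS events (not real logs). The alert in the thread is
# 2021-11-18T00:00:55-04:00, i.e. 04:00:55 UTC; two events share that second.
T0 = datetime(2021, 11, 18, 4, 0, 55, tzinfo=timezone.utc)

def ev(offset_s, ip, subtype="ips", tags=("Mytag",)):
    return {"@timestamp": T0 + timedelta(seconds=offset_s), "source.ip": ip,
            "fortinet.firewall.subtype": subtype, "tags": list(tags)}

EVENTS = [ev(0, "66.30.255.205"), ev(0, "198.51.100.7"),
          ev(3, "66.30.255.205"), ev(8, "203.0.113.9"),
          ev(8, "192.0.2.1", subtype="anomaly")]   # filtered out by the query

def window_query(window_seconds):
    """Query body for the proposed watch: the original filters, a wider time
    range and a terms aggregation on the source IP field (assumed: source.ip)."""
    return {"size": 0,
            "query": {"bool": {"must": [
                {"match": {"fortinet.firewall.subtype": "ips"}},
                {"match": {"tags": "Mytag"}},
                {"range": {"@timestamp": {"gte": f"now-{window_seconds}s"}}}]}},
            "aggs": {"src": {"terms": {"field": "source.ip", "size": 100}}}}

def matching_ips(events, now, window_seconds):
    """Offline stand-in for the terms aggregation: unique source IPs of events
    that pass the same filters and fall inside [now - window, now]."""
    start = now - timedelta(seconds=window_seconds)
    return {e["source.ip"] for e in events
            if e["fortinet.firewall.subtype"] == "ips" and "Mytag" in e["tags"]
            and start <= e["@timestamp"] <= now}

def run_watch(events, start, ticks, window_seconds, every=1):
    """Run the watch `ticks` times, `every` seconds apart.  Returns two alert
    lists: `count_alerts` follows the thread's suggestion (fire when more than
    one unique IP is in the window); `new_ip_alerts` adds state so each source
    IP fires once, when first seen (an assumed extension, not from the thread)."""
    count_alerts, new_ip_alerts, seen = [], [], set()
    for i in range(ticks):
        now = start + timedelta(seconds=i * every)
        ips = matching_ips(events, now, window_seconds)
        if len(ips) > 1:                       # the suggested condition
            count_alerts.append((now, sorted(ips)))
        for ip in sorted(ips - seen):          # de-duplicate across runs
            new_ip_alerts.append((now, ip))
        seen |= ips
    return count_alerts, new_ip_alerts
```

With the constructed events, the count-based condition fires on every one of the ten runs because the first two IPs stay inside the 20-second window, while the stateful variant produces three alerts, one per distinct source IP.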