Hi Mohd, Not exactly replicating the use-case you're developing here,
but, below are examples of similar AV focused EPL Rules which you may
find useful to consider: Watchlist ESA Rule. E.g. Device flagged in a
virus event during the last 20 mins, conne...
This example EPL Rule will alert on successful logon activity between
Mon - Fri, outside of 9-5 UTC - leveraging the time ESA ingests the data
(noted by 'esa_time').
Not a silly question at all; sometimes it's not trivial to kick off
"slicing and dicing" these sets of data - but after sampling the data a
few times, you'll get the hang of it. In addition to 'Top 10' values,
'Bottom 10' (rare) values are interesting...
Sounds like you are wanting to group / thread a specific alert criteria
by a variable, in this case - source IP addresses in a certain window of
time. Perhaps using 'GROUP BY' will meet your requirement, rather than
the "unique" or "distinct" paramete...
A bit late here, but for future reference - one can fulfill similar
"business hours" use-cases, by modifying the EPL rule below. This
example EPL Rule will alert on successful logon activity between Mon -
Fri, outside of 9-5 UTC - leveraging the time...
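The two rule ideas above (alert on successful logons Mon-Fri outside 09:00-17:00 UTC, judged on the ESA ingest time 'esa_time', and threading hits by source IP within a time window rather than de-duplicating them) are re-expressed below as plain Python run over constructed sample events. This is an added illustration, not an EPL rule from the thread or from NetWitness; the field names 'activity', 'outcome' and 'ip_src', the assumption that 'esa_time' is epoch milliseconds in UTC, and the 20-minute / 3-hit threshold are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone


def utc_ms(year, month, day, hour, minute):
    """Epoch milliseconds for a UTC wall-clock time (assumed 'esa_time' format)."""
    return int(datetime(year, month, day, hour, minute,
                        tzinfo=timezone.utc).timestamp() * 1000)


# Constructed sample events (not from the thread). 2024-01-15 is a Monday,
# 2024-01-17 a Wednesday and 2024-01-20 a Saturday.
SAMPLE_EVENTS = [
    {"esa_time": utc_ms(2024, 1, 15, 8, 30), "activity": "Logon", "outcome": "Success", "ip_src": "10.0.0.5"},
    {"esa_time": utc_ms(2024, 1, 15, 8, 45), "activity": "Logon", "outcome": "Success", "ip_src": "10.0.0.5"},
    {"esa_time": utc_ms(2024, 1, 15, 12, 0), "activity": "Logon", "outcome": "Success", "ip_src": "10.0.0.5"},
    {"esa_time": utc_ms(2024, 1, 17, 17, 0), "activity": "Logon", "outcome": "Success", "ip_src": "10.0.0.9"},
    {"esa_time": utc_ms(2024, 1, 17, 18, 0), "activity": "Logon", "outcome": "Failure", "ip_src": "10.0.0.9"},
    {"esa_time": utc_ms(2024, 1, 20, 3, 0),  "activity": "Logon", "outcome": "Success", "ip_src": "10.0.0.9"},
    {"esa_time": utc_ms(2024, 1, 15, 8, 50), "activity": "Logon", "outcome": "Success", "ip_src": "10.0.0.5"},
]


def is_outside_business_hours(esa_time_ms, start_hour=9, end_hour=17):
    """True for Mon-Fri timestamps that fall before start_hour or at/after end_hour (UTC).

    Weekends are out of scope for this rule, as in the thread's description,
    so they return False rather than being treated as 'outside hours'.
    """
    t = datetime.fromtimestamp(esa_time_ms / 1000, tz=timezone.utc)
    if t.weekday() > 4:            # 5 = Saturday, 6 = Sunday
        return False
    return not (start_hour <= t.hour < end_hour)


def off_hours_logons(events):
    """The business-hours rule: successful logons ingested outside 09:00-17:00 UTC, Mon-Fri."""
    return [e for e in events
            if e["activity"] == "Logon"
            and e["outcome"] == "Success"
            and is_outside_business_hours(e["esa_time"])]


def group_by_source(hits, window_ms, threshold):
    """Thread hits by ip_src over a sliding window, firing once per IP when
    threshold hits land within window_ms (the GROUP BY idea from the thread)."""
    recent = defaultdict(list)     # ip_src -> timestamps still inside the window
    alerts = []
    for e in sorted(hits, key=lambda e: e["esa_time"]):
        q = recent[e["ip_src"]]
        q.append(e["esa_time"])
        while q and e["esa_time"] - q[0] > window_ms:   # expire old hits
            q.pop(0)
        if len(q) >= threshold:
            alerts.append({"ip_src": e["ip_src"], "count": len(q), "last": e["esa_time"]})
            q.clear()              # one alert per burst, then start counting again
    return alerts


if __name__ == "__main__":
    hits = off_hours_logons(SAMPLE_EVENTS)
    print(len(hits), "off-hours successful logons")
    for a in group_by_source(hits, window_ms=20 * 60 * 1000, threshold=3):
        print("ALERT", a)
```

With these samples the filter keeps four events (three from 10.0.0.5 on Monday morning, one from 10.0.0.9 at 17:00 Wednesday), and the grouping step raises a single alert for 10.0.0.5 because its three hits fall inside one 20-minute window. Note the boundary choices: 09:00 counts as in-hours and 17:00 as outside, and a weekend logon produces nothing because the rule as described is Mon-Fri only.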