
ESA Alert Suppression MultiEvent Alerts

Question asked by Sean Koniarz on Mar 20, 2019
Latest reply on Aug 13, 2019 by Lee Kirkpatrick

We cannot figure this out as the Esper command of 'output every n' does not work for what we are looking for. Not sure if we are going to need to create a persistent table that keeps rewriting itself.

Issue:

We have a few alerts that will trigger on multiple events and want to be alerted on it. An example would be if a single source IP is attempting to login with multiple usernames over a short period of time. We want to be able to alert on this, but if it is a high velocity attack or a bad scan we could potentially be alerted 1000s of times if the attacker/tool is trying that many users. We want to be able to limit the alerts coming out of ESA based on that source IP for N period of time.

Using the output suppression built into ESA appears to stop ALL alerts from triggering, which is not what we want. The reasoning of course being we want to be able to see if a new source IP starts doing the same activity within the same time frame. We also have a unique case with the clients we host on our SIEM: if each of their sites had the same activity happening (different source IP) we would need to see those as well, yet we do not want to make hundreds of the same alerts, so this needs to happen in one alert, if possible.

Example Data:

ip: 10.1.1.1 user: x1

ip: 10.1.1.1 user: x2

ip: 10.1.1.1 user: x3

ALERT on 10.1.1.1 and suppress with all 3 events shown to script/respond/email

ip: 10.1.1.1 user: x4

ip: 10.1.1.2 user: x1

ip: 10.1.1.2 user: x2

ip: 10.1.1.2 user: x3

ALERT on 10.1.1.2 and suppress with all 3 events shown to script/respond/email

Summary:

Alert on unique source IPs with multiple events and suppress unique source IP for N period of time. 

Any thoughts?  
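Added example, not from the post or from the ESA product: a small Python model of the behaviour the question asks for (alert once per source IP when it reaches N distinct usernames inside a sliding window, then stay quiet for that IP only while other IPs keep alerting). The threshold, window length, suppression period and the event stream are constructed values chosen to mirror the example data above.

```python
# Added example (not from the original post): a reference model of the
# requested alert/suppress behaviour, written in Python rather than Esper EPL
# so it can be run and checked offline. Thresholds and sample events are
# constructed/assumed values.
from collections import defaultdict, deque

THRESHOLD = 3        # distinct usernames from one source IP -> alert
WINDOW = 60          # seconds in which those logins must occur
SUPPRESS = 300       # seconds to stay silent for an IP after it alerts


class PerSourceAlerter:
    """Alert once per source IP per suppression period; other IPs are unaffected."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW, suppress=SUPPRESS):
        self.threshold, self.window, self.suppress = threshold, window, suppress
        self.recent = defaultdict(deque)   # ip -> deque of (ts, user) in window
        self.muted_until = {}              # ip -> timestamp when suppression ends

    def feed(self, ts, ip, user):
        """Return an alert dict (ip, users, events) or None for this event."""
        q = self.recent[ip]
        q.append((ts, user))
        while q and q[0][0] < ts - self.window:   # drop events outside the window
            q.popleft()
        if ip in self.muted_until:
            if ts < self.muted_until[ip]:
                return None                        # suppressed for this IP only
            del self.muted_until[ip]               # suppression expired
        users = {u for _, u in q}
        if len(users) < self.threshold:
            return None
        self.muted_until[ip] = ts + self.suppress
        alert = {"ip": ip, "users": sorted(users), "events": list(q)}
        q.clear()                                  # fresh window for this IP
        return alert


# Constructed sample stream mirroring the post's example data: (ts, ip, user)
SAMPLE = [
    (0, "10.1.1.1", "x1"), (5, "10.1.1.1", "x2"), (10, "10.1.1.1", "x3"),
    (15, "10.1.1.1", "x4"),                       # arrives while 10.1.1.1 is muted
    (20, "10.1.1.2", "x1"), (25, "10.1.1.2", "x2"), (30, "10.1.1.2", "x3"),
]


def run(events=SAMPLE):
    """Feed the stream through one alerter and return only the emitted alerts."""
    alerter = PerSourceAlerter()
    return [r for r in (alerter.feed(*e) for e in events) if r is not None]
```

Running `run()` on the sample yields exactly two alerts, one per source IP, each carrying the three events that triggered it; the fourth 10.1.1.1 login is counted but produces no alert.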
