Re: How to create an alert to trigger when a user ...

janderson19 · ‎07-20-2016

Hello,

I'm trying to create an alert that will go out every time a single user visits 5 blocked websites in 1 minute, but I'm having some trouble with it. I've included a sample event.

Jul 20 11:09:04 xx.xx.xx.xx Jul 20 11:11:41 xx.xx.xx.xx vendor=Websense product=Security product_version=7.8.4 action=blocked severity=7 category=115 user=LDAP://xx.xx.xx.xx OU=xx,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx/$username src_host=xx.xx.xx.xx src_port=0 dst_host=thepiratebay.se dst_ip=xx.xx.xx.xx dst_port=80 bytes_out=0 bytes_in=0 http_response=0 http_method=- http_content_type=- http_user_agent=- http_proxy_status_code=0 reason=- disposition=1025 policy=- role=0 duration=0 url=http://thepiratebay.se/

sundareshr · ‎07-20-2016

Or,if you want to check a large window of time. try this

 index=foo action="blocked" | bin _time span=1m | stats values(dst_host) as dst_host dc(dst_host) as siteCount by _time user | where siteCount > 4 | table user dst_host

richgalloway · ‎07-20-2016

Something like this should get you started. Enter it as a scheduled search that triggers an alert when the row count is greater than zero.

index=foo action="blocked" earliest=-1m latest=now | stats values(dst_host) as dst_host dc(dst_host) as siteCount by user | where siteCount > 4 | table user dst_host

---
If this reply helps you, Karma would be appreciated.

How to create an alert to trigger when a user visits 5 blocked websites in 1 minute?

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

IM Landing Page Filter - Now Available

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud