We are working to explore and demo some SecurityOnion capabilities. We pulled a log source into SO and created a pipeline to map the fields in Kibana. We want to figure out if we can create a "SIEM rule" such as: alert us if there are 20 auth failures in 10 minutes, and then be able to review the alerts.
Is this something that we can do in SecurityOnion, or is that not a capability?
Thanks!

Replies: 1 comment

You might be able to use ElastAlert and create a frequency rule to match what you're looking for to generate an alert. https://docs.securityonion.net/en/2.4/elastalert.html#elastalert
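To make the reply's suggestion concrete, here is an added example that is not code from this thread, from Security Onion, or from ElastAlert. It implements the sliding-window logic an ElastAlert `frequency` rule applies (count of matching events per `query_key` within `timeframe` reaching `num_events`) and runs it over constructed sample events, alongside a dictionary mirroring the rule file the reply points at. The rule keys `type`, `num_events`, `timeframe`, `query_key`, `filter` and `alert` are real ElastAlert options; the index pattern `logs-*`, the ECS-style field names `event.outcome`, `source.ip` and `user.name`, and the IP addresses are assumptions and must be swapped for whatever the pipeline in the question actually maps.

```python
"""
"20 auth failures in 10 minutes", as an ElastAlert-style frequency rule.

Added example, not code from the thread, Security Onion or ElastAlert.
The events below are constructed; field names are assumed ECS-style names.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The rule the reply suggests, written out as a dict with the same keys an
# ElastAlert frequency rule file would carry. Keys are real ElastAlert
# options; index pattern and field names are assumptions for this example.
RULE = {
    "name": "auth-failures-20-in-10m",
    "type": "frequency",
    "index": "logs-*",                 # assumed index pattern
    "num_events": 20,
    "timeframe": {"minutes": 10},
    "query_key": "source.ip",          # count per source IP; assumed field
    "filter": [{"term": {"event.outcome": "failure"}}],   # assumed field
    "alert": ["debug"],
}


def frequency_alerts(events, num_events, timeframe, query_key=None, match=None):
    """Return one alert per burst: when the number of matching events for a
    key within `timeframe` (ending at the current event) reaches num_events.
    Once a key fires, its accumulated events are cleared, as ElastAlert's
    frequency rule does, so one burst yields one alert rather than one per
    additional event."""
    windows = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if match is not None and not match(ev):
            continue                      # does not satisfy the rule filter
        key = ev.get(query_key) if query_key else None
        ts = datetime.fromisoformat(ev["@timestamp"])
        window = windows[key]
        window.append(ts)
        while window and ts - window[0] > timeframe:
            window.popleft()              # drop events older than the window
        if len(window) >= num_events:
            alerts.append({"key": key, "count": len(window), "at": ev["@timestamp"]})
            window.clear()
    return alerts


# Constructed sample events (not real logs). Timestamps are offsets from BASE.
BASE = datetime(2024, 1, 1, 9, 0, 0)


def _ev(offset_s, ip, outcome="failure", user="svc-backup"):
    return {"@timestamp": (BASE + timedelta(seconds=offset_s)).isoformat(),
            "source.ip": ip, "user.name": user, "event.outcome": outcome}


SAMPLE_EVENTS = (
    [_ev(i * 20, "203.0.113.5") for i in range(20)]            # 20 failures in ~6.5 min: fires
    + [_ev(i * 60, "198.51.100.7") for i in range(25)]         # 25 failures over 25 min: never 20 in any 10 min
    + [_ev(i * 15, "192.0.2.9") for i in range(19)]            # 19 failures: one short of threshold
    + [_ev(i * 30, "203.0.113.5", outcome="success") for i in range(30)]  # successes, excluded by filter
)


def run_rule(events=SAMPLE_EVENTS, rule=RULE):
    """Evaluate a frequency-style rule dict against a list of events."""
    timeframe = timedelta(**rule["timeframe"])
    field, value = next(iter(rule["filter"][0]["term"].items()))
    return frequency_alerts(events, rule["num_events"], timeframe,
                            query_key=rule["query_key"],
                            match=lambda e: e.get(field) == value)


if __name__ == "__main__":
    for alert in run_rule():
        print(alert)   # one alert, for 203.0.113.5, at the 20th failure
```

Two points worth checking before deploying the real rule: the `filter` must reference the field names and values your pipeline actually produces (a failure that lands as `event.outcome: "fail"` or under a differently named field silently never counts), and the choice of `query_key` decides what "20 failures" means. Keyed on `source.ip` the rule catches a single host hammering many accounts; keyed on `user.name` it catches one account being targeted from many hosts; with no `query_key` it counts all failures from the whole log source together and will fire on ordinary background noise in a busy environment.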