I am pushing a log that has numeric data in it into OpenSearch. I would like to create an alert when one of the values exceeds a certain number. I tried creating an alert in Security Analytics, but it looks like the ability to use “greater than” when writing Sigma rules is not implemented yet. Can someone suggest a way to do this? Thank you!
I’m not sure if this is what you’re looking for, but if you need to specify “greater than” in Lucene syntax it’s something like `field_name:[100 TO *]`, which will return documents with values of `field_name` greater than or equal to 100.
Thank you so much for the reply. I am still new to OpenSearch. Can you tell me how I can generate an alert from that syntax? I am able to generate an alert using a Monitor in the Alerting plugin using the syntax below, but I don’t know how to get that alert into the Security Analytics plugin or to an opensearch dashboard. Any help at all would be greatly appreciated! Thanks!
Monitor
```json
{
  "size": 0,
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "C1_SPD_OUT": {
              "gte": 1,
              "lt": 8
            }
          }
        }
      ],
      "adjust_pure_negative": true,
      "boost": 1
    }
  },
  "aggregations": {}
}
```
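To tie the two forms together, here is an added example (not from the thread or from OpenSearch itself) that translates the Lucene range syntax from the first reply into the query DSL `range` clause used in the monitor above, and wraps it in the same `bool`/`filter` shape a monitor search input expects. The field and bound values are constructed for illustration; bracket type decides whether a bound is inclusive (`[`/`]` → `gte`/`lte`) or exclusive (`{`/`}` → `gt`/`lt`), and `*` leaves that side open.

```python
import re

# Lucene range syntax:  field:[low TO high]  -> square bracket = inclusive bound
#                       field:{low TO high}  -> curly bracket  = exclusive bound
# '*' on either side means "no bound". Bracket types may be mixed, e.g. [1 TO 8}.
_RANGE_RE = re.compile(
    r"^(?P<field>[A-Za-z_][\w.]*):"
    r"(?P<lo_b>[\[{])\s*(?P<lo>\S+)\s+TO\s+(?P<hi>\S+)\s*(?P<hi_b>[\]}])$"
)


def _num(token):
    """Parse a numeric bound; '*' means unbounded and yields None."""
    if token == "*":
        return None
    return float(token) if "." in token else int(token)


def lucene_range_to_dsl(expr):
    """Translate e.g. 'C1_SPD_OUT:[100 TO *]' into a query DSL 'range' clause."""
    m = _RANGE_RE.match(expr.strip())
    if not m:
        raise ValueError(f"not a Lucene range expression: {expr!r}")
    bounds = {}
    lo, hi = _num(m["lo"]), _num(m["hi"])
    if lo is not None:
        bounds["gte" if m["lo_b"] == "[" else "gt"] = lo
    if hi is not None:
        bounds["lte" if m["hi_b"] == "]" else "lt"] = hi
    if not bounds:
        # [* TO *] matches every document; almost certainly not what an alert wants.
        raise ValueError("both bounds are open: the range matches every document")
    return {"range": {m["field"]: bounds}}


def build_monitor_query(expr):
    """Wrap the translated range in the filter shape used by a monitor search input."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [lucene_range_to_dsl(expr)]}},
    }
```

`build_monitor_query("C1_SPD_OUT:[1 TO 8}")` produces the same `range` filter as the monitor body above (`gte: 1`, `lt: 8`), so either notation can be used to describe the threshold before it is pasted into a monitor definition.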