Question on log search

Hello! I am looking for a way in a log search to limit the source IP address; this is for an alert
I am creating.

Here is an example:

if Windows event XXX happens X amount of times within a certain time period and
the source IP is the same

Anyone have any ideas how I would be able to do this?

Hello @pete_jacob,

Great question!
You can build your query in Log Search. Once you are getting the results you want, you can save it.
Then, on Step 3 when creating your custom pattern detection alert, you can choose a saved query.

Next, to set the X amount of times before it alerts, you can do this on Step 4 by clicking the custom match settings.

Let me know if this helps!

Regards,
Felipe

Hello! But how would I say "limit to the same source IP"? I want to know if certain Windows events are coming from the same source IP.

This is possible today via an InsightConnect workflow built from a custom alert trigger (see here), or by writing a custom script against our query API that queries for the data you want on a regular interval, running a groupby(source_ip) for example. The script would then check whether the IP address appears more than X times and, if so, trigger a log message to Log Search.

I have an example working script, written in Python, if this is something you wish to explore.

Also, if you wish to learn more about InsightConnect, see here https://www.rapid7.com/info/soc-automation/
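The "count an event per source IP and flag IPs that cross a threshold" logic that the reply above describes, written out as an added example. This is not Rapid7's script and it does not call the Rapid7 query API: the event records below are constructed sample data standing in for what such an API call would return, and the event ID 4625 (failed logon), the field names `timestamp`, `event_id` and `source_ip`, and the threshold and window values are all assumptions for illustration. It uses a sliding window rather than fixed buckets, so a burst that straddles a bucket boundary is still caught.

```python
"""Group a Windows event by source IP inside a sliding time window and
report the IPs that reach a threshold. Illustration code added here, not
the script referenced in the thread and not the Rapid7 query API."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real log data). In the approach described
# in the thread these would be fetched from the query API on a schedule.
# 4625 = failed logon; 4624 = successful logon (assumed IDs for the example).
SAMPLE_EVENTS = [
    {"timestamp": "2024-03-01T10:00:00", "event_id": 4625, "source_ip": "10.0.0.5"},
    {"timestamp": "2024-03-01T10:00:10", "event_id": 4625, "source_ip": "10.0.0.7"},
    {"timestamp": "2024-03-01T10:00:30", "event_id": 4625, "source_ip": "10.0.0.5"},
    {"timestamp": "2024-03-01T10:01:00", "event_id": 4625, "source_ip": "10.0.0.5"},
    {"timestamp": "2024-03-01T10:01:30", "event_id": 4625, "source_ip": "10.0.0.5"},
    {"timestamp": "2024-03-01T10:02:00", "event_id": 4625, "source_ip": "10.0.0.5"},
    {"timestamp": "2024-03-01T10:03:00", "event_id": 4625, "source_ip": "10.0.0.9"},
    {"timestamp": "2024-03-01T10:03:05", "event_id": 4624, "source_ip": "10.0.0.9"},
    {"timestamp": "2024-03-01T10:03:10", "event_id": 4625, "source_ip": "10.0.0.9"},
    {"timestamp": "2024-03-01T10:10:10", "event_id": 4625, "source_ip": "10.0.0.7"},
    {"timestamp": "2024-03-01T10:20:10", "event_id": 4625, "source_ip": "10.0.0.7"},
]


def parse_events(events):
    """Turn raw records into (datetime, event_id, source_ip) tuples sorted by
    time, so the sliding window is correct even if the API returns them
    out of order."""
    parsed = [
        (datetime.fromisoformat(e["timestamp"]), int(e["event_id"]), e["source_ip"])
        for e in events
    ]
    parsed.sort(key=lambda t: t[0])
    return parsed


def find_repeat_offenders(events, event_id, threshold, window_seconds):
    """Return {source_ip: peak_count} for every IP from which `event_id`
    occurred at least `threshold` times within any `window_seconds` span.

    A per-IP deque holds the timestamps still inside the window; on each new
    event the stale ones are dropped from the left, so the deque length is
    the count for the window ending at that event.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    offenders = {}
    for ts, eid, ip in parse_events(events):
        if eid != event_id:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            # Keep the largest count seen for the IP so the alert text shows
            # the peak of the burst rather than the first crossing.
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


def build_alert_messages(offenders, event_id, window_seconds):
    """Format one line per offending IP. In the approach described in the
    thread, these lines would be sent to Log Search as the alert trigger."""
    return [
        f"ALERT event_id={event_id} source_ip={ip} count={n} window={window_seconds}s"
        for ip, n in sorted(offenders.items())
    ]


if __name__ == "__main__":
    # Same event ID from the same source IP 3 or more times within 5 minutes.
    hits = find_repeat_offenders(SAMPLE_EVENTS, 4625, threshold=3, window_seconds=300)
    for line in build_alert_messages(hits, 4625, 300):
        print(line)
```

With the sample data above, only 10.0.0.5 is reported for a 5-minute window (five failed logons in two minutes); 10.0.0.7 also produced three events, but ten minutes apart, so it is only reported when the window is widened to 30 minutes. That is the behaviour to keep in mind when picking the window for a real alert: too narrow and a slow brute force never trips it.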