For our infrastructure logs I have the same issue, because the syslog servers are locked down and that makes investigations harder.
Maybe we could add some logic:
1. If a rule is triggered, forward the log and rule SID to Elasticsearch
2. If an alert is generated, compose an Elasticsearch query and add this to the alert
- When a flexbit or xbit is used, that query should contain all relevant SIDs and should be scoped on the flexbit/xbit types, to filter out unnecessary logs
- When a track_by is used, that query should contain the necessary scoping. The timeframe could be an issue here, because we cannot determine the oldest relevant log based on the rule settings
- In other cases the Elasticsearch query is quite simple
Would this be an option for your problem?
Best regards,
Stef
On Friday, February 26, 2021 at 01:12:42 UTC+1, Da Beave wrote:
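As an added illustration of the proposal in Stef's message (this is example code written for this page, not part of Sagan or anything Stef or Da Beave posted), the helper below composes the Elasticsearch query from the fields an alert would carry. The index field names (`rule.sid`, `xbit.name`, `@timestamp`), the alert dictionary layout and the sample alert are all assumptions made for the example. It handles the track_by caveat by refusing to build a query without an explicit lookback window, since the rule settings alone do not tell us the oldest relevant log.

```python
"""Compose an Elasticsearch query from the fields an alert carries.

Hypothetical helper illustrating the proposal in the message above;
it is not part of Sagan. Index field names (rule.sid, xbit.name,
@timestamp) and the alert layout are assumptions for this example.
"""
import json
from datetime import datetime, timedelta, timezone


def compose_es_query(alert, lookback_minutes=None):
    """Return an Elasticsearch bool query (as a dict) selecting the
    forwarded log lines relevant to `alert`.

    Assumed alert keys:
      sids      : SIDs of every rule that contributed (for xbit rules, the
                  rules that set the bit plus the rule that checked it)
      xbits     : names of the flexbits/xbits the rule set or checked
      track_by  : dict of field -> value the rule tracked by (e.g. src_ip)
      timestamp : timezone-aware datetime of the alert
    lookback_minutes: how far back to search. Mandatory when track_by is
      used, because the rule settings do not reveal the oldest relevant log.
    """
    # Always scope on the SIDs that produced the alert.
    must = [{"terms": {"rule.sid": list(alert["sids"])}}]

    # xbit/flexbit rules: narrow to the bits involved so unrelated hits
    # from the same SIDs are filtered out.
    if alert.get("xbits"):
        must.append({"terms": {"xbit.name": list(alert["xbits"])}})

    # track_by rules: scope on the tracked field(s), and insist on an
    # explicit time window because we cannot derive one from the rule.
    track_by = alert.get("track_by") or {}
    if track_by and lookback_minutes is None:
        raise ValueError("track_by rules need an explicit lookback window")
    for field, value in track_by.items():
        must.append({"term": {field: value}})

    if lookback_minutes is not None:
        end = alert["timestamp"]
        start = end - timedelta(minutes=lookback_minutes)
        must.append({"range": {"@timestamp": {
            "gte": start.isoformat(), "lte": end.isoformat()}}})

    return {"query": {"bool": {"must": must}},
            "sort": [{"@timestamp": "asc"}]}


# Constructed sample alert for the example; not real Sagan output.
SAMPLE_ALERT = {
    "sids": [5000001, 5000002],
    "xbits": ["ssh_brute"],
    "track_by": {"src_ip": "192.0.2.10"},
    "timestamp": datetime(2021, 2, 26, 0, 12, 42, tzinfo=timezone.utc),
}


if __name__ == "__main__":
    # The JSON below is what would be attached to the alert.
    print(json.dumps(compose_es_query(SAMPLE_ALERT, lookback_minutes=10),
                     indent=2))
```

The query is attached to the alert as JSON so an analyst can paste it straight into Kibana's query bar or the `_search` API against the index the forwarded logs land in; the `sort` on `@timestamp` keeps the logs in the order the rule saw them.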