Alerting

The alerting feature notifies you when data from one or more Elasticsearch indices meets certain conditions.

Key Terms

Monitor: A job that runs on a defined schedule and queries Elasticsearch. The results of these queries are then used as input for one or more triggers.
Trigger: Conditions that, if met, generate alerts and can perform some action.
Alert: A notification that a monitor's trigger condition has been met.
Action: The information that you want the monitor to send out after being triggered. Actions have a destination, a message subject, and a message body.
Destination: A reusable location for an action, such as Amazon Chime, Slack, or a webhook URL.

Log in to Kibana as the admin user, go to the Alerting tab, and click Create Monitor.

Give the monitor a name and set the schedule for how often you want it to run.

I named my monitor Audit Unauthorized Access Events, and set it to run Every 1 minute.

On the same page, scroll down to the Define Monitor section. This is where you choose the index to monitor and the extraction condition whose results feed the trigger that raises alerts. Set the index to security-auditlog-*, the index pattern where the security plugin writes its audit logs. Define the monitor condition as WHEN count() OVER all documents FOR THE LAST 5 minute(s), WHERE audit_category is FAILED_LOGIN.

Click on the Create button at the bottom to create your monitor.
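The same monitor expressed as the Alerting API request body the UI produces, with a local replay of what its query counts. This is an added example, not the plugin's own code or the author's; the @timestamp field name, the "above 0" trigger threshold and the sample audit documents are assumptions.

```python
from datetime import datetime, timedelta, timezone

INDEX_PATTERN = "security-auditlog-*"
WINDOW = timedelta(minutes=5)   # FOR THE LAST 5 minute(s)
THRESHOLD = 0                   # assumption: alert when the count is above 0

def build_monitor(name="Audit Unauthorized Access Events", threshold=THRESHOLD):
    """Monitor body in the shape accepted by the Open Distro Alerting API."""
    return {
        "type": "monitor",
        "name": name,
        "enabled": True,
        "schedule": {"period": {"interval": 1, "unit": "MINUTES"}},  # Every 1 minute
        "inputs": [{"search": {
            "indices": [INDEX_PATTERN],
            "query": {"size": 0, "query": {"bool": {"filter": [
                {"term": {"audit_category": "FAILED_LOGIN"}},
                # assumption: audit documents carry an @timestamp field
                {"range": {"@timestamp": {"gte": "now-5m", "lte": "now"}}},
            ]}}},
        }}],
        "triggers": [{
            "name": "failed-login-seen",
            "severity": "1",
            "condition": {"script": {
                "source": f"ctx.results[0].hits.total.value > {threshold}",
                "lang": "painless"}},
            "actions": [],  # destination, subject and body are attached here
        }],
    }

def count_failed_logins(docs, now):
    """Replay the monitor's filter locally: FAILED_LOGIN events inside the window."""
    return sum(1 for d in docs
               if d["audit_category"] == "FAILED_LOGIN"
               and now - WINDOW <= datetime.fromisoformat(d["@timestamp"]) <= now)

def trigger_fires(count, threshold=THRESHOLD):
    """The comparison the painless condition makes on hits.total.value."""
    return count > threshold

# Constructed sample audit documents (not real log data); only the first one counts.
NOW = datetime(2021, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_DOCS = [
    {"audit_category": "FAILED_LOGIN", "@timestamp": "2021-06-01T11:58:00+00:00"},
    {"audit_category": "FAILED_LOGIN", "@timestamp": "2021-06-01T11:50:00+00:00"},
    {"audit_category": "AUTHENTICATED", "@timestamp": "2021-06-01T11:59:00+00:00"},
]
```

The second FAILED_LOGIN document falls outside the 5-minute window and the AUTHENTICATED one has the wrong category, so the replay counts one event and the trigger fires.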