Apologies if this isn't the right place, but I'm curious if anyone has built a table of first/last seen IPs/domains in Security Onion? It's something I've done with Splunk in the past, and it can be very useful as raw events age out, etc. If no one has, I can start trying to figure out how difficult it would be, but wanted to check before duplicating efforts. Thank you!
Answered by dougburks, Dec 28, 2020
Replies: 1 comment
You might start with an ElastAlert new_term rule as described in Issue #846.
Answer selected by dougburks
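As an added illustration of the suggested starting point (this is an example rule written for this page, not a rule shipped with Security Onion and not code from the thread or from Issue #846), here is what an ElastAlert `new_term` rule for first-seen source IPs looks like. The index pattern `so-*`, the ECS-style field name `source.ip`, the `event.module` filter value and the 30-day window are assumptions about the deployment; adjust them to match the indices and field names actually present in your Elasticsearch.

```yaml
# Added example: ElastAlert new_term rule that alerts the first time a value
# of source.ip appears that was not seen in the previous 30 days.
# Index pattern, field names and filter value are assumptions for this example.
name: First-seen source IP
type: new_term

# Index pattern to query (assumed Security Onion index naming).
index: so-*
timestamp_field: "@timestamp"

# Field(s) whose new values trigger an alert. Each entry is tracked separately;
# add destination.ip or a DNS query-name field here to track those as well.
fields:
  - source.ip

# On rule start, ElastAlert runs a terms aggregation over this window to build
# the set of "already seen" values; anything outside that set is new.
terms_window_size:
  days: 30

# Narrow the match to one data source (assumed field/value for this example).
filter:
  - term:
      event.module: zeek

# Do not alert when a document simply lacks the field.
alert_on_missing_field: false

# Alert every time a new value appears; raise realert to throttle noise.
realert:
  minutes: 0

# Replace with email/slack/etc. for real use; debug writes to the ElastAlert log.
alert:
  - debug
```

One caveat worth knowing before building on this: `new_term` gives you first-seen alerts, not a persistent first/last-seen table. The set of known values lives in ElastAlert's memory and is rebuilt from `terms_window_size` each time the rule starts, so a value that has aged out of the indices will alert again as "new", and there is no last-seen timestamp to query. To get the durable table the question describes, you would still need to write each alert (and periodic last-seen updates) to a separate index or datastore.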