I was trying to replicate Watcher functionality using a SIEM detection rule. In Watcher I can write an Elasticsearch query, but can I do that using a detection rule? Please help.
I gave a more thorough answer to you in your previous post:
But yes, you should also be able to use plain Lucene if you really want to, by sliding off KQL:
I would recommend trying to keep it to KQL and filters before utilizing Lucene, as it's a better experience, more readable, and it translates to Elasticsearch filters, which are better performance-wise than Lucene.
For example, this shows what a Lucene query would translate to:
And that's not the same as what the KQL translates to:
Which, at the time of this writing, is using filters that should be cached:
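Added example (not part of the thread, and not Kibana's own code): it builds a detection-rule body for the Kibana Detection Engine API in either query language and shows, in simplified form, the point made above: a KQL conjunction maps to bool/filter clauses (filter context, cacheable), while a Lucene string is passed through as a scored query_string query. The KQL-to-DSL mapping is an assumption for illustration only; Kibana's real translation differs in detail, and the field names and rule values are constructed.

```python
import re

# Matches one 'field:value' KQL term (assumed simplified grammar, no OR/NOT).
KQL_TERM = re.compile(r"^\s*([\w.@-]+)\s*:\s*(\S+)\s*$")


def kql_conjunction_to_dsl(kql: str) -> dict:
    """Translate 'field:value and field:value' into a bool filter (simplified)."""
    clauses = []
    for part in re.split(r"\s+and\s+", kql, flags=re.IGNORECASE):
        m = KQL_TERM.match(part)
        if not m:
            raise ValueError(f"unsupported KQL fragment: {part!r}")
        field, value = m.groups()
        clauses.append({"term": {field: value.strip('"')}})
    # Filter context: no relevance scoring, so Elasticsearch can cache it.
    return {"bool": {"filter": clauses}}


def lucene_to_dsl(lucene: str) -> dict:
    """A Lucene string becomes a query_string query (query context, scored)."""
    return {"query_string": {"query": lucene}}


def detection_rule_body(name: str, query: str, language: str, index: list) -> dict:
    """Request body for POST /api/detection_engine/rules; language is kuery or lucene."""
    if language not in ("kuery", "lucene"):
        raise ValueError("language must be 'kuery' or 'lucene'")
    return {
        "name": name,
        "description": f"Added example rule ({language})",  # constructed
        "risk_score": 47,          # constructed sample values
        "severity": "medium",
        "type": "query",
        "language": language,
        "query": query,
        "index": index,
        "interval": "5m",
        "from": "now-6m",
        "enabled": True,
    }


if __name__ == "__main__":
    kql = 'event.code:4625 and winlog.logon.type:"Network"'  # constructed
    print(kql_conjunction_to_dsl(kql))
    print(lucene_to_dsl("event.code:4625 AND winlog.logon.type:Network"))
    print(detection_rule_body("Failed network logon (KQL)", kql, "kuery", ["winlogbeat-*"]))
```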
Thank you @Frank_Hassanabad, that helped me.