Correlation analysis in elasticsearch

I am collecting Suricata events with Elasticsearch.
I want to create an alert through correlation analysis of Suricata events.

For example, when the following events are saved

{
    "rule.event": "event a",
    "src.ip": "10.0.0.1",
    "dst.ip": "10.0.0.2"
},
{
    "rule.event": "event b",
    "src.ip": "10.0.0.2",
    "dst.ip": "10.0.0.1"
}

I want to create an alert by combining events with the same src.ip and dst.ip.
Are these queries possible with DQL?

I want to make correlation rules for logs of devices other than Suricata.
Are all of these operations possible with queries in Elasticsearch?
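As an added example that is not part of the original post: one way to do the correlation client-side in Python over documents pulled from Elasticsearch, keying on the unordered IP pair, since the two events above have src and dst swapped and a direct match on src.ip and dst.ip would miss them. The `@timestamp` field and the five-minute window are assumptions for illustration.

```python
# Added example: correlate Suricata-style events by the pair of hosts involved,
# regardless of direction. Field names follow the question; "@timestamp" and
# the time window are assumptions for illustration, not fields from the post.
from datetime import datetime, timedelta

# Constructed sample hits, shaped like the _source documents in the question.
SAMPLE_HITS = [
    {"rule.event": "event a", "src.ip": "10.0.0.1", "dst.ip": "10.0.0.2",
     "@timestamp": "2024-01-01T10:00:00Z"},
    {"rule.event": "event b", "src.ip": "10.0.0.2", "dst.ip": "10.0.0.1",
     "@timestamp": "2024-01-01T10:00:30Z"},
    {"rule.event": "event a", "src.ip": "10.0.0.5", "dst.ip": "10.0.0.6",
     "@timestamp": "2024-01-01T11:00:00Z"},
]

def flow_key(doc):
    """Direction-agnostic key: the two IPs sorted, so a->b and b->a match."""
    return tuple(sorted((doc["src.ip"], doc["dst.ip"])))

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def correlate(hits, required=("event a", "event b"), window=timedelta(minutes=5)):
    """Return one alert per host pair that produced every required rule.event
    within `window` of each other; each alert lists the pair and the events."""
    groups = {}
    for doc in hits:
        groups.setdefault(flow_key(doc), []).append(doc)
    alerts = []
    for pair, docs in groups.items():
        docs.sort(key=lambda d: parse_ts(d["@timestamp"]))
        # Slide over the sorted docs and check whether the required set is
        # complete inside a window that starts at a given doc.
        for i, first in enumerate(docs):
            deadline = parse_ts(first["@timestamp"]) + window
            seen = set()
            for doc in docs[i:]:
                if parse_ts(doc["@timestamp"]) > deadline:
                    break
                seen.add(doc["rule.event"])
            if set(required) <= seen:
                alerts.append({"pair": pair, "events": sorted(seen),
                               "first_seen": first["@timestamp"]})
                break  # one alert per pair is enough
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_HITS):
        print(alert)
```

Grouping by src.ip and dst.ip can be pushed into Elasticsearch with a terms or composite aggregation, but the direction normalisation above still has to happen on the client side.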
