I want to compare 2 fields from 2 different indexes to create alert.
The 2 indexes: one for apache access logs and the other one is my IOCs.
All I want to do is to compare between the vulnerable IPs in my IOCs and the apache logs, and if there is any match, I want to create an alert.
So, can anyone help me?
Doesn't look like there is a way to compare between two indices.
This is less than ideal, but I guess you could create an Elasticsearch query rule and put your known IPs into the query. Then you could automate updating the rule with the new IPs via the alerting REST API.
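The workaround above, as an added example that is not part of the thread: it turns a list of IOC IPs into the query for an Elasticsearch query (`.es-query`) rule and builds the body for updating that rule through the Kibana alerting REST API. The rule id, Kibana URL, index pattern, IP field, schedule and the sample IOC list are assumptions; the `searchType` parameter is assumed to be needed only on newer Kibana versions.

```python
"""Added example (not from the thread). Builds an `.es-query` rule update
from IOC IPs. Index, field, host, rule id and parameter values are assumed."""
import ipaddress
import json

# Constructed sample IOC list, as a scheduled job might pull it from the IOC index.
SAMPLE_IOCS = ["203.0.113.10", "198.51.100.7", "203.0.113.10", "not-an-ip"]


def clean_ips(values):
    """Keep only syntactically valid, unique IPs so a bad IOC row cannot
    break the rule query. Returns a sorted list of strings."""
    good = set()
    for v in values:
        try:
            good.add(str(ipaddress.ip_address(v.strip())))
        except ValueError:
            continue  # malformed entry: skip it rather than embed it in the rule
    return sorted(good)


def build_ioc_query(ips, ip_field="source.ip"):
    """Query DSL matching any apache access event whose client IP is an IOC."""
    return {"query": {"bool": {"filter": [{"terms": {ip_field: clean_ips(ips)}}]}}}


def build_rule_update(ips, index="apache-access-*", ip_field="source.ip"):
    """Body for PUT /api/alerting/rule/<id> on an `.es-query` rule.
    `esQuery` is the query as a JSON string; a single hit is enough to alert."""
    return {
        "name": "IOC IP seen in apache access logs",
        "tags": ["ioc"],
        "schedule": {"interval": "5m"},
        "params": {
            "searchType": "esQuery",  # assumed: only newer Kibana needs this
            "index": [index],
            "timeField": "@timestamp",
            "esQuery": json.dumps(build_ioc_query(ips, ip_field)),
            "size": 100,
            "thresholdComparator": ">",
            "threshold": [0],
            "timeWindowSize": 5,
            "timeWindowUnit": "m",
        },
        "actions": [],  # PUT replaces actions: copy the rule's existing ones here
    }


if __name__ == "__main__":
    body = build_rule_update(SAMPLE_IOCS)
    print(json.dumps(body, indent=2))
    # To push it (assumed host and id; needs `pip install requests`):
    # requests.put("https://kibana.example:5601/api/alerting/rule/RULE_ID",
    #              json=body, headers={"kbn-xsrf": "true"}, auth=("user", "pw"))
```

Run it from cron or a CI job after each IOC refresh so the rule's `terms` list tracks the IOC index; the `kbn-xsrf` header is required by Kibana on every write request.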
Thanks, it worked for me.