Hello everyone, I want to create an SSH brute-force alert, but using the "index" connector, because I don't know what index I will use and I don't know how to test it.
Hey there @alipujaistopo
I'm not sure I fully understand what you mean by "i dunno what index i will use"? Do you mean that you want to programmatically pick what index you write to based on data within the action context itself? If so, that is not currently possible, and you must specify the destination index when setting up the action, but please feel free to open a feature request detailing your use case so we can capture it.
If you do know the index you want to write data to, you can check out the Index Action documentation for details on configuring and testing the connector/action. And here's the pull request where this functionality was added for additional details.
Please note that there is currently a limitation with the Index Action in that it cannot index multiple documents per action firing, so it's mostly useful at this moment for writing aggregate alert data instead of forwarding raw alerts to another index. Oftentimes though you should be able to just reference the raw alerts in the .siem-signals index directly.
Hope this helps, and let us know if you have any additional questions -- cheers!
Garrett
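As an added illustration of the setup described in the reply above (not code from the thread or from Kibana itself): the request bodies for an Index connector with a fixed destination index, a rule action that writes one aggregate summary document per firing instead of the raw alerts, and a body for exercising the connector via its `_execute` endpoint. The index name, the connector id and the API field names are assumptions based on the 7.x-era Kibana actions and detection-engine APIs; check them against your Kibana version's documentation.

```python
"""Builders for a Kibana Index connector that stores one aggregate summary
document per detection-rule firing. Field names follow the 7.x-era Kibana
actions / detection-engine APIs and are assumptions; verify before use."""
import json

SUMMARY_INDEX = "siem-alert-summaries"  # constructed example index name


def connector_request(index: str = SUMMARY_INDEX) -> dict:
    """Body for POST /api/actions/action: the destination index is fixed here,
    since the action cannot choose an index from the alert context."""
    return {
        "name": f"Index alert summaries ({index})",
        "actionTypeId": ".index",
        "config": {
            "index": index,
            "refresh": True,                    # document searchable right away
            "executionTimeField": "@timestamp", # Kibana stamps the firing time
        },
        "secrets": {},
    }


def rule_action(connector_id: str) -> dict:
    """Action entry for a detection rule. The Index action writes a single
    document per firing, so keep aggregate data here and link back to the
    raw alerts in the .siem-signals index rather than copying them."""
    summary = {
        "rule_name": "{{context.rule.name}}",
        "rule_id": "{{context.rule.id}}",
        "signals_count": "{{state.signals_count}}",
        "results_link": "{{context.results_link}}",
    }
    return {"group": "default", "id": connector_id,
            "action_type_id": ".index", "params": {"documents": [summary]}}


def assert_single_document(action: dict) -> int:
    """Guard for the one-document-per-firing limitation the reply describes."""
    docs = action["params"]["documents"]
    if len(docs) != 1:
        raise ValueError(f"Index action must carry exactly one document, got {len(docs)}")
    return len(docs)


def execute_request(rule_name: str, count: int, link: str) -> dict:
    """Body for POST /api/actions/action/<connector-id>/_execute, with the
    mustache variables already rendered, to test the connector on demand."""
    return {"params": {"documents": [
        {"rule_name": rule_name, "signals_count": count, "results_link": link}]}}


if __name__ == "__main__":
    print(json.dumps(connector_request(), indent=2))
    print(json.dumps(rule_action("<connector-id placeholder>"), indent=2))
```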