Creating an indicator match Watcher Alert

Banderson02 · April 7, 2023, 5:26pm

Hello,
Has anyone been able to replicate an indicator match alert like what is provided in Kibana security as an Elasticsearch Watcher alert?

I have a deployment where we do not have access to Kibana Security, so I need to create an indicator match alert using Watcher instead. I found resources saying I should look into chain input, but there aren't a whole lot of examples available to go off of and learn syntax.

Rough logic is:

If source.ip in "Checkpoint.index" matches malicious.ip in "Malicious.ips.index", alert.

system · May 5, 2023, 5:26pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elasticsearch indexes - watcher notifications Elasticsearch elastic-stack-alerting	9	1574	September 15, 2017
Kibana watcher alert error Elasticsearch elastic-stack-alerting	2	615	August 29, 2019
Watcher on elasticsearch logs Elasticsearch elastic-stack-alerting	4	440	November 30, 2018
Watcher for nodes in elasticsearch Elasticsearch elastic-stack-alerting	9	768	March 9, 2022
Watcher matching isn't working - any help? Elasticsearch elastic-stack-alerting	3	1037	July 6, 2017

Creating an indicator match Watcher Alert

Related topics