Creating an indicator match Watcher Alert

Has anyone been able to replicate an indicator match alert like what is provided in Kibana security as an Elasticsearch Watcher alert?

I have a deployment where we do not have access to Kibana Security, so I need to create an indicator match alert using Watcher instead. I found resources saying I should look into chain input, but there aren't a whole lot of examples available to go off of and learn syntax.

Rough logic is:

If source.ip in "Checkpoint.index" matches malicious.ip in "Malicious.ips.index", alert.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.