Has anyone been able to replicate an indicator match alert like what is provided in Kibana security as an Elasticsearch Watcher alert?
I have a deployment where we do not have access to Kibana Security, so I need to create an indicator match alert using Watcher instead. I found resources saying I should look into chain input, but there aren't a whole lot of examples available to go off of and learn syntax.
Rough logic is:
If source.ip in "Checkpoint.index" matches malicious.ip in "Malicious.ips.index", alert.
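One way to express that logic as a Watcher chain input, added here as an example rather than anything from the original post: the first input pulls the distinct `malicious.ip` values with a terms aggregation, the second pulls recent Checkpoint events, a Painless condition fires when any `source.ip` is in the IoC set, and a transform narrows the payload to the matched events for the action. The index names are the poster's, lowercased because Elasticsearch requires lowercase index names; the 5-minute window, the result-size limits and the ECS-style `source: { ip: ... }` document layout are assumptions.

```json
{
  "metadata": {
    "note": "Added example; index names from the post lowercased (required by Elasticsearch), ECS-style source.ip object assumed, 5m window assumed"
  },
  "trigger": { "schedule": { "interval": "5m" } },
  "input": {
    "chain": {
      "inputs": [
        { "iocs": { "search": { "request": {
          "indices": [ "malicious.ips.index" ],
          "body": {
            "size": 0,
            "aggs": { "ips": { "terms": { "field": "malicious.ip", "size": 10000 } } }
          }
        } } } },
        { "events": { "search": { "request": {
          "indices": [ "checkpoint.index" ],
          "body": {
            "size": 1000,
            "_source": [ "@timestamp", "source.ip", "destination.ip" ],
            "query": { "range": { "@timestamp": {
              "gte": "{{ctx.trigger.scheduled_time}}||-5m",
              "lte": "{{ctx.trigger.scheduled_time}}"
            } } }
          }
        } } } }
      ]
    }
  },
  "condition": {
    "script": {
      "lang": "painless",
      "source": "Set bad = new HashSet(); for (b in ctx.payload.iocs.aggregations.ips.buckets) { bad.add(b.key); } for (h in ctx.payload.events.hits.hits) { if (bad.contains(h._source.source?.ip)) { return true; } } return false;"
    }
  },
  "transform": {
    "script": {
      "lang": "painless",
      "source": "Set bad = new HashSet(); for (b in ctx.payload.iocs.aggregations.ips.buckets) { bad.add(b.key); } List matches = new ArrayList(); for (h in ctx.payload.events.hits.hits) { if (bad.contains(h._source.source?.ip)) { matches.add(h._source); } } return ['matches': matches];"
    }
  },
  "actions": {
    "log_matches": {
      "logging": {
        "text": "Indicator match in checkpoint.index: {{#ctx.payload.matches}}{{source.ip}} at {{@timestamp}}; {{/ctx.payload.matches}}"
      }
    }
  }
}
```

Register it with `PUT _watcher/watch/<watch-id>` and check the result with `_watcher/watch/<watch-id>/_execute`. The events search returns at most 1000 hits per run, so on a busier index raise that size or replace the full scan with a `terms` query built from the IoC buckets.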