Cross correlation between multiple index - logstash filter

Please help me to achieve the following condition.

If (SourceIP of (Winlogbeat – Login as Admin AND Winlogbeat Privilege Escalation) = Same SourceIP - say X)
AND (Output of the Denied or Allowed Outbound Malicious Traffic Source IP = X)
Then index the matching documents to a new account index.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.