Detection Rule - Output of an aggregation bucket should match with other types of logs in the same index

Hi,

Can someone please help to create a detection rule based on the logic mentioned below.

All unique mac.address field values with common.role:rogue should be aggregated and matched again with the mac.address field values with common.role:* in the same index, and if any of the same mac.address values comes without the common.role:rogue value, it should be alerted.

Here the attempt is to detect the permitted rogue devices.

Looks like this can be achieved by taking the output of the below aggregation and matching it with the same index again with the field common.role:*. Can someone please help me understand which rule type I can use to create this cross-correlation.

GET A/_search
{
  "query": {
    "term": {
      "common.role": {
        "value": "rogue"
      }
    }
  },
  "size": 0,
  "aggs": {
    "unique_macaddress": {
      "terms": {
        "field": "mac.address"
      }
    }
  }
}

The output of the unique_macaddress aggregation should match again with the same index A by keeping common.role:*

Please help me to resolve this.

Thanks in advance
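The two-step correlation the post describes, as an added example that is not part of the original post and not Elastic's own code: step 1 collects the distinct mac.address values seen with common.role:rogue (what the unique_macaddress terms aggregation returns as buckets), step 2 looks for those same MACs in the same index with any other common.role value, and the same step 2 is also emitted as query DSL for GET A/_search. Index name A, the field names mac.address and common.role and the value rogue come from the post; the sample documents are constructed, and the helper names are my own.

```python
from collections import defaultdict

# Constructed sample documents standing in for hits from index "A" (not real data).
# Field names and the role value "rogue" follow the post; MAC 04 is logged in mixed case
# on purpose, to show why the comparison normalises case.
SAMPLE_DOCS = [
    {"mac": {"address": "aa:bb:cc:00:00:01"}, "common": {"role": "rogue"}},
    {"mac": {"address": "aa:bb:cc:00:00:01"}, "common": {"role": "printer"}},
    {"mac": {"address": "aa:bb:cc:00:00:02"}, "common": {"role": "rogue"}},
    {"mac": {"address": "aa:bb:cc:00:00:02"}, "common": {"role": "rogue"}},
    {"mac": {"address": "aa:bb:cc:00:00:03"}, "common": {"role": "workstation"}},
    {"mac": {"address": "AA:BB:CC:00:00:04"}, "common": {"role": "rogue"}},
    {"mac": {"address": "aa:bb:cc:00:00:04"}, "common": {"role": "switch"}},
]


def get_field(doc, dotted_path):
    """Resolve a dotted field name such as 'mac.address' against a nested document."""
    value = doc
    for part in dotted_path.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def normalise_mac(mac):
    """MAC addresses are often logged in mixed case; compare them case-insensitively."""
    return mac.lower() if isinstance(mac, str) else None


def rogue_macs(docs):
    """Step 1: distinct mac.address values seen with common.role == 'rogue'.

    Equivalent to the buckets of the 'unique_macaddress' terms aggregation in the post.
    """
    return {
        normalise_mac(get_field(d, "mac.address"))
        for d in docs
        if get_field(d, "common.role") == "rogue" and get_field(d, "mac.address")
    }


def build_followup_query(macs):
    """Step 2 as Elasticsearch query DSL: same MACs, any common.role except 'rogue'.

    Sending this body to GET A/_search returns the documents the post wants alerted on.
    """
    return {
        "query": {
            "bool": {
                # exists keeps only documents that carry common.role at all (common.role:*)
                "filter": [
                    {"terms": {"mac.address": sorted(macs)}},
                    {"exists": {"field": "common.role"}},
                ],
                "must_not": [{"term": {"common.role": {"value": "rogue"}}}],
            }
        }
    }


def find_permitted_rogues(docs):
    """Apply step 2 locally: MACs from step 1 that also appear with a non-rogue role.

    Returns {mac: sorted list of the other roles it was seen with}.
    """
    suspects = rogue_macs(docs)
    other_roles = defaultdict(set)
    for d in docs:
        mac = normalise_mac(get_field(d, "mac.address"))
        role = get_field(d, "common.role")
        if mac in suspects and role is not None and role != "rogue":
            other_roles[mac].add(role)
    return {mac: sorted(roles) for mac, roles in other_roles.items()}


if __name__ == "__main__":
    import json

    print(json.dumps(build_followup_query(rogue_macs(SAMPLE_DOCS)), indent=2))
    for mac, roles in find_permitted_rogues(SAMPLE_DOCS).items():
        print(f"ALERT: {mac} tagged rogue but also seen as {', '.join(roles)}")
```

Two caveats when running this against a real index: a terms aggregation returns only 10 buckets by default, so step 1 needs an explicit "size" large enough to cover every rogue MAC or the follow-up query silently misses some; and if mac.address is mapped as a keyword field, the terms query is an exact, case-sensitive match, so MAC case should be normalised at ingest (or with a normalizer on the field) rather than only in the comparison code above. Elastic Security's indicator match rule type compares a field in the source index against values held in a separate indicator index, so one way to schedule this is to write the step 1 MACs into a small indicator index and let that rule perform step 2.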
