Getting the following error when trying to filter by the threat enrichments matched field

I am trying to filter by the following KQL query in the GUI:
"threat.enrichments.matched.field: source.ip"
However I get the following error:

"threat.enrichments.matched.field is a nested field, but is not in a nested group in the KQL expression."

But when I try the following:

threat.enrichments: { matched.field: source.ip }

[layeredXyVis] > [esaggs] > threat.enrichments.matched.field is not a nested field but is in nested group "threat.enrichments" in the KQL expression.

The problem seems to be that there are two objects within threat.enrichments:

{
  "_index": ".internal.alerts-security.alerts-default-000002",
  "_id": "ef1c4b308b17fdea75c73ed2164ad32ba408ada0e8c3f1a023f06e8962d8df5f",
  "_score": 1,
  "fields": {    
    ....
    "threat.enrichments": [
      {
        "indicator.reference": [
          "https://urlhaus.abuse.ch/url/2713742/"
        ],
        "indicator.url.original.text": [
          "http://45.88.90.113/sdxkzX_UXA229x.mpsl"
        ],
        "matched.index": [
          ".ds-logs-ti_abusech.url-default-2023.09.11-000001"
        ],
        "indicator.url.extension": [
          "mpsl"
        ],
        "indicator.url.full.text": [
          "http://45.88.90.113/sdxkzX_UXA229x.mpsl"
        ],
        "indicator.url.domain": [
          "45.88.90.113"
        ],
        "indicator.url.original": [
          "http://45.88.90.113/sdxkzX_UXA229x.mpsl"
        ],
        "indicator.first_seen": [
          "2023-09-24T16:47:04.000Z"
        ],
        "indicator.ip": [
          "45.88.90.113"
        ],
        "matched.field": [
          "source.ip"
        ],
        "indicator.provider": [
          "geenensp"
        ],
        "indicator.url.scheme": [
          "http"
        ],
        "indicator.url.path": [
          "/sdxkzX_UXA229x.mpsl"
        ],
        "indicator.type": [
          "url"
        ],
        "matched.type": [
          "indicator_match_rule"
        ],
        "matched.id": [
          "Nv44h/gtRRVg9W/7Yd0p13YrBkA="
        ],
        "indicator.url.full": [
          "http://45.88.90.113/sdxkzX_UXA229x.mpsl"
        ],
        "matched.atomic": [
          "45.88.90.113"
        ]
      },
      {
        "indicator.reference": [
          "https://urlhaus.abuse.ch/url/2713742/"
        ],
        "indicator.url.original.text": [
          "http://45.88.90.113/sdxkzX_UXA229x.mpsl"
        ],
        "matched.index": [
          ".ds-filebeat-8.9.0-2023.09.14-000002"
        ],
        "indicator.url.extension": [
          "mpsl"
        ],
        "indicator.url.full.text": [
          "http://45.88.90.113/sdxkzX_UXA229x.mpsl"
        ],
        "indicator.url.domain": [
          "45.88.90.113"
        ],
        "indicator.url.original": [
          "http://45.88.90.113/sdxkzX_UXA229x.mpsl"
        ],
        "indicator.first_seen": [
          "2023-09-24T16:47:04.000Z"
        ],
        "indicator.ip": [
          "45.88.90.113"
        ],
        "matched.field": [
          "source.ip"
        ],
        "indicator.provider": [
          "geenensp"
        ],
        "indicator.url.scheme": [
          "http"
        ],
        "indicator.url.path": [
          "/sdxkzX_UXA229x.mpsl"
        ],
        "indicator.type": [
          "url"
        ],
        "matched.type": [
          "indicator_match_rule"
        ],
        "matched.id": [
          "Nv44h/gtRRVg9W/7Yd0p13YrBkA="
        ],
        "indicator.url.full": [
          "http://45.88.90.113/sdxkzX_UXA229x.mpsl"
        ],
        "matched.atomic": [
          "45.88.90.113"
        ]
      }
    ],
    ....
  }
}


Does anyone know how to accommodate this in the KQL query?
