Indicator match - limit indicator look back time


Within an indicator match detection, for the indicator index query, are we able to modify how far that looks back within that index?

Going to give @timestamp >= "now-35m" a whirl and see if it does what I require.

That should work out for you. If you update your lists you should update your @timestamp along with your data.

I spent a little time yesterday and it seemed to do the trick. Both of the indexes are live, rather than one main index comparing against a threat intel source. Using this to help correlate events from one alert source against a Windows event log index.
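For anyone landing on this thread later, here is what the approach above looks like as a complete indicator match rule definition for the Kibana Detections API. This is an added example, not something posted in the thread: the index names (alerts-source-*, winlogbeat-*), the host.name mapping, the schedule and the risk/severity values are assumptions chosen for illustration. The part the thread is about is threat_query, where the date-math filter restricts how far back the rule reads from the indicator side; because both indexes are live, the window (here 35 minutes) should be at least as wide as the rule's own from window so the two sides overlap.

```json
{
  "name": "Correlate alert source with Windows event logs (last 35m)",
  "description": "Indicator match rule where the indicator index is itself a live index, so its query is limited to a recent time window. Example rule, index names and mapping are assumed.",
  "type": "threat_match",
  "risk_score": 47,
  "severity": "medium",
  "enabled": true,
  "interval": "5m",
  "from": "now-6m",

  "index": ["winlogbeat-*"],
  "language": "kuery",
  "query": "event.module : \"security\"",

  "threat_index": ["alerts-source-*"],
  "threat_language": "kuery",
  "threat_query": "@timestamp >= \"now-35m\"",
  "threat_mapping": [
    {
      "entries": [
        {
          "field": "host.name",
          "type": "mapping",
          "value": "host.name"
        }
      ]
    }
  ]
}
```

The same date-math filter can be combined with whatever other conditions the indicator side needs, for example `@timestamp >= "now-35m" and event.kind : "alert"`, and the window can be tuned up or down depending on how quickly documents land in the indicator index.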

