Good day to you all.
Hope the example below gives you more context on the request.
Let us consider the following:
- we have three documents: doc1, doc2 and doc3.
- doc1 and doc2 were indexed into an index named A (firewall index)
- doc3 was indexed into an index named B (threat feed index)
doc1 in JSON
{
"_index": "A",
"_type": "firewall",
"_id": "1",
"domain": "test.com",
"dstport": "80",
"srcport": "22000"
}
doc2 in JSON
{
"_index": "A",
"_type": "firewall",
"_id": "2",
"domain": "test1.com",
"dstport": "443",
"srcport": "11000"
}
doc3 in JSON
{
"_index": "B",
"_type": "threatfeed",
"_id": "3",
"ioc": "test1.com"
}
We wanted to create a rule/query that triggers an alert or creates a visualization using a "not match" condition by correlating index A (field: domain) and index B (field: ioc), i.e., from the above example we expect the result "domain: test.com" (doc1) to be triggered as an alert or shown in a visualization, as it does not match the condition.
We tried to achieve this using the rule type "Indicator match", but it only has the "match" option; a "not match" option is not available. Screenshot attached for reference.
Do we have this feature available in Elastic, or is there any other workaround to achieve this use case?
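Added example, not part of the original post: the usual two-step workaround for a "not match" correlation, pulling the distinct ioc values from index B with a terms aggregation and then querying index A with bool/must_not/terms, built as Elasticsearch query DSL and evaluated offline on the post's three documents. The helper function names are hypothetical, and it assumes domain and ioc are mapped as keyword fields (otherwise use the .keyword subfields).

```python
# Added example (not from the original post): build the query DSL for
# "domain is NOT in the threat feed" and evaluate it locally on the post's docs.
# Assumes `domain` and `ioc` are keyword-mapped; helper names are hypothetical.

# Constructed copies of the post's documents (the _source of each hit).
INDEX_A = [  # firewall index
    {"_id": "1", "domain": "test.com", "dstport": "80", "srcport": "22000"},
    {"_id": "2", "domain": "test1.com", "dstport": "443", "srcport": "11000"},
]
INDEX_B = [  # threat feed index
    {"_id": "3", "ioc": "test1.com"},
]


def ioc_terms_agg_request(size=10000):
    """Step 1: request body for index B that returns every distinct ioc
    value as a terms-aggregation bucket (size 0: no hits, only buckets)."""
    return {"size": 0, "aggs": {"iocs": {"terms": {"field": "ioc", "size": size}}}}


def collect_iocs(feed_docs):
    """Local stand-in for the aggregation result: sorted unique ioc values."""
    return sorted({d["ioc"] for d in feed_docs if "ioc" in d})


def not_match_query(iocs):
    """Step 2: request body for index A. `exists` keeps only docs that actually
    carry a domain (so docs with no domain field do not become alerts), and
    `must_not terms` drops every domain present in the feed."""
    return {"query": {"bool": {
        "filter": [{"exists": {"field": "domain"}}],
        "must_not": [{"terms": {"domain": list(iocs)}}],
    }}}


def evaluate_locally(firewall_docs, query):
    """Apply the same bool semantics offline; returns the _ids that would
    be returned by index A, i.e. the candidates for the alert/visualization."""
    bool_q = query["query"]["bool"]
    blocked = set(bool_q["must_not"][0]["terms"]["domain"])
    required = bool_q["filter"][0]["exists"]["field"]
    return [d["_id"] for d in firewall_docs
            if required in d and d[required] not in blocked]


if __name__ == "__main__":
    feed = collect_iocs(INDEX_B)                 # ["test1.com"]
    print(evaluate_locally(INDEX_A, not_match_query(feed)))  # ["1"] -> doc1
```

A real `terms` query is capped by `index.max_terms_count` (65536 by default), so a large feed has to be batched or handled with an enrich policy instead of one query.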