Indicator Match - Rule Type: Correlation - Not Match Result Unavailable

Good day to you all.

Hope the below example can give you more context to the request,

Let us consider the below,

  1. we have three documents: doc1, doc2 and doc3.
  2. doc1 and doc2 were indexed into an index named A (firewall index)
  3. doc3 was indexed into an index named B (threat feed index)

doc1 in JSON

    {
        "_index": "A",
        "_type": "firewall",
        "_id": "1",
        "domain": "test.com",
        "dstport": "80",
        "srcport": "22000"
    }

doc2 in JSON

    {
        "_index": "A",
        "_type": "firewall",
        "_id": "2",
        "domain": "test1.com",
        "dstport": "443",
        "srcport": "11000"
    }

doc3 in JSON

    {
        "_index": "B",
        "_type": "threatfeed",
        "_id": "3",
        "ioc": "test1.com"
    }

We wanted to create a rule/query to trigger an alert or to create a visualization using a "not match" condition by correlating Index A (Field - domain) and Index B (Field - ioc), i.e., from the above example we expect the result "domain: test.com" - doc1 to be triggered as an alert or shown in a visualization, as it does not match the condition.

We tried to achieve this using the rule type "Indicator match", but it only has the "match" option; a "not match" option is not available. Screenshot attached for reference.

Do we have this feature available in Elastic, or any other workaround to achieve this use case?
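One scripted workaround for the "not match" correlation described above, as an added example that is not part of the original post and not an Elastic rule type: pull the indicator values from index B, then exclude them from index A with a `bool`/`must_not`/`terms` query. The documents are constructed inline from the post's doc1-doc3 in place of a live query, and the helper names are my own.

```python
# Added example: emulate a "not match" correlation between a firewall
# index (field "domain") and a threat-feed index (field "ioc").
# Documents are constructed inline from the post's doc1, doc2 and doc3;
# in a real deployment they would come from a search against index B
# and the generated query would be sent to index A.

MAX_TERMS = 65536  # Elasticsearch index.max_terms_count default (assumed)

FIREWALL_DOCS = [  # constructed from the post's doc1 and doc2
    {"_index": "A", "_id": "1", "domain": "test.com", "dstport": "80", "srcport": "22000"},
    {"_index": "A", "_id": "2", "domain": "test1.com", "dstport": "443", "srcport": "11000"},
]
THREAT_DOCS = [  # constructed from the post's doc3
    {"_index": "B", "_id": "3", "ioc": "test1.com"},
]


def collect_iocs(threat_docs, field="ioc"):
    """Return the set of indicator values found in the threat-feed documents."""
    return {doc[field] for doc in threat_docs if field in doc}


def build_not_match_query(iocs, field="domain"):
    """Build the Elasticsearch query DSL body that excludes every document
    whose `field` equals one of the indicators. A `terms` clause is capped
    by index.max_terms_count, so refuse to build an oversized query."""
    if len(iocs) > MAX_TERMS:
        raise ValueError(f"{len(iocs)} indicators exceed the terms limit of {MAX_TERMS}")
    return {"query": {"bool": {"must_not": {"terms": {field: sorted(iocs)}}}}}


def not_match(firewall_docs, iocs, field="domain"):
    """Apply the same exclusion locally: keep documents whose `field` value is
    not an indicator. Documents lacking the field cannot match, so they are
    kept, exactly as the must_not query above would return them."""
    return [doc for doc in firewall_docs if doc.get(field) not in iocs]


if __name__ == "__main__":
    iocs = collect_iocs(THREAT_DOCS)
    print(build_not_match_query(iocs))
    for doc in not_match(FIREWALL_DOCS, iocs):
        print("not matched:", doc["_id"], doc["domain"])  # prints doc1 / test.com
```

For a large feed, split the indicator set into several queries or a scheduled job rather than one oversized `terms` clause.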

Hi Raghul,

You may have posted this in the wrong forum section. This is for Elastic Enterprise Search, but I think this question may be more relevant to Elastic Security.