Indicator match

ramiwashere · December 6, 2022, 11:17am

Hello,

I'm sorry if this information had already been asked but I didn't find my answer on old topic.
I'm stuck on a indicator match rule and idk if I misunderstand this type of rule:

I have 2 index, lets call them index1 and index2.
On index1, I filter on " deny event action" for exemple
On index2, I filter on " rejected event action" for exemple.

My goal is to match same source.ip between index1 & index2. As well, the source.ip field is different on both index.
Is that thing that make indicator match to not retrieve data ?

Thank you for your feedback

system · January 3, 2023, 11:17am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Indicator Match - Rule Type: Correlation - Not Match Result Un Available Elastic Search	2	284	November 4, 2022
Indicator matching rule recommendation Elastic Security	3	429	August 3, 2021
Creating an indicator match Watcher Alert Elasticsearch	1	259	May 5, 2023
Indicator match - limit indicator look back time Elastic Security	4	321	November 4, 2022
Indicator matching Rules Kibana	3	299	May 20, 2022

Indicator match

Related topics