I recently configured an Indicator Matching Rule that creates alarms if any indicator is found. The issue with this is that the indicators are matched partially. For instance, if I have the indicator something.q77.eu and a log entry of ecsc2025.eu, it results in a match because the "eu" of the indicator is found in the log entry.
This is due to the way you save the fields in Elasticsearch: they should be saved as a keyword field instead of text. Text analyzes the field and splits it by the usual separators like spaces or dots.
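The behaviour described in the answer above, as an added stand-alone Python model (not code from this thread and not Elasticsearch's own analyzer): a `text` field is split into tokens before indexing, so a query for the indicator matches any document that shares a single token, while a `keyword` field stores the whole string and only an exact comparison counts. The tokenizer here splits only on whitespace and dots, which is a deliberate simplification of Elasticsearch's standard analyzer; the `KEYWORD_MAPPING` fragment and the field name `destination.domain` are illustrative assumptions.

```python
"""
Added illustration (not from the forum thread): why an indicator such as
"something.q77.eu" matched the log value "ecsc2025.eu" on a `text` field,
and why a `keyword` field does not produce that match.

This is a model of the two field types, not Elasticsearch itself. The
tokenizer splits on whitespace and dots, a simplification of the standard
analyzer (assumption).
"""
import re

# Simplified analyzer: lowercase and split on whitespace and dots.
_SEPARATORS = re.compile(r"[\s.]+")


def analyze(value: str) -> list[str]:
    """Tokens a `text` field would index for this value (simplified model)."""
    return [tok for tok in _SEPARATORS.split(value.lower()) if tok]


def text_field_matches(indicator: str, log_value: str) -> bool:
    """Model of a `match` query on a `text` field: both sides are analyzed and
    the document matches if ANY query token is present (default OR operator).
    This is the partial-match behaviour the question describes."""
    return bool(set(analyze(indicator)) & set(analyze(log_value)))


def keyword_field_matches(indicator: str, log_value: str) -> bool:
    """Model of a `term` query on a `keyword` field: the indexed value is the
    whole string, untouched, so only an exact comparison matches."""
    return indicator == log_value


def find_hits(indicators, log_values, matcher):
    """Run every indicator against every log value under one field model and
    return the (indicator, log_value) pairs that would raise an alarm."""
    return [(i, v) for i in indicators for v in log_values if matcher(i, v)]


# Constructed sample data: the indicator and log entry from the question, one
# entry that genuinely equals the indicator, and an unrelated domain.
INDICATORS = ["something.q77.eu"]
LOG_VALUES = ["ecsc2025.eu", "something.q77.eu", "mail.example.org"]

# Illustrative mapping fragment (assumed field name) that stores the domain as
# a keyword so a term query compares the whole value instead of tokens.
KEYWORD_MAPPING = {
    "mappings": {
        "properties": {
            "destination": {
                "properties": {
                    "domain": {"type": "keyword"}
                }
            }
        }
    }
}

if __name__ == "__main__":
    print("text field   :", find_hits(INDICATORS, LOG_VALUES, text_field_matches))
    print("keyword field:", find_hits(INDICATORS, LOG_VALUES, keyword_field_matches))
```

Running it shows the `text` model alarming on both `ecsc2025.eu` and the real hit, while the `keyword` model alarms only on the exact indicator. For reference, Elasticsearch's default dynamic mapping indexes an unmapped string as `text` and also adds a `keyword` sub-field (`<field>.keyword`, with `ignore_above: 256`), which is why a `.keyword` variant is usually available to select even when the mapping was never written by hand.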
Elasticsearch is also creating keyword fields for every field in the index. Is it enough to just select the Keyword variant, or do I have to keep something else in mind?