Hi,
I am wondering if it is possible to query ES for matches on values in 2 fields from 2 indexes, so that I can use resulting values from both events in visualizations.
I've set up indicator match rules via Kibana and I know this will generate alerts when there is a match between values in the target index and the threat intel index: Create a detection rule | Elastic Security Solution [8.3] | Elastic.
I also have set up ingest pipelines using the enrich processor and I know this will do what I am looking for at ingest time: Set up an enrich processor | Elasticsearch Guide [8.3] | Elastic.
Similarly, Logstash has the Elasticsearch filter plugin, and this works similarly to the enrich processor, albeit with generally worse performance: Elasticsearch filter plugin | Logstash Reference [8.3] | Elastic.
However, what I am asking is, can I construct an Elasticsearch query to find matches between values in 2 fields from 2 indexes, and yield 1 event for each match, containing the values from both matching events?
I have seen posts like this, but they are old (this one is from 2017) and I know Elasticsearch is changing rapidly: How to fetch data from multiple index using join like sql.
Thank you