Trying to migrate from other SIEM platforms. One question is, is it possible to define some lists and refer to them across different rules? Like WHERE source.ip IN ${some_defined_list}?
I tried to use value list for rule exceptions and yes it worked, but I want to directly use value list in the query for more complex logics. Should I use other kinds of rules like KQL, EQL, etc.? I’m a bit confused when seeing so many query languages in Elastic…
So you want the ability to check if an IP belongs to a pre-determined list of IPs that is populated somewhere somehow and you wanna do that directly in ESQL?
Are you able to have those IPs dumped to a field in an index? If yes, then one possible way to achieve this is to use a combination of VALUES and MV_CONTAINS. Both functions support the IP type.
Example.
Assuming some_index has column ip of type IP.
FROM some_index
// dedupes the passed field into a single multi-valued list
| STATS ips = VALUES(ip)
// true if-and-only-if every element in the subset (second param) belongs to the superset (first param)
// pass any number of IPs in the subset
| EVAL found = MV_CONTAINS(ips, [some_ip_1, some_ip_2, ...])
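Worked example, added here and not part of the reply above or of Elastic's documentation. It fills the reply's placeholders with constructed IPs and then shows the per-event shape the question asked for (WHERE source.ip IN list), using LOOKUP JOIN. Assumptions: an ES|QL version that has both MV_CONTAINS and LOOKUP JOIN; a constructed event index netflow with an ECS field source.ip of type ip and an @timestamp; and a constructed index watched_ips created with index.mode set to lookup, holding source.ip (type ip) and list_name (keyword). Note that STATS collapses the reply's query to one row, so found answers "are all of these IPs present in the index", which is why the second query joins per row instead.

```esql
// Query 1: the reply's pattern with constructed literal IPs.
// Result is a single row; found is true only if every listed IP
// appears somewhere in watched_ips.
FROM watched_ips
| STATS ips = VALUES(source.ip)
| EVAL found = MV_CONTAINS(ips, [TO_IP("10.0.0.5"), TO_IP("192.0.2.10")])
| KEEP found

// Query 2: per-event membership test against a list maintained in an index.
// LOOKUP JOIN matches on the field name shared by both indices (source.ip);
// events whose source.ip is not in watched_ips get a null list_name, so the
// WHERE keeps only the matches. This is the "WHERE source.ip IN list" shape
// from the question, with the list living in watched_ips rather than in the rule.
FROM netflow
| LOOKUP JOIN watched_ips ON source.ip
| WHERE list_name IS NOT NULL
| KEEP @timestamp, source.ip, list_name
| SORT @timestamp DESC
| LIMIT 100
```

The ES|QL query API and the Kibana editor run one query per request, so submit the two sections separately. The lookup index must be created with index.mode set to lookup before LOOKUP JOIN will accept it, and the join field must carry the same name and type in both indices.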