Hi everyone!
Trying to migrate from other SIEM platforms. One question is, is it possible to define some lists and refer to them across different rules? Like WHERE source.ip IN ${some_defined_list}?
I tried to use a value list for rule exceptions and yes, it worked, but I want to use the value list directly in the query for more complex logic. Should I use other kinds of rules like KQL, EQL, etc.? I'm a bit confused when seeing so many query languages in Elastic…
Thanks!