Reference Set

gunlomboy · November 8, 2022, 1:43am

Hi,

We are using elasticsearch for alerting. Hosts are created and destroyed all the time for development purposes, but we have a core of devices which are tightly controlled. This list of devices is 100+ and are spread across various environments. We would like to alert when a specific event happens on one of these devices.

Does elasticsearch have anything similar to reference sets?

We need to be able to maintain a list of devices (the reference set), then use that in our alerting rule. Eg, if X happens on a device and the hostname is in this reference set

Many thanks.

warkolm · November 9, 2022, 1:17am

The closest I can think of is Watcher chain input | Elasticsearch Guide [8.5] | Elastic, where you could load the data from the reference index and then iterate over that for your alerts.

Maybe someone else can suggest something else though

gunlomboy · November 9, 2022, 1:31am

Thanks @warkolm

Not exactly what I'm looking for, but I could probably do something with it.

warkolm · November 9, 2022, 2:57am

Yeah I get your point

Another option might be to do this;

store your critical hosts in a new index
enrich your event using an ingest pipeline
tag these critical hosts with something
then use that for alerting

system · December 7, 2022, 2:57am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Is there anything similar to a Reference Set in Elasticsearch Elasticsearch	1	427	May 23, 2020
Interesting Use Case - Down Stream Alerting Elastic Observability elastic-stack-alerting	1	363	November 4, 2022
Log Stoppage alert from critical server - ELK7.12 Elastic Security elastic-stack-alerting	7	1150	July 28, 2021
Dec 10th, 2018: [EN][Elastic Stack] Correlate and Alert for Security Analytics Advent Calendar elastic-stack-alerting	1	1762	December 1, 2019
Heartbeat Alerting Question Beats elastic-stack-alerting , heartbeat	5	726	May 23, 2019

Reference Set

Related topics