I'm currently ingesting vulnerability data into elastic, including CVE ID. I would like to generate an alert whenever a vulnerability is ingested that shows up on a predefined list of "priority" CVEs. I'm not quite sure the best way to approach this and was hoping to get some input to point me in the right direction.
In splunk I'd set my list of priority CVEs as a lookup list and query for matches in my lookup list, but I know Elastic doesn't work that way.
Is there a way to build an alert to trigger when a value shows up in two different indexes (my vulnerability in one index and my priority CVEs in another)?
I did look at potentially using an indicator match rule but reviewing the documentation I'm not entirely clear if I could ingest the list of CVEs and set it as an indicator index pattern.
Is there a different, or perhaps more appropriate solution I may be missing?
Hey Hendry, thanks for sharing the runtime lookup - I didn't know that existed. I've been testing the sample query provided in the documentation. I can query just fine but when attempting to create a rule it errors out that runtime_mappings isn't a valid field. Not sure if I'm misunderstanding something or if this isn't supported:
How did you try to use runtime_mappings? runtime_mappings can only be used in query DSL.
If it's not supported, you can always add a runtime field to your index directly or Kibana data view.
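An added example, not from this thread or from Elastic's own code: the reply above notes that runtime_mappings belongs in query DSL, and the original question was how to trigger on a value that appears in two indexes. One query-DSL-only way to do that is a terms lookup, which reads its list of terms from a document in another index at query time and sits entirely under `query`, so it can be pasted into an Elasticsearch query rule as-is. All names here are assumptions: a `vulnerabilities` index with a keyword field `vulnerability.id`, and a `priority_cves` index holding one document (`_id` `current`) whose `cve_ids` array is the lookup list. The CVE ids in the sample data are constructed placeholders, and `simulate_matches` only models offline what the query would return.

```python
"""Constructed example: a terms lookup that flags vulnerability documents
whose CVE id appears in a separately indexed priority list, plus an offline
model of what the query returns. Index, field and document names below are
assumptions; replace them with your own mapping."""
import json

VULN_INDEX = "vulnerabilities"          # assumed index receiving the scanner data
CVE_FIELD = "vulnerability.id"          # assumed keyword field holding the CVE id
PRIORITY_INDEX = "priority_cves"        # assumed index holding the lookup document
PRIORITY_DOC_ID = "current"             # assumed _id of the lookup document
PRIORITY_PATH = "cve_ids"               # assumed array field inside that document

# Constructed sample vulnerability documents (flat keys for simplicity);
# the CVE ids are placeholders, not real advisories.
SAMPLE_VULNS = [
    {"host.name": "web-01", CVE_FIELD: "CVE-1900-0001"},
    {"host.name": "web-02", CVE_FIELD: "CVE-1900-0002"},
    {"host.name": "db-01", CVE_FIELD: "cve-1900-0001"},   # wrong case: no match on a keyword field
    {"host.name": "db-02"},                                # no CVE id at all
]


def priority_list_doc(cve_ids):
    """Body for `PUT priority_cves/_doc/current`.
    The terms lookup reads the array at PRIORITY_PATH from exactly this document,
    so re-indexing it is how the "lookup list" gets updated."""
    return {PRIORITY_PATH: sorted(set(cve_ids))}


def priority_match_query():
    """Query DSL for the Elasticsearch query rule (or a plain _search on VULN_INDEX).
    Elasticsearch resolves the terms list from the referenced document at query
    time; if that document is missing the query matches nothing, so an empty
    result is not by itself proof that no priority CVEs were ingested."""
    return {
        "query": {
            "terms": {
                CVE_FIELD: {
                    "index": PRIORITY_INDEX,
                    "id": PRIORITY_DOC_ID,
                    "path": PRIORITY_PATH,
                }
            }
        }
    }


def simulate_matches(vuln_docs, priority_doc):
    """Offline model of the terms lookup: a vulnerability document matches when
    its CVE id is one of the terms in the priority document. Comparison is exact
    and case-sensitive, which is what a keyword field gives you."""
    wanted = set(priority_doc[PRIORITY_PATH])
    return [d for d in vuln_docs if d.get(CVE_FIELD) in wanted]


if __name__ == "__main__":
    lookup_doc = priority_list_doc(["CVE-1900-0001", "CVE-1900-0003"])
    print("PUT %s/_doc/%s" % (PRIORITY_INDEX, PRIORITY_DOC_ID))
    print(json.dumps(lookup_doc, indent=2))
    print("rule query body for %s:" % VULN_INDEX)
    print(json.dumps(priority_match_query(), indent=2))
    for hit in simulate_matches(SAMPLE_VULNS, lookup_doc):
        print("would alert on", hit["host.name"], hit[CVE_FIELD])
```

Two practical notes: the lookup only works as an exact match, so the CVE field should be mapped as `keyword` and ids normalised to one case before indexing, and the size of the lookup document is bounded by the index's `index.max_terms_count` setting, which is generous for a priority list but worth knowing if the list is ever generated from a full vulnerability feed.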
I tried to use runtime_mappings in an elasticsearch query rule. I copied the runtime query from the link you shared into the elasticsearch query rule. You had mentioned I could create a rule to trigger an alert based on the runtime field - are you saying that I'm missing a step or are you saying that it's not supported?
Appreciate the help - this seems much more difficult to accomplish in Elastic than I anticipated.