SIEM alert based on CVE

I'm currently ingesting vulnerability data into elastic, including CVE ID. I would like to generate an alert whenever a vulnerabilty is ingested that shows up on a predefined list of "priority" CVEs. I'm not quite sure the best way to approach this and was hoping to get some input to point me in the right direction.

In splunk I'd set my list of priority CVEs as a lookup list and query for matches in my lookup list, but I know Elastic doesn't work that way.

Is there a way to build an alert to trigger when a value shows up in two different indexes (my vulnerability in one index and my priority CVEs in another)?

I did look at potentially using an indicator match rule but reviewing the documentation I'm not entirely clear if I could ingest the list of CVEs and set it as a indicator index pattern.

Is there a different, or perhaps more appropriate solution I may be missing?

There is a lookup runtime field type in Elasticsearch Retrieve a runtime field | Elasticsearch Guide [8.3] | Elastic. This should give you something similar to Splunk.

And then you can create a rule to trigger an alert based on the runtime field.

Hey Hendry, thanks for sharing the runtime lookup - I didn't know that existed. I've been testing the sample query provided in the documentation. I can query just fine but when attempting to create a rule it errors out that runtime_mappings isn't a valid field. Not sure if I'm misunderstanding something or if this isn't support:

image

Which Elasticsearch version are you using?

8.3.1 in Elastic Cloud.

How did you try to use runtime_mappings? runtime_mappings can only be used in query DSL.
If it's not supported, you can always add a runtime field to your index directly or Kibana data view.

I tried to use runtime_mappings in an elasticsearch query rule. I copied the runtime query from the link you shared into the elasticsearch query rule. You had mentioned I could create a rule to trigger an alert based on the runtime field - are you saying that I'm missing a step or are you saying that it's not supported?

Appreciate the help - this seems much more difficult to accomplish in Elastic than I anticipated.

There are 3 ways to define runtime fields in Elasticsearch.

  1. Query DSL
  2. Runtime field mapping in the index
  3. Kibana data view

If the Elastic Security query rule does not support runtime field, you will have to use one of the other 2 options.