Hi
I am trying to convert SPLUNK correlation rules to ELK using watchers, anyone has any knowledgebase which can help me take references of X-Pack (watches), any blog or any website, any repository, which contains similar watches, which can help to build a SOC or build SIEM capabilities.
Have you seen some of the resources in https://www.elastic.co/solutions/security-analytics
Hey @addanuj,
Here are some good ones to get you started.
For security analytics, using thechained inputs in watcher is key. So incredibly versatile and powerful, loads you can do 
Also, if you are using logstash, the elasticsearch filter plugin is great for correlating incoming events/data with existing indices.
Hope this helps!
James
Thanks James
Hi James,
Please share some examples/blog or any article of chain inputs, the documentation has some but i am not able to understand how to take inputs from two different indexes.
Hi @addanuj,
When you define an input, you need to specify the index/indices that the query will apply to, just like in a regular watch input.
Below is an example of one I use. This compares the sha256 hash of a new/updated file (picked up by auditbeat) to a sha256 hash in another index which is storing hashes from a different source.
As per watch notation, these inputs will be followed by conditions and actions.
{
"trigger": {
"schedule": {
"interval": "1m"
}
},
"input": {
"chain": {
"inputs": [
{
"first": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"auditbeat-*"
],
"types": [],
"body": {
"query": {
"bool": {
"must": [
{
"query_string": {
"query": "(event.action:\"created\" OR event.action:\"updated\") AND event.module:\"file_integrity\""
}
},
{
"range": {
"@timestamp": {
"gte": "now-1m"
}
}
}
]
}
},
"sort": [
{
"@timestamp": {
"order": "desc"
}
}
]
}
}
}
}
},
{
"second": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"rwhashes"
],
"types": [],
"body": {
"query": {
"bool": {
"must": [
{
"query_string": {
"query": "sha256:{{ctx.payload.first.hits.hits.0._source.hash.sha256}}"
}
}
]
}
},
"sort": [
{
"@timestamp": {
"order": "desc"
}
}
]
}
}
}
}
}
]
}
},
Thanks,
James
Hi James,
Thanks a lot. it is really helpful, i will try this,
i notice that in Dev-tools, when i try to put watcher, it does not give me any autofill/autocomplete or suggestions as it is usually available when i try to put any simple query, why auto-suggestions in watcher do not work, is their any other option which i can use to write watcher more efficiently.
thanks
anuj
Hey @addanuj,
Glad it helped!
No, unfortunately there is no autocomplete - but in dev tools you don't get autofill for query dsl either.
The watch UI does help to manage watches though, and also very useful to help simulate actions and conditions, I definitely recommend using it.
James
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.