Comparing Threat Intelligence Information with Windows Logs via Monitor

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch 2.6

Describe the issue:
I am trying to compare Threat Intelligence information I receive via a filebeat with my Windows logs. Is there a way to do this via a monitor even if the data is in two different indices?

If not, is there a better way or should the threat hunting take place outside the cluster?

Thanks for your help and tips!

One option is to put the Threat Intelligence info into an OpenSearch index, maybe via a custom Windows log event. You could then compare threat intelligence in that index with Windows logs in another index. You could do this via a monitor trigger written in Painless: Monitors - OpenSearch documentation

Elasticsearch has a good set of Painless docs here: A Brief Painless Walkthrough | Painless Scripting Language [8.7] | Elastic

Painless lets you put custom code in a query or monitor trigger, so you could use it to compare data in two indices. If you want to look at different indices in your monitor, simply add multiple index filters for the monitor to look at, like “windows-logs-*” or however you have them named.

Here’s a sample monitor trigger I wrote once, which fires when over 20 EventID 4728 events have occurred in the monitor query results:

// Count only the hits the query actually returned. hits.total.value can be
// larger than the number of documents in hits.hits (the query's size limit),
// which would make an index-based loop run off the end of the list.
int total = 0;
for (def hit : ctx.results[0].hits.hits) {
    if (hit._source.EventID == 4728) {
        total += 1;
    }
}

// Fire when more than 20 EventID 4728 events were returned.
return total > 20;

This might not be pretty in the end but you could get it working I think.
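As an added example (not code from the original post), here is what the cross-index comparison described above can look like as a Painless trigger script. It assumes the monitor has one search input whose index list covers both “threat-intel-*” and “windows-logs-*”, so that ctx.results[0].hits.hits contains documents from both, and it assumes hypothetical field names: threat-intel documents carry an “indicator” field holding an IP address, and Windows logon events carry an “IpAddress” field. The script collects the indicators into a set on the first pass and checks each Windows hit against that set on the second pass, firing when at least one match is found.

```painless
// Added example, not from the original post. Assumed monitor layout: one
// search input over both "threat-intel-*" and "windows-logs-*" with a size
// large enough to return every document to compare. Assumed (hypothetical)
// field names: "indicator" on threat-intel docs, "IpAddress" on Windows docs.
Set indicators = new HashSet();
List matches = new ArrayList();

// Pass 1: collect every indicator value from the threat-intel hits,
// normalised so that case or surrounding whitespace does not hide a match.
for (def hit : ctx.results[0].hits.hits) {
    if (hit._index.startsWith("threat-intel-")) {
        def ioc = hit._source.indicator;
        if (ioc != null) {
            indicators.add(ioc.toString().trim().toLowerCase());
        }
    }
}

// Pass 2: compare the source address of each Windows hit against the set.
for (def hit : ctx.results[0].hits.hits) {
    if (hit._index.startsWith("windows-logs-")) {
        def ip = hit._source.IpAddress;
        if (ip != null && indicators.contains(ip.toString().trim().toLowerCase())) {
            matches.add(hit._id);
        }
    }
}

// Trigger when at least one Windows event came from a known-bad address.
return matches.size() > 0;
```

One caveat when using this approach: the trigger only sees the hits the monitor query returns, so the query's size must be large enough to include the whole threat-intel index plus the window of Windows events you want to check, and the comparison is linear in the number of hits. For large indicator lists, an aggregation in the monitor query (for example a terms aggregation on the address field) keeps the amount of data the trigger has to walk small.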