Comparing Threat Intelligence Information with Windows Logs via Monitor

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch 2.6

Describe the issue:
I am trying to compare Threat Intelligence information I receive via a filebeat with my Windows logs. Is there a way to do this via a monitor even if the data is in two different indices?

If not, is there a better way or should the threat hunting take place outside the cluster?

Thanks for your help and tips!

One option is to put the Threat Intelligence info into an OpenSearch index, maybe via a custom Windows log event. You could then compare threat intelligence in that index with Windows logs in another index. You could do this via a monitor trigger written in Painless: Monitors - OpenSearch documentation

Elasticsearch has a good set of Painless docs here: A Brief Painless Walkthrough | Painless Scripting Language [8.7] | Elastic

Painless lets you put custom code in a query or monitor trigger, so you could use it to compare data in two indices. If you want to look at different indices in your monitor, simply add multiple index filters (or multiple index filters) for the monitor to look at, like “windows-logs-*” or however you have them named.

Here’s a sample monitor trigger I wrote once, which fires when over 20 EventID 4728 events have occurred in the monitor query results:

int total = 0;
for (int i = 0; i < ctx.results[0]; i++) {
    if (ctx.results[0].hits.hits[i]._source.EventID == 4728) {
        total += 1;
if (total > 20) {
    return true;
else {
    return false;

This might not be pretty in the end but you could get it working I think.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.