I’m trying to create the following rule:
A Windows event log is received in one data stream; it is necessary to take the value of one of the lines (subject name) and compare this value with the value of another document in another index.
Sigma has a very good example using aliases.
I tried to do the same in detection rules, but when I try to save the “name” line in the rule, it is not saved and no error is given.
Can you tell me which plugin I can use to implement this request?
P.S. What is all this for?
For example, when PowerShell is launched on a PC, I want to check that the user who launched it is in a certain group in Active Directory or has a certain position. I export the Active Directory structure (memberOf and title) into a separate index using a Python script.
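As an added illustration of the check the question describes (this is example code, not code from the post above or from any OpenSearch plugin): a Windows 4688-style process-creation event is joined, outside the search engine, against a stand-in for the separate index that holds the exported AD attributes, and the result is either an enriched copy of the event or an alert decision. The field names (SubjectUserName, NewProcessName, memberOf, title), the group DN, the job titles and all events and AD documents are constructed assumptions; the AD documents are held in an in-memory dict here so the script runs offline.

```python
# Added example (not from the original post): join a Windows 4688-style
# process-creation event against an in-memory stand-in for the AD index
# that the question's Python script populates, then decide whether to alert.
# All field names, group DNs, titles, events and AD documents are constructed.

POWERSHELL_BINARIES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
ALLOWED_GROUPS = {"CN=PS-Operators,OU=Groups,DC=corp,DC=local"}   # assumed
ALLOWED_TITLES = {"SOC Engineer", "Domain Administrator"}         # assumed

# Constructed stand-in for documents in the separate AD index. In a live
# setup each lookup would be a term query on the account name instead.
AD_DOCS = [
    {"sAMAccountName": "alice",
     "memberOf": ["CN=Domain Users,CN=Users,DC=corp,DC=local",
                  "CN=PS-Operators,OU=Groups,DC=corp,DC=local"],
     "title": "SOC Engineer"},
    {"sAMAccountName": "bob",
     "memberOf": ["CN=Domain Users,CN=Users,DC=corp,DC=local"],
     "title": "Accountant"},
]

# Constructed events using the 4688 field names SubjectUserName / NewProcessName.
EVENTS = [
    {"EventID": 4688, "SubjectDomainName": "CORP", "SubjectUserName": "Alice",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 4688, "SubjectDomainName": "CORP", "SubjectUserName": "bob",
     "NewProcessName": r"C:\Program Files\PowerShell\7\pwsh.exe"},
    {"EventID": 4688, "SubjectDomainName": "CORP", "SubjectUserName": "mallory",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 4688, "SubjectDomainName": "CORP", "SubjectUserName": "bob",
     "NewProcessName": r"C:\Windows\System32\notepad.exe"},
]


def build_ad_lookup(docs):
    """Index AD documents by account name; Windows account names are case-insensitive."""
    return {d["sAMAccountName"].lower(): d for d in docs}


def normalise_user(name):
    """Strip a DOMAIN\\ prefix if present and lower-case the account name."""
    return name.rsplit("\\", 1)[-1].lower()


def is_powershell_launch(event):
    """True when the created process image is one of the PowerShell hosts."""
    image = event.get("NewProcessName", "")
    return image.rsplit("\\", 1)[-1].lower() in POWERSHELL_BINARIES


def enrich_event(event, ad_lookup):
    """Return a copy of the event with ad_* fields added. This is the
    'update the original log line' approach: the enriched document can be
    written back and a plain monitor can then match on the ad_* fields."""
    doc = ad_lookup.get(normalise_user(event.get("SubjectUserName", "")))
    enriched = dict(event)
    enriched["ad_found"] = doc is not None
    enriched["ad_memberOf"] = list(doc["memberOf"]) if doc else []
    enriched["ad_title"] = doc["title"] if doc else None
    return enriched


def evaluate(event, ad_lookup):
    """Return (verdict, reason). A user missing from the AD export fails
    closed: that is exactly the case in which an enrichment-only approach
    would silently produce no match."""
    if not is_powershell_launch(event):
        return "ignore", "not a PowerShell launch"
    e = enrich_event(event, ad_lookup)
    user = event.get("SubjectUserName", "")
    if not e["ad_found"]:
        return "alert", f"{user!r} is not present in the AD index"
    if set(e["ad_memberOf"]) & ALLOWED_GROUPS:
        return "allow", f"{user!r} is a member of an allowed group"
    if e["ad_title"] in ALLOWED_TITLES:
        return "allow", f"{user!r} has an allowed title ({e['ad_title']})"
    return "alert", f"{user!r} ({e['ad_title']}) launched PowerShell without authorisation"


def run(events=EVENTS, docs=AD_DOCS):
    """Verdict per event, in input order."""
    lookup = build_ad_lookup(docs)
    return [evaluate(ev, lookup)[0] for ev in events]


if __name__ == "__main__":
    lookup = build_ad_lookup(AD_DOCS)
    for ev in EVENTS:
        print(ev["SubjectUserName"], "->", *evaluate(ev, lookup))
```

In a live deployment the in-memory `AD_DOCS` lookup would be replaced by a query on the account name against the AD index, and the verdict would either be written back onto the event (so an ordinary monitor can match on the `ad_*` fields) or raised directly as an alert. Two caveats worth keeping: the exported AD snapshot goes stale between runs of the export script, so a user added to or removed from a group is misjudged until the next export; and a user absent from the export should produce an alert rather than silence, which is why `evaluate` fails closed.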
@Kin0sh I don’t think this is a use case for correlation rules. It seems more like monitor rules. However, as far as I know, cross-index joins are not currently supported.
This would need to be implemented using an external script, either to update the original log line with a relevant field that you can then use to create a monitor alert, or to alert externally after checking the second index.
There is a way to configure a monitor based on details from another index, using something like this: