Nested query

[csoc49]

Hy Team,

we try to create a nested query like this:

query: event_type: snort AND .exe

if there is any event like this

query: event_type: bro_http source_ip: {match[src_ip]} AND .exe

We want to find nids-Events for exe-downloads and then we want to find the url of this download.

Do you have an idea???

[Qmando]

This is not currently possible without writing Python code. You'd need to write an enhancement that made an additional elasticsearch query for the bro_http event. If you're not comfortable writing Python I would not recommend this route. There's a couple examples buried within some old issues, I could look for them if you want.

[csoc49]

Thank you for your quick response. We are not „super“ python programmer, but we can handle code samples already. It would be cool if you could give me some examples.

Would not that be an interesting new feature for elastalert?

[Qmando]

Here's an example which would work for very basic examples: https://github.com/Yelp/elastalert/issues/964#issuecomment-288534087

And yes, It would make a good feature. I don't have much time to work on ElastAlert these days though.

[csoc49]

Thanks for the example! If I understand correctly, is this a separate program, right? When would you have time to take care of the feature?

[Qmando]

Separate program? No. Read the link in that comment. You can have elastalert execute custom code when an alert happens, we call that an enhancement.