Open smnschneider opened 2 years ago
Thanks @smnschneider for sharing this use case! It's one we have in our sights but have not yet picked up. We will be sure to keep you updated once we do.
cc @approksiu
Describe the feature:
At the moment the "Indicator Match" rule type only creates an alarm if the value of a field matches the indicator index field.
An example of a detection rule would be: create an alarm if there is any IP address that is also within the indicator index.
Describe a specific use case for the feature:
There are use cases where you want to be alarmed if there is a value which is not in that list/indicator index. For example, you have a specific list of users (which changes frequently) indexed into the indicator index and you need to know if someone is trying to, or actually did, log in to a system. So far this can only be solved with a workaround.
It would be great to extend the rule type by adding an option list for "MATCHES" and "NOT MATCHES".
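To make the two modes concrete, here is an added example (not code from the issue or from Kibana) that evaluates a "MATCHES" and a "NOT MATCHES" indicator rule over a constructed allowlist of users and a few constructed authentication events. The field names and sample values are assumptions chosen for illustration; events that lack the compared field are skipped rather than alerted on, since there is nothing to compare.

```python
from typing import Dict, Iterable, List, Set

# Constructed sample data (not from the issue): an indicator index holding the
# current allowlist of users, and a handful of logon events to evaluate.
INDICATOR_INDEX: List[Dict[str, str]] = [
    {"user.name": "alice"},
    {"user.name": "bob"},
]

EVENTS: List[Dict[str, str]] = [
    {"event.action": "logon", "user.name": "alice", "source.ip": "10.0.0.5"},
    {"event.action": "logon", "user.name": "mallory", "source.ip": "10.0.0.9"},
    {"event.action": "logon", "user.name": "bob", "source.ip": "10.0.0.7"},
    {"event.action": "logon", "source.ip": "10.0.0.8"},  # no user.name field
]


def indicator_values(indicators: Iterable[Dict[str, str]], field: str) -> Set[str]:
    """Collect the distinct values of `field` from the indicator documents."""
    return {doc[field] for doc in indicators if field in doc}


def indicator_match(
    events: Iterable[Dict[str, str]],
    indicators: Iterable[Dict[str, str]],
    event_field: str,
    indicator_field: str,
    mode: str = "MATCHES",
) -> List[Dict[str, str]]:
    """Return the events that would raise an alert under the given mode.

    MATCHES     -> alert when the event value is present in the indicator set
                   (the existing Indicator Match behaviour).
    NOT MATCHES -> alert when the event value is absent from the indicator set
                   (the allowlist behaviour requested in the issue).
    """
    if mode not in ("MATCHES", "NOT MATCHES"):
        raise ValueError(f"unknown mode: {mode!r}")
    known = indicator_values(indicators, indicator_field)
    alerts = []
    for event in events:
        if event_field not in event:
            continue  # nothing to compare; an absent field is not an unknown user
        present = event[event_field] in known
        if (mode == "MATCHES") == present:
            alerts.append(event)
    return alerts
```

With the sample data, "MATCHES" alerts on alice and bob, while "NOT MATCHES" alerts only on mallory; the event without a user.name field is ignored in both modes.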