
Write to index

The data obtained as a result of a search query can be written to an index for subsequent processing and analysis.

More details on creating actions and the parameters filled in for them can be found in the corresponding article.

Example. We use the job from the article Creating an Incident Action. Create a new job and apply the settings from that article. In the Action section, create a new action of type Index Events and specify the name of the index in which the processed data will be stored.

Save this job and wait for it to run. When an event is detected, the result of the search task is written to the correlation-results index. To see the result of the job, open Main menu - Core - Search and run the request:

source correlation-results

Or, use Main menu - Settings - Dev Console and run the request:

GET correlation-results/_search
{
  "sort": [
    {
      "@timestamp": {
        "order": "desc"
      }
    }
  ]
}

The query sorts the stored events by timestamp and returns the most recently recorded ones first. The fields from the search job result are stored in the _source system field.

Example event:

{
  "_index": "correlation-results",
  "_id": "Xp8eFY8B3RMtDnitppKf",
  "_score": null,
  "_source": {
    "image": """C:\Windows\w32tm.exe""",
    "@timestamp": "2024-04-25T11:53:46.000000Z",
    "host": {
      "ip": "192.168.16.6",
      "name": "JM-ECO-003"
    },
    "parent_image": """C:\Windows\cmd.exe""",
    "mitre_technique_id": "T1124",
    "original_file_name": "",
    "event": {
      "action": "Process Create (rule: ProcessCreate)"
    },
    "user": "CollinsElizabeth"
  }
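Once job results sit in the index, subsequent processing means pulling the fields back out of _source in the search response. The following added example is not part of this documentation or the product: it builds the same descending-timestamp query body used in the Dev Console above and flattens the hits of a constructed sample response (modelled on the event above; the second hit and its values are invented) into flat records that can be counted per mitre_technique_id.

```python
from collections import Counter
# Constructed sample response (not real data), shaped like the page's example event.
SAMPLE_RESPONSE = {"hits": {"hits": [
    {"_index": "correlation-results", "_id": "Xp8eFY8B3RMtDnitppKf", "_source": {
        "image": "C:\\Windows\\w32tm.exe",
        "@timestamp": "2024-04-25T11:53:46.000000Z",
        "host": {"ip": "192.168.16.6", "name": "JM-ECO-003"},
        "parent_image": "C:\\Windows\\cmd.exe",
        "mitre_technique_id": "T1124",
        "event": {"action": "Process Create (rule: ProcessCreate)"},
        "user": "CollinsElizabeth"}},
    {"_index": "correlation-results", "_id": "constructed-id-2", "_source": {
        "image": "C:\\Windows\\System32\\whoami.exe",
        "@timestamp": "2024-04-25T11:50:01.000000Z",
        "host": {"ip": "192.168.16.7", "name": "JM-ECO-004"},
        "parent_image": "C:\\Windows\\System32\\cmd.exe",
        "mitre_technique_id": "T1033",
        "event": {"action": "Process Create (rule: ProcessCreate)"},
        "user": "CollinsElizabeth"}},
]}}


def latest_events_query(size=50):
    """Body for GET correlation-results/_search: newest job results first."""
    return {"size": size, "sort": [{"@timestamp": {"order": "desc"}}]}


def flatten(obj, prefix=""):
    """Turn nested _source objects into dotted keys such as host.name."""
    flat = {}
    for key, value in obj.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, f"{name}."))
        else:
            flat[name] = value
    return flat


def extract_hits(response):
    """One flat record per hit; the job's result fields live under _source."""
    records = []
    for hit in response.get("hits", {}).get("hits", []):
        record = flatten(hit.get("_source", {}))
        record["_id"] = hit.get("_id")
        records.append(record)
    return records


def count_by_technique(records):
    """Aggregate stored detections by MITRE technique ID for reporting."""
    return Counter(r.get("mitre_technique_id", "unknown") for r in records)
```

The same extract_hits function works on the real response returned by the Dev Console request, since it reads only the hits.hits list and each hit's _id and _source.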