Version: 5.1

Write to index

The data obtained as a result of a search query can be written to an index for subsequent processing and analysis.

For details on creating active actions and the parameters they require, refer to the corresponding article. The search job from the article Creating an Incident is used as the example here.

After filling in the settings for the search job, add the active action Event Indexing. Specify the index name for storing the processed data.

Index output

Save this job and wait for it to run. When an event is detected, the result of the search job is written to the correlation-results index. To see the result of executing the job, open Main Menu - Core - Search and run the request:

source correlation-results

To view the detected events, you can also use the Dev Console tool and execute the query:

GET correlation-results/_search
{
  "sort": [
    {
      "@timestamp": {
        "order": "desc"
      }
    }
  ]
}

The query will sort and display the latest recorded events. Fields from the search job result are stored in the _source system field.

Example event:

{
  "_index": "correlation-results",
  "_id": "GB__UY4Bf1-RmY8XiFCE",
  "_score": 1,
  "_source": {
    "parent_process_id": "522699",
    "image": """C:\Windows\net.exe""",
    "process_id": 961130,
    "parent_command_line": "net.exe",
    "process_guid": "9b31b0c2-0e10-645a-797c-040000001300",
    "@timestamp": "2024-03-18T14:33:55.000000Z",
    "host": {
      "ip": "192.168.16.29",
      "name": "JM-CAN-026"
    },
    "parent_image": """C:\Windows\cmd.exe""",
    "mitre_technique_id": "T1124",
    "original_file_name": "",
    "event": {
      "action": "Process Create (rule: ProcessCreate)"
    },
    "user": "AndersonChristopher",
    "command_line": """C:\Windows\net.exe time"""
  }
}
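The Dev Console query above and the example event are enough to read the index programmatically, which is what a detection engineer usually wants once a search job is feeding correlation-results. The following script is an added example and is not part of the product documentation or its code. It assumes the index is exposed through an Elasticsearch/OpenSearch-compatible _search endpoint (the same API the Dev Console uses) at a hypothetical BASE_URL; the sample response embedded in it is constructed to match the example event on the page, plus one older constructed hit so the sort order can be checked.

```python
"""Read back events written by a search job to the correlation-results index.

Added example, not the product's own code. BASE_URL is a hypothetical endpoint;
SAMPLE_RESPONSE is constructed to mirror the example event on the page.
"""
import json
import urllib.request

BASE_URL = "http://localhost:9200"   # hypothetical; point at your deployment's search API
INDEX = "correlation-results"        # the index name given to the Event Indexing action


def build_latest_query(size=10):
    """Same request body as the Dev Console query on the page (newest first),
    with a size limit so a busy index does not return more than needed."""
    return {
        "size": size,
        "sort": [{"@timestamp": {"order": "desc"}}],
    }


def flatten(obj, prefix=""):
    """Turn nested _source objects such as {"host": {"name": ...}} into dotted
    keys ("host.name") so every hit becomes a single flat record."""
    flat = {}
    for key, value in obj.items():
        name = prefix + key
        if isinstance(value, dict):
            flat.update(flatten(value, name + "."))
        else:
            flat[name] = value
    return flat


def parse_hits(response):
    """Extract the search-job fields from a _search response: the fields live
    in _source, so each record is the flattened _source plus the document _id."""
    records = []
    for hit in response.get("hits", {}).get("hits", []):
        record = {"_id": hit["_id"]}
        record.update(flatten(hit.get("_source", {})))
        records.append(record)
    return records


def is_sorted_newest_first(records):
    """Sanity check that the server honoured the descending @timestamp sort."""
    stamps = [r["@timestamp"] for r in records if "@timestamp" in r]
    return stamps == sorted(stamps, reverse=True)


def fetch_latest(size=10, base_url=BASE_URL, index=INDEX):
    """Run the query against a live index (not executed in the offline demo)."""
    req = urllib.request.Request(
        "%s/%s/_search" % (base_url, index),
        data=json.dumps(build_latest_query(size)).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",  # POST with a body works with any HTTP client; Dev Console uses GET
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_hits(json.load(resp))


# Constructed sample response shaped like the example event on the page,
# plus one older constructed hit to exercise the sort check.
SAMPLE_RESPONSE = {
    "hits": {
        "hits": [
            {
                "_index": INDEX,
                "_id": "GB__UY4Bf1-RmY8XiFCE",
                "_score": 1,
                "_source": {
                    "parent_process_id": "522699",
                    "image": "C:\\Windows\\net.exe",
                    "process_id": 961130,
                    "parent_command_line": "net.exe",
                    "process_guid": "9b31b0c2-0e10-645a-797c-040000001300",
                    "@timestamp": "2024-03-18T14:33:55.000000Z",
                    "host": {"ip": "192.168.16.29", "name": "JM-CAN-026"},
                    "parent_image": "C:\\Windows\\cmd.exe",
                    "mitre_technique_id": "T1124",
                    "original_file_name": "",
                    "event": {"action": "Process Create (rule: ProcessCreate)"},
                    "user": "AndersonChristopher",
                    "command_line": "C:\\Windows\\net.exe time",
                },
            },
            {
                "_index": INDEX,
                "_id": "constructed-0002",  # constructed, older hit
                "_score": 1,
                "_source": {
                    "@timestamp": "2024-03-18T14:30:12.000000Z",
                    "host": {"ip": "192.168.16.30", "name": "JM-CAN-027"},
                    "user": "constructed-user",
                    "mitre_technique_id": "T1124",
                    "command_line": "C:\\Windows\\net.exe time",
                },
            },
        ]
    }
}

if __name__ == "__main__":
    for rec in parse_hits(SAMPLE_RESPONSE):
        print(rec["@timestamp"], rec["host.name"], rec["user"],
              rec["mitre_technique_id"], rec["command_line"])
```

The flattened records use the same dotted names (host.name, event.action) that the Search UI shows, which makes it straightforward to hand them to a ticketing or enrichment step; replace SAMPLE_RESPONSE with fetch_latest() once the endpoint and credentials for your deployment are known.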