Advanced Features
Osmany Montero edited this page Jan 20, 2026
Take your detection and parsing to the next level with advanced correlation and expression language features.
The `where` field in rules and filters uses a customized version of the Common Expression Language (CEL). The full list of available function overloads is on the CEL Overloads page.

```yaml
where: >
  exists("origin.ip") &&
  !inCIDR("origin.ip", "10.0.0.0/8") &&
  (startsWith("origin.user", "admin_") || equals("origin.user", "root"))
```

Rules can correlate across multiple indices and time windows using `correlation`.
You can check for multiple distinct event patterns:
```yaml
correlation:
  - indexPattern: "v11-log-*"
    count: 5
    within: "now-1h"
    with:
      - { field: "action", operator: "filter_term", value: "failure" }
  - indexPattern: "v11-log-*"
    count: 1
    within: "now-5m"
    with:
      - { field: "action", operator: "filter_term", value: "success" }
```

Use the `or` field within `correlation` to match either of two conditions:
```yaml
correlation:
  - indexPattern: "v11-log-*"
    within: "now-12h"
    count: 1
    or:
      - indexPattern: "v11-alert-*"
        within: "now-24h"
        count: 2
```

Filters are not limited to a single pass. You can define multiple stages for the same `dataType` to handle complex multi-step parsing:
```yaml
pipeline:
  - dataTypes: [syslog]
    steps:
      - grok:
          source: raw
          patterns:
            - fieldName: log.message
              pattern: '{{.greedy}}'
  - dataTypes: [syslog]
    steps:
      - json:
          source: log.message
```

This modular approach allows you to reuse common parsing logic across different log variants.
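As an added example (not the project's own code), the following Python model evaluates correlation blocks of the shape shown above against constructed events, so you can see why the five-failures-then-one-success rule fires and the `or` alternative rescues a rule whose primary pattern did not. It assumes that every top-level entry must be satisfied, that an entry with `or` is satisfied by itself or by any listed alternative, that `within` uses the `now-<n><unit>` syntax seen on this page, that `filter_term` is an exact match on one field, and that events carry `_index` and `@timestamp` fields.

```python
import fnmatch
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events; "_index" and "@timestamp" are assumed field names.
NOW = datetime(2026, 1, 20, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    {"_index": "v11-log-2026.01.20", "@timestamp": NOW - timedelta(minutes=m), "action": "failure"}
    for m in (50, 40, 30, 20, 10)
] + [
    {"_index": "v11-log-2026.01.20", "@timestamp": NOW - timedelta(minutes=2), "action": "success"},
    {"_index": "v11-alert-2026.01.20", "@timestamp": NOW - timedelta(hours=20), "action": "alert"},
]
# Same shape as the first correlation block on this page: 5 failures in 1h AND 1 success in 5m.
BRUTE_FORCE = [
    {"indexPattern": "v11-log-*", "count": 5, "within": "now-1h",
     "with": [{"field": "action", "operator": "filter_term", "value": "failure"}]},
    {"indexPattern": "v11-log-*", "count": 1, "within": "now-5m",
     "with": [{"field": "action", "operator": "filter_term", "value": "success"}]},
]
_UNITS = {"m": "minutes", "h": "hours", "d": "days"}

def window_start(within, now):
    """Turn a 'now-1h' style expression into an absolute lower bound (syntax assumed)."""
    m = re.fullmatch(r"now-(\d+)([mhd])", within)
    if not m:
        raise ValueError(f"unsupported within expression: {within}")
    return now - timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})

def matches_filters(event, filters):
    """Only filter_term (exact equality on one field) is modelled here."""
    return all(f["operator"] == "filter_term" and event.get(f["field"]) == f["value"]
               for f in filters)

def entry_hits(entry, events, now):
    """Count events in the index pattern and time window that satisfy every 'with' filter."""
    start = window_start(entry["within"], now)
    return sum(1 for e in events if fnmatch.fnmatch(e["_index"], entry["indexPattern"])
               and e["@timestamp"] >= start and matches_filters(e, entry.get("with", [])))

def entry_matches(entry, events, now):
    """An entry is satisfied by its own threshold or by any alternative listed under 'or'."""
    if entry_hits(entry, events, now) >= entry["count"]:
        return True
    return any(entry_matches(alt, events, now) for alt in entry.get("or", []))

def correlation_matches(correlation, events, now=NOW):
    """Every top-level entry must be satisfied (AND), so a rule fires only on the full pattern."""
    return all(entry_matches(entry, events, now) for entry in correlation)
```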