-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New Output: Elastic ES|QL #6
Conversation
there needs to be more intelligence here, ideas welcome
…improves performance and allows for enabling and disabling rules
by switching to allow both ES|QL and EQL I introduced a new problem. Right now I just added an error |
Random nuissance, at the end of an export run I always get this error, but the run was absolutely OK...?
|
I have added a custom field for raw rule imports.
If no raw_language is set it will take the platform that is used. I am thinking if it should be mandatory to set the custom raw_language field, to avoid accidental failures |
I am not sure which SIEMs support this, but Elastic just like QRadar have a concept called building blocks. Basically a building block (BB) will not trigger an alert, but it well trigger an event. These events can then later be used to build alerts or for investigation purposes. My old implementation is to have a tag in the Sigma file called "elastic.bb" which I then use to make the rule into a BB.
|
To be tested but it's fine to delete and recreate it.
I would go for that path until we find a better way to validate the language in the process As for the |
As for the index selection, the index can be provided from the general configuration of droid and the rule level config: For instance: from a droid_config.toml : ...
[platforms.esql]
url = "foo"
...
[platforms.esql.pipelines.windows_process_access]
pipelines = ["pipelines/esql_process_access.yml"]
product = "windows"
category = "process_access"
index = "windows-sysmon*"
from a custom field in a rule : custom:
index: "windows-sysmon-special*" |
Co-authored-by: Mathieu <35560225+0xFustang@users.noreply.github.com>
About the index thing, pysigma uses the pipeline for that.
but right now I am too stupid to understand how I would use the result of the pipeline inside the elastic integration |
I am building the converter and output pipeline für Elastic.
There will be two plattforms that can be used, esql (ES|QL) or eql.
However it should always be esql prefered since it supports more sigma features.
When it comes to raw rule import, both are valid options, since both languages have their own advantages.
I will not implement KQL (Kibana Query Language) since there are no obvious benefits.
Todos:
NDJSON which already spedup the process by a lot