
pySigma Elasticsearch backend

26 pySigma-backend-elasticsearch issues

When using IPv6 CIDR notation, the colons are not escaped, thus creating an ElasticSearch error: ``` Cannot parse query, cause: Encountered " ":" ": "" at line 1, column 237....

The [default winlogbeat sysmon pipeline](https://github.com/elastic/beats/blob/b4ff53ce2b2d0037faa58d88afa2afbdc82d3033/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml#L691) values for the network direction are changed from true/false to egress/ingress, and winlog.event_data.Initiated is removed (changed to network.direction). This backend will output the values of...

Converted rule not accepted by elastalert. Pipeline configuration: `-t lucene -p sysmon -p ecs_windows`. For instance: posh_ps_amsi_null_bits_bypass.yml, result is ``` filter: - query: query_string: query: 'powershell.file.script_block_text:(*if\(0\)\{\{\{0\}\}\}'\ \-f\ $\(0\ \-as\...

Hi guys! Is there any chance that this backend will support pure DSL query generation in the near future?

enhancement

Ok, so if I run the following with no pipelines: ``` sigma convert -t eql --without-pipeline sigma/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml Parsing Sigma rules [####################################] 100% any where Payload:"*Get-Clipboard*" ``` Then, I add the...

bug

Hello There, I tried to convert the "[proc_creation_win_susp_remote_desktop_tunneling.yml](https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_remote_desktop_tunneling.yml)" sigma rule to elasticsearch via ecs_windows pipeline, as you can see here: `sigma convert --target elasticsearch -p ecs_windows "proc_creation_win_susp_remote_desktop_tunneling.yml" --format siem_rule` And...

### Lucene Rule Generation Quotation Mark Issue

When a selection item contains a blank space, the Lucene rule will be surrounded by quotation marks, which seems like an invalid syntax....

Hello. I am working on converting a Sigma rule to Elasticsearch dsl_lucene. A strange error occurred in the rule below, and I wonder if the cause was an incorrect rule writing...

Greetings. After generating a few EQL rules I've noticed that they have set `type: query` and `language: lucene` instead of `type: eql` and `language: eql`: https://github.com/SigmaHQ/pySigma-backend-elasticsearch/blob/ea6ed23f340c90e834b2c1ac1b8ee17338dd4aff/sigma/backends/elasticsearch/elasticsearch_eql.py#L390

When converting a Sigma rule to DSL with the following command, the generated DSL contains subfields, like "ParentImage.keyword". Does anyone know how to remove the ".keyword" part from "ParentImage.keyword"?...