
Transform current output formats to postprocessing

Open andurin opened this issue 1 year ago • 2 comments

The pySigma (>=0.10.0) post-processing feature allows a much more dynamic way to create different output formats.

ES Backend should be rewritten including the current output formats as templates.

andurin avatar Oct 08 '23 16:10 andurin

Does this mean we can have many detection types (other types than query), such as new_terms or threshold?

Lucaazel avatar Oct 25 '23 21:10 Lucaazel

It depends on what detection type means. If it embeds a Lucene or EQL query that is already generated by the backend, then this is possible. If those are independent query languages, then they have to be implemented as a custom backend.

thomaspatzke avatar Oct 27 '23 23:10 thomaspatzke
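To illustrate what the original post and the last reply describe, here is a constructed pySigma processing pipeline (added example, not code from this repository): a `template` post-processing item wraps the Lucene query the backend already generates into an Elastic Security detection-rule JSON body, so a rule type like `threshold` only changes the wrapper while the query itself stays backend-generated. The field names in the JSON body follow the Elastic detection-rule API; the `rule_conditions` block and the `risk_score`/`index` values are illustrative choices.

```yaml
# Constructed example pipeline for pySigma >= 0.10.0 (not shipped with the
# Elasticsearch backend). Apply it on top of the backend's lucene target,
# e.g.: sigma convert -t lucene -p pipeline.yml rules/
name: elastic-detection-rule-template
priority: 100
postprocessing:
  # Only rules for the Windows log source get wrapped; others pass through.
  - type: template
    rule_conditions:
      - type: logsource
        product: windows
    # Jinja2 template; `query` is the generated Lucene string, `rule` the
    # SigmaRule object. `tojson` quotes and escapes strings so a query
    # containing quotes or backslashes cannot break the JSON document.
    template: |
      {
        "rule_id": "{{ rule.id }}",
        "name": {{ rule.title | tojson }},
        "description": {{ rule.description | tojson }},
        "severity": "{{ rule.level.name | lower }}",
        "risk_score": 47,
        "type": "query",
        "language": "lucene",
        "index": ["logs-*"],
        "query": {{ query | tojson }}
      }
# For a threshold rule, change "type" to "threshold" and add a
# "threshold": {"field": [...], "value": N} object in the template above;
# the "query" field is still the backend-generated Lucene query.
finalizers:
  # Emit one JSON document per rule, separated by newlines.
  - type: concat
    separator: "\n"
```

`rule.level` is assumed to be set in every converted rule; a rule without a `level` would make the `severity` line fail to render.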