
How to close subfields when converting a Sigma rule to DSL?

Open leexuan opened this issue 1 year ago • 0 comments

When converting a Sigma rule to DSL with the following command, the generated DSL contains subfields, like "ParentImage.keyword". Does anyone know how to remove the ".keyword" part from "ParentImage.keyword"?

```shell
python sigmac.py -t es-dsl -c sysmon /home/kali/Downloads/proc_creation_win_java_susp_child_process.yml
```

The result shows as follows:

```json
{
  "query": {
    "constant_score": {
      "filter": {
        "bool": {
          "must": [
            {
              "match_phrase": {
                "EventID": "1"
              }
            },
            {
              "wildcard": {
                "ParentImage.keyword": "*\\\\java.exe"
              }
            },
            {
              "bool": {
                "should": [
                  {
                    "wildcard": {
                      "Image.keyword": "*\\\\sh.exe"
                    }
                  },
                  {
                    "wildcard": {
                      "Image.keyword": "*\\\\bash.exe"
                    }
                  }
                ]
              }
            }
          ]
        }
      }
    }
  }
}
```

leexuan avatar Nov 01 '23 08:11 leexuan
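One way to get the field names the issue asks for, as an added example that is not part of the issue or of the pySigma/sigmac code bases: post-process the generated DSL and strip the `.keyword` suffix from the field names inside leaf clauses (`wildcard`, `match_phrase`, `term`, and so on), optionally restricted to a chosen set of base fields. The input below is the query from the issue embedded as a Python dict; `strip_keyword_subfield`, `keyword_fields`, `LEAF_CLAUSES` and `KEYWORD_SUFFIX` are names chosen here, not anything the backend exposes. The caveat a detection engineer should keep in mind: with Elasticsearch's default dynamic mapping, `ParentImage` is an analyzed `text` field and `ParentImage.keyword` is its exact-value copy, so a `wildcard` on the base field matches against analyzed tokens (a path is split on separators) rather than the whole string. Only drop the subfield for indices whose mapping already types the base field as `keyword`, which is why the function accepts an `only_fields` allow-list.

```python
import copy
import json

# Elasticsearch leaf clauses whose body is {"<field>": ...}; the field name is the key.
# (Clauses such as "exists" use {"field": "<name>"} and are deliberately not handled here.)
LEAF_CLAUSES = {"wildcard", "match_phrase", "match", "match_phrase_prefix",
                "term", "terms", "prefix", "regexp"}
KEYWORD_SUFFIX = ".keyword"

# Constructed sample: the DSL from the issue above (sysmon EventID 1, java.exe spawning a shell).
SAMPLE_DSL = {
    "query": {"constant_score": {"filter": {"bool": {"must": [
        {"match_phrase": {"EventID": "1"}},
        {"wildcard": {"ParentImage.keyword": r"*\\java.exe"}},
        {"bool": {"should": [
            {"wildcard": {"Image.keyword": r"*\\sh.exe"}},
            {"wildcard": {"Image.keyword": r"*\\bash.exe"}},
        ]}},
    ]}}}}
}


def keyword_fields(node, suffix=KEYWORD_SUFFIX):
    """Return the set of leaf-clause field names in a DSL tree that carry the subfield suffix."""
    found = set()
    if isinstance(node, dict):
        for key, value in node.items():
            if key in LEAF_CLAUSES and isinstance(value, dict):
                found.update(f for f in value if f.endswith(suffix))
            else:
                found.update(keyword_fields(value, suffix))
    elif isinstance(node, list):
        for item in node:
            found.update(keyword_fields(item, suffix))
    return found


def strip_keyword_subfield(node, suffix=KEYWORD_SUFFIX, only_fields=None):
    """Return a deep copy of a DSL tree with `<field>.keyword` renamed to `<field>` in leaf clauses.

    only_fields: optional set of base field names allowed to be rewritten; any other
    suffixed field is left untouched (use this to mirror your index mapping).
    """
    if isinstance(node, list):
        return [strip_keyword_subfield(item, suffix, only_fields) for item in node]
    if not isinstance(node, dict):
        return copy.deepcopy(node)
    out = {}
    for key, value in node.items():
        if key in LEAF_CLAUSES and isinstance(value, dict):
            leaf = {}
            for field, body in value.items():
                base = field[:-len(suffix)] if field.endswith(suffix) else field
                if only_fields is not None and base not in only_fields:
                    base = field  # not on the allow-list: keep the subfield
                leaf[base] = copy.deepcopy(body)
            out[key] = leaf
        else:
            out[key] = strip_keyword_subfield(value, suffix, only_fields)
    return out


if __name__ == "__main__":
    # Typical use: json.load() the sigmac output, rewrite, json.dump() it back out.
    print(json.dumps(strip_keyword_subfield(SAMPLE_DSL), indent=2))
```

The rewrite copies the tree rather than mutating it so the original query can still be diffed against the result; `keyword_fields` is the pre-flight check that tells you which base fields you need to confirm in the index mapping before trusting the rewritten query.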