
Enabling Index selection for SIEM NDJSON Policies

Open WildDogOne opened this issue 6 months ago • 0 comments

I have noticed that the EQL backend does not support the usage of state variables to change the index used in the SIEM rule. However, ESQL does allow for that.

I have built a dirty hack around this, since I don't 100% understand the logic of how it should be used. It works, but I am sure there is a better way.

WildDogOne, Aug 09 '24 09:08
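For readers who have not used the state mechanism the issue refers to: the following is an added illustration, not the author's hack and not code from the pySigma-backend-elasticsearch project. It is a pySigma processing pipeline (YAML form) that uses the `set_state` transformation to put a value under the `index` key of the processing state, which is the key the Lucene and ESQL backends consult when they build the index pattern for a SIEM rule; the index patterns, the pipeline name and the rule condition are assumptions chosen for the example.

```yaml
# Added example pipeline (not part of the original issue or the project).
# Sets the processing-state key "index" so that backends which honour it
# emit the rule against a specific index pattern instead of the default.
name: set-siem-index
priority: 20
transformations:
  # Windows process creation rules -> endpoint process events (assumed pattern)
  - id: index_windows_process_creation
    type: set_state
    key: index
    val:
      - logs-endpoint.events.process-*
    rule_conditions:
      - type: logsource
        product: windows
        category: process_creation
  # Everything else falls back to a broad pattern (assumed)
  - id: index_default
    type: set_state
    key: index
    val:
      - logs-*
    rule_conditions:
      - type: logsource
        product: windows
        category: process_creation
    rule_condition_negation: true
```

Applied with `sigma convert -t lucene -f siem_rule_ndjson -p set-siem-index.yml rules/` (or `-t esql`), the `index` value set by the matching transformation ends up in each generated rule. The point the issue raises is that the EQL backend, at the time of writing, ignored this state key, so the same pipeline has no effect on `-t eql` output; whether a newer version of the backend reads it should be checked against the backend's source rather than assumed from this example.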