pySigma-backend-elasticsearch

Elastic Security Informational Severity

Open WildDogOne opened this issue 6 months ago • 0 comments

Elastic Security does not know the severity Informational. It only understands Low, Medium, High, Critical. Since Sigma does allow Informational (as it is designed to), there will be the possibility of getting Informational Severity (Level in Sigma).

I propose to add code to bump Severity of Informational to Low, but for example setting the riskScore to 0.

For example, in the finalize_query_siem_rule_ndjson and finalize_query_siem_rule functions https://github.com/SigmaHQ/pySigma-backend-elasticsearch/blob/main/sigma/backends/elasticsearch/elasticsearch_eql.py#L379 https://github.com/SigmaHQ/pySigma-backend-elasticsearch/blob/main/sigma/backends/elasticsearch/elasticsearch_eql.py#L450

```python
# Informational rules keep a risk score of 0; everything else uses the backend's mapping,
# with 21 as the fallback when the rule has no level at all.
"riskScore": (
    0 if rule.level is not None and str(rule.level.name).lower() == "informational"
    else self.severity_risk_mapping[rule.level.name] if rule.level is not None
    else 21
),
"riskScoreMapping": [],
# Elastic has no "informational" severity, so bump it (and a missing level) to "low".
"severity": (
    "low" if rule.level is None or str(rule.level.name).lower() == "informational" else str(rule.level.name).lower()
),
```

WildDogOne, Aug 09 '24 21:08
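The mapping proposed in the issue, worked through as a stand-alone function with a check that the output is something Elastic Security would accept. This is an added example and not code from pySigma or the Elasticsearch backend: the `SigmaLevel` enum, the `SEVERITY_RISK_MAPPING` numbers and the `DEFAULT_RISK_SCORE` of 21 are constructed stand-ins for the backend's `rule.level` and `self.severity_risk_mapping`, so the real project's values may differ.

```python
from enum import Enum
from typing import Optional


class SigmaLevel(Enum):
    """Constructed stand-in for pySigma's rule level enum (names assumed, uppercase)."""
    INFORMATIONAL = 1
    LOW = 2
    MEDIUM = 3
    HIGH = 4
    CRITICAL = 5


# Constructed risk-score table; the backend's own severity_risk_mapping may use other numbers.
SEVERITY_RISK_MAPPING = {"LOW": 21, "MEDIUM": 47, "HIGH": 73, "CRITICAL": 99}
# Fallback used when a rule carries no level at all (mirrors the "else 21" in the issue).
DEFAULT_RISK_SCORE = 21
# The only severities Elastic Security detection rules accept.
ELASTIC_SEVERITIES = {"low", "medium", "high", "critical"}


def elastic_severity_fields(level: Optional[SigmaLevel]) -> dict:
    """Return the severity / riskScore fields of an Elastic detection rule for a Sigma level.

    Informational is not an Elastic severity, so it is bumped to "low" while the
    riskScore is pinned to 0 to keep it distinguishable from a real "low" rule.
    """
    if level is None:
        return {"severity": "low", "riskScore": DEFAULT_RISK_SCORE, "riskScoreMapping": []}
    name = level.name.lower()
    if name == "informational":
        return {"severity": "low", "riskScore": 0, "riskScoreMapping": []}
    return {
        "severity": name,
        "riskScore": SEVERITY_RISK_MAPPING[level.name],
        "riskScoreMapping": [],
    }


def is_valid_for_elastic(fields: dict) -> bool:
    """Sanity check before export: known severity and a risk score in Elastic's 0..100 range."""
    return (
        fields.get("severity") in ELASTIC_SEVERITIES
        and isinstance(fields.get("riskScore"), int)
        and 0 <= fields["riskScore"] <= 100
    )


if __name__ == "__main__":
    for lvl in [None, *SigmaLevel]:
        out = elastic_severity_fields(lvl)
        print(lvl.name if lvl else "None", "->", out, "valid:", is_valid_for_elastic(out))
```

Without the Informational branch, `str(rule.level.name).lower()` would emit `"informational"` as the severity, which Elastic rejects on import; the check in `is_valid_for_elastic` catches exactly that case.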