
[ES|QL] Non-aggregating query

Open 0xFustang opened this issue 6 months ago • 0 comments

Description

Hello, when converting to a non-aggregating query in ES|QL, the rule search isn't ready for an alert rule. In fact, Elastic requires the METADATA _id, _index, _version clause after the from index*.

Is there a transformation pipeline to overcome this? If not, it would be nice to have an option to add METADATA _id, _index, _version for non-aggregating queries.

EDIT:

Or add a transformation state for the metadata, like: "from {state[index]} {state[metadata]} | where {query}"

0xFustang, Aug 22 '24 07:08
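As an added example, not code from pySigma or the pySigma-backend-elasticsearch project, here is a stand-alone post-processing step that takes an ES|QL query as the backend would emit it and inserts the METADATA _id, _index, _version clause right after the FROM sources. It leaves aggregating queries (those containing a STATS command) untouched, since the metadata columns are only needed for the per-document hits of a non-aggregating alert rule, and it merges with any METADATA clause already present so the step is idempotent. The function name, the regular expressions and the sample queries are assumptions made for this example; how this would be wired into a pySigma processing pipeline is not shown.

```python
import re

# Document identity columns Kibana needs on the hits of a non-aggregating
# ES|QL alert rule. ES|QL expects them in a METADATA clause directly after
# the FROM sources, before the first pipe.
METADATA_COLUMNS = ("_id", "_index", "_version")

# Leading FROM command: "FROM src1,src2*" with an optional existing
# "METADATA a, b" clause, ending at the first pipe or at end of query.
_FROM_RE = re.compile(
    r"^\s*from\s+(?P<sources>[^|]*?)"
    r"(?:\s+metadata\s+(?P<meta>[^|]*?))?\s*(?=\||$)",
    re.IGNORECASE | re.DOTALL,
)

# Any STATS command anywhere in the pipeline marks an aggregating query.
_STATS_RE = re.compile(r"\|\s*stats\b", re.IGNORECASE)


def is_aggregating(query: str) -> bool:
    """True if the query aggregates (contains a STATS command)."""
    return _STATS_RE.search(query) is not None


def add_esql_metadata(query: str, columns=METADATA_COLUMNS) -> str:
    """Return `query` with METADATA columns added after the FROM sources.

    Aggregating queries are returned unchanged. Columns that are already
    listed in an existing METADATA clause are kept in place and not
    duplicated, so applying the function twice yields the same result.
    """
    m = _FROM_RE.match(query)
    if m is None:
        raise ValueError("query does not start with a FROM command: %r" % query)
    if is_aggregating(query):
        return query

    existing = [c.strip() for c in (m.group("meta") or "").split(",") if c.strip()]
    wanted = existing + [c for c in columns if c not in existing]

    rest = query[m.end():].lstrip()  # "| where ..." or empty
    tail = " " + rest if rest else ""
    return "FROM %s METADATA %s%s" % (m.group("sources").strip(), ", ".join(wanted), tail)


if __name__ == "__main__":
    # Constructed sample queries (not output captured from the backend).
    samples = [
        'from logs-* | where process.name == "mimikatz.exe"',
        "from logs-* metadata _id, _index | where event.code == 4624",
        "from logs-* | where event.code == 4625 | stats count() by user.name",
    ]
    for q in samples:
        print(add_esql_metadata(q))
```

Assumption: the backend's non-aggregating output starts with a FROM command and uses ES|QL's pipe-separated command syntax; queries that do not start with FROM raise rather than being silently passed through, so a misconfigured pipeline is noticed at conversion time.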