pySigma-backend-elasticsearch
pySigma Elasticsearch backend
On the following Correlation rule, I noticed that the ES|QL output has the index name twice, such that Elastic complains about running out of memory, probably because it's loading the...
The below code shows the opposite check for the field existence check for sigma rules https://github.com/SigmaHQ/pySigma-backend-elasticsearch/blob/43fb3ba3945c143fb5912bb02e8f35bf5bcd22c5/sigma/backends/elasticsearch/elasticsearch_esql.py#L98-L100 When parsing below rule to ESQL, the condition for existence check is opposite ```...
Hi, I love this project and especially like the recent introduction of correlations. I wanted to try out different formats for the ESQL backend, and I think I found a...
Fixes https://github.com/SigmaHQ/pySigma-backend-elasticsearch/issues/72 Fixes https://github.com/SigmaHQ/pySigma-backend-elasticsearch/issues/73 This PR aims to simplify what was implemented in https://github.com/SigmaHQ/pySigma-backend-elasticsearch/pull/67 by using a global index state and passing it down the conversion tree while accounting for...
Hi. @kurisukun and myself drafted a backend converting Sigma rules into Elastalert rules, inheriting from `LuceneBackend`. It currently supports simple rules as well as the `event_count` and `value_count` correlation rules....
## Description Hello, when converting to a non-aggregating query in ES|QL the rule search isn't ready for an alert rule. In fact Elastic [requires](https://www.elastic.co/guide/en/security/8.15/rules-ui-create.html#esql-non-agg-query-dedupe) to have the `METADATA _id, _index,...