Backend definitions in various config files do not match new sigmac backend list
Was trying to convert to elastic-zeek and create elasticsearch-rules. I found that the backend definitions in ecs-zeek-corelight and, as a matter of fact, a few others in the config folder have outdated backend definitions.
I think in this section elasticsearch-rule should be es-rule. I am not sure what else needs changing, as I couldn't find any documentation or when these changed in the tool.
https://github.com/SigmaHQ/sigma/blob/7298225cbeea4a17fe32bc523be71394e98e0764/tools/config/ecs-zeek-corelight.yml#L4-L17
Hi, I made a quick check of the tools
Valid : 212 Invalid : 7 No Backend : 7
Valid backend names:

```
['ala', 'ala-rule', 'arcsight', 'arcsight-esm', 'carbonblack', 'chronicle', 'crowdstrike', 'csharp', 'devo', 'ee-outliers', 'elastalert', 'elastalert-dsl', 'es-dsl', 'es-eql', 'es-qs', 'es-qs-lr', 'es-rule', 'es-rule-eql', 'fieldlist', 'fireeye-helix', 'graylog', 'grep', 'humio', 'kibana', 'kibana-ndjson', 'lacework', 'limacharlie', 'logiq', 'logpoint', 'mdatp', 'netwitness', 'netwitness-epl', 'opensearch-monitor', 'powershell', 'qradar', 'qualys', 'sentinel-rule', 'splunk', 'splunkdm', 'splunkxml', 'sql', 'sqlite', 'stix', 'sumologic', 'sumologic-cse', 'sumologic-cse-rule', 'sysmon', 'uberagent', 'xpack-watcher']
```
| file | Configuration | check |
|---|---|---|
| ecs-proxy.yml | corelight_elasticsearch-rule | NOK |
| ecs-zeek-corelight.yml | corelight_es-qs | NOK |
| ecs-zeek-corelight.yml | corelight_elasticsearch-rule | NOK |
| ecs-zeek-corelight.yml | corelight_kibana | NOK |
| ecs-zeek-corelight.yml | corelight_xpack-watcher | NOK |
| splunk-zeek.yml | corelight_splunk | NOK |
| thor.yml | thor | NOK |
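For anyone who wants to reproduce this kind of check locally, here is an added example (not the checker the comment above used, and not part of the sigma repository) that reads the top-level `backends:` list of each config file under `tools/config` and flags any name that is not in the backend list printed above. It assumes the config files declare their backends under a top-level `backends:` key, either as a block list or as an inline `[a, b]` list; the parser is a deliberately small regex-based reader rather than a full YAML loader, and the sample config embedded below is constructed for the demo, not the real ecs-zeek-corelight.yml.

```python
"""Flag sigmac config files whose `backends:` entries are not real sigmac backend names.

Added example; assumes a top-level `backends:` key in each tools/config/*.yml.
"""
import re
from pathlib import Path

# Backend names copied from the comment above (output of the quick check).
VALID_BACKENDS = {
    'ala', 'ala-rule', 'arcsight', 'arcsight-esm', 'carbonblack', 'chronicle',
    'crowdstrike', 'csharp', 'devo', 'ee-outliers', 'elastalert', 'elastalert-dsl',
    'es-dsl', 'es-eql', 'es-qs', 'es-qs-lr', 'es-rule', 'es-rule-eql', 'fieldlist',
    'fireeye-helix', 'graylog', 'grep', 'humio', 'kibana', 'kibana-ndjson',
    'lacework', 'limacharlie', 'logiq', 'logpoint', 'mdatp', 'netwitness',
    'netwitness-epl', 'opensearch-monitor', 'powershell', 'qradar', 'qualys',
    'sentinel-rule', 'splunk', 'splunkdm', 'splunkxml', 'sql', 'sqlite', 'stix',
    'sumologic', 'sumologic-cse', 'sumologic-cse-rule', 'sysmon', 'uberagent',
    'xpack-watcher',
}

# Constructed sample config fragment (NOT the real ecs-zeek-corelight.yml):
# it mixes the stale 'elasticsearch-rule' name with valid ones.
SAMPLE_CONFIG = """\
title: Example Zeek/Corelight ECS mapping (constructed sample)
order: 20
backends:
  - es-qs
  - elasticsearch-rule
  - kibana
  - xpack-watcher
fieldmappings:
  id.orig_h: source.ip
"""


def parse_backends(text):
    """Return the names under the top-level `backends:` key of a config file.

    Simplified reader (assumption): handles `backends: [a, b]` and the block
    form with `- item` lines; anything else yields [] rather than guessing.
    """
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^backends:\s*(.*)$", line)
        if not m:
            continue
        rest = m.group(1).strip()
        if rest.startswith("["):                      # inline flow-style list
            return [x.strip().strip("'\"")
                    for x in rest.strip("[]").split(",") if x.strip()]
        items = []
        for nxt in lines[i + 1:]:                     # block-style list
            m2 = re.match(r"^\s*-\s+(.+?)\s*$", nxt)
            if m2:
                items.append(m2.group(1).strip("'\""))
            elif nxt.strip() == "" or nxt.lstrip().startswith("#"):
                continue
            else:
                break                                 # next top-level key
        return items
    return []


def check_config(text, valid=VALID_BACKENDS):
    """Split one config's backends into (valid_names, invalid_names), order preserved."""
    names = parse_backends(text)
    return [n for n in names if n in valid], [n for n in names if n not in valid]


def check_config_dir(config_dir, valid=VALID_BACKENDS):
    """Map each *.yml in config_dir to its invalid backend names (None = no backends key)."""
    report = {}
    for path in sorted(Path(config_dir).glob("*.yml")):
        names = parse_backends(path.read_text(encoding="utf-8"))
        report[path.name] = [n for n in names if n not in valid] if names else None
    return report


if __name__ == "__main__":
    ok, bad = check_config(SAMPLE_CONFIG)
    for name in ok:
        print(f"{name:25s} OK")
    for name in bad:
        print(f"{name:25s} NOK")
```

Run `check_config_dir("tools/config")` from a sigma checkout to get the per-file list of stale names; a file reported as `None` has no `backends:` key at all (the "No Backend" bucket in the counts above), which is worth a second look because sigmac then applies that config to every backend.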