The 'near' aggregation operator is not yet implemented for this backend

Open aaminahassan opened this issue 3 years ago • 1 comments

How to avoid the error of bypass while converting sigma to elastalert?

./sigmac  -t elastalert  -r /home/det/sigma/rules/windows/process_creation   -o /home/det/sigma/converted_windows/ -e yml -c elk-winlogbeat
An unsupported feature is required for this Sigma rule (/home/det/sigma/rules/windows/process_creation/proc_creation_win_apt_turla_commands_medium.yml): None : The 'near' aggregation operator is not yet implemented for this backend

Aug 30 '22 06:08 aaminahassan

You can use --ignore-backend-errors or -I option

$frack113 avatar$ Aug 30 '22 15:08 frack113