[Backend][Elastalert] group-field for aggregation

Open HarishHary opened this issue 5 years ago • 1 comments

Hello Sigma team,

As far as I understood, aggregation only accepts one group-field. Is it possible to extend this to have multiple group-fields? e.g. count() by field1,field2 and have query_key as a list of fields.

According to the elastalert documentation for query_key:

A list of fields may also be used, which will create a compound query key. This compound key is treated as if it were a single field whose value is the component values, or “None”, joined by commas.

Best regards,

HarishHary avatar Mar 09 '20 12:03 HarishHary
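As an added illustration of what the request above asks for (this is example code written for this thread, not part of sigmac or elastalert): a small parser for the aggregation part of a Sigma v1 condition that accepts one or more comma-separated group-by fields, a converter that emits the elastalert fields `type`, `num_events`, `timeframe` and `query_key` (a plain string for one field, a list for several, which elastalert documents as a compound key), and a simulation of the compound key so the behaviour can be checked on constructed events. The regex, the function names and the sample events are assumptions made for this example.

```python
import re
from collections import Counter
from typing import Any

# Aggregation tail of a Sigma v1 condition, e.g. "count() by src_ip,user > 2".
# The "by" list is the part this example widens to several fields
# (hypothetical extension, not the current sigmac grammar).
AGG_RE = re.compile(
    r"^\s*(?P<func>count|min|max|avg|sum)\((?P<agg_field>[^)]*)\)"
    r"(?:\s+by\s+(?P<group>[\w.,\s]+?))?"
    r"\s*(?P<op>[<>]=?|==?)\s*(?P<value>\d+)\s*$"
)


def parse_aggregation(condition: str) -> dict[str, Any]:
    """Parse the aggregation expression after the last '|' of a condition."""
    tail = condition.rsplit("|", 1)[-1]
    m = AGG_RE.match(tail)
    if not m:
        raise ValueError(f"not an aggregation expression: {tail!r}")
    group = m.group("group")
    return {
        "func": m.group("func"),
        "agg_field": m.group("agg_field").strip() or None,
        "group_fields": [f.strip() for f in group.split(",") if f.strip()] if group else [],
        "op": m.group("op"),
        "value": int(m.group("value")),
    }


def to_elastalert(agg: dict[str, Any], timeframe_minutes: int = 5) -> dict[str, Any]:
    """Map a count()-by-fields aggregation onto an elastalert frequency rule.

    Only 'count() ... > N' and '>= N' are handled here; elastalert's
    num_events is the smallest count that fires the alert.
    """
    if agg["func"] != "count" or agg["op"] not in (">", ">="):
        raise NotImplementedError("only count() with > or >= is covered by this example")
    num_events = agg["value"] + 1 if agg["op"] == ">" else agg["value"]
    rule: dict[str, Any] = {
        "type": "frequency",
        "num_events": num_events,
        "timeframe": {"minutes": timeframe_minutes},
    }
    fields = agg["group_fields"]
    if len(fields) == 1:
        rule["query_key"] = fields[0]          # single field: plain string
    elif fields:
        rule["query_key"] = fields             # several fields: list = compound key
    return rule


def compound_key(event: dict[str, Any], fields: list[str]) -> str:
    """elastalert-style compound key: component values, or 'None', joined by commas."""
    return ",".join(str(event[f]) if f in event else "None" for f in fields)


def matching_groups(events: list[dict[str, Any]], agg: dict[str, Any]) -> dict[str, int]:
    """Count events per compound key and keep the groups that satisfy the threshold."""
    ops = {
        ">": lambda n, v: n > v, ">=": lambda n, v: n >= v,
        "<": lambda n, v: n < v, "<=": lambda n, v: n <= v,
        "=": lambda n, v: n == v, "==": lambda n, v: n == v,
    }
    counts = Counter(compound_key(e, agg["group_fields"]) for e in events)
    return {k: n for k, n in counts.items() if ops[agg["op"]](n, agg["value"])}


# Constructed sample events (not real log data) for a local check.
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.1", "user": "alice"},
    {"src_ip": "10.0.0.1", "user": "alice"},
    {"src_ip": "10.0.0.1", "user": "alice"},
    {"src_ip": "10.0.0.1", "user": "bob"},
    {"src_ip": "10.0.0.2"},                   # no user field -> "None" in the key
    {"src_ip": "10.0.0.2"},
    {"src_ip": "10.0.0.2"},
]

if __name__ == "__main__":
    agg = parse_aggregation("selection | count() by src_ip,user > 2")
    print(to_elastalert(agg))
    print(matching_groups(SAMPLE_EVENTS, agg))
```

The compound-key simulation is what makes the list form of `query_key` worth checking: an event that lacks one of the grouped fields still lands in its own bucket (`10.0.0.2,None`) rather than being merged with other sources, which is the behaviour the quoted elastalert documentation describes.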

I'm also interested in this. Several SIEMs support grouping by multiple fields and this is a feature that is missing in SIGMA.

Any plan to implement this feature?

iosonogio avatar Mar 18 '21 10:03 iosonogio

Check https://github.com/SigmaHQ/sigma-specification/blob/main/wip/Sigma_Correlations.md

You can open a discussion on https://github.com/SigmaHQ/sigma-specification/discussions

frack113 avatar Oct 18 '22 04:10 frack113