Auditbeat combines the raw audit events into a single event, and in particular events of
The value of To include the Assuming The only way I've managed to get these rules into a usable state with Auditbeat is as follows below. This seems quite suboptimal, so I am wondering if there are better approaches or not. I've suggested one potential improvement at the end of this post, "Value Modifiers field in config file".

Auditbeat Config
Set:

Rule Changes
Change all

Sigmac Configuration File requirements
Set a default field of

Conversion

Elastalert Rule
Functional ElastAlert rule

Possible Sigma Improvements
Value Modifiers field in config file
Allow the use of value modifiers in config files. Given the example above, using conditional field mappings, where the value of the field is known, but may not be available in a well parsed structure, allowing a value modifier could be quite useful.

References
Example Auditbeat events, specifically with
Replies: 1 comment
This should be resolved by pySigma processing pipelines https://github.com/SigmaHQ/pySigma