Configuration file used for sigma rules conversion #3230
Currently I am converting Zeek Sigma rules to ElastAlert using sigmac. The configuration file used for this is:

The following command is used for conversion:

I want to convert all the Sigma rules of type network, application, compliance, linux, etc. using one general configuration file. Is it possible to do? If yes, then a little guideline in this regard would be appreciated. Thank you!
Replies: 1 comment 2 replies
Quick answer: no.
You would have to write a configuration file with a different index.
There may be a way, but it will be a pain.
The easiest way is to make a directory (linux or network or ...) = a mapping file.
ECS mapping other than Windows is not very well maintained.
If you find an error you can make a PR.
Be aware that the linux folder is for builtin, auditd or sysmon ...
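The "one directory = one mapping file" approach from the reply above, as an added example that is not part of this discussion or of the Sigma project's own tooling. The script picks a sigmac mapping file from the top-level rule directory and runs `sigmac -t elastalert -c <mapping> <rule>` over every rule; it also emits a minimal constructed mapping file for the network (Zeek) directory to show what such a per-directory file looks like. All paths under `tools/config/`, the index patterns and the field mappings are assumptions for illustration, not files or values shipped by Sigma.

```shell
#!/bin/sh
# Added example: convert Sigma rules with one sigmac mapping file per rule directory.
# RULES_ROOT, CONFIG_DIR and the mapping file names are assumed values for illustration.
RULES_ROOT="${RULES_ROOT:-rules}"
CONFIG_DIR="${CONFIG_DIR:-tools/config}"
TARGET="${TARGET:-elastalert}"

# Print the mapping file for a rule, chosen by the rule's top-level directory
# under RULES_ROOT. Returns non-zero when no mapping exists for that directory,
# so unmapped rules are skipped rather than converted against the wrong index.
config_for_rule() {
    rule="$1"
    rel="${rule#"$RULES_ROOT"/}"
    top="${rel%%/*}"
    case "$top" in
        network)     echo "$CONFIG_DIR/zeek.yml" ;;          # assumed file name
        linux)       echo "$CONFIG_DIR/linux-auditd.yml" ;;  # assumed file name
        application) echo "$CONFIG_DIR/application.yml" ;;   # assumed file name
        compliance)  echo "$CONFIG_DIR/compliance.yml" ;;    # assumed file name
        *)           return 1 ;;
    esac
}

# A constructed sigmac mapping file for the network directory. The logsource
# block carries the index for that data source; the field mappings translate
# Sigma field names to the ECS names the Zeek index uses. Values are illustrative.
write_example_mapping() {
    cat <<'EOF'
title: Zeek to ElastAlert (constructed example, not a Sigma-shipped config)
order: 20
backends:
  - elastalert
  - es-qs
logsources:
  zeek:
    product: zeek
    index: 'zeek-*'
  zeek-conn:
    product: zeek
    service: conn
    conditions:
      event.dataset: zeek.connection
fieldmappings:
  src_ip: source.ip
  dst_ip: destination.ip
  src_port: source.port
  dst_port: destination.port
EOF
}

# Walk every rule file and run sigmac with the matching mapping file.
convert_all() {
    find "$RULES_ROOT" -name '*.yml' | while read -r rule; do
        if ! cfg=$(config_for_rule "$rule"); then
            echo "skip (no mapping for directory): $rule" >&2
            continue
        fi
        sigmac -t "$TARGET" -c "$cfg" "$rule"
    done
}

# Only run the conversion when invoked explicitly: ./convert.sh --run
if [ "${1:-}" = "--run" ]; then
    convert_all
fi
```

Usage: `./convert.sh --run` from the repository root, with `RULES_ROOT`, `CONFIG_DIR` or `TARGET` overridden in the environment as needed. Each mapping file only needs to describe the indices and field names of its own directory, which is what keeps the per-directory files small and easy to fix with a PR when a mapping is wrong.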