Incorrect Sigma Rule to EQL Conversion in Security Onion #13293

medahalli · 2024-07-02T08:46:46Z

medahalli
Jul 2, 2024

Version

2.4.80

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

6

RAM

20 GO

Storage for /

400

Storage for /nsm

400

Network Traffic Collection

tap

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hello,

I've encountered an issue with the conversion of Sigma rules to EQL queries in Security Onion. The conversion does not seem to work correctly for a specific rule.

Guidelines

I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

defensivedepth · 2024-07-05T15:06:40Z

defensivedepth
Jul 5, 2024
Maintainer

Yes, so the short version is that this is a field mapping issue with some extra complexities. We are in the middle of fixing it and some others that have popped up.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Incorrect Sigma Rule to EQL Conversion in Security Onion #13293

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Incorrect Sigma Rule to EQL Conversion in Security Onion #13293

Uh oh!

medahalli Jul 2, 2024

Version

Installation Method

Description

Installation Type

Location

Hardware Specs

CPU

RAM

Storage for /

Storage for /nsm

Network Traffic Collection

Network Traffic Speeds

Status

Salt Status

Logs

Detail

Guidelines

Replies: 1 comment

Uh oh!

defensivedepth Jul 5, 2024 Maintainer

medahalli
Jul 2, 2024

defensivedepth
Jul 5, 2024
Maintainer