Replies: 1 comment
Please see the documentation for adding new sigma rules: In the future, please do not type titles in ALL CAPS as this looks like YELLING!
Version: 2.4.70
Installation Method: Security Onion ISO image
Description: other (please provide detail below)
Installation Type: Distributed
Location: airgap
Hardware Specs: Meets minimum requirements
CPU: 6
RAM: 8
Storage for /: 500GB
Storage for /nsm: /NSM
Network Traffic Collection: span port
Network Traffic Speeds: 1Gbps to 10Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: Yes, there are salt failures (please provide detail below)
Logs: No, there are no additional clues
Detail
When creating Sigma rules and deploying them in the new "Detections" feature, do I have to convert the rule to EQL? Based on the documentation, it states to paste the syntax of the Sigma rule and hit "Create" and that is it. However, there is a "conversion" option to convert to EQL. Am I supposed to convert the rule before or after, or is this optional???
I read in other documentation that after a Sigma rule is created you have to run the following command:
sigmac -t es-qs -c /path/to/config.yaml /path/to/rule.yaml
And then paste the converted query in Kibana -> Stack Management -> Kibana -> Saved Objects -> Import.
I guess my overall question is, do you have to convert the rule first and import it in the system before you create it in Detections?
Also, I am new to Security Onion so bear with me. I hope this all makes sense.
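The `sigmac -t es-qs -c /path/to/config.yaml /path/to/rule.yaml` step quoted above takes a Sigma rule plus a field-mapping config and emits an Elasticsearch query-string (Lucene) query. The block below is an added illustration of that conversion and is not Security Onion's or sigmac's own code: the Sigma rule, the field map standing in for config.yaml and the ECS-style target field names are all constructed for the example, and the converter handles only named selections combined with and/or/not.

```python
# Added illustration (not sigmac's code) of what `sigmac -t es-qs` produces.
# Only selection maps, list values, endswith/startswith/contains and and/or/not.

# Constructed sample: parsed YAML of a small Sigma rule (Sysmon-style fields).
RULE = {
    "title": "Suspicious Use of whoami",
    "detection": {
        "selection": {"Image|endswith": "\\whoami.exe"},
        "filter": {"ParentImage|endswith": ["\\cmd.exe", "\\powershell.exe"]},
        "condition": "selection and not filter",
    },
}

# Constructed stand-in for config.yaml: maps Sigma field names onto the names
# the backend indexes (assumed ECS-style here).
FIELD_MAP = {"Image": "process.executable", "ParentImage": "process.parent.executable"}


def _clause(field_spec, value):
    """Turn 'Field|modifier' and its value(s) into one Lucene field clause."""
    name, _, mod = field_spec.partition("|")
    field = FIELD_MAP.get(name, name)
    rendered = []
    for v in value if isinstance(value, list) else [value]:
        v = str(v).replace("\\", "\\\\").replace(" ", "\\ ")  # Lucene escaping
        if mod == "endswith":
            v = "*" + v
        elif mod == "startswith":
            v = v + "*"
        elif mod == "contains":
            v = "*" + v + "*"
        rendered.append(v)
    if len(rendered) == 1:
        return f"{field}:{rendered[0]}"
    return f"{field}:({' OR '.join(rendered)})"  # list values are ORed


def to_es_qs(rule):
    """Render the condition, expanding each named selection into its clauses."""
    det = rule["detection"]
    parts = []
    for tok in det["condition"].split():
        if tok in ("and", "or", "not"):
            parts.append(tok.upper())
        elif tok in det:  # keys inside one selection are ANDed together
            parts.append("(" + " AND ".join(_clause(k, v) for k, v in det[tok].items()) + ")")
        else:
            raise ValueError(f"unsupported condition token: {tok}")
    return " ".join(parts)
```

Calling `to_es_qs(RULE)` yields the query-string form that would be pasted into Kibana, with the Sigma field names replaced by the mapped backend names.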