Custom Sigma rules fail due to EQL conversion #14244
Version: 2.4.120
Installation Method: Security Onion ISO image
Description: configuration
Installation Type: Distributed
Location: on-prem with Internet access
Hardware Specs: Exceeds minimum requirements
CPU: 8
RAM: 32
Storage for /: lots
Storage for /nsm: lots
Network Traffic Collection: other (please provide detail below)
Network Traffic Speeds: 1Gbps to 10Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: No, there are no failures
Logs: No, there are no additional clues

Detail:
I have been working extensively over a period of days with Copilot, ChatGPT, and Grok to get a simple Sigma detection rule created and working, and to educate myself on how these things work. After a lot of testing I've determined that Sigma rules are being auto-converted to EQL and fail due to EQL's limitations. KQL, on the other hand, works fine. This also seems to apply to many of the pre-loaded Emerging Threats Sigma rules. If I 'Convert' and 'Test in Kibana', they fail in the Kibana 'Dev Tools > Console' because it's using EQL. But if I test from a Kibana dashboard using KQL, I get lots of results. Here's Grok's summary of the issue. I have 2 questions:
Replies: 1 comment 1 reply
hey there!
Please share one of the custom sigma rules that you are having issues with so that I can troubleshoot further.
Also, it is not possible to convert to KQL - Sigma does not support that backend.