Sigma rule to alert whenever a syslog message containing certain text is received

[S6T0Sa0B1v]

Good afternoon Onion community,

I am still getting the hang of Sigma detection rules and for the sake of example am trying to write a rule that alerts in Onion whenever a syslog message concerning Nmap is received from our perimeter firewalls. So far I have based my rule on an earlier one that I wrote for "ALERT" level syslog messages (mentioned in this thread) and have tried to follow the same template by looking at the corresponding message fields in Kibana. However, I haven't managed to make the rule work yet and wanted to reproduce it here for review.

This is what I have so far:

# This is a Sigma rule template, which uses YAML. Replace all template values with your own values.
# The id (UUIDv4) is pregenerated and can safely be used.
# Click "Convert" to convert the Sigma rule to use Security Onion field mappings within an EQL query
#
# Rule Creation Guide: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide
# Logsources: https://sigmahq.io/docs/basics/log-sources.html

title: '[rule name]'
id:  [UUID]
status: 'experimental'
description: |
    This rule, [UUID], is designed to trigger an alert in Onion whenever a syslog message relating to nmap is received from the network perimeter.
date: '2025/03/5'
tags:
  - detection.threat_hunting
  - attack.technique_id
logsource:
  category: firewall
  service: syslog
detection:
    selection:
        zeek.syslog.message : "*map*"
    condition: selection
level: 'high'  # info | low | medium | high | critical

In general I would like to build a template for a rule that will trigger an alert whenever syslog messages containing a certain text in the "message" field (in this case, anything related to nmap) are received. However, even though it was relatively easy to write a rule concerning the syslog.severity_label field in a similar way, I am unsure why I haven't been able to do the same with the message field in Kibana. Any suggestions for changes to the above rule to ensure the desired functionality would be very much appreciated.

Thank you as always!

[defensivedepth]

You have a log that has a fieldname of zeek.syslog.message and it contains *map*? Have you tried just querying it directly to make sure that works as expected?

As a side note you can use a modifier instead of manually specifying the asterisks:

zeek.syslog.message|contains: map