Playbook Sigma to Elastalert field mappings are wrong? #5015
I was trying to add some exclusions to some of the playbooks, and during my testing I found that at least the Sigma ParentCommandLine field is being translated to process.parent.command_line.security, which was not working. But if I remove the ".security" from the field, then it works. Is this expected behavior?
Replies: 1 comment
https://docs.securityonion.net/en/2.3/playbook.html#security-subfield

"Playbook uses the .security subfield that is generated by a special analyzer (https://github.com/neu5ron/es_stk). This analyzer allows case insensitive wildcard searches and is designed specifically for security logs."

Can you share more details about what is not working?
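A check that helps when debugging a translated field like this, as an added example that is not part of the thread and not Security Onion, Playbook or es_stk code: ask Elasticsearch's field-mapping API whether `<field>.security` is actually mapped in the index, and only then query the subfield. The sample `_mapping/field` response is constructed; the index name, analyzer name and base URL are assumptions, and lowercasing the pattern rests on the assumption that the `.security` analyzer lowercases the indexed terms (wildcard patterns are not analyzed, so they must match the stored term's case).

```python
"""Verify the Playbook-style `.security` subfield exists before using it in an
Elastalert filter. Added example; constructed data, not real Security Onion output."""
import json

# Constructed sample of what GET <index>/_mapping/field/process.parent.command_line*
# returns. Index and analyzer names are placeholders, not real Security Onion values.
SAMPLE_MAPPING_RESPONSE = {
    "so-example-index": {
        "mappings": {
            "process.parent.command_line": {
                "full_name": "process.parent.command_line",
                "mapping": {"command_line": {"type": "keyword"}},
            },
            "process.parent.command_line.security": {
                "full_name": "process.parent.command_line.security",
                "mapping": {
                    "security": {"type": "text", "analyzer": "example_security_analyzer"}
                },
            },
        }
    }
}


def field_mapping_url(base_url, index_pattern, field):
    """URL for the field-mapping API; the trailing * also lists subfields such as .security."""
    return f"{base_url.rstrip('/')}/{index_pattern}/_mapping/field/{field}*"


def mapped_fields(mapping_response):
    """Collect every full field name reported across all indices in the response."""
    names = set()
    for index_body in mapping_response.values():
        names.update(index_body.get("mappings", {}).keys())
    return names


def has_security_subfield(mapping_response, field):
    """True when <field>.security is mapped in at least one matching index."""
    return f"{field}.security" in mapped_fields(mapping_response)


def wildcard_filter(mapping_response, field, pattern):
    """Build the wildcard clause for an Elastalert filter.

    If the .security subfield exists, query it with a lowercased pattern
    (assumption: its analyzer lowercases indexed terms, and wildcard patterns
    are not analyzed). Otherwise fall back to the base field unchanged, which
    matches what the question reports as working."""
    if has_security_subfield(mapping_response, field):
        return {"wildcard": {f"{field}.security": {"value": pattern.lower()}}}
    return {"wildcard": {field: {"value": pattern}}}


if __name__ == "__main__":
    # Assumed base URL; replace with your own Elasticsearch endpoint.
    print(field_mapping_url("http://localhost:9200", "so-*", "process.parent.command_line"))
    print(json.dumps(wildcard_filter(SAMPLE_MAPPING_RESPONSE,
                                     "process.parent.command_line", "*PowerShell*")))
    print(json.dumps(wildcard_filter(SAMPLE_MAPPING_RESPONSE, "process.pid", "12*")))
```

Run the printed URL against your own cluster, feed the JSON it returns to `wildcard_filter`, and compare the clause it produces with the one Playbook generated; a missing `.security` entry in the mapping response means the subfield query cannot match anything regardless of the rule.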