Sigma translation to ElastAlert problem #9344

ben-sec · 2022-12-09T08:16:03Z

ben-sec
Dec 9, 2022

Hi!
I try to trigger an alert via Playbook whenever a new alert of my EDR is comming in. The Sigma condition in my Play is

detection:
  selection:
    event.module: "Apex Central"
  condition: selection

and it gets translated to the following ElastAlert query: event.module.security:"Apex\ Central"

Where is the "\" comming from? This breaks the query. Or what is wrong with my Sigma condition?

Cheerss, Ben

Answered by ben-sec

Hmm, now it's suddenly working. Ahh, it's working in Lucene syntax, but not in KQL (where I tried it before manually)!

ben-sec · 2022-12-09T12:44:47Z

Hmm, now it's suddenly working. Ahh, it's working in Lucene syntax, but not in KQL (where I tried it before manually)!

0 replies