Modify Sigma field mappings #9736
Replies: 1 comment
Unfortunately, this is not currently possible. It is on the TODO list, so please watch our release notes for updates.
How can I restrict the Sigma mapping rules to only match on data from specific indices?

I have an SO infra where 90% of the logs are from a network traffic capture, and the rest is syslogs and other sysmon logs. So a lot of heavy so-zeek-* indices, and a few so-beats-* indices.

How can I restrict the Sigma mapping so that it triggers only on the so-beats-* indices?

I can't find the file https://github.com/Security-Onion-Solutions/securityonion-image/blob/master/so-soctopus/so-soctopus/playbook/securityonion-baseline.yml in my deployment.