Elasticsearch alert types

[Lucaazel]

Hi,

I'm currently looking to implement a detection-as-code pipeline with Sigma, I want to have all my elastic rules into a repo of Sigma rules, convert them to ndjson, and use detection-rules elastic’s scripts to push them to elastic.

I guess that's the way to do this and my question is when it comes to elastic alert types such as:

• New Terms
• Indicator Match
• Threshold
• ...

I have the feeling that the Elastic backend is only supporting basic queries for now. Is there a way to handle that? Would it require to modify the backend or create a new pipeline? I guess we can solve this with a pipeline, but I'm asking about the most convenient way of doing this (or if I'm missing something).

Thanks!

[scripton8]

I am not pretty familiar with Elastic, but we did "the same" for Splunk. We came up with a solution, where we added the possibility to add a custom key to a Sigma rules's yaml, which contains some Splunk specific parameters, that are not part of Sigma rules in general.
In Splunk we process everythin with pysigma and further python and everything in our custom key gets passed to the SigmaRule object in custom_keys.
We then use a post processing pipeline, to generate a template as we need it including our custom parameters and put it in a format that Splunk's Rest API can handle. Hope this hepls!

[thomaspatzke]

Just found this discussion and moved it to the Elastic repository. In the meanwhile the backend supports ES|QL with Sigma correlation rules, which enables further detection possibilities. Nevertheless, the goal of Sigma is not to support every feature of all SIEMs. E.g. new terms rules are not supported and generally I don't see much value in implementing indicator matching as Sigma rule. This should be considered in a detection as code pipeline, e.g. as stated by @jabrcks by adding custom extensions to Sigma rules that enable to create custom queries for cases where Sigma is not sufficient.