Integrating Elastic Backend #5
Closed
WildDogOne started this conversation in Ideas
Replies: 1 comment 1 reply
-
Hello @WildDogOne! I believe we should go down this path. Having two exporters for Elastic could make sense:
-
I have been looking into the code a bit, and it seems like it would be easy to integrate either EQL (Event Query Language) or ES|QL.
But I have some logistical questions before I start going too deep into this.
EQL has a pySigma parser which can convert Sigma rules to a fully described Elastic Security rule, with all parameters needed.
However, EQL does not support correlations.
ES|QL does support correlations, but not security rules.
So my idea would be to actually only use ES|QL and then write an exporter that can handle all attributes needed by the Elastic Security component to run the query.
Does this make sense?
Or would it make more sense to have both backends?
Thoughts and ideas welcome :)
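To make the proposal above concrete, here is a sketch of what such an ES|QL exporter would have to produce: an ES|QL query rendered from a Sigma-style detection (including a STATS-based correlation, which is the part EQL cannot express) wrapped in a payload shaped like an Elastic Security detection rule. This is an added example written for this discussion; it is not pySigma's code, not the existing EQL backend, and not this project's code. Assumptions, all labelled in the code: the rule dict is a constructed, simplified Sigma-like structure with ECS field names already mapped; the logsource-to-index table and the level-to-risk_score table are made up; the correlation syntax is a reduced form of Sigma's; and the payload field names (`type`/`language` set to `esql`, `risk_score`, `interval`, `from`, and so on) are my reading of the Elastic Security detection-rule API, not something confirmed by the thread.

```python
"""Sketch of a Sigma -> ES|QL exporter for Elastic Security (added illustration)."""
from typing import Optional

# Constructed logsource -> index pattern table (assumption; a real exporter
# would take this from a processing pipeline, as pySigma backends do).
INDEX_PATTERNS = {
    ("windows", "process_creation"): "logs-windows.*",
    ("linux", "process_creation"): "logs-linux.*",
}

# Sigma level -> (Kibana severity, risk_score). Numbers are assumed defaults.
LEVELS = {
    "low": ("low", 21),
    "medium": ("medium", 47),
    "high": ("high", 73),
    "critical": ("critical", 99),
}


def field_clause(field_spec: str, value) -> str:
    """Render one Sigma field/value pair as an ES|QL boolean clause.

    Sigma list values mean "any of", so they become an OR group. The
    contains/startswith/endswith modifiers become LIKE patterns; literal
    wildcard characters inside the value are escaped so the pattern cannot
    be widened by data the rule author did not intend to match.
    """
    field, _, modifier = field_spec.partition("|")
    if isinstance(value, list):
        return "(" + " OR ".join(field_clause(field_spec, v) for v in value) + ")"
    if isinstance(value, (int, float)):
        return f"{field} == {value}"
    literal = str(value).replace("\\", "\\\\").replace('"', '\\"')
    if modifier in ("contains", "startswith", "endswith"):
        literal = literal.replace("*", "\\*").replace("?", "\\?")
        pattern = {
            "contains": f"*{literal}*",
            "startswith": f"{literal}*",
            "endswith": f"*{literal}",
        }[modifier]
        return f'{field} LIKE "{pattern}"'
    if modifier:
        raise ValueError(f"unsupported modifier: {modifier}")
    if "*" in literal or "?" in literal:  # unmodified Sigma wildcard value
        return f'{field} LIKE "{literal}"'
    return f'{field} == "{literal}"'


def condition_to_where(detection: dict) -> str:
    """Translate a Sigma condition over named selections into an ES|QL WHERE body.

    Only and/or/not over selection names are handled here. Note an ES|QL
    semantic that a real exporter must deal with: NOT over a clause whose
    field is null evaluates to null, so 'not filter' silently drops events
    that lack the filtered field, unlike Sigma's intent.
    """
    parts = []
    for token in detection["condition"].split():
        if token.lower() in ("and", "or", "not"):
            parts.append(token.upper())
        elif token in detection:
            clauses = [field_clause(f, v) for f, v in detection[token].items()]
            parts.append("(" + " AND ".join(clauses) + ")")
        else:
            raise ValueError(f"unknown selection {token!r}")
    return " ".join(parts)


def correlation_pipeline(corr: Optional[dict]) -> str:
    """Append a STATS/WHERE stage for a (simplified) event_count correlation.

    The correlation's time window is not expressed in the query; in Elastic
    Security it comes from the rule's interval/from settings (assumption).
    """
    if not corr:
        return ""
    if corr["type"] != "event_count":
        raise ValueError("only event_count correlation is sketched here")
    by = ", ".join(corr["group_by"])
    op, threshold = next(iter(corr["condition"].items()))
    esql_op = {"gt": ">", "gte": ">=", "lt": "<", "lte": "<="}[op]
    return f" | STATS event_count = COUNT(*) BY {by} | WHERE event_count {esql_op} {threshold}"


def to_esql(rule: dict) -> str:
    """Render the full ES|QL query for a constructed Sigma-like rule dict."""
    ls = rule["logsource"]
    index = INDEX_PATTERNS[(ls.get("product"), ls.get("category"))]
    query = f"FROM {index} | WHERE {condition_to_where(rule['detection'])}"
    return query + correlation_pipeline(rule.get("correlation"))


def to_elastic_rule(rule: dict) -> dict:
    """Wrap the query in a detection-rule payload (field names are assumptions)."""
    severity, risk = LEVELS[rule.get("level", "medium")]
    return {
        "rule_id": rule["id"],
        "name": rule["title"],
        "description": rule.get("description", ""),
        "type": "esql",          # ES|QL rule type, as I understand the API
        "language": "esql",
        "query": to_esql(rule),
        "severity": severity,
        "risk_score": risk,
        "interval": "5m",        # constructed defaults
        "from": "now-6m",
        "enabled": True,
        "tags": rule.get("tags", []),
    }


# Constructed sample rule; the id is a placeholder, not a real rule UUID.
SAMPLE_RULE = {
    "title": "Encoded PowerShell launched repeatedly by one user (constructed)",
    "id": "00000000-0000-4000-8000-000000000001",
    "level": "high",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "process.name": "powershell.exe",
            "process.command_line|contains": ["-enc", "-EncodedCommand"],
        },
        "filter": {"user.name": "svc_backup"},
        "condition": "selection and not filter",
    },
    "correlation": {"type": "event_count", "group_by": ["user.name"], "condition": {"gt": 5}},
}

if __name__ == "__main__":
    import json
    print(json.dumps(to_elastic_rule(SAMPLE_RULE), indent=2))
```

Running the block prints the rule payload; the query it carries is `FROM logs-windows.* | WHERE (...) AND NOT (...) | STATS event_count = COUNT(*) BY user.name | WHERE event_count > 5`, which is exactly the aggregation step that makes the ES|QL-only route attractive and that an EQL rule cannot express.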