While building the Elastic pipeline I noticed a "problem" in the Sigma rule YAML.
The problem is that the raw rule does not reflect which language it is written in.
For something like Sentinel / Defender this is not a problem, since there is only one possible language anyway.
But Elastic uses at least 3 different languages, of which pySigma supports 2.
Hence I would like to be able to specify in the raw format which language was used (eql / esql).
I think it would make sense to just use a custom field for that.
For example:

```yaml
custom:
  raw_language: esql/eql
```
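As an added illustration of how a pipeline could consume the proposed field (example code, not part of the discussion above and not pySigma's own API): the function below reads `custom.raw_language` from an already-loaded rule, falls back to a caller-chosen default when the field is absent, and rejects values that are unknown or that pySigma's Elastic backend cannot emit. The language sets, the default, and the sample rules are assumptions made for this example; `esql/eql` in the post is a placeholder for one of the two values, so a literal `esql/eql` is treated as invalid here.

```python
"""Select the Elastic query language for a Sigma rule from an optional
``custom.raw_language`` field.

Assumptions (not from the discussion): the set of languages a rule may
declare, the subset pySigma's Elastic backend can emit, and the default
used when a rule carries no field at all.
"""

# Languages a rule may name in custom.raw_language (assumed set).
KNOWN_LANGUAGES = frozenset({"eql", "esql", "lucene"})
# Languages pySigma is assumed to support for Elastic in this example.
PYSIGMA_SUPPORTED = frozenset({"eql", "esql"})


def raw_language(rule: dict, default: str = "eql") -> str:
    """Return the Elastic language a rule should be rendered in.

    ``rule`` is the mapping a YAML loader produces for a Sigma rule.
    A missing ``custom`` block or ``raw_language`` key yields ``default``;
    an unknown or unsupported value raises ``ValueError`` so the pipeline
    fails loudly instead of silently emitting the wrong query language.
    """
    if default not in PYSIGMA_SUPPORTED:
        raise ValueError(f"default {default!r} is not a pySigma-supported language")

    custom = rule.get("custom")
    if custom is None:
        return default
    if not isinstance(custom, dict):
        raise ValueError("custom must be a mapping")

    value = custom.get("raw_language")
    if value is None:
        return default
    if not isinstance(value, str):
        raise ValueError("custom.raw_language must be a string")

    lang = value.strip().lower()
    if lang not in KNOWN_LANGUAGES:
        raise ValueError(f"unknown raw_language {value!r}; expected one of "
                         f"{sorted(KNOWN_LANGUAGES)}")
    if lang not in PYSIGMA_SUPPORTED:
        raise ValueError(f"raw_language {lang!r} is not supported by pySigma")
    return lang


def group_by_language(rules: list[dict], default: str = "eql") -> dict:
    """Bucket rules by target language so each bucket can go to one backend.

    Returns ``{"eql": [...], "esql": [...], "errors": [(title, message), ...]}``.
    Rules with an invalid field are reported under ``errors`` rather than
    aborting the whole batch.
    """
    groups: dict = {lang: [] for lang in sorted(PYSIGMA_SUPPORTED)}
    groups["errors"] = []
    for rule in rules:
        title = rule.get("title", "<untitled>")
        try:
            groups[raw_language(rule, default)].append(title)
        except ValueError as exc:
            groups["errors"].append((title, str(exc)))
    return groups


# Constructed sample rules (only the fields this example looks at).
SAMPLE_RULES = [
    {"title": "explicit ES|QL", "custom": {"raw_language": "esql"}},
    {"title": "explicit EQL, odd casing", "custom": {"raw_language": " EQL "}},
    {"title": "no custom block"},
    {"title": "custom block without raw_language", "custom": {"owner": "detection"}},
    {"title": "placeholder left in", "custom": {"raw_language": "esql/eql"}},
    {"title": "known but unsupported", "custom": {"raw_language": "lucene"}},
]

if __name__ == "__main__":
    for lang, items in group_by_language(SAMPLE_RULES).items():
        print(f"{lang}: {items}")
```

A pipeline would then hand each bucket to the matching backend and refuse to ship a rule set that produced any entries under `errors`.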