Using:
Elasticsearch 8.16.1
pysigma-pipeline-sysmon==1.0.4
Winlogbeat 8.16.1 on Windows 10
I converted all the rules from sigma/rules/windows in the SigmaHQ repository to EQL like so:
import argparse
import json
import os

import sigma.rule
import sigma.pipelines.elasticsearch
from sigma.backends import elasticsearch as es

parser = argparse.ArgumentParser()
parser.add_argument("indir")   # sigma/rules/windows checkout
parser.add_argument("outdir")  # one JSON file per converted rule
args = parser.parse_args()

pipeline = sigma.pipelines.elasticsearch.ecs_windows()
backend = es.EqlBackend(pipeline)
for root, dirs, files in os.walk(args.indir):
    for filename in files:
        if filename.endswith(".yml"):
            with open(os.path.join(root, filename), 'r') as f:
                try:
                    rule = sigma.rule.SigmaRule.from_yaml(f)
                    eql_query = backend.convert_rule(rule)
                    with open(os.path.join(args.outdir, filename.rsplit('.', 1)[0]), 'w') as o:
                        o.write(json.dumps({"query": eql_query[0]}))
                except Exception as exc:  # report rules that fail to convert and keep going
                    print(f"{filename}: {exc}")
Now when I run the 2277 resulting rules against my Elasticsearch index (coming from Winlogbeat on Windows 10), a total of 787 rules fail.
A frequent error I get for these is:
[:] cannot operate on first argument field of data type [text]: No keyword/multi-field defined exact matches for [script_block_text]; define one or use MATCH/QUERY instead
For example for:
- posh_ps_xml_iex.yml
- posh_ps_invoke_obfuscation_via_use_rundll32.yml
Am I doing something wrong in the conversion code?
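As an added diagnostic (not part of the original post, and not pySigma or Elasticsearch code), the following script checks which fields a converted EQL query uses with the `:` operator against an index mapping and reports those mapped as `text` with no keyword multi-field, which is the condition the error above describes. The mapping fragment and the query are constructed samples; the field path `powershell.file.script_block_text` is assumed from the error message, and in practice the mapping would come from `GET <index>/_mapping` for the Winlogbeat index.

```python
import re
from typing import List, Optional

# Constructed mapping fragment in the shape Elasticsearch returns from
# GET <index>/_mapping (nested "properties" per dotted path). It is an
# assumption for illustration, not the real Winlogbeat 8.16.1 mapping.
SAMPLE_MAPPING = {
    "properties": {
        "process": {"properties": {
            "command_line": {"type": "wildcard"},
            "name": {"type": "keyword"},
        }},
        "powershell": {"properties": {"file": {"properties": {
            "script_block_text": {"type": "text"},  # text only, no keyword multi-field
        }}}},
        "message": {"type": "text", "fields": {"keyword": {"type": "keyword"}}},
    }
}

# Constructed EQL query in the style the pySigma EQL backend emits for a
# PowerShell script-block rule (assumed, not a real converted rule).
SAMPLE_QUERY = ('any where powershell.file.script_block_text : "*iex*" '
                'and process.name : "powershell.exe"')

# Field types on which the EQL ':' (exact/wildcard match) operator is valid.
EXACT_MATCH_TYPES = {"keyword", "wildcard", "constant_keyword", "ip",
                     "long", "integer", "boolean", "date"}
# Field names that appear on the left of the ':' operator.
FIELD_RE = re.compile(r"([A-Za-z_][\w.]*)\s*:")


def lookup_field(mapping: dict, dotted: str) -> Optional[dict]:
    """Walk a _mapping 'properties' tree to the definition of a dotted field name."""
    node = mapping
    for part in dotted.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return None
    return node


def supports_exact_match(field_def: dict) -> bool:
    """True if the field itself, or one of its multi-fields, can be used with ':'."""
    if field_def.get("type") in EXACT_MATCH_TYPES:
        return True
    return any(sub.get("type") in EXACT_MATCH_TYPES
               for sub in field_def.get("fields", {}).values())


def text_only_fields(query: str, mapping: dict) -> List[str]:
    """Fields used with ':' that are mapped as text with no keyword multi-field."""
    problems = []
    for field in dict.fromkeys(FIELD_RE.findall(query)):  # dedupe, keep order
        definition = lookup_field(mapping, field)
        if definition is None:
            continue  # unmapped field: EQL treats it as absent rather than erroring
        if definition.get("type") == "text" and not supports_exact_match(definition):
            problems.append(field)
    return problems


if __name__ == "__main__":
    for field in text_only_fields(SAMPLE_QUERY, SAMPLE_MAPPING):
        print(f"{field}: mapped as text without a keyword multi-field")
```

Run over the whole output directory, this separates rules that fail because of the index mapping (a `.keyword` multi-field or a `wildcard` mapping for the field would resolve them) from rules that fail for other reasons, so the conversion code and the mapping can be checked independently.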