Are there any complete examples of using 'change_logsource' in a pipeline rule? #192

BCall-BT · 2024-01-22T13:27:38Z

BCall-BT
Jan 22, 2024

I'm trying to use pipelines with sigma-cli or https://sigconverter.io/ to replace the default index patterns used when converting to an elastic siem rule. Any attempt I make either errors out or does nothing. Below is the only reference I can find, but it does not work
name: transformation_demo priority: 100 transformations: - id: prefix_source_and_index_for_puppy_logs type: change_logsource mapping:

Answered by joshnck

Mar 24, 2024

transformations:
- id: change_logsource
  type: change_logsource
  category: security
  rule_conditions:
  - type: logsource
    category: process_creation

That should do it for you!

View full answer

joshnck · 2024-03-24T17:11:24Z

joshnck
Mar 24, 2024

transformations:
- id: change_logsource
  type: change_logsource
  category: security
  rule_conditions:
  - type: logsource
    category: process_creation

That should do it for you!

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Are there any complete examples of using 'change_logsource' in a pipeline rule? #192

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

Are there any complete examples of using 'change_logsource' in a pipeline rule? #192

Uh oh!

BCall-BT Jan 22, 2024

Replies: 1 comment

Uh oh!

joshnck Mar 24, 2024

BCall-BT
Jan 22, 2024

joshnck
Mar 24, 2024