Sigmac Output To Elastalert #2746
Hi, I have seen issue #89 and didn't understand whether the sigmac output is elastalert or esquery now. It seems that you can't change the elastalert rule type or use aggregations. Can anyone explain why?
Answered by weslambert, Jan 29, 2021
Replies: 1 comment
The rules you are speaking of are managed by Playbook, so it will manage them, and modifications to those rules will be overwritten. You should, however, be able to tweak those rules from Playbook, as opposed to directly in the rule itself.
Answer selected by defensivedepth