Playbook Sigma to Elastalert field mappings are wrong? #5016
I was trying to add some exclusions to some of the playbooks, and during my testing I found that at least the Sigma ParentCommandLine field is being translated to process.parent.command_line.security, which was not working. But if I remove the ".security" from the field, then it works. Is this expected behavior?
Answered by defensivedepth, Aug 2, 2021
Replies: 1 comment
Duplicate of #5015
Answer selected by dougburks