hi @foxalfabravo,
with `"` the rule fails, so I simply try this:

```yaml
filter:
- query:
    query_string:
      query: {{ query }}
```

It works. I think it is more an elastalert trouble than a backend one, as the output Lucene query is valid.
In YAML the double quotes are for escape sequences.
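As an added illustration of the quoting problem (not code from this issue, sigma-cli or elastalert): a converted Lucene query dropped into a double-quoted YAML scalar is either rejected or silently altered by YAML escape processing, whereas letting an encoder produce the scalar keeps the query intact. The template strings, the minimal loader and the sample queries below are constructed assumptions for the demo.

```python
import json

# Constructed stand-in for an elastalert template that wraps the converted
# Lucene query in a YAML double-quoted scalar (assumption, not sigma-cli code).
# The comment above drops the quotes, which yields a plain scalar that YAML
# takes literally; this demo focuses on the double-quoted case.
NAIVE_TEMPLATE = 'query: "{{ query }}"'

# Escapes accepted inside "...": a subset of YAML's table, enough to cover
# what json.dumps and typical Lucene output produce.
SIMPLE_ESCAPES = {'\\': '\\', '"': '"', '/': '/', 'n': '\n', 't': '\t',
                  'r': '\r', '0': '\0', ' ': ' '}

def load_double_quoted(scalar: str) -> str:
    """Decode one YAML double-quoted scalar the way a YAML loader would,
    raising ValueError where a loader would report a syntax error."""
    if not scalar.startswith('"'):
        raise ValueError('not a double-quoted scalar')
    out, i = [], 1
    while i < len(scalar):
        c = scalar[i]
        if c == '\\':
            esc = scalar[i + 1:i + 2]
            if esc in SIMPLE_ESCAPES:
                out.append(SIMPLE_ESCAPES[esc]); i += 2
            elif esc == 'u' and len(scalar) >= i + 6:
                out.append(chr(int(scalar[i + 2:i + 6], 16))); i += 6
            else:
                raise ValueError(f'invalid escape \\{esc}')   # e.g. \d, \W
        elif c == '"':
            if scalar[i + 1:].strip():
                raise ValueError('content after closing quote')
            return ''.join(out)
        else:
            out.append(c); i += 1
    raise ValueError('unterminated double-quoted scalar')

def render(template: str, lucene_query: str) -> str:
    """Plain text substitution, i.e. what a Jinja-style template does."""
    return template.replace('{{ query }}', lucene_query)

def render_safely(lucene_query: str) -> str:
    """A JSON string literal is also a valid YAML double-quoted scalar,
    so an encoder gets the escaping right for any query."""
    return 'query: ' + json.dumps(lucene_query)

def roundtrip(line: str) -> str:
    """The value a YAML loader would hand elastalert for a rendered line."""
    return load_double_quoted(line.split(': ', 1)[1])

# Constructed queries in the style of the listed rules: Lucene-escaped
# backslashes plus a literal quote, and a regex containing \d.
QUERY = r'process.command_line:*\\Windows\\Temp\\* AND process.command_line:*\"*'
QUERY_REGEX = r'process.command_line:/.*\d{4}.*/'
```

With the naive template the first query loads as a different string (each `\\` collapses to `\`) and the second is rejected outright, while `render_safely` round-trips both unchanged.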
Converted rule not accepted by elastalert
Pipeline configuration: -t lucene -p sysmon -p ecs_windows
For instance: posh_ps_amsi_null_bits_bypass.yml, the result is
The following rules have the problem (r2024-01-29):
posh_pm_susp_invocation_specific.yml
posh_ps_amsi_null_bits_bypass.yml
posh_ps_import_module_susp_dirs.yml
posh_ps_set_acl_susp_location.yml
posh_ps_set_policies_to_unsecure_level.yml
posh_ps_susp_invocation_specific.yml
posh_ps_user_profile_tampering.yml
proc_creation_win_cmd_redirection_susp_folder.yml
proc_creation_win_curl_download_direct_ip_exec.yml
proc_creation_win_curl_download_direct_ip_susp_extensions.yml
proc_creation_win_curl_download_susp_file_sharing_domains.yml
proc_creation_win_findstr_lnk.yml
proc_creation_win_findstr_recon_everyone.yml
proc_creation_win_hktl_crackmapexec_execution.yml
proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml
proc_creation_win_net_default_accounts_manipulation.yml
proc_creation_win_powershell_amsi_null_bits_bypass.yml
proc_creation_win_powershell_import_module_susp_dirs.yml
proc_creation_win_powershell_invocation_specific.yml
proc_creation_win_powershell_set_acl_susp_location.yml
proc_creation_win_powershell_xor_commandline.yml
proc_creation_win_regsvr32_susp_exec_path_2.yml
proc_creation_win_rundll32_uncommon_dll_extension.yml
proc_creation_win_schtasks_guid_task_name.yml
proc_creation_win_susp_office_token_search.yml
proc_creation_win_susp_privilege_escalation_cli_patterns.yml
proc_creation_win_wget_download_direct_ip.yml
proc_creation_win_wget_download_susp_file_sharing_domains.yml