Elastic Security does not know the severity Informational.
It only understands Low, Medium, High, Critical.
Since Sigma does allow Informational (as it is designed to), there will be the possibility of getting Informational severity (level in Sigma).
I propose to add code to bump the severity of Informational to Low, but, for example, setting the riskScore to 0:

```python
# Proposed change to the rule-dict construction; severity_risk_mapping is the
# backend's existing level-name -> risk score table.
"riskScore": (
    0 if rule.level is not None and str(rule.level.name).lower() == "informational"
    else self.severity_risk_mapping[rule.level.name] if rule.level is not None
    else 21
),
"riskScoreMapping": [],
"severity": (
    # Elastic has no "informational"; map it (and a missing level) to "low"
    "low" if rule.level is None or str(rule.level.name).lower() == "informational"
    else str(rule.level.name).lower()
),
```
For example, in the `finalize_query_siem_rule_ndjson` and `finalize_query_siem_rule` functions:
https://github.com/SigmaHQ/pySigma-backend-elasticsearch/blob/main/sigma/backends/elasticsearch/elasticsearch_eql.py#L379
https://github.com/SigmaHQ/pySigma-backend-elasticsearch/blob/main/sigma/backends/elasticsearch/elasticsearch_eql.py#L450
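The level-to-severity mapping proposed above, written out as a stand-alone function so the edge cases (no level set, and the Informational level that Elastic Security cannot ingest) can be exercised without a running backend. This is an added example, not code from the pySigma-backend-elasticsearch project: the `SigmaLevel` enum is a constructed stand-in for pySigma's own, and the risk-score table is assumed to follow Elastic Security's default severity-to-risk values (low 21, medium 47, high 73, critical 99).

```python
from enum import Enum, auto
from typing import Optional

# Constructed stand-in for pySigma's SigmaLevel enum (sigma.rule.SigmaLevel),
# so the example runs without pySigma installed.
class SigmaLevel(Enum):
    INFORMATIONAL = auto()
    LOW = auto()
    MEDIUM = auto()
    HIGH = auto()
    CRITICAL = auto()

# Assumed to mirror the backend's severity_risk_mapping; the numbers are
# Elastic Security's default risk score per severity.
SEVERITY_RISK_MAPPING = {
    "LOW": 21,
    "MEDIUM": 47,
    "HIGH": 73,
    "CRITICAL": 99,
}

# The only severity values Elastic Security's rule import accepts.
ELASTIC_SEVERITIES = {"low", "medium", "high", "critical"}


def elastic_severity_fields(level: Optional[SigmaLevel]) -> dict:
    """Map a Sigma level onto the severity/riskScore pair Elastic Security accepts.

    - no level          -> severity "low", riskScore 21 (the backend's existing default)
    - informational     -> severity "low", riskScore 0 (Elastic has no "informational";
                           a zero risk score keeps it visibly below real "low" rules)
    - low..critical     -> severity name lower-cased, riskScore from the mapping table
    """
    if level is None:
        return {"severity": "low", "riskScore": SEVERITY_RISK_MAPPING["LOW"], "riskScoreMapping": []}
    name = str(level.name)
    if name.lower() == "informational":
        return {"severity": "low", "riskScore": 0, "riskScoreMapping": []}
    return {"severity": name.lower(), "riskScore": SEVERITY_RISK_MAPPING[name], "riskScoreMapping": []}


def validate_for_elastic(fields: dict) -> bool:
    """Reject field sets Elastic Security would refuse: an unknown severity string
    or a risk score outside the 0..100 range."""
    return fields["severity"] in ELASTIC_SEVERITIES and 0 <= fields["riskScore"] <= 100


if __name__ == "__main__":
    # Show the result for every level plus the "no level" case; all of them
    # should pass validation once Informational is bumped to low.
    for lvl in [None, *SigmaLevel]:
        fields = elastic_severity_fields(lvl)
        print(f"{lvl!s:28} -> {fields}  valid={validate_for_elastic(fields)}")
```

Passing an unmapped `"informational"` severity through `validate_for_elastic` returns `False`, which is exactly the rejection the proposal avoids; the `riskScore` of 0 is what preserves the distinction between a bumped Informational rule and a genuine Low rule inside Elastic.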