Custom event category in correlation rule

Can anyone please explain what this means?

I have Symantec antimalware logs on the index pattern logstash-sepm*. In the JSON document I don't have an event.category field, but I want to create a correlation rule for when the same malware is detected on multiple hosts. So I first have to select a value present in event.category like "process" or anything else. I want to declare the field "type" as my event.category, but it does not work.

Can anyone please explain to me how I can define a custom event.category here ^

EQL uses the @timestamp and event.category fields.
Yes, you can customize the fields when running the query using your own code or from the Kibana Dev Console, but from the Kibana SIEM UI there is a call to the endpoint:

POST https://localhost:5601/internal/search/eql
{
  "params": {
    "allow_no_indices": true,
    "index": "my-index",
    "body": {
      "query": "xxxxxx",
      "timestamp_field": "file.accessed",
      "size": 0
    }
  },
  "options": {
    "ignore": [
      400
    ]
  }
}

So you need to have @timestamp and event.category in your index.
Then use only the content of the query.

As far as I could understand from the documentation, we can define a custom field like "event_category_field": "file.type" as the event.category if and only if we don't have event.category in the JSON document.

Here I want to ask how I can define event_category_field through the Kibana UI. I know the Kibana UI's objective is to run the EQL syntax only, but if I want to declare my custom field as event.category, how will it be accomplished?

Thank you
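For reference, the place where these overrides are accepted is the Elasticsearch EQL search API itself (for example `POST logstash-sepm*/_eql/search` from the Kibana Dev Console), not the SIEM rule editor. The request body below is an added example, not taken from the thread; the field name "type" stands in for whatever field in the Symantec documents carries the category, and "any where true" is a placeholder query that matches every event.

```json
{
  "timestamp_field": "@timestamp",
  "event_category_field": "type",
  "query": "any where true",
  "size": 10
}
```

If the index already contains event.category, Elasticsearch uses it and the override is unnecessary; only indices without that field need event_category_field.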

Simply you can't from the UI

ok thank you for your reply
