Can anyone please explain what does it means
I have Symantec antimalware logs on index pattern logstash-sepm*. In json document I don't have event.category field but I want to create a correlation rule what if the same malware detects on multiple hosts. So I have to first select a value present in event.category like "process" or anything else. I want to declear field "type" as my event.catoegory but it deoesnot work.
Can anyone please explain me how can I define custom event.category here ^
EQL uses the @timestamp and event.category
Yes you can cusotmize fields when running the query using your custom code or from Kibana Dev Console, but from the Kibaba SIEM UI, there is a call to the endpoint :
POST https://localhost:5601/internal/search/eql
{
"params": {
"allow_no_indices": true,
"index": "my-index",
"body": {
"query": ""timestamp_field": "file.accessed" xxxxxx",
"size": 0
}
},
"options": {
"ignore": [
400
]
}
}
So you need to have @timestamp and event.category in your index
Then use only the content of the query
As far as I could understand from the documentation is, we can define custom field like "event_category_field": "file.type" as an event.category if and only if we don't have event.category in the json document.
Here I want to ask how can I define event_category_field through kibana UI. I know kibana UI objective is to run the EQL syntax only but if I am wanting to declear my custom field as event.category how will it be accomplished.
Thank you
Simply you can't from the UI
ok thank you for your reply
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.