Set custom event.category field to execute EQL in detection rules

I'm trying to set up a custom detection rule based in EQL sequence matching, with the trouble that the field that I chose for custom event.category in ECS It's really the ECS tags field in my indexed documents

I'm in the situation where, my EQL works in context of API-EQL queries where I can specify the field: "event_category_field": "tags"

This works:

But when trying to create the rule in security features:



If there isn't another solution how can I rename the field over the index ?

1 Like

I run into the same issue and use the "workarround" of using "any" as the event category filter and then filter in the where statement. Maybe something like this does the trick for you:

any where tcp.srcport == "3389" 

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.