Set custom event.category field to execute EQL in detection rules

I'm trying to set up a custom detection rule based on EQL sequence matching, with the trouble that the field I chose as the custom event.category in ECS is really the ECS tags field in my indexed documents.

I'm in the situation where my EQL works in the context of API EQL queries, where I can specify the field: "event_category_field": "tags"

This works:
[screenshot]

But when I try to create the rule in the security features:

[screenshots]

If there isn't another solution, how can I rename the field over the index?


I ran into the same issue and use the "workaround" of using "any" as the event category filter and then filtering in the where statement. Maybe something like this does the trick for you:

any where tcp.srcport == "3389"
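The reply's workaround, generalized as an added example (my code, not from the thread): a Python helper that rewrites a category-based EQL query into the `any where tags == "<category>" and (...)` form that the rule editor accepts. It assumes, as in the original post, that the category value lives in the `tags` field; the sample queries are constructed.

```python
import re

# Matches "<category> where " but leaves "any where" alone, since "any" is
# already category-agnostic. Field name "tags" comes from the original post.
_CATEGORY_RE = re.compile(r'\b(?!any\b)([A-Za-z_][A-Za-z0-9_.]*)\s+where\s+')


def to_any_where(query: str, category_field: str = "tags") -> str:
    """Return `query` with every `<category> where <cond>` rewritten as
    `any where <category_field> == "<category>" and (<cond>)`.
    Sequence subqueries in [...] and trailing pipes (| head, | tail) are kept."""
    out, pos = [], 0
    for m in _CATEGORY_RE.finditer(query):
        if m.start() < pos:  # match lies inside a condition already consumed
            continue
        category, i, depth = m.group(1), m.end(), 0
        while i < len(query):
            ch = query[i]
            if ch in ('"', "'"):  # skip string literals, which may contain ] or |
                close = query.find(ch, i + 1)
                i = len(query) if close == -1 else close + 1
                continue
            if ch == "[":
                depth += 1
            elif ch == "]":
                if depth == 0:  # closing bracket of this sequence subquery
                    break
                depth -= 1
            elif ch == "|" and depth == 0:  # start of a pipe section
                break
            i += 1
        cond = query[m.end():i].rstrip()
        out.append(query[pos:m.start()])
        out.append(f'any where {category_field} == "{category}" and ({cond})')
        pos = m.end() + len(cond)  # keep whitespace before ] or | in the remainder
    out.append(query[pos:])
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample: an RDP connection followed by a new process on the same host.
    seq = ('sequence by host.name with maxspan=1m '
           '[network where destination.port == 3389] '
           '[process where process.name == "cmd.exe"]')
    print(to_any_where(seq))
```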
