Severity override range

Hi,

I'm running ELK stack version 7.11.2.

I want to ingest AWS GuardDuty alerts; these have severities defined here:

https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html

Basically, values between 1.0 and 8.9 map to different severity levels.
These I've mapped to event.severity.

Now for signal rule detection, I wanted to override the default severity,
and was wondering how to give a range in order to map the GuardDuty
severities to Kibana SIEM severities?

I could do so in Logstash, create a new field, and use that in the severity
override, but thought there might be a way to do so in Kibana?

Sebastian
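The ingest-time approach the post mentions, as an added example that is not part of the original post or of any Elastic code: a Kibana detection rule's severity override matches exact field values, not numeric ranges, so the banding has to happen before the event reaches the index. The functions below are the logic you would put in a Logstash `ruby` filter. The bands follow the GuardDuty documentation linked above (Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9); the target field name `guardduty.severity_label`, the tag name, and the sample events are assumptions made for this example.

```ruby
# Added example: band a GuardDuty numeric severity (event.severity, 1.0..8.9)
# into a label that a Kibana detection rule's severity override can match on.
# Bands per the GuardDuty docs; values outside 1.0..8.9 are left unmapped so
# the rule falls back to its default severity instead of silently mislabelling.

# [lower bound inclusive, upper bound exclusive, label]; the last band's upper
# bound is the documented maximum of 8.9, checked inclusively below.
GUARDDUTY_BANDS = [
  [1.0, 4.0, "low"],
  [4.0, 7.0, "medium"],
  [7.0, 8.9, "high"],
].freeze

# Returns "low" / "medium" / "high", or nil when the value is missing,
# non-numeric, or outside the documented 1.0..8.9 range.
def guardduty_severity_label(value)
  return nil if value.nil?
  sev = Float(value, exception: false) # GuardDuty may deliver the number as a string
  return nil if sev.nil?

  GUARDDUTY_BANDS.each do |lo, hi, label|
    return label if sev >= lo && sev < hi
  end
  return "high" if sev == 8.9 # inclusive top of the High band
  nil
end

# Body of the Logstash ruby filter, with a plain Hash standing in for the
# Logstash event (constructed for this example). In a real pipeline the
# reads/writes become event.get("[event][severity]") and
# event.set("[guardduty][severity_label]", label).
# Field name "guardduty.severity_label" and the tag are assumptions.
def apply_severity_label(event)
  label = guardduty_severity_label(event.dig("event", "severity"))
  if label
    (event["guardduty"] ||= {})["severity_label"] = label
  else
    event["tags"] = (event["tags"] || []) + ["_guardduty_severity_unmapped"]
  end
  event
end

# Constructed sample events covering each band plus an out-of-range value.
SAMPLE_EVENTS = [
  { "event" => { "kind" => "alert", "severity" => 2.0 } },
  { "event" => { "kind" => "alert", "severity" => "5.5" } },
  { "event" => { "kind" => "alert", "severity" => 8.0 } },
  { "event" => { "kind" => "alert", "severity" => 9.5 } },
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_EVENTS.each do |ev|
    apply_severity_label(ev)
    label = ev.dig("guardduty", "severity_label") || "unmapped (#{ev['tags'].join(',')})"
    puts "event.severity=#{ev['event']['severity']} -> #{label}"
  end
end
```

With the label field in place, the detection rule's severity override maps `guardduty.severity_label: low/medium/high` to the Kibana severities directly. Writing a tag instead of a label for out-of-range or malformed values keeps bad input visible in the data rather than quietly promoting or demoting an alert.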
