[BUG] Importing a Sigma rule with count() aggregation returns an error #861
Comments
amsiglan
transferred this issue from opensearch-project/security-analytics-dashboards-plugin
|
@sbcd90 Feel free to close this if it's a duplicate |
* Notification security fix (opensearch-project#852) * added injecting whole user object in threadContext before calling notification APIs so that backend roles are available to notification plugin Signed-off-by: Petar Dzepina <[email protected]> * compile fix Signed-off-by: Petar Dzepina <[email protected]> * refactored user_info injection to use InjectSecurity Signed-off-by: Petar Dzepina <[email protected]> * ktlint fix Signed-off-by: Petar Dzepina <[email protected]> --------- Signed-off-by: Petar Dzepina <[email protected]> (cherry picked from commit e0b7a5a7905b977e58d80e3b9134b14893d122b0) * remove unneeded import Signed-off-by: Ashish Agrawal <[email protected]> --------- Signed-off-by: Ashish Agrawal <[email protected]> Co-authored-by: Petar Dzepina <[email protected]> Co-authored-by: Ashish Agrawal <[email protected]>
|
Hi everyone, not sure if anyone run into this issue. but when using the clause similar to this one, count(), it still fails on version 2.13. Unless I count by a field. For example, count(source.ip) > 6. |
|
hi @givilleneuve , please use |
|
Thank you @sbcd90 , I was able to create it. I will perform a few more tests. Thank you, |
|
@sbcd90, not sure if you have this answer on top of the head, but using the count and timeframe, would it be based on the detector detection or the timeframe set on the sigma? For example, for brute force detection: condition: selection1 and selection2 | count (*) by source.ip > 3
|
What is the bug?
Importing a rule with aggregation throws an error.
How can one reproduce the bug?
Steps to reproduce the behavior:
What is the expected behavior?
Ideally OpenSearch should convert Sigma into a valid detection rule behind the scenes when the difference in syntax is known.
The text was updated successfully, but these errors were encountered: