Hello,
I have a working HELK setup with Sigma.
I need to run all the Sigma rules (stored in their HELK folder) at once on historical logs and then build dashboards etc. on them.
I already tried sending those historical logs to HELK, passing them via Winlogbeat etc., and ElastAlert triggers correctly; unfortunately the timestamp of the ElastAlert-generated event equals the Sigma rule match time and not the original event timestamp.
The original event timestamp is written by ElastAlert in the field "match_body.event_original_time".
Is there any other way to achieve the goal of setting this up?
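As an added example (not part of the original post, and not HELK's or ElastAlert's own code), one way to deal with the timestamp problem described above is to re-time the alert documents after the fact: move the ElastAlert match time into a separate field and put the value of "match_body.event_original_time" into "@timestamp", so Kibana dashboards plot alerts at the time the event actually happened. The script below does this for alert documents in Python and also builds the equivalent `_update_by_query` request body for alerts that are already indexed. The index pattern, the field names other than the one named in the post, and the sample alert documents are all constructed assumptions; adjust them to the real index ElastAlert writes to in your setup.

```python
"""Re-time ElastAlert alert documents so dashboards use the original event time.

Added example, not from the original post. Assumptions (all hypothetical):
  * alert docs carry the ElastAlert match time in "@timestamp" and the original
    event time in "match_body.event_original_time" as ISO 8601 strings;
  * the alerts live in an ordinary index matched by ALERT_INDEX (not a data stream).
"""
import json
from datetime import datetime, timezone

ALERT_INDEX = "elastalert-sigma-*"           # assumed index pattern; adjust to your setup
ORIGINAL_TIME_FIELD = "event_original_time"  # the field named in the post

# Constructed sample alert documents, shaped like ElastAlert write-back docs.
SAMPLE_ALERTS = [
    {   # normal case: original time present and parseable
        "@timestamp": "2020-03-10T15:42:07.113Z",
        "rule_name": "Sigma: Suspicious PowerShell Download",
        "match_body": {
            "event_original_time": "2019-11-02T08:15:30.000Z",
            "host_name": "WKSTN-01",
        },
    },
    {   # original time was not copied by ElastAlert: keep match time, flag it
        "@timestamp": "2020-03-10T15:42:08.000Z",
        "rule_name": "Sigma: Mimikatz Command Line",
        "match_body": {"host_name": "WKSTN-02"},
    },
    {   # unparseable original time: keep match time, flag it
        "@timestamp": "2020-03-10T15:42:09.000Z",
        "rule_name": "Sigma: Rundll32 Abuse",
        "match_body": {"event_original_time": "not-a-date"},
    },
]


def parse_iso8601(value):
    """Parse an ISO 8601 timestamp into an aware UTC datetime, or None on failure."""
    if not isinstance(value, str):
        return None
    text = value.strip()
    if text.endswith("Z"):          # fromisoformat() rejects a trailing Z before Python 3.11
        text = text[:-1] + "+00:00"
    try:
        parsed = datetime.fromisoformat(text)
    except ValueError:
        return None
    if parsed.tzinfo is None:       # treat naive timestamps as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def restamp_alert(doc):
    """Return a copy of an alert doc whose @timestamp is the original event time.

    The ElastAlert match time is kept in "alert_time" so detection latency
    (alert_time minus @timestamp) stays available. If the original time is
    missing or unparseable the match time is kept and the doc is flagged.
    """
    out = json.loads(json.dumps(doc))            # deep copy; input is left untouched
    out["alert_time"] = doc["@timestamp"]
    original = parse_iso8601(doc.get("match_body", {}).get(ORIGINAL_TIME_FIELD))
    if original is None:
        out["restamp_status"] = "original_time_missing"
        return out
    millis = original.microsecond // 1000
    out["@timestamp"] = original.strftime("%Y-%m-%dT%H:%M:%S.") + f"{millis:03d}Z"
    out["restamp_status"] = "ok"
    return out


def restamp_all(docs):
    """Re-time a batch of alert documents."""
    return [restamp_alert(d) for d in docs]


def update_by_query_body():
    """Request body for POST <ALERT_INDEX>/_update_by_query doing the same rewrite
    in place with a Painless script. The query skips docs that already carry
    alert_time, so re-running the call is harmless."""
    script = (
        "ctx._source.alert_time = ctx._source['@timestamp'];"
        " if (ctx._source.match_body != null"
        "     && ctx._source.match_body.%s != null) {"
        "   ctx._source['@timestamp'] = ctx._source.match_body.%s;"
        "   ctx._source.restamp_status = 'ok';"
        " } else {"
        "   ctx._source.restamp_status = 'original_time_missing';"
        " }"
    ) % (ORIGINAL_TIME_FIELD, ORIGINAL_TIME_FIELD)
    return {
        "script": {"lang": "painless", "source": script},
        "query": {"bool": {"must_not": {"exists": {"field": "alert_time"}}}},
    }


if __name__ == "__main__":
    for alert in restamp_all(SAMPLE_ALERTS):
        print(alert["rule_name"], alert["@timestamp"], alert["restamp_status"])
    print(f"POST {ALERT_INDEX}/_update_by_query")
    print(json.dumps(update_by_query_body(), indent=2))
```

The Python path is the safer one if you re-run the rules anyway: re-time each alert before it is indexed. The `_update_by_query` path rewrites alerts already in Elasticsearch, but note that the Painless script does no date validation, so with "@timestamp" mapped as a date Elasticsearch will reject the update for any document whose original time does not parse, and the response's failures list will tell you which ones.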