SigmaHQ / pySigma-backend-elasticsearch

pySigma Elasticsearch backend
GNU Lesser General Public License v3.0

Kibana - failed import target elasticsearch format kibana_ndjson #7

Closed si-ddb closed 1 year ago

si-ddb commented 2 years ago

Trying to convert a Sigma rule to a Kibana ndjson file to import as a rule in Kibana v8.3.3.

As an example I took the YAML file win_admin_rdp_login from the SigmaHQ repo.

Executed command: sigma.exe convert -t elasticsearch -p ecs_windows -f kibana_ndjson .\win_admin_rdp_login.yml -o C:\temp\win_admin_rdp_login.ndjson

Output:

{
  "name": "Network errors",
  "raw_network_error": {
    "success": false,
    "success_count": 0,
    "rules_count": 1,
    "errors": [
      {
        "rule_id": "(unknown id)",
        "error": {
          "status_code": 400,
          "message": "Invalid value \"undefined\" supplied to \"description\",Invalid value \"undefined\" supplied to \"risk_score\",Invalid value \"undefined\" supplied to \"name\",Invalid value \"undefined\" supplied to \"severity\",Invalid value \"search\" supplied to \"type\",Invalid value \"undefined\" supplied to \"rule_id\",Invalid value \"{\"id\":\"beats-*\",\"name\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"type\":\"index-pattern\"}\" supplied to \"references\""
        }
      }
    ],
    "exceptions_errors": [],
    "exceptions_success": true,
    "exceptions_success_count": 0
  },
  "message": "Invalid value \"undefined\" supplied to \"description\",Invalid value \"undefined\" supplied to \"risk_score\",Invalid value \"undefined\" supplied to \"name\",Invalid value \"undefined\" supplied to \"severity\",Invalid value \"search\" supplied to \"type\",Invalid value \"undefined\" supplied to \"rule_id\",Invalid value \"{\"id\":\"beats-*\",\"name\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"type\":\"index-pattern\"}\" supplied to \"references\""
}

Screenshot: https://imgur.com/HSIifFt

thomaspatzke commented 2 years ago

Moved to the backend repository because the issue is located here.

andurin commented 2 years ago

@si-ddb Sorry to come over here that late.

I've just tried to check this issue, since the Kibana error seems pretty clear about unset but wanted fields in the ndjson output.

I didn't test this yet against Kibana/Elasticsearch and I have to create some EK-Docker instances for that. Could you do me the favour and post the resulting ndjson file here?

Mine from today looks good to me, but I'm not really sure if Kibana wants those fields at another level in the JSON hierarchy.

cat /tmp/win_admin_rdp_login.ndjson | jq
{
  "id": "0f63e1ef-1eb9-4226-9d54-8927ca08520a",
  "type": "search",
  "attributes": {
    "title": "SIGMA - Admin User Remote Logon",
    "description": "Detect remote login by Administrator user (depending on internal pattern).",
    "hits": 0,
...
...
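A pre-import check for the shape mismatch this thread describes, written here as an added example (not code from the backend or from either poster): it reads an ndjson export line by line, reports which of the fields Kibana's detection-rule importer rejected as "undefined" are absent, and flags the saved-object shape (type "search" with an "attributes" block) that the backend emitted. The sample ndjson is constructed to mirror the output above, and the list of accepted rule types is an assumption based on Kibana 8.x.

```python
import json

# Fields the Kibana detection-rule importer reported as "undefined" in the error above.
REQUIRED_RULE_FIELDS = ("rule_id", "name", "description", "risk_score", "severity", "type")
# Rule types accepted by the detection-rule importer (assumed from Kibana 8.x);
# "search" is a saved-object type, which is why the importer rejected it.
RULE_TYPES = {"query", "eql", "threshold", "machine_learning", "threat_match", "saved_query"}


def check_line(obj: dict) -> list[str]:
    """Return the problems that would make Kibana reject this object as a detection rule."""
    problems = []
    # A saved-search export nests title/description under "attributes" instead of top level.
    if obj.get("type") == "search" and "attributes" in obj:
        problems.append("saved-object shape (type=search with attributes): not a detection rule")
    for field in REQUIRED_RULE_FIELDS:
        if field not in obj:
            problems.append(f"missing {field}")
    if "type" in obj and obj["type"] not in RULE_TYPES:
        problems.append(f"type {obj['type']!r} is not a detection rule type")
    # Detection rules expect "references" to be a list of strings, not saved-object links.
    if "references" in obj and not all(isinstance(r, str) for r in obj["references"]):
        problems.append("references must be a list of strings")
    return problems


def check_ndjson(text: str) -> dict[int, list[str]]:
    """Map 1-based line numbers to their problems; lines that pass are omitted."""
    results = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as e:
            results[lineno] = [f"invalid JSON: {e.msg}"]
            continue
        if problems := check_line(obj):
            results[lineno] = problems
    return results


# Constructed sample: line 1 mirrors the backend's saved-search output, line 2 is a
# minimal detection rule with a placeholder rule_id.
SAMPLE_NDJSON = "\n".join([
    json.dumps({"id": "0f63e1ef-1eb9-4226-9d54-8927ca08520a", "type": "search",
                "attributes": {"title": "SIGMA - Admin User Remote Logon", "hits": 0},
                "references": [{"id": "beats-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
                                "type": "index-pattern"}]}),
    json.dumps({"rule_id": "PLACEHOLDER-RULE-ID", "name": "Admin User Remote Logon",
                "description": "Constructed example rule", "risk_score": 50, "severity": "medium",
                "type": "query", "query": "event.code:4624", "references": []}),
])
```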