Closed ericzinnikas closed 1 year ago
After looking at the code, I do see `min_time`, `max_time` are supported arguments for the `SplunkBackend` class, though I wonder if there would be a better way to support this per-rule (per-severity) rather than for all rules.
I also had the same thoughts, but I guess that this would end up modifying the Sigma rule YAML files - not sure how generic the time frame information is to other systems as I mostly work with Splunk. Maybe one can try adding this information via pipelines (not sure if possible), but then it's still pipeline-/product-bound.
I think some basic possibility for this could be built in a generic way for all backends, but at first this will be backend-specific, especially for more extended ways to express this like the cron syntax.
Wondering if there are any plans/thoughts for how to implement alert scheduling and relative time-ranges for `savedsearches.conf` output (i.e. run every 30mins, search over the past 30mins to now) per-rule instead of for all rules (under `[default]`).

Currently looking at handling this outside of Sigma by manually setting parts of `savedsearches.conf`, ex:

Possibly the rule `level` could map to specific time-ranges and frequencies, or this could just be defined with a new/custom field.
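As an added illustration of the level-to-schedule idea raised in this thread (this is not pySigma, SplunkBackend or Splunk code, and it does not use the pySigma API): the script below maps a Sigma rule's `level`, or an assumed per-rule `schedule` override key, to the `cron_schedule` / `dispatch.earliest_time` / `dispatch.latest_time` keys of a `savedsearches.conf` stanza. The level table, the `schedule` key, the rule dicts and the SPL strings are all constructed assumptions. It also refuses a schedule whose lookback is shorter than its run interval, since that would leave windows of events no scheduled run ever searches.

```python
"""Map Sigma rule level (or a per-rule override) to Splunk savedsearches.conf
scheduling keys. Added illustration; the LEVEL_DEFAULTS table, the optional
`schedule` rule key and the sample rules below are assumptions, not part of
Sigma or pySigma."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Schedule:
    cron: str            # cron_schedule (5-field cron)
    earliest: str        # dispatch.earliest_time, Splunk relative time modifier
    latest: str = "now"  # dispatch.latest_time


# Assumed defaults per Sigma level: more severe rules run more often, and the
# lookback equals the run interval so consecutive runs leave no gap.
LEVEL_DEFAULTS = {
    "critical":      Schedule("*/5 * * * *",  "-5m"),
    "high":          Schedule("*/15 * * * *", "-15m"),
    "medium":        Schedule("*/30 * * * *", "-30m"),
    "low":           Schedule("0 * * * *",    "-1h"),
    "informational": Schedule("0 0 * * *",    "-24h"),
}

_UNIT_MINUTES = {"m": 1, "h": 60, "d": 1440}


def relative_minutes(modifier: str) -> int:
    """'-30m' -> 30, '-1h' -> 60. Only the simple '-<n><unit>' form is handled."""
    m = re.fullmatch(r"-(\d+)([mhd])", modifier)
    if not m:
        raise ValueError(f"unsupported relative time modifier: {modifier!r}")
    return int(m.group(1)) * _UNIT_MINUTES[m.group(2)]


def cron_interval_minutes(cron: str) -> int:
    """Run interval for the cron shapes used here: '*/N * * * *',
    '0 */N * * *', hourly '0 * * * *' and daily '0 0 * * *'."""
    fields = cron.split()
    if len(fields) != 5:
        raise ValueError(f"cron_schedule must have 5 fields: {cron!r}")
    minute, hour = fields[0], fields[1]
    if minute.startswith("*/"):
        return int(minute[2:])
    if hour == "*":
        return 60
    if hour.startswith("*/"):
        return 60 * int(hour[2:])
    return 1440


def check_coverage(sched: Schedule) -> str:
    """Return '' if the lookback covers the run interval, else a description of
    the blind spot the schedule would create."""
    if sched.latest != "now":
        return ""  # only the common '<earliest> .. now' window is checked here
    lookback, interval = relative_minutes(sched.earliest), cron_interval_minutes(sched.cron)
    if lookback < interval:
        return f"lookback {sched.earliest} ({lookback}m) shorter than cron interval ({interval}m)"
    return ""


def schedule_for(rule: dict) -> Schedule:
    """Assumed per-rule `schedule` override wins over the level default."""
    custom = rule.get("schedule")
    if custom:
        sched = Schedule(custom["cron"], custom["earliest"], custom.get("latest", "now"))
    else:
        sched = LEVEL_DEFAULTS[rule.get("level", "medium")]
    problem = check_coverage(sched)
    if problem:
        raise ValueError(f"{rule.get('title', '?')}: {problem}")
    return sched


def stanza(rule: dict, spl: str) -> str:
    """Render one savedsearches.conf stanza for a rule and its converted SPL."""
    s = schedule_for(rule)
    return "\n".join([
        f"[{rule['title']}]",
        f"search = {spl}",
        "enableSched = 1",
        f"cron_schedule = {s.cron}",
        f"dispatch.earliest_time = {s.earliest}",
        f"dispatch.latest_time = {s.latest}",
    ]) + "\n"


def render(rules) -> str:
    """rules: iterable of (sigma_rule_dict, spl_string) pairs."""
    return "\n".join(stanza(rule, spl) for rule, spl in rules)


# Constructed sample input: rule dicts as they would come from the rule YAML,
# paired with the SPL a backend would have produced for them.
SAMPLE_RULES = [
    ({"title": "Constructed High Rule", "level": "high"},
     'source="WinEventLog:Security" EventCode=4688'),
    ({"title": "Constructed Custom Rule", "level": "low",
      "schedule": {"cron": "*/10 * * * *", "earliest": "-10m"}},
     'source="WinEventLog:Security" EventCode=4624'),
]

if __name__ == "__main__":
    print(render(SAMPLE_RULES))
```

Each level here maps to a schedule whose lookback equals the run interval; a custom `schedule` on the rule (the "new/custom field" option from the issue) overrides it, and `check_coverage` rejects any combination that would leave unsearched gaps between runs.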