Open spvcxsh1p opened 1 hour ago
Welcome @spvcxsh1p :wave:
It looks like this is your first issue on the Sigma rules repository!
The following repository accepts issues related to false positives or 'rule ideas'.
If you're reporting an issue related to the pySigma library please consider submitting it here
If you're reporting an issue related to the deprecated sigmac library please consider submitting it here
Thanks for taking the time to open this issue, and welcome to the Sigma community! :smiley:
Hello! I have encountered a problem with using aggregation functions in SIGMA rules. I use ElastAlert as a backend. When trying to convert a SIGMA rule that uses the count() by construct, I get an error that ElastAlert cannot use this aggregation function. Can you tell me whether anyone has encountered a similar problem, and whether there are other methods that can be used to implement aggregation functions in SIGMA that are supported by ElastAlert? Here is an example of a rule that does not work on ElastAlert. Is it possible to convert it using other aggregation functions so that it can be used with the ElastAlert backend?
```yaml
title: Network Scans
id: fab0ddf0-b8a9-4d70-91ce-a20547209afb
description: Detects many failed connection attempts to different ports or hosts
author: Thomas Patzke
date: 2017/02/19
logsource:
    category: firewall
detection:
    selection:
        action: denied
    timeframe: 24h
    condition:
```
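Added example, not from the issue or the Sigma project: when a backend cannot run `count(field) by group` with a `timeframe`, the same detection can be evaluated outside the backend over the events the plain `selection` returns. The code below reproduces the rule's aggregation in Python with a sliding 24h window; it assumes the cut-off condition is `selection | count(dst_port) by src_ip > threshold`, that `count(x)` means distinct values of `x`, and uses constructed sample events.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall events (not from the issue). Three sources:
# 10.0.0.5 is denied on 12 different ports within minutes, 10.0.0.7 is denied
# on one port repeatedly, 10.0.0.9 hits 12 ports but 48 hours apart each time.
SAMPLE_EVENTS = (
    [{"@timestamp": f"2017-02-19T10:{m:02d}:00", "action": "denied",
      "src_ip": "10.0.0.5", "dst_port": 20 + m} for m in range(12)]
    + [{"@timestamp": f"2017-02-19T11:{m:02d}:00", "action": "denied",
        "src_ip": "10.0.0.7", "dst_port": 445} for m in range(30)]
    + [{"@timestamp": f"2017-02-{1 + 2 * i:02d}T09:00:00", "action": "denied",
        "src_ip": "10.0.0.9", "dst_port": 1000 + i} for i in range(12)]
    + [{"@timestamp": "2017-02-19T10:05:00", "action": "allowed",
        "src_ip": "10.0.0.5", "dst_port": 80}]
)

def matches_selection(event):
    """The rule's `selection`: action: denied."""
    return event.get("action") == "denied"

def count_distinct_by(events, field="dst_port", group_by="src_ip",
                      timeframe=timedelta(hours=24)):
    """Sliding-window form of `count(field) by group_by` with `timeframe`.
    Returns, per group, the largest number of distinct `field` values seen in
    any window of length `timeframe` (assumes count(x) = distinct x)."""
    per_group = defaultdict(list)
    for ev in events:
        if matches_selection(ev):
            per_group[ev[group_by]].append(
                (datetime.fromisoformat(ev["@timestamp"]), ev[field]))
    result = {}
    for group, rows in per_group.items():
        rows.sort()
        best = 0
        for i, (start, _) in enumerate(rows):
            end = start + timeframe
            distinct = {v for ts, v in rows[i:] if ts <= end}
            best = max(best, len(distinct))
        result[group] = best
    return result

def detect_scans(events, threshold=10, **kwargs):
    """Emulates `condition: selection | count(dst_port) by src_ip > threshold`.
    The threshold is an assumption: the condition line is cut off above."""
    counts = count_distinct_by(events, **kwargs)
    return sorted(src for src, n in counts.items() if n > threshold)

if __name__ == "__main__":
    print(detect_scans(SAMPLE_EVENTS))  # ['10.0.0.5']
```

Only the source probing many ports inside one 24h window fires; the repeated single-port denials and the slow, spread-out probing stay under the threshold.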