Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch
https://elastalert.readthedocs.org
Apache License 2.0

How to edit max_query_size #3101

Closed aniketpant1 closed 3 months ago

aniketpant1 commented 3 years ago

I have 800 Sigma rules. I have to edit max_query_size in each file. Is there any way to edit them?
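One way to change max_query_size across a directory of ElastAlert rule files without touching each by hand is a small script that rewrites the top-level key in place. The following is an added example written for this thread; it is not code from the ElastAlert project, from sigmac, or from the poster, and the rule directory layout, the file names and the sample rule contents inside it are constructed for the demonstration. It edits the raw text rather than round-tripping through a YAML library, so comments, key order and quoting in the rule files survive, and it only matches the key at column 0, so a nested key with the same name is left alone.

```python
import re
import tempfile
from pathlib import Path

# Matches a top-level (column 0) max_query_size key in an ElastAlert rule file.
# Indented occurrences (nested under another key) are deliberately ignored.
_KEY_RE = re.compile(r"^max_query_size:.*$", re.MULTILINE)


def set_max_query_size(rule_text: str, value: int) -> str:
    """Return rule_text with the top-level max_query_size set to value.

    The text is edited directly instead of being parsed and re-dumped, so
    comments, key order and quoting in the rule file are preserved. If the
    key is absent it is appended as a new top-level line.
    """
    new_line = f"max_query_size: {value}"
    if _KEY_RE.search(rule_text):
        return _KEY_RE.sub(new_line, rule_text)
    if rule_text and not rule_text.endswith("\n"):
        rule_text += "\n"
    return rule_text + new_line + "\n"


def update_rule_files(rule_dir, value: int, suffixes=(".yml", ".yaml")) -> list:
    """Rewrite every rule file under rule_dir; return the paths that changed.

    Files already at the requested value are left untouched, so the run is
    idempotent and safe to repeat.
    """
    changed = []
    for path in sorted(Path(rule_dir).rglob("*")):
        if not path.is_file() or path.suffix not in suffixes:
            continue
        original = path.read_text(encoding="utf-8")
        updated = set_max_query_size(original, value)
        if updated != original:
            path.write_text(updated, encoding="utf-8")
            changed.append(path)
    return changed


# Constructed sample rules (hypothetical contents, not real Sigma output).
_SAMPLE_RULES = {
    "a.yml": "name: win_advanced_ip_scanner\nmax_query_size: 10000\nfilter:\n- query:\n    query_string:\n      query: 'foo'\n",
    "b.yml": "name: rule_without_key\nfilter:\n- term:\n    event_id: 1\n",
    "c.yml": "name: already_set\nmax_query_size: 10\n",
}


def demo(value: int = 10) -> list:
    """Write the constructed rules to a temp dir, update them, return the names changed."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in _SAMPLE_RULES.items():
            Path(tmp, name).write_text(text, encoding="utf-8")
        changed = update_rule_files(tmp, value)
        return sorted(p.name for p in changed)


if __name__ == "__main__":
    # Replace the demo with: update_rule_files("/root/sigma_rules", 10)
    print("changed:", demo())
```

Run it against the real rule directory with update_rule_files("/path/to/rules", 10) after a dry run on a copy; the returned list is the audit trail of which files were rewritten.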

aniketpant1 commented 3 years ago

Hey @nsano-rururu, is this correct?

tools/sigmac -t elastalert -c tools/config/generic/sysmon.yml -c sigmac/sigmac-config.yml --backend-option timestamp_field=etl_processed_time max_query_size=10 -o /root/sigma_rules/sigma_sysmon_win_advanced_ip_scanner.yml rules/windows/process_creation/win_advanced_ip_scanner.yml

aniketpant1 commented 3 years ago

Error while running the above:

usage: sigmac [-h] [--recurse] [--filter FILTER]
              [--target {fireeye-helix,es-rule,kibana,grep,arcsight,arcsight-esm,elastalert-dsl,uberagent,es-qs,es-dsl,carbonblack,sumologic,sumologic-cse,graylog,stix,qradar,ala,fieldlist,logiq,sql,powershell,sqlite,sysmon,elastalert,xpack-watcher,limacharlie,qualys,splunk,csharp,ee-outliers,humio,splunkxml,sumologic-cse-rule,mdatp,netwitness,logpoint,kibana-ndjson,ala-rule,netwitness-epl,crowdstrike}]
              [--lists] [--config CONFIG] [--output OUTPUT] [--print0]
              [--backend-option BACKEND_OPTION] [--backend-config BACKEND_CONFIG]
              [--backend-help BACKEND_HELP] [--defer-abort] [--ignore-backend-errors]
              [--verbose] [--debug]
              [inputs [inputs ...]]
sigmac: error: unrecognized arguments: rules/windows/process_creation/win_advanced_ip_scanner.yml