at the moment, "sigma plugins" are needed to convert sigma rules to Lucene queries since Gulp is ingesting documents in its own GulpDocument format, which renames most of the source event fields to ECS format (while keeping the raw event in "event.original").
this proposal is about to remove sigma plugins at all, and rework GulpDocument keeping just "@timestamp" and the other few ECS-renamed fields used by the UI to do its visualization logic, like "event.code", "agent.type".
this way, documents will be ingested with fields as-is, plus the fields mentioned above would be added to keep the existing UI logic happy.
at the moment, "sigma plugins" are needed to convert sigma rules to Lucene queries since Gulp is ingesting documents in its own GulpDocument format, which renames most of the source event fields to ECS format (while keeping the raw event in "event.original").
this proposal is about to remove sigma plugins at all, and rework GulpDocument keeping just "@timestamp" and the other few ECS-renamed fields used by the UI to do its visualization logic, like "event.code", "agent.type".
this way, documents will be ingested with fields as-is, plus the fields mentioned above would be added to keep the existing UI logic happy.
benefits: