By using a translator like STIX-shifter, or a similar project that already implements the pattern grammar, like stix2patterns, STIX patterns could be translated into OpenSearch DSL queries. This requires both a translator and a data model that maps STIX object paths (for example ipv4-addr:value) to alert fields, since Wazuh doesn't really have a common schema for alerts: the field names depend on the decoder that produced the alert.
Adding direct indicator support would be incredibly useful. The current implementation depends on relationships between indicators and observables ("based-on"). These are fortunately often provided, but they only make sense when the indicator pattern is trivial, i.e. a single comparison against one observable value. Additionally, some sources only provide a STIX pattern without any references to observables, and those indicators cannot be used at all with the current approach.
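As an added example (not code from this project or from STIX-shifter/stix2patterns), here is a small translator for the subset of the STIX pattern grammar that trivial indicators actually use: =, != and IN comparisons joined by AND/OR inside and between observation brackets. It carries its own tokenizer and recursive-descent parser so it runs offline without either library. The STIX_TO_WAZUH dictionary is the "model" mentioned above and is an assumption: the field names are illustrative, and a real deployment has to write its own mapping because Wazuh alert fields depend on the decoder. Qualifiers (WITHIN, REPEATS, START/STOP), FOLLOWEDBY, LIKE and MATCHES are rejected rather than silently mistranslated, and an unmapped object path raises so that an indicator is never turned into a query that quietly matches nothing.

```python
# Added example, not project code: translate the subset of the STIX pattern grammar that
# trivial indicators use (=, != and IN comparisons joined by AND/OR inside and between
# observation brackets, AND binding tighter) into OpenSearch DSL. Anything else raises.
import re

# Assumed model (hypothetical field names): STIX object path -> Wazuh alert fields.
STIX_TO_WAZUH = {
    "ipv4-addr:value": ["data.srcip", "data.dstip"],
    "domain-name:value": ["data.dns.question.name"],
    "url:value": ["data.url"],
    "file:hashes.'SHA-256'": ["syscheck.sha256_after"],
}

TOKEN_RE = re.compile(r"""\s*(?:
    (?P<lbr>\[)|(?P<rbr>\])|(?P<lpar>\()|(?P<rpar>\))|(?P<comma>,)|(?P<op>!=|=)|
    (?P<kw>\b(?:AND|OR|NOT|IN|FOLLOWEDBY|WITHIN|REPEATS|START|STOP|LIKE|MATCHES)\b)|
    (?P<str>'(?:[^'\\]|\\.)*')|(?P<path>[a-z0-9-]+:[^\s=!\[\](),]+))""", re.VERBOSE)


def tokenize(pattern):
    """Split a pattern into (kind, text) tokens; anything unrecognised raises."""
    tokens, pos = [], 0
    while pattern[pos:].strip():
        m = TOKEN_RE.match(pattern, pos)
        if m is None:
            raise ValueError(f"unsupported token at {pos}: {pattern[pos:pos + 12]!r}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens


def any_field(fields, clause):
    # OR one clause across every alert field the model maps a STIX path to.
    clauses = [clause(f) for f in fields]
    return clauses[0] if len(clauses) == 1 else {"bool": {"should": clauses, "minimum_should_match": 1}}


class Parser:
    def __init__(self, tokens, model):
        self.toks, self.i, self.model = tokens, 0, model

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind):
        k, v = self.peek()
        if k != kind:
            raise ValueError(f"expected {kind}, got {v!r}")
        self.i += 1
        return v

    def boolean(self, operand):
        """operand (AND operand)* groups joined by OR; used at both grammar levels."""
        groups = [[operand()]]
        while self.peek() in (("kw", "AND"), ("kw", "OR")):
            if self.take("kw") == "AND":
                groups[-1].append(operand())
            else:
                groups.append([operand()])
        ands = [g[0] if len(g) == 1 else {"bool": {"must": g}} for g in groups]
        return ands[0] if len(ands) == 1 else {"bool": {"should": ands, "minimum_should_match": 1}}

    def observation(self):
        self.take("lbr")
        q = self.boolean(self.comparison)
        self.take("rbr")
        return q

    def comparison(self):
        path = self.take("path")
        fields = self.model.get(path)
        if fields is None:
            raise ValueError(f"no Wazuh field mapped for {path}")
        kind, op = self.peek()
        if kind == "op":
            self.i += 1
            value = self.literal()
            clause = any_field(fields, lambda f: {"term": {f: value}})
            return clause if op == "=" else {"bool": {"must_not": [clause]}}
        if (kind, op) == ("kw", "IN"):
            self.i += 1
            self.take("lpar")
            values = [self.literal()]
            while self.peek()[0] == "comma" and self.take("comma"):
                values.append(self.literal())
            self.take("rpar")
            return any_field(fields, lambda f: {"terms": {f: values}})
        raise ValueError(f"unsupported operator {op!r} after {path}")

    def literal(self):
        # Strip the quotes and undo STIX's \' and \\ escapes.
        return self.take("str")[1:-1].replace("\\'", "'").replace("\\\\", "\\")


def stix_to_opensearch(pattern, model=STIX_TO_WAZUH):
    """Translate a STIX pattern into an OpenSearch query body (a dict)."""
    p = Parser(tokenize(pattern), model)
    query = p.boolean(p.observation)
    if p.peek()[0] is not None:  # leftover FOLLOWEDBY, qualifier, ...
        raise ValueError(f"unsupported construct: {p.peek()[1]!r}")
    return {"query": query}
```

One caveat on the semantics: in STIX, an AND between two observation expressions ("[a] AND [b]") means both observations must be seen, not necessarily in the same event, whereas the query above turns it into a single bool/must that has to match one alert. That is the right simplification for matching individual Wazuh alerts, but it is a simplification, and it is exactly the kind of pattern the "based-on" relationships cannot express either.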