What is the bug?
We cannot get any findings from some test detectors we created.
How can one reproduce the bug?
Steps to reproduce the behavior:
- Create a winlogbeat index with mappings from winlogbeat 7.10.2
- Create a test detector with the "Sysmon Configuration Change" shipped rule on that index
- Insert the following document:
POST winlogbeat-7.10.2-test-1/_doc
{
  "@timestamp": "2023-03-02T20:12:59+0000",
  "host.name": "server01",
  "winlog.event_id": "16",
  "winlog.channel": "Microsoft-Windows-Sysmon/Operational"
}
What is the expected behavior?
We would expect to see a finding with that doc attached.
What is your host/environment?
- OS: Almalinux 9.x
- Version: 2.6.0
Do you have any additional context?
We used the auto-generated field mapping for the Sigma rules, and all except 3 were found in the mapping supplied by winlogbeat.
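The reproduction above is, in effect, a field-mapping check: a detector only produces a finding when every index field the rule's Sigma detection is mapped to both exists in the index mapping and is set in the inserted document. The script below is an added example, not code from the issue or from OpenSearch Security Analytics. It flattens a `_mapping` response and the test document to dotted paths and reports, per Sigma field, whether the mapped index field is present in the mapping and in the document. The mapping excerpt, the Sigma-to-index field list (the `Image` and `User` entries in particular) and the index name are constructed assumptions; to use it for real, feed it the output of `GET winlogbeat-7.10.2-test-1/_mapping` and the field mapping the detector actually shows.

```python
"""Check a detector's mapped Sigma fields against an index mapping and a sample doc.

Added example for this issue; not part of OpenSearch Security Analytics.
SAMPLE_MAPPING and RULE_FIELD_MAPPING are constructed assumptions, not the
real winlogbeat 7.10.2 template or the detector's real field mapping.
"""
import json
from typing import Any, Dict

# Constructed excerpt in the shape OpenSearch returns from GET <index>/_mapping.
# Only a handful of fields; NOT the full winlogbeat 7.10.2 template.
SAMPLE_MAPPING = {
    "winlogbeat-7.10.2-test-1": {
        "mappings": {
            "properties": {
                "@timestamp": {"type": "date"},
                "host": {"properties": {"name": {"type": "keyword"}}},
                "winlog": {
                    "properties": {
                        "event_id": {"type": "keyword"},
                        "channel": {"type": "keyword"},
                        "provider_name": {"type": "keyword"},
                    }
                },
                "process": {"properties": {"executable": {"type": "keyword"}}},
            }
        }
    }
}

# The document from the issue (trailing comma removed so it is valid JSON).
SAMPLE_DOC = json.loads("""{
  "@timestamp": "2023-03-02T20:12:59+0000",
  "host.name": "server01",
  "winlog.event_id": "16",
  "winlog.channel": "Microsoft-Windows-Sysmon/Operational"
}""")

# Assumed Sigma-field -> index-field mapping for a detector (hypothetical;
# take the real list from the detector's field mapping in the UI or API).
RULE_FIELD_MAPPING = {
    "EventID": "winlog.event_id",
    "Channel": "winlog.channel",
    "Image": "process.executable",   # mapped, but the test doc never sets it
    "User": "winlog.user.name",      # deliberately absent from SAMPLE_MAPPING
}


def flatten_mapping(mapping: Dict[str, Any]) -> Dict[str, str]:
    """Return {dotted.field.path: type} for every leaf field in a _mapping response."""
    out: Dict[str, str] = {}

    def walk(props: Dict[str, Any], prefix: str) -> None:
        for name, spec in props.items():
            path = f"{prefix}.{name}" if prefix else name
            if "properties" in spec:          # object field: recurse into children
                walk(spec["properties"], path)
            else:
                out[path] = spec.get("type", "object")

    for index_body in mapping.values():
        walk(index_body.get("mappings", {}).get("properties", {}), "")
    return out


def flatten_doc(doc: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Flatten a document to dotted paths. OpenSearch treats the dotted key
    "winlog.event_id" and the nested {"winlog": {"event_id": ...}} form alike,
    so both spellings land under the same path here."""
    out: Dict[str, Any] = {}
    for key, value in doc.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten_doc(value, path))
        else:
            out[path] = value
    return out


def check_fields(rule_fields: Dict[str, str], mapping: Dict[str, Any],
                 doc: Dict[str, Any]) -> Dict[str, Dict[str, Any]]:
    """For each Sigma field the detector maps, report whether the target index
    field exists in the mapping and whether the sample document sets it."""
    mapped = flatten_mapping(mapping)
    flat_doc = flatten_doc(doc)
    report: Dict[str, Dict[str, Any]] = {}
    for sigma_field, index_field in rule_fields.items():
        report[sigma_field] = {
            "index_field": index_field,
            "in_mapping": index_field in mapped,
            "type": mapped.get(index_field),
            "in_doc": index_field in flat_doc,
            "doc_value": flat_doc.get(index_field),
        }
    return report


if __name__ == "__main__":
    for sigma_field, info in check_fields(RULE_FIELD_MAPPING, SAMPLE_MAPPING, SAMPLE_DOC).items():
        status = "ok" if info["in_mapping"] and info["in_doc"] else "CHECK"
        print(f"{status:5} {sigma_field:8} -> {info['index_field']:22} "
              f"mapped={info['in_mapping']} type={info['type']} in_doc={info['in_doc']}")
```

Any row printed as CHECK is a condition the rule can never satisfy on that index: a target field missing from the mapping means the auto-generated field mapping could not be resolved, and a field present in the mapping but absent from the document means the rule's selection will not match that document even though the mapping is fine.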