[Question] Need assistance in generating rules for Nginx logs #76
Comments
Hi @Loginsoft-Research, do you have the full output? It looks like this only captures part of the traceback, but there should be more information as well as the exception message. If you're using a local fork, you can modify blob/main/etc/non-ecs-schema.json to add your exceptions when you aren't using ECS fields. Also, I believe our minimum supported version of Python is 3.7. You might get lucky with 3.6, but we haven't tested that. https://github.com/elastic/detection-rules#getting-started
Hello 👋, thanks for the questions. Hopefully this helps:
In addition to what @rw-access said, if the non-ECS fields are beats fields, then as long as you define the
At the moment, the rules can only be exported in ndjson format. I just opened #83 to better support importing or creating rules which were exported from kibana, so you could do: This would build the rule from your exported rule and prompt you for any additional needed information
Support for this was just added as of #50 and can be done with As far as your error - as @rw-access mentioned, with the rest of the error information, we might be able to determine the issue and whether it will be solved by any of the mentioned PRs.
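The two maintainer replies above describe the workflow in prose: take the ndjson that Kibana exports, reshape it into the TOML layout the detection_rules module expects, and make sure every field the query references is either ECS or declared in the non-ECS schema for the rule's index pattern. The script below is an added example written for this page; it is not code from the elastic/detection-rules project and does not call its API. The `[metadata]`/`[rule]` split, the key names carried into `[rule]`, the layout of the non-ECS schema (index pattern mapped to field name and type), the Kibana summary line, and the ECS field list are all assumptions or constructed samples, and the one-rule export is constructed inline so the script runs offline.

```python
"""Convert a Kibana rule export (ndjson) to TOML and check its query fields.

Added example for this thread, not the detection_rules module's own code.
"""
import json
import re
from typing import Dict, Iterable, List, Set

# Constructed sample export: one rule line as Kibana's rule export writes it,
# followed by a summary line (the exact shape of that summary line is assumed).
KIBANA_NDJSON = "\n".join([
    json.dumps({
        "rule_id": "00000000-0000-4000-8000-000000000000",
        "name": "Nginx access from a remote IP",
        "description": "Example rule over Filebeat nginx access logs.",
        "type": "query",
        "language": "kuery",
        "query": "event.dataset:nginx.access and http.request.method:GET "
                 "and nginx.access.remote_ip:*",
        "index": ["filebeat-*"],
        "risk_score": 47,
        "severity": "medium",
    }),
    json.dumps({"exported_count": 1, "missing_references": []}),
])

# Constructed stand-ins for the schemas a rule validator consults: a tiny slice
# of ECS, and a non-ECS schema keyed by index pattern (layout assumed, modelled
# on the idea of etc/non-ecs-schema.json mentioned in the thread).
ECS_FIELDS = {"event.dataset", "http.request.method", "source.ip", "url.path"}
NON_ECS_SCHEMA = {"filebeat-*": {"nginx.access.remote_ip": "ip"}}

# Kibana keys copied into the [rule] table; anything else in the export is dropped.
RULE_KEYS = ("rule_id", "name", "description", "type", "language", "query",
             "index", "risk_score", "severity")

# A KQL field reference is an identifier followed by ':' that is not preceded by
# a word character, a dot, or a quote, so 'a' inside url.path:"a:b" is not a field.
FIELD_RE = re.compile(r'(?<![\w."])([A-Za-z_][\w.]*)\s*:')


def parse_kibana_export(ndjson: str) -> List[dict]:
    """Return the rule objects from an ndjson export, skipping blank and summary lines."""
    rules = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        if "rule_id" in obj:  # summary/metadata lines carry no rule_id
            rules.append(obj)
    return rules


def to_toml_rule(kibana_rule: dict, creation_date: str = "2020/09/01") -> dict:
    """Reshape a Kibana rule into an assumed [metadata]/[rule] two-table layout."""
    rule = {k: kibana_rule[k] for k in RULE_KEYS if k in kibana_rule}
    return {"metadata": {"creation_date": creation_date, "maturity": "development"},
            "rule": rule}


def _toml_value(value) -> str:
    """Serialize a scalar or a flat list as a TOML value."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    if isinstance(value, str):
        return json.dumps(value)  # JSON string escaping is valid TOML basic-string escaping
    if isinstance(value, list):
        return "[" + ", ".join(_toml_value(v) for v in value) + "]"
    raise TypeError(f"unsupported TOML value: {type(value).__name__}")


def dump_toml(doc: dict) -> str:
    """Serialize a dict of flat tables (scalars and lists only) to TOML text."""
    out = []
    for table, values in doc.items():
        out.append(f"[{table}]")
        for key, value in values.items():
            out.append(f"{key} = {_toml_value(value)}")
        out.append("")
    return "\n".join(out)


def extract_fields(query: str) -> Set[str]:
    """Field names referenced as `field:` in a KQL query."""
    return set(FIELD_RE.findall(query))


def unknown_fields(query: str, index_patterns: Iterable[str], ecs_fields: Set[str],
                   non_ecs_schema: Dict[str, Dict[str, str]]) -> Set[str]:
    """Fields the query uses that neither ECS nor the non-ECS schema for its indices define."""
    allowed = set(ecs_fields)
    for pattern in index_patterns:
        allowed |= set(non_ecs_schema.get(pattern, {}))
    return extract_fields(query) - allowed


def convert(ndjson: str = KIBANA_NDJSON, non_ecs_schema=NON_ECS_SCHEMA) -> List[str]:
    """Convert every rule in the export, refusing rules that reference undefined fields."""
    docs = []
    for rule in parse_kibana_export(ndjson):
        missing = unknown_fields(rule["query"], rule.get("index", []), ECS_FIELDS, non_ecs_schema)
        if missing:
            raise ValueError(f"{rule['name']}: fields not in ECS or non-ECS schema: {sorted(missing)}")
        docs.append(dump_toml(to_toml_rule(rule)))
    return docs


if __name__ == "__main__":
    print(convert()[0])
```

Running `convert()` with an empty non-ECS schema raises on `nginx.access.remote_ip`, which is the kind of failure the replies above point at: a Beats field that is valid in Kibana but unknown to a validator that only knows ECS. Adding the field under the rule's index pattern, as the thread suggests doing in non-ecs-schema.json, makes the same rule convert cleanly.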
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.
Hi Elastic Team,
We are trying to write new rules based on our research. We have been successful in writing rules from the Kibana SIEM dashboard; however, on exporting the rules we get them in ndjson format. When writing a rule with the same query using the detection_rules python module, it errors out.
Example: Rule for a vulnerability on Nginx
Command:
rlwrap python3 -m detection_rules create-rule ../nginx_rules/"testing".toml
Error log: