Merge pull request #39 from defensivedepth/FIX/EQL-support

Updates for EQL support
SigmaHQ · Dec 19, 2023 · 1ac8c02 · 1ac8c02
2 parents 4822178 + 89660d6
commit 1ac8c02
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -11,6 +11,7 @@ It supports the following output formats:
 
 * default: Lucene queries.
 * dsl_lucene: DSL with embedded Lucene queries.
+* eql: Elastic Event Query Language queries.
 * kibana_ndjson: Kibana NDJSON with Lucene queries.
 
 Further, it contains the following processing pipelines in `sigma.pipelines.elasticsearch`:
@@ -27,4 +28,4 @@ This backend is currently maintained by:
 * [Hendrik Bäcker](https://github.com/andurin)
 
 Further maintainers required! Send a message to [Thomas](mailto:thomas@patzke.org) if you want to co-maintain this
-backend.
+backend.
diff --git a/sigma/pipelines/elasticsearch/windows.py b/sigma/pipelines/elasticsearch/windows.py
@@ -71,7 +71,7 @@ def ecs_windows() -> ProcessingPipeline:
     return ProcessingPipeline(
         name="Elastic Common Schema (ECS) Windows log mappings from Winlogbeat from version 7",
         priority=20,
-        allowed_backends=("elasticsearch", "lucene", "opensearch"),
+        allowed_backends=("elasticsearch", "eql", "lucene", "opensearch"),
         items=generate_windows_logsource_items("winlog.channel", "{source}") + [                   # Variable field mappinga depending on category/service
             ProcessingItem(
                 identifier=f"elasticsearch_windows-{field}-{logsrc_field}-{logsrc}",
@@ -189,7 +189,7 @@ def ecs_windows_old() -> ProcessingPipeline:
     return ProcessingPipeline(
         name="Elastic Common Schema (ECS) Windows log mappings from Winlogbeat up to version 6",
         priority=20,
-        allowed_backends=("elasticsearch", "lucene", "opensearch"),
+        allowed_backends=("elasticsearch", "eql", "lucene", "opensearch"),
         items=generate_windows_logsource_items("winlog.channel", "{source}") + [
             ProcessingItem(     # Field mappings
                 identifier="ecs_windows_field_mapping",

diff --git a/sigma/pipelines/elasticsearch/zeek.py b/sigma/pipelines/elasticsearch/zeek.py
@@ -16,7 +16,7 @@ def ecs_zeek_beats() -> ProcessingPipeline:
     return ProcessingPipeline(
         name="Elastic Common Schema (ECS) for Zeek using filebeat >= 7.6.1",
         priority=20,
-        allowed_backends=("elasticsearch", "lucene", "opensearch"),
+        allowed_backends=("elasticsearch", "eql", "lucene", "opensearch"),
         items=[
             ProcessingItem(
                 identifier=f"zeek_mapping_category_{ category }_to_service_{ service }",
@@ -485,7 +485,7 @@ def ecs_zeek_corelight() -> ProcessingPipeline:
     return ProcessingPipeline(
         name="Elastic Common Schema (ECS) mapping from Corelight",
         priority=20,
-        allowed_backends=("elasticsearch", "lucene", "opensearch"),
+        allowed_backends=("elasticsearch", "eql", "lucene", "opensearch"),
         items=[
             ProcessingItem(
                 identifier=f"zeek_mapping_category_{ category }_to_service_{ service }",
@@ -954,7 +954,7 @@ def zeek_raw() -> ProcessingPipeline:
     return ProcessingPipeline(
         name="Zeek raw JSON field naming",
         priority=20,
-        allowed_backends=("elasticsearch", "lucene", "opensearch"),
+        allowed_backends=("elasticsearch", "eql", "lucene", "opensearch"),
         items=[
             ProcessingItem(
                 identifier=f"zeek_mapping_category_{ category }_to_service_{ service }",