diff --git a/README.md b/README.md
index 816ec35..75bb626 100644
--- a/README.md
+++ b/README.md
@@ -11,6 +11,7 @@ It supports the following output formats:
 * default: Lucene queries.
 * dsl_lucene: DSL with embedded Lucene queries.
+* eql: Elastic Event Query Language queries.
 * kibana_ndjson: Kibana NDJSON with Lucene queries.
 Further, it contains the following processing pipelines in `sigma.pipelines.elasticsearch`:
@@ -27,4 +28,4 @@ This backend is currently maintained by:
 * [Hendrik Bäcker](https://github.com/andurin)
 Further maintainers required! Send a message to [Thomas](mailto:thomas@patzke.org) if you want to co-maintain this
-backend.
\ No newline at end of file
+backend.
diff --git a/sigma/pipelines/elasticsearch/windows.py b/sigma/pipelines/elasticsearch/windows.py
index 9638c29..4d43a7a 100644
--- a/sigma/pipelines/elasticsearch/windows.py
+++ b/sigma/pipelines/elasticsearch/windows.py
@@ -71,7 +71,7 @@ def ecs_windows() -> ProcessingPipeline:
 return ProcessingPipeline(
 name="Elastic Common Schema (ECS) Windows log mappings from Winlogbeat from version 7",
 priority=20,
- allowed_backends=("elasticsearch", "lucene", "opensearch"),
+ allowed_backends=("elasticsearch", "eql", "lucene", "opensearch"),
 items=generate_windows_logsource_items("winlog.channel", "{source}") + [ # Variable field mappinga depending on category/service
 ProcessingItem(
 identifier=f"elasticsearch_windows-{field}-{logsrc_field}-{logsrc}",
@@ -189,7 +189,7 @@ def ecs_windows_old() -> ProcessingPipeline:
 return ProcessingPipeline(
 name="Elastic Common Schema (ECS) Windows log mappings from Winlogbeat up to version 6",
 priority=20,
- allowed_backends=("elasticsearch", "lucene", "opensearch"),
+ allowed_backends=("elasticsearch", "eql", "lucene", "opensearch"),
 items=generate_windows_logsource_items("winlog.channel", "{source}") + [
 ProcessingItem( # Field mappings
 identifier="ecs_windows_field_mapping",
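Review bot: The backend tuple `("elasticsearch", "eql", "lucene", "opensearch")` is now written out by hand in the `allowed_backends=` lines of five pipelines — both hunks in this file and the three in zeek.py — so the next backend means another five-place edit, and any pipeline in the package that this commit did not touch presumably still carries the old tuple and will reject the EQL backend. Define it once, e.g. `ELASTICSEARCH_BACKENDS = ("elasticsearch", "eql", "lucene", "opensearch")` in a shared module of `sigma.pipelines.elasticsearch`, and reference it as `allowed_backends=ELASTICSEARCH_BACKENDS` from each pipeline, which also keeps the compatibility declaration from drifting between pipelines. Since `allowed_backends` is what these pipelines use to declare which backends may apply their field mappings, a test that instantiates the EQL backend with each of the five pipelines would pin the widening, if the commit does not add one elsewhere. `ecs_windows` and `ecs_windows_old` both start outside the hunk (only their signature lines appear in the hunk headers) and continue past it.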
diff --git a/sigma/pipelines/elasticsearch/zeek.py b/sigma/pipelines/elasticsearch/zeek.py
index 9714736..5b65153 100644
--- a/sigma/pipelines/elasticsearch/zeek.py
+++ b/sigma/pipelines/elasticsearch/zeek.py
@@ -16,7 +16,7 @@ def ecs_zeek_beats() -> ProcessingPipeline:
 return ProcessingPipeline(
 name="Elastic Common Schema (ECS) for Zeek using filebeat >= 7.6.1",
 priority=20,
- allowed_backends=("elasticsearch", "lucene", "opensearch"),
+ allowed_backends=("elasticsearch", "eql", "lucene", "opensearch"),
 items=[
 ProcessingItem(
 identifier=f"zeek_mapping_category_{ category }_to_service_{ service }",
@@ -485,7 +485,7 @@ def ecs_zeek_corelight() -> ProcessingPipeline:
 return ProcessingPipeline(
 name="Elastic Common Schema (ECS) mapping from Corelight",
 priority=20,
- allowed_backends=("elasticsearch", "lucene", "opensearch"),
+ allowed_backends=("elasticsearch", "eql", "lucene", "opensearch"),
 items=[
 ProcessingItem(
 identifier=f"zeek_mapping_category_{ category }_to_service_{ service }",
@@ -954,7 +954,7 @@ def zeek_raw() -> ProcessingPipeline:
 return ProcessingPipeline(
 name="Zeek raw JSON field naming",
 priority=20,
- allowed_backends=("elasticsearch", "lucene", "opensearch"),
+ allowed_backends=("elasticsearch", "eql", "lucene", "opensearch"),
 items=[
 ProcessingItem(
 identifier=f"zeek_mapping_category_{ category }_to_service_{ service }",