Elastic Serializers

There are two built-in Elastic related serializers: eql and es-rule. Both serializers generate a query in the Event Query Language (EQL) format. The former generates a bare string with the EQL query while the latter produces a JSON object suitable for uploading as an Elastic Security Alert rule (see Create Rule).

Event Query Language (EQL)

The EQL serializer does not require any extra configuration beyond the default serializer options (e.g. logsource or transforms). It can be used directly to produce valid EQL query strings.

Converting a rule to EQL
sigma convert -s eql ./rule.yml

As with other serializers, you can combine the EQL serializer with custom transformations to produce a modified version of the Sigma rule with a serializer configuration file.

Elastic Security Rule

The es-rule serializer is built on top of the EQL serializer. It first serializes the rule's condition to an EQL query and then uses the remaining Sigma rule details (title, description, level, tags, and so on) to produce a JSON object suitable for uploading to Elastic as an alert rule. There are a few extra configuration options which you can use when configuring your es-rule serializers.

enable_rule

If set to true, the generated rule will be enabled. By default, generated rules are disabled.

interval

Control the time interval for the generated rule. The syntax for this field is the same as the interval field in the Elastic REST API specification (see here). The default interval is 5m.

output_index

Control the output index for alerts. The default index is .siem-signals-default.

max_signals

The maximum number of alerts the rule can create during a single execution. The default is 100.

risk_map

A dictionary mapping Sigma rule levels to integer risk scores. By default, low, medium, high and critical are mapped to 5, 35, 65 and 95 respectively.

risk_default

If a Sigma rule level does not match an item in the above dictionary, this value will be used instead. The default is 35.

severity_map

A dictionary mapping Sigma rule levels to Elastic severity values. By default, low, medium, high, and critical are mapped to themselves while informational is mapped to low.

severity_default

If a Sigma rule level does not match an item in the above dictionary, this value will be used instead. The default is medium.

timestamp_override

This field directly sets the corresponding field in the output rule. It can be used to adjust where the rule timestamp comes from within Elastic. This is not added to the rule by default. For example, you could set this value to event.timestamp to use that custom field for the event time instead of the ingested time.

actions

List of actions to perform if a rule fires. This is a list of ElasticSecurityAction objects, which are described below. By default, no actions are added to the rule.

Elastic Security Actions

As described by the Create Rule API docs, there are a few different action types which can be specified.

  • .slack

  • .email

  • .pagerduty

  • .webhook

Instead of allowing free-form dictionary objects in the actions field of a serializer, each of these types defines its own schema, which enables validation prior to serialization. Further, each action in your serializer can optionally carry a list of tags which must match a rule for the action to be applied. For example, the following action would only be applied to rules that carry the custom tag.

actions:
  - type: slack
    id: my-connector-id
    tags:
      - custom
    message: "my slack message"

If no tags are provided, the action is applied to every rule. The configuration fields are mostly the same as in the official Elastic REST API, but have been adjusted slightly to conform with the format of the serializer configuration. Their usage should be relatively straightforward. The following is an example of all possible properties for all available Elastic actions.

actions:
  - type: slack
    id: my-connector-id
    tags:
      - custom
    message: "my slack message"
  # At least one of to, cc, bcc must be provided.
  # The subject is optional.
  - type: email
    id: my-connector-id
    to:
      - security@company.com
    cc:
      - someone@company.com
    bcc:
      - someoneelse@company.com
    subject: "ALERT"
    message: "MESSAGE"
  # The body field is JSON serialized per the elastic documentation
  - type: webhook
    id: my-connector-id
    body:
      my: custom
      object: 3.14
  - type: pagerduty
    id: my-connector-id
    severity: "Critical"
    event_action: "trigger"
    # Rest are optional
    dedup_key: "something"
    timestamp: "2020-03-20T14:28:23.382748"
    component: "security-solution"
    group: "logical-group"
    source: ":shrug:"
    summary: "my alert summary"
    # This was renamed due to python conflicts with 'class'
    clazz: "class/type of event"
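The following is an added example, not code from the serializer project itself, that models how the es-rule options described above (enable_rule, interval, output_index, max_signals, risk_map/risk_default, severity_map/severity_default, timestamp_override) and the tag-based action matching combine into one rule object. The function names (build_es_rule, action_matches, to_elastic_action), the sample rule and config, the assumption that every tag listed on an action must be present on the rule, and the conversion of an action into the Create Rule API's action_type_id/id/group/params shape are all assumptions of this example rather than documented behaviour of the project.

```python
import json

# Defaults as documented for the es-rule serializer options above.
DEFAULT_RISK_MAP = {"low": 5, "medium": 35, "high": 65, "critical": 95}
DEFAULT_SEVERITY_MAP = {
    "informational": "low",
    "low": "low",
    "medium": "medium",
    "high": "high",
    "critical": "critical",
}
DEFAULT_CONFIG = {
    "enable_rule": False,
    "interval": "5m",
    "output_index": ".siem-signals-default",
    "max_signals": 100,
    "risk_map": DEFAULT_RISK_MAP,
    "risk_default": 35,
    "severity_map": DEFAULT_SEVERITY_MAP,
    "severity_default": "medium",
    "timestamp_override": None,  # not added to the rule unless set
    "actions": [],
}


def action_matches(action, rule_tags):
    """An action with no tags applies to every rule; otherwise (assumption of
    this example) every tag listed on the action must appear on the rule."""
    required = set(action.get("tags", []))
    return required.issubset(set(rule_tags))


def to_elastic_action(action):
    """Convert a serializer-style action into the Create Rule API action shape.
    The action_type_id/group/params layout is an assumption of this example."""
    params = {k: v for k, v in action.items() if k not in ("type", "id", "tags")}
    if action["type"] == "pagerduty" and "clazz" in params:
        params["class"] = params.pop("clazz")  # documented rename of 'class'
    if action["type"] == "webhook" and "body" in params:
        params["body"] = json.dumps(params["body"])  # body is JSON serialized
    return {
        "action_type_id": "." + action["type"],
        "id": action["id"],
        "group": "default",
        "params": params,
    }


def build_es_rule(rule, eql_query, config=None):
    """Combine an already-serialized EQL query with the Sigma rule metadata and
    the serializer options into a rule object carrying the fields this page
    discusses (the real API accepts further fields not modelled here)."""
    cfg = {**DEFAULT_CONFIG, **(config or {})}
    level = rule.get("level", "")
    tags = rule.get("tags", [])
    es_rule = {
        "name": rule["title"],
        "description": rule.get("description", ""),
        "type": "eql",
        "language": "eql",
        "query": eql_query,
        "enabled": cfg["enable_rule"],
        "interval": cfg["interval"],
        "output_index": cfg["output_index"],
        "max_signals": cfg["max_signals"],
        # Unknown levels fall back to risk_default / severity_default.
        "risk_score": cfg["risk_map"].get(level, cfg["risk_default"]),
        "severity": cfg["severity_map"].get(level, cfg["severity_default"]),
        "tags": tags,
        "actions": [to_elastic_action(a) for a in cfg["actions"] if action_matches(a, tags)],
    }
    if cfg["timestamp_override"]:
        es_rule["timestamp_override"] = cfg["timestamp_override"]
    return es_rule


# Constructed sample rule, query and serializer config (not from the page).
SAMPLE_RULE = {
    "title": "Office Application Spawning Shell",
    "description": "Constructed sample rule for the example",
    "level": "high",
    "tags": ["attack.execution", "custom"],
}
SAMPLE_QUERY = 'process where process.parent.name == "winword.exe" and process.name == "cmd.exe"'
SAMPLE_CONFIG = {
    "enable_rule": True,
    "interval": "10m",
    "timestamp_override": "event.timestamp",
    "actions": [
        {"type": "slack", "id": "my-connector-id", "tags": ["custom"], "message": "my slack message"},
        {"type": "email", "id": "my-connector-id", "to": ["security@company.com"], "subject": "ALERT", "message": "MESSAGE"},
        {"type": "pagerduty", "id": "my-connector-id", "tags": ["oncall"], "severity": "Critical",
         "event_action": "trigger", "clazz": "class/type of event"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(build_es_rule(SAMPLE_RULE, SAMPLE_QUERY, SAMPLE_CONFIG), indent=2))
```

With the sample config, the slack action is attached (the rule carries the custom tag), the email action is attached (it lists no tags), and the pagerduty action is dropped (the rule lacks the oncall tag); the high level maps to risk 65 and severity high, while a level absent from both maps would fall back to 35 and medium.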