Elastic Search Backend

[Zirbo]

Hello,
We are using sigmac for our project and we are considering switching to pySigma, but we need to be able to convert our rules to Splunk and Elastic Search Query DSL. Unfortunately, while a Splunk module is available (https://github.com/SigmaHQ/pySigma-backend-splunk ), an Elastic module is not.
Is there already a project for one? Or could you estimate how much time-consuming would it be to create one? (we could contribute it if it's not too much effort... but unfortunately I cannot decide myself how much effort is too much)

Thank you for your answer!!!

[thomaspatzke]

Hi! Porting the Elastic backends to pySigma is indeed on the top of my todo list, you're not the first one asking for this 😉 And I believe this could push a lot of users towards pySigma/sigma-cli.

I plan to start within the next two weeks. While implementing the base conversion (syntax etc.) is relative straightforward and done quickly, porting all the mappings and solve the Elastic-specific challenges (different handling of different field configurations etc.) would be likely the more time-consuming task.

I will use this thread to notify about progress on it. Contributions would be great and small contributions (e.g. such ones that solve your issues/needs) are always a step forward.

[Zirbo]

Hallo Thomas,
that's amazing :) And it's very on point that you mention pySigma/sigma-cli as I also plan to use that pretty extensively :) I'd be happy to help you, especially with testing!

[thomaspatzke]

Testing is good, the best tests are done in real life 😁

[nasbench]

Elastic backend now exists (for a while) https://github.com/SigmaHQ/pySigma-backend-elasticsearch