Elastalert Backend

[krapgras]

Hello,

How difficult would it be to (re)integrate the sigma2elastalert backend?
I'm trying to revive the HELK stack and one of the steps it uses is converting the sigma rules to elastalert.
From what i can see the script (linked below) just uses the old sigmac es-qs and then does some text alterations via python [args.sigmac, file, "--target", "es-qs"].

Unfortunately my knowledge on the new pySigma is limited but i would imagine that the changes should be minimal to reimplement this as the es-qs backend still exists?

legacy-sigmatools

[thomaspatzke]

Check the YAML pipelines project from @frack113, he implemented Elastalert support based on the Elastic backend with processing pipelines.

[krapgras]

Thanks I totally missed this one :) That should do the trick I think!

[adilraad2001]

did convese the rules ?

[krapgras]

@adilraad2001 not sure what you mean but yes I have updated the rules a bit and it is working.

It is part of my helk fork and you can find the file here

One thing I did have to do is yaml lint some of the files as not all conventions where fully correct in syntax. I didn’t try to fix them to be honest (lack of time)