Merge pull request #664 from j91321/es-rule-options

es-rule backend options for index-patterns and time interval

tools/sigma/backends/elasticsearch.py

@@ -1145,9 +1145,12 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend):
     def generate(self, sigmaparser):
         translation = super().generate(sigmaparser)
         if translation:
+            index = sigmaparser.get_logsource().index
+            if len(index) == 0:
+                index = ["apm-*-transaction", "auditbeat-*", "endgame-*", "filebeat-*", "packetbeat-*", "winlogbeat-*"]
             configs = sigmaparser.parsedyaml
             configs.update({"translation": translation})
-            rule = self.create_rule(configs)
+            rule = self.create_rule(configs, index)
             return rule
 
     def create_threat_description(self, tactics_list, techniques_list):
@@ -1195,7 +1198,7 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend):
         elif level == "critical":
             return randrange(74,101)
 
-    def create_rule(self, configs):
+    def create_rule(self, configs, index):
         tags = configs.get("tags", [])
         tactics_list = list()
         technics_list = list()
@@ -1231,14 +1234,7 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend):
             "filters": [],
             "from": "now-360s",
             "immutable": False,
-            "index": [
-                "apm-*-transaction*",
-                "auditbeat-*",
-                "endgame-*",
-                "filebeat-*",
-                "packetbeat-*",
-                "winlogbeat-*"
-            ],
+            "index": index,
             "interval": "5m",
             "rule_id": rule_id,
             "language": "lucene",