Use config dateField in xpack watcher to determine

datefield name as in elasticsearch dsl backend
2024-11-07 09:48:58 +00:00 · 2019-09-10 15:59:49 +02:00 · 2019-09-10 15:59:49 +02:00 · 8f612f743c
commit 8f612f743c
parent 038900e2fe
1 changed files with 2 additions and 1 deletions
--- a/tools/sigma/backends/elasticsearch.py
+++ b/tools/sigma/backends/elasticsearch.py
@ -452,6 +452,7 @@ class XPackWatcherBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin)
        tags = sigmaparser.parsedyaml.setdefault("tags", "")
        # Get time frame if exists
        interval = sigmaparser.parsedyaml["detection"].setdefault("timeframe", "30m")
+        dateField = self.sigmaconfig.config.get("dateField", "date")
        
        # creating condition
        indices = sigmaparser.get_logsource().index
@ -673,7 +674,7 @@ class XPackWatcherBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin)
                                            "filter":
                                                {
                                                    "range":{
-                                                        "timestamp":{
+                                                        dateField:{
                                                            "gte":"now-%s/m"%self.filter_range #filter only for the last x minutes events
                                                            }
                                                        }