No event_id without json_map #74

Open
bryant-smith opened this issue Aug 23, 2023 · 1 comment

Comments

@bryant-smith
Contributor

With the configuration and rule below, the rule will NOT trigger an alert without the use of json_map even though it's set in the map file and I see it parsed and set in the --debug json output. Let me know if you need logs to test with.

yaml:

    input-type: json                       # pipe or json
    json-map: "$RULE_PATH/json-input-endpoint.map"  # mapping file if input-type: json
    json-software: endpoint-winlogbeat               # by "software" type. 

json-input-endpoint.map

{"software":"endpoint-winlogbeat","event_id":".event.code","program":".winlog.channel","message":".message","time":".event.created","date":".event.created","src_ip":".host.ip"}

Sagan Rule

alert any $HOME_NET any -> $HOME_NET any (msg:"[ASIMOV] Test Rule"; program:*Sysmon*; json_map:"event_id",".event.code"; event_id:1; classtype:trojan-activity; sid:2; rev:1;)

Sagan --debug json

[D]  * program: "Microsoft-Windows-Sysmon/Operational"
[D]  * host: "0.0.0.0"
[D]  * level: "UNDEFINED"
[D]  * facility: "UNDEFINED"
[D]  * priority: "UNDEFINED"
[D]  * tag: "UNDEFINED"
[D]  * time: "2023-05-24T15:18:09.715Z"
[D]  * date: "2023-05-24T15:18:09.715Z"
[D]  * src_ip : "[ "fe80::50f3:494d:b279:5247", "10.65.45.226" ]"
[D]  * dst_ip : ""
[D]  * src_port : "0"
[D]  * dst_port : "0"
[D]  * proto : "0"
[D]  * ja3: ""
[D]  * event_id: "1"
[D]  * md5: ""
[D]  * sha1: ""
[D]  * sha256: ""
[D]  * filename: ""
[D]  * hostname: ""
[D]  * url: ""
[D]  * username: ""
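To make the mapping step in the report above concrete, here is an added, self-contained illustration that is not Sagan's code and not from either participant: it reads a map line in the format of json-input-endpoint.map (one JSON object per line, selected by the "software" key, every other key being a Sagan field name whose value is a dotted path into the event), walks those paths through a constructed winlogbeat-style event, and then evaluates a simplified stand-in for the rule's program:*Sysmon* and event_id:1 tests. The sample event, the load_map/resolve_path/normalize/rule_matches names, and the array handling (an array such as host.ip is kept as its JSON text, which matches how src_ip appears as a list in the --debug json output above) are assumptions made for this example, not documented Sagan behaviour. Note also that event_id is compared as text here; whether the source emits event.code as the string "1" or the number 1 depends on the shipper.

```python
import fnmatch
import json
from typing import Any, Dict, Optional

# Constructed sample event in winlogbeat/Sysmon shape (made up for this
# illustration; not a log line from the original issue).
SAMPLE_EVENT = json.dumps({
    "event": {"code": "1", "created": "2023-05-24T15:18:09.715Z"},
    "winlog": {"channel": "Microsoft-Windows-Sysmon/Operational"},
    "message": "Process Create: Image: C:\\Windows\\System32\\cmd.exe",
    "host": {"ip": ["fe80::50f3:494d:b279:5247", "10.65.45.226"]},
})

# The map line from the issue. "software" selects the entry; every other key
# is a field name whose value is a dotted path into the JSON event.
MAP_LINE = ('{"software":"endpoint-winlogbeat","event_id":".event.code",'
            '"program":".winlog.channel","message":".message",'
            '"time":".event.created","date":".event.created","src_ip":".host.ip"}')


def load_map(map_text: str, software: str) -> Dict[str, str]:
    """Return the field->path mapping for the requested "software" entry.

    Assumes one JSON object per line (hypothetical format detail); the line
    whose "software" matches the json-software setting wins.
    """
    for line in map_text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        if entry.get("software") == software:
            return {k: v for k, v in entry.items() if k != "software"}
    raise KeyError(f"no map entry for software {software!r}")


def resolve_path(obj: Any, path: str) -> Optional[Any]:
    """Walk a dotted path such as '.event.code' through nested dicts."""
    cur = obj
    for part in path.strip(".").split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def normalize(event_json: str, field_map: Dict[str, str]) -> Dict[str, str]:
    """Build the flat field set a rule would be matched against.

    Missing paths become ""; dicts and arrays (host.ip here) are kept as
    JSON text, so src_ip carries the whole address list rather than one IP.
    """
    event = json.loads(event_json)
    out: Dict[str, str] = {}
    for field, path in field_map.items():
        val = resolve_path(event, path)
        if val is None:
            out[field] = ""
        elif isinstance(val, (dict, list)):
            out[field] = json.dumps(val)
        else:
            out[field] = str(val)
    return out


def rule_matches(fields: Dict[str, str], program_glob: str, event_id: int) -> bool:
    """Simplified stand-in for 'program:*Sysmon*; event_id:1;' (not Sagan's matcher)."""
    return (fnmatch.fnmatchcase(fields.get("program", ""), program_glob)
            and fields.get("event_id") == str(event_id))


if __name__ == "__main__":
    fields = normalize(SAMPLE_EVENT, load_map(MAP_LINE, "endpoint-winlogbeat"))
    for k, v in fields.items():
        print(f"[D]  * {k}: {v!r}")
    print("rule fires:", rule_matches(fields, "*Sysmon*", 1))
```

Running it prints the normalized fields in the same spirit as the --debug json listing and reports whether the simplified rule fires; swapping the sample's event.code to "3" shows the event_id test failing while program still matches, which is the first thing to check when a rule with an event_id test stays silent.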
@quadrantsec
Collaborator

You're doing two mappings. Is this correct?

"event_id":".event.code"

^^^ this is in the json-input-endpoint.map

and then within the signature.....

"event_id",".event.code"; event_id:1;

^^ the signature.

Your signature also tells Sagan to look for and alert on "event_id: 1", which appears to be what is happening.

I think I am missing something?
