Merge pull request #334 from Cyb3rWard0g/temp-sigma-fixes

encoding fix and elastalert mapping

docker/helk-elastalert/rules/helk_sysmon_services_rare_child.yml

@@ -4,10 +4,10 @@ description: Detects rare childs from services.exe (gold image based)
 filter:
 - query:
     query_string:
-      query: (event_id:1 AND process_parent_name:"services.exe" AND NOT (process_path:"\windows\system32" OR process_path:"\program files\windows defender\mpcmdrun.exe" OR "\program files (x86)\google\update\googleupdate.exe" OR "c:\windows\servicing"))
+      query: (event_id:1 AND process_parent_name:"services.exe" AND NOT (process_path:"\\windows\\system32" OR process_path:"\\program\ files\\windows\ defender\\mpcmdrun.exe" OR "\\program\ files\ \(x86\)\\google\\update\\googleupdate.exe" OR "c:\\windows\\servicing"))
 index: logs-endpoint-winevent-sysmon-*
 name: Windows-services-rare-child_0
 priority: 2
 realert:
   minutes: 0
-type: any
+type: any

docker/helk-logstash/output_templates/01-elastalert-status.json

@@ -0,0 +1,18 @@
+{
+  "order": 999,
+  "index_patterns": [
+    "elastalert_status*"
+  ],
+  "version": 2019082901,
+  "mappings": {
+    "properties": {
+      "match_body": {
+        "properties": {
+          "z_logstash_pipeline": {
+            "type": "keyword"
+          }
+        }
+      }
+    }
+  }
+}