From 066f1251a78a9d4268d674a75c7bd291f348749e Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Sat, 11 Apr 2020 11:47:34 -0400
Subject: [PATCH] NIDS2TheHive Update for ECS

---
 salt/elastalert/files/rules/so/nids2hive.yaml | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/salt/elastalert/files/rules/so/nids2hive.yaml b/salt/elastalert/files/rules/so/nids2hive.yaml
index 019a0844f..7408a34ce 100644
--- a/salt/elastalert/files/rules/so/nids2hive.yaml
+++ b/salt/elastalert/files/rules/so/nids2hive.yaml
@@ -8,21 +8,20 @@ es_host: {{es}}
 es_port: 9200
 name: NIDS-Alert
 type: frequency
-index: "*:logstash-ids*"
+index: "so-ids-*"
 num_events: 1
 timeframe:
   minutes: 10
 buffer_time:
   minutes: 10
 allow_buffer_time_overlap: true
-query_key: ["alert", "ips"]
+query_key: ["rule.signature_id"]
 realert:
   days: 1
-
 filter:
 - query:
     query_string:
-      query: "event_type: ids AND NOT tags: _jsonparsefailure"
+      query: "event.module: suricata"
 
 alert: modules.so.thehive.TheHiveAlerter
 
@@ -35,16 +34,16 @@ hive_proxies:
   https: ''
 
 hive_alert_config:
-  title: '{match[alert]}'
+  title: '{match[rule][name]}'
   type: 'NIDS'
   source: 'SecurityOnion'
-  description: "`NIDS Dashboard:` \n\n \n\n `IPs: `{match[source_ip]}:{match[source_port]} --> {match[destination_ip]}:{match[destination_port]} \n\n `Signature:` {match[rule_signature]}"
+  description: "`NIDS Dashboard:` \n\n \n\n `IPs: `{match[source][ip]}:{match[source][port]} --> {match[destination][ip]}:{match[destination][port]} \n\n `Signature:`{match[rule][rule]}"
   severity: 2
-  tags: ['{match[sid]}','{match[source_ip]}','{match[destination_ip]}']
+  tags: ['{match[rule][signature_id]}','{match[source][ip]}','{match[destination][ip]}']
   tlp: 3
   status: 'New'
   follow: True
 
 hive_observable_data_mapping:
-  - ip: '{match[source_ip]}'
-  - ip: '{match[destination_ip]}'
+  - ip: '{match[source][ip]}'
+  - ip: '{match[destination][ip]}'
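Review bot: Narrowing `query_key` to `["rule.signature_id"]` while `realert: days: 1` stays unchanged means that once a signature fires, the same signature hitting any other host pair is suppressed for a day; the removed key also carried the IP pair, so that per-host granularity is lost and a second victim of the same signature would not reach TheHive until the realert window expires. If the previous behaviour is wanted, `query_key: ["rule.signature_id", "source.ip", "destination.ip"]` keeps it on ECS fields. The new filter `event.module: suricata` also drops the `NOT tags: _jsonparsefailure` guard and no longer restricts to alert records; if `so-ids-*` can carry unparsed documents or non-alert suricata records, narrow the query (for example with an additional `event.dataset` term matching the alert records) so such a document does not open a TheHive alert with empty fields.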
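Review bot: The rewritten `description` lost the space between the `Signature:` label and the placeholder, so the rendered text runs the label straight into the rule text; restore the space before `{match[rule][rule]}` as the removed line had it. The nested placeholders (`match[rule][name]`, `match[rule][rule]`, `match[source][port]`, `match[destination][port]`) presumably go through str.format on the match document, in which case a match missing the parent object or the field raises a KeyError and the alert is not delivered; the old flat keys had the same exposure, but it is worth documenting the contract with a comment above `hive_alert_config` such as `# expects rule.name, rule.rule, rule.signature_id, source.ip/port and destination.ip/port in every matched document`. The quoting is mixed within the stanza (single quotes for `title` and `tags`, double for `description`); single quotes suffice everywhere here except the `\n` escapes in `description`, which do need double quotes.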