diff --git a/salt/elastalert/files/modules/so/playbook-es.py b/salt/elastalert/files/modules/so/playbook-es.py
new file mode 100644
index 000000000..0ba3f3601
--- /dev/null
+++ b/salt/elastalert/files/modules/so/playbook-es.py
@@ -0,0 +1,23 @@
+# -*- coding: utf-8 -*-
+
+from datetime import date
+import requests,json
+from elastalert.alerts import Alerter
+
+class PlaybookESAlerter(Alerter):
+ """
+ Use matched data to create alerts in elasticsearch
+ """
+
+ required_options = set(['play_title','play_url','sigma_level','elasticsearch_host'])
+
+ def alert(self, matches):
+ for match in matches:
+ headers = {"Content-Type": "application/json"}
+ payload = {"play_title": self.rule['play_title'],"play_url": self.rule['play_url'],"sigma_level": self.rule['sigma_level'],"data": match}
+ today = str(date.today())
+ url = f"http://{self.rule['elasticsearch_host']}/playbook-alerts-{today}/_doc/"
+ requests.post(url, data=json.dumps(payload), headers=headers, verify=False)
+
+ def get_info(self):
+ return {'type': 'PlaybookESAlerter'}
diff --git a/salt/playbook/files/redmine.db b/salt/playbook/files/redmine.db
index 52f171833..520f0b3c3 100644
Binary files a/salt/playbook/files/redmine.db and b/salt/playbook/files/redmine.db differ
diff --git a/salt/soctopus/files/SOCtopus.conf b/salt/soctopus/files/SOCtopus.conf
index 37ec0172d..555c2ee6a 100644
--- a/salt/soctopus/files/SOCtopus.conf
+++ b/salt/soctopus/files/SOCtopus.conf
@@ -53,7 +53,7 @@ slack_url = YOURSLACKWORKSPACE
 slack_webhook = YOURSLACKWEBHOOK
 [playbook]
-playbook_url = http://{{ip}}:3200/playbook
+playbook_url = http://{{ip}}/playbook
 playbook_key = a4a34538782804adfcb8dfae96262514ad70c37c
 [log]
diff --git a/salt/soctopus/files/templates/es-generic.template b/salt/soctopus/files/templates/es-generic.template
new file mode 100644
index 000000000..cdda8a19b
--- /dev/null
+++ b/salt/soctopus/files/templates/es-generic.template
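Review bot: The `requests.post` call in `alert` has no timeout and its response is never inspected, so an unreachable or overloaded Elasticsearch blocks the alerter indefinitely and an index rejection (4xx/5xx) is silently lost; change it to `resp = requests.post(url, data=json.dumps(payload), headers=headers, timeout=10)` followed by `resp.raise_for_status()` so ElastAlert's own retry/error handling sees the failure. `verify=False` is a no-op here because the scheme is hard-coded to `http://` (alert data, including the full `match`, goes to Elasticsearch unencrypted and without credentials), and if the host is later switched to `https://` the flag would silently disable certificate validation, so it is better dropped now rather than carried forward. `date.today()` is the local calendar date, which will disagree with UTC-named daily indices around midnight; use `datetime.utcnow().date()` if the rest of the stack names indices in UTC. Minor style: `required_options` can be a set literal and `import requests,json` should be two imports.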
@@ -0,0 +1,7 @@
+{% set ES = salt['pillar.get']('static:masterip', '') %}
+
+alert: modules.so.playbook-es.PlaybookESAlerter
+elasticsearch_host: "{{ ES }}:9200"
+play_title: ""
+play_url: "https://{{ ES }}/playbook/issues/6000"
+sigma_level: ""
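Review bot: The pillar lookup on the first line defaults to `''`, so when `static:masterip` is unset the rendered rule contains `elasticsearch_host: ":9200"` and `play_url: "https:///playbook/issues/6000"`, and the alerter then posts to a URL with an empty host instead of the render failing loudly; a render-time guard that aborts when `ES` is empty would surface the misconfiguration at deploy time. `play_url` pins issue `6000` while `play_title` and `sigma_level` are empty strings; if these are placeholders that SOCtopus substitutes per play, a leading comment such as `# template: play_title, play_url issue id and sigma_level are filled in by SOCtopus per play` would stop the next reader from treating 6000 as a real issue. Note also that `elasticsearch_host` carries no scheme because the alerter hard-codes `http://`, so this template cannot be pointed at a TLS-fronted Elasticsearch without a code change.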