Playbook - create play API

2025-12-06 17:22:49 +01:00 · 2020-02-14 16:38:02 -05:00
parent 9666f24e14
commit 240620caa3
4 changed files with 31 additions and 1 deletions
--- a/salt/elastalert/files/modules/so/playbook-es.py
+++ b/salt/elastalert/files/modules/so/playbook-es.py
@@ -0,0 +1,23 @@
+# -*- coding: utf-8 -*-
+
+from datetime import date   
+import requests,json
+from elastalert.alerts import Alerter
+
+class PlaybookESAlerter(Alerter):
+    """
+    Use matched data to create alerts in elasticsearch
+    """
+
+    required_options = set(['play_title','play_url','sigma_level','elasticsearch_host'])
+
+    def alert(self, matches):
+       for match in matches:
+            headers = {"Content-Type": "application/json"}
+            payload = {"play_title": self.rule['play_title'],"play_url": self.rule['play_url'],"sigma_level": self.rule['sigma_level'],"data": match}
+            today = str(date.today())
+            url = f"http://{self.rule['elasticsearch_host']}/playbook-alerts-{today}/_doc/"
+            requests.post(url, data=json.dumps(payload), headers=headers, verify=False)
+                            
+    def get_info(self):
+        return {'type': 'PlaybookESAlerter'} 
--- a/salt/playbook/files/redmine.db
+++ b/salt/playbook/files/redmine.db
--- a/salt/soctopus/files/SOCtopus.conf
+++ b/salt/soctopus/files/SOCtopus.conf
@@ -53,7 +53,7 @@ slack_url = YOURSLACKWORKSPACE
 slack_webhook = YOURSLACKWEBHOOK

 [playbook]
-playbook_url = http://{{ip}}:3200/playbook
+playbook_url = http://{{ip}}/playbook
 playbook_key = a4a34538782804adfcb8dfae96262514ad70c37c

 [log]
--- a/salt/soctopus/files/templates/es-generic.template
+++ b/salt/soctopus/files/templates/es-generic.template
@@ -0,0 +1,7 @@
+{% set ES = salt['pillar.get']('static:masterip', '') %}
+
+alert: modules.so.playbook-es.PlaybookESAlerter
+elasticsearch_host: "{{ ES }}:9200"
+play_title: ""
+play_url: "https://{{ ES }}/playbook/issues/6000"
+sigma_level: ""