Merge pull request #556 from Security-Onion-Solutions/bugfix/playbook1

NIDS2TheHive Update for ECS
Josh Brower
2020-04-11 11:48:13 -04:00
committed by GitHub


@@ -8,21 +8,20 @@ es_host: {{es}}
es_port: 9200
name: NIDS-Alert
type: frequency
index: "*:logstash-ids*"
index: "so-ids-*"
num_events: 1
timeframe:
minutes: 10
buffer_time:
minutes: 10
allow_buffer_time_overlap: true
query_key: ["alert", "ips"]
query_key: ["rule.signature_id"]
realert:
days: 1
filter:
- query:
query_string:
query: "event_type: ids AND NOT tags: _jsonparsefailure"
query: "event.module: suricata"
alert: modules.so.thehive.TheHiveAlerter
@@ -35,16 +34,16 @@ hive_proxies:
https: ''
hive_alert_config:
title: '{match[alert]}'
title: '{match[rule][name]}'
type: 'NIDS'
source: 'SecurityOnion'
description: "`NIDS Dashboard:` \n\n <https://{{es}}/kibana/app/kibana#/dashboard/ed6f7e20-e060-11e9-8f0c-2ddbf5ed9290?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'sid:{match[sid]}')),sort:!('@timestamp',desc))> \n\n `IPs: `{match[source_ip]}:{match[source_port]} --> {match[destination_ip]}:{match[destination_port]} \n\n `Signature:` {match[rule_signature]}"
description: "`NIDS Dashboard:` \n\n <https://{{es}}/kibana/app/kibana#/dashboard/ed6f7e20-e060-11e9-8f0c-2ddbf5ed9290?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'sid:')),sort:!('@timestamp',desc))> \n\n `IPs: `{match[source][ip]}:{match[source][port]} --> {match[destination][ip]}:{match[destination][port]} \n\n `Signature:`{match[rule][rule]}"
severity: 2
tags: ['{match[sid]}','{match[source_ip]}','{match[destination_ip]}']
tags: ['{match[rule][signature_id]}','{match[source][ip]}','{match[destination][ip]}']
tlp: 3
status: 'New'
follow: True
hive_observable_data_mapping:
- ip: '{match[source_ip]}'
- ip: '{match[destination_ip]}'
- ip: '{match[source][ip]}'
- ip: '{match[destination][ip]}'
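Review bot: The Kibana link in the new description line lost its signature-id placeholder — the dashboard URL now ends in `query:'sid:'` where the old line had `sid:{match[sid]}` — so the link opens the dashboard with an empty filter instead of narrowing to the alert's rule; the ECS placeholder this commit uses elsewhere is `{match[rule][signature_id]}`, and since the data is now ECS the field name in the query would presumably be `rule.signature_id` rather than `sid`, e.g. `query:'rule.signature_id:{match[rule][signature_id]}'`. The same URL still targets `index:'*:logstash-*'` although the rule's `index` was switched to `so-ids-*`, so even a corrected query may search the wrong pattern — confirm which Kibana index pattern the ECS alerts land in. The space between `` `Signature:` `` and `{match[rule][rule]}` was also dropped, and whether `rule.rule` rather than `rule.name` (used for the title) is the intended Signature value is not evident from the hunk. Writing this description as a `>-` folded scalar would make placeholder changes like these visible line by line in future diffs.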