sync default Elastalert rules

2025-12-06 09:12:45 +01:00 · 2019-09-18 19:37:47 +00:00
parent 6cd9ce8040
commit 30d732e18f
2 changed files with 53 additions and 0 deletions
--- a/salt/elastalert/files/rules/so/nids2hive.yaml
+++ b/salt/elastalert/files/rules/so/nids2hive.yaml
@@ -0,0 +1,45 @@
+{% set hivehost = salt['pillar.get']('static:masterip', '') %} %}
+{% set hivekey = salt['pillar.get']('static:hivekey', '') %}
+# hive.yaml
+# Elastalert rule to forward IDS alerts from Security Onion to a specified TheHive instance.
+#
+es_host: elasticsearch
+es_port: 9200
+name: TheHive - New IDS Alert!
+type: frequency
+index: "*:logstash-ids*"
+num_events: 1
+timeframe:
+    minutes: 10
+buffer_time:
+    minutes: 10
+allow_buffer_time_overlap: true
+
+filter:
+- term:
+    event_type: "ids"
+
+alert: elastalert.modules.so.hivealerter
+
+hive_connection:
+  hive_host: {{hivehost}}
+  hive_apikey: {{hivekey}}
+
+hive_proxies:
+  http: ''
+  https: ''
+
+hive_alert_config:
+  title: '{rule[name]} -- {match[alert]}'
+  type: 'external'
+  source: 'SecurityOnion'
+  description: '{match[message]}'
+  severity: 2
+  tags: ['elastalert, SecurityOnion']
+  tlp: 3
+  status: 'New'
+  follow: True
+
+hive_observable_data_mapping:
+  - ip: '{match[source_ip]}'
+  - ip: '{match[destination_ip]}'
--- a/salt/elastalert/init.sls
+++ b/salt/elastalert/init.sls
@@ -93,6 +93,14 @@ elastasomodulesync:
    - group: 939
    - makedirs: True

+elastarulesync:
+  file.recurse:
+    - name: /opt/so/rules/elastalert
+    - source: salt://elastalert/files/rules
+    - user: 933
+    - group: 939
+    - template: jinja
+
 elastaconf:
  file.managed:
    - name: /opt/so/conf/elastalert/elastalert_config.yaml