sync default Elastalert rules

salt/elastalert/files/rules/so/nids2hive.yaml

@@ -0,0 +1,45 @@
+{% set hivehost = salt['pillar.get']('static:masterip', '') %} %}
+{% set hivekey = salt['pillar.get']('static:hivekey', '') %}
+# hive.yaml
+# Elastalert rule to forward IDS alerts from Security Onion to a specified TheHive instance.
+#
+es_host: elasticsearch
+es_port: 9200
+name: TheHive - New IDS Alert!
+type: frequency
+index: "*:logstash-ids*"
+num_events: 1
+timeframe:
+    minutes: 10
+buffer_time:
+    minutes: 10
+allow_buffer_time_overlap: true
+
+filter:
+- term:
+    event_type: "ids"
+
+alert: elastalert.modules.so.hivealerter
+
+hive_connection:
+  hive_host: {{hivehost}}
+  hive_apikey: {{hivekey}}
+
+hive_proxies:
+  http: ''
+  https: ''
+
+hive_alert_config:
+  title: '{rule[name]} -- {match[alert]}'
+  type: 'external'
+  source: 'SecurityOnion'
+  description: '{match[message]}'
+  severity: 2
+  tags: ['elastalert, SecurityOnion']
+  tlp: 3
+  status: 'New'
+  follow: True
+
+hive_observable_data_mapping:
+  - ip: '{match[source_ip]}'
+  - ip: '{match[destination_ip]}'

salt/elastalert/init.sls

@@ -93,6 +93,14 @@ elastasomodulesync:
     - group: 939
     - makedirs: True
 
+elastarulesync:
+  file.recurse:
+    - name: /opt/so/rules/elastalert
+    - source: salt://elastalert/files/rules
+    - user: 933
+    - group: 939
+    - template: jinja
+
 elastaconf:
   file.managed:
     - name: /opt/so/conf/elastalert/elastalert_config.yaml