CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-05-05 19:08:10 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1176 from Security-Onion-Solutions/feature/playbook

Browse Source 
Elastalert/Playbook Stability updates
This commit is contained in:
Josh Brower
2020-08-13 17:19:01 -04:00
committed by GitHub
parent ed4bee0d0b 7400bbd6c1
commit 34d8261669
3 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
salt/elastalert/files/elastalert_config.yaml
+2 -2
View File
@@ -16,12 +16,12 @@ disable_rules_on_error: false
# How often ElastAlert will query Elasticsearch # How often ElastAlert will query Elasticsearch
# The unit can be anything from weeks to seconds # The unit can be anything from weeks to seconds
run_every: run_every:
minutes: 1 minutes: 3
# ElastAlert will buffer results from the most recent # ElastAlert will buffer results from the most recent
# period of time, in case some log sources are not in real time # period of time, in case some log sources are not in real time
buffer_time: buffer_time:
minutes: 5 minutes: 10
# The maximum time between queries for ElastAlert to start at the most recently # The maximum time between queries for ElastAlert to start at the most recently
# run query. When ElastAlert starts, for each rule, it will search elastalert_metadata # run query. When ElastAlert starts, for each rule, it will search elastalert_metadata
salt/soctopus/files/templates/generic.template
+2 -2
View File
@@ -1,4 +1,4 @@
{% set es = salt['pillar.get']('global:managerip', '') %} {% set es = salt['pillar.get']('manager:url_base', '') %}
{% set hivehost = salt['pillar.get']('global:managerip', '') %} {% set hivehost = salt['pillar.get']('global:managerip', '') %}
{% set hivekey = salt['pillar.get']('global:hivekey', '') %} {% set hivekey = salt['pillar.get']('global:hivekey', '') %}
alert: alert:
@@ -15,7 +15,7 @@ hive_proxies:
https: '' https: ''
hive_alert_config: hive_alert_config:
title: '{rule[name]} - ' title: "{rule[name]} - "
type: 'playbook' type: 'playbook'
source: 'SecurityOnion' source: 'SecurityOnion'
description: "`Play:` https://{{es}}/playbook/issues/6000 \n\n `View Event:` <https://{{es}}/kibana/app/kibana#/discover?_g=()&_a=(columns:!(_source),interval:auto,query:(language:lucene,query:'_id:{match[_id]}'),sort:!('@timestamp',desc))> \n\n `Raw Data:` {match[message]}" description: "`Play:` https://{{es}}/playbook/issues/6000 \n\n `View Event:` <https://{{es}}/kibana/app/kibana#/discover?_g=()&_a=(columns:!(_source),interval:auto,query:(language:lucene,query:'_id:{match[_id]}'),sort:!('@timestamp',desc))> \n\n `Raw Data:` {match[message]}"
salt/soctopus/files/templates/osquery.template
+2 -2
View File
@@ -1,4 +1,4 @@
{% set es = salt['pillar.get']('global:managerip', '') %} {% set es = salt['pillar.get']('manager:url_base', '') %}
{% set hivehost = salt['pillar.get']('global:managerip', '') %} {% set hivehost = salt['pillar.get']('global:managerip', '') %}
{% set hivekey = salt['pillar.get']('global:hivekey', '') %} {% set hivekey = salt['pillar.get']('global:hivekey', '') %}
alert: alert:
@@ -21,7 +21,7 @@ hive_observable_data_mapping:
- other: '{match[osquery][hostname]}' - other: '{match[osquery][hostname]}'
hive_alert_config: hive_alert_config:
title: '{rule[name]} -- {match[osquery][hostname]} -- {match[osquery][name]}' title: "{rule[name]} -- {match[osquery][hostname]} -- {match[osquery][name]}"
type: 'osquery' type: 'osquery'
source: 'SecurityOnion' source: 'SecurityOnion'
description: "`Play:` https://{{es}}/playbook/issues/6000 \n\n `View Event:` <https://{{es}}/kibana/app/kibana#/discover?_g=()&_a=(columns:!(_source),interval:auto,query:(language:lucene,query:'_id:{match[_id]}'),sort:!('@timestamp',desc))> \n\n `Hostname:` __{match[osquery][hostname]}__ `Live Query:`__[Pivot Link](https://{{es}}/fleet/queries/new?host_uuids={match[osquery][LiveQuery]})__ `Pack:` __{match[osquery][name]}__ `Data:` {match[osquery][columns]}" description: "`Play:` https://{{es}}/playbook/issues/6000 \n\n `View Event:` <https://{{es}}/kibana/app/kibana#/discover?_g=()&_a=(columns:!(_source),interval:auto,query:(language:lucene,query:'_id:{match[_id]}'),sort:!('@timestamp',desc))> \n\n `Hostname:` __{match[osquery][hostname]}__ `Live Query:`__[Pivot Link](https://{{es}}/fleet/queries/new?host_uuids={match[osquery][LiveQuery]})__ `Pack:` __{match[osquery][name]}__ `Data:` {match[osquery][columns]}"