From 4f9ef890980eee18b2184902bdf34f77385b9d71 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Thu, 6 Aug 2020 14:30:44 -0400
Subject: [PATCH] Simplify elastalert rules

---
 salt/elastalert/files/rules/so/suricata_thehive.yaml | 8 ++------
 salt/elastalert/files/rules/so/wazuh_thehive.yaml | 8 ++------
 2 files changed, 4 insertions(+), 12 deletions(-)

diff --git a/salt/elastalert/files/rules/so/suricata_thehive.yaml b/salt/elastalert/files/rules/so/suricata_thehive.yaml
index 0135edadd..8657d4168 100644
--- a/salt/elastalert/files/rules/so/suricata_thehive.yaml
+++ b/salt/elastalert/files/rules/so/suricata_thehive.yaml
@@ -8,14 +8,10 @@ es_host: {{es}}
 es_port: 9200
 name: Suricata-Alert
-type: frequency
+type: any
 index: "*:so-ids-*"
-num_events: 1
-timeframe:
-  minutes: 10
 buffer_time:
-  minutes: 10
-allow_buffer_time_overlap: true
+  minutes: 5
 query_key: ["rule.uuid","source.ip","destination.ip"]
 realert:
   days: 1
diff --git a/salt/elastalert/files/rules/so/wazuh_thehive.yaml b/salt/elastalert/files/rules/so/wazuh_thehive.yaml
index 8aa085566..7fd49e23e 100644
--- a/salt/elastalert/files/rules/so/wazuh_thehive.yaml
+++ b/salt/elastalert/files/rules/so/wazuh_thehive.yaml
@@ -8,14 +8,10 @@ es_host: {{es}}
 es_port: 9200
 name: Wazuh-Alert
-type: frequency
+type: any
 index: "*:so-ossec-*"
-num_events: 1
-timeframe:
-  minutes: 10
 buffer_time:
-  minutes: 10
-allow_buffer_time_overlap: true
+  minutes: 5
 realert:
   days: 1
 filter:
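Review bot: Halving `buffer_time` to 5 minutes narrows the window in which a late-indexed event can still be matched, and the commit does not say why 5 minutes is enough; the same edit is made in wazuh_thehive.yaml. In ElastAlert the query window for a non-count rule is roughly `now - buffer_time` to `now`, so a Suricata or Wazuh document that lands in Elasticsearch more than about 5 minutes after its timestamp (ingest backpressure, a restarted Logstash/Filebeat) will never be queried and the TheHive alert is silently lost, whereas the old 10-minute window tolerated twice that lag. I would add `# buffer_time bounds ingest lag: an event indexed more than this long after its timestamp is never seen by this rule` above `buffer_time:` in both files, and confirm the value against observed ingest delay on the busiest sensors. Dropping `allow_buffer_time_overlap` is, as far as I recall, only significant for aggregation-based queries, so it is probably harmless here, but worth confirming. Unrelated to the change but visible in the wazuh hunk: `realert: days: 1` with no `query_key` in view means that after the first match every further Wazuh match is suppressed for 24 hours, unless `query_key` is set further down in the file outside the hunk.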