From 4f9ef890980eee18b2184902bdf34f77385b9d71 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Thu, 6 Aug 2020 14:30:44 -0400
Subject: [PATCH 1/2] Simplify elastalert rules
---
 salt/elastalert/files/rules/so/suricata_thehive.yaml | 8 ++------
 salt/elastalert/files/rules/so/wazuh_thehive.yaml | 8 ++------
 2 files changed, 4 insertions(+), 12 deletions(-)
diff --git a/salt/elastalert/files/rules/so/suricata_thehive.yaml b/salt/elastalert/files/rules/so/suricata_thehive.yaml
index 0135edadd..8657d4168 100644
--- a/salt/elastalert/files/rules/so/suricata_thehive.yaml
+++ b/salt/elastalert/files/rules/so/suricata_thehive.yaml
@@ -8,14 +8,10 @@
 es_host: {{es}}
 es_port: 9200
 name: Suricata-Alert
-type: frequency
+type: any
 index: "*:so-ids-*"
-num_events: 1
-timeframe:
- minutes: 10
 buffer_time:
- minutes: 10
-allow_buffer_time_overlap: true
+ minutes: 5
 query_key: ["rule.uuid","source.ip","destination.ip"]
 realert:
 days: 1
diff --git a/salt/elastalert/files/rules/so/wazuh_thehive.yaml b/salt/elastalert/files/rules/so/wazuh_thehive.yaml
index 8aa085566..7fd49e23e 100644
--- a/salt/elastalert/files/rules/so/wazuh_thehive.yaml
+++ b/salt/elastalert/files/rules/so/wazuh_thehive.yaml
@@ -8,14 +8,10 @@
 es_host: {{es}}
 es_port: 9200
 name: Wazuh-Alert
-type: frequency
+type: any
 index: "*:so-ossec-*"
-num_events: 1
-timeframe:
- minutes: 10
 buffer_time:
- minutes: 10
-allow_buffer_time_overlap: true
+ minutes: 5
 realert:
 days: 1
 filter:
From ddd099233a1111dadd0bba37571162fdb81c9080 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Thu, 6 Aug 2020 15:43:45 -0400
Subject: [PATCH 2/2] Playbook Fixes - Issue #1064
---
 salt/elastalert/files/elastalert_config.yaml | 4 ++--
 salt/elastalert/files/modules/so/playbook-es.py | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/salt/elastalert/files/elastalert_config.yaml b/salt/elastalert/files/elastalert_config.yaml
index 7646e8221..ba2b79448 100644
--- a/salt/elastalert/files/elastalert_config.yaml
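Review bot: Dropping `allow_buffer_time_overlap: true` while shrinking `buffer_time` to 5 minutes can open a detection gap in this hunk and in the identical wazuh_thehive.yaml hunk below it: if I read ElastAlert's query-window semantics correctly, each run now starts where the previous one ended, so an event that lands in Elasticsearch more than one run interval after its `@timestamp` is never seen by the `any` rule. If late ingest from the sensors is expected, keeping the overlap flag is the safer choice (the 1-day `realert` already suppresses the duplicate alerts overlap would produce); otherwise a comment such as `# no window overlap: events indexed more than one run interval late are not re-queried` would record the trade-off. Separately, wazuh_thehive.yaml has no `query_key`, so with `type: any` and `realert: days: 1` the first Wazuh match silences every further Wazuh alert for 24 hours regardless of rule or host; the Suricata rule keys on `["rule.uuid","source.ip","destination.ip"]`, and it is worth confirming the absence of an equivalent key on the Wazuh rule is intended.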
+++ b/salt/elastalert/files/elastalert_config.yaml @@ -21,7 +21,7 @@ run_every: # ElastAlert will buffer results from the most recent # period of time, in case some log sources are not in real time buffer_time: - minutes: 1 + minutes: 5 # The maximum time between queries for ElastAlert to start at the most recently # run query. When ElastAlert starts, for each rule, it will search elastalert_metadata @@ -38,7 +38,7 @@ es_host: {{ esip }} es_port: {{ esport }} # Sets timeout for connecting to and reading from es_host -es_conn_timeout: 60 +es_conn_timeout: 55 # The maximum number of documents that will be downloaded from Elasticsearch in # a single query. The default is 10,000, and if you expect to get near this number, diff --git a/salt/elastalert/files/modules/so/playbook-es.py b/salt/elastalert/files/modules/so/playbook-es.py index c794bdf12..adc03dd29 100644 --- a/salt/elastalert/files/modules/so/playbook-es.py +++ b/salt/elastalert/files/modules/so/playbook-es.py 
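Review bot: `es_conn_timeout: 55` in the second hunk replaces 60 with no comment saying what the new value is aligned with; the existing comment only states that it is the connect/read timeout, so a later maintainer cannot tell whether 55 must stay below some other interval (the `run_every` shown as context of the first hunk is the obvious candidate, but its value is not visible here). A one-line why next to the setting, e.g. `# keep below <INTERVAL-THIS-MUST-UNDERCUT> so a hung Elasticsearch query cannot outlast it`, would pin the constraint. For `buffer_time: 5` in the first hunk, note that ElastAlert, as far as I recall, lets a rule's own `buffer_time` take precedence over this global one, and the rule files changed in PATCH 1/2 set their own, so this value only governs rules without one; a short comment to that effect would stop the two from being assumed to be linked.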
@@ -16,7 +16,7 @@ class PlaybookESAlerter(Alerter):
 today = strftime("%Y.%m.%d", gmtime())
 timestamp = strftime("%Y-%m-%d"'T'"%H:%M:%S", gmtime())
 headers = {"Content-Type": "application/json"}
- payload = {"rule.name": self.rule['play_title'],"event.severity": self.rule['event.severity'],"kibana_pivot": self.rule['kibana_pivot'],"soc_pivot": self.rule['soc_pivot'],"event.module": self.rule['event.module'],"event.dataset": self.rule['event.dataset'],"play_url": self.rule['play_url'],"sigma_level": self.rule['sigma_level'],"rule.category": self.rule['rule.category'],"data": match, "@timestamp": timestamp}
+ payload = {"rule.name": self.rule['play_title'],"event.severity": self.rule['event.severity'],"kibana_pivot": self.rule['kibana_pivot'],"soc_pivot": self.rule['soc_pivot'],"event.module": self.rule['event.module'],"event.dataset": self.rule['event.dataset'],"play_url": self.rule['play_url'],"sigma_level": self.rule['sigma_level'],"rule.category": self.rule['rule.category'],"alert_data": match, "@timestamp": timestamp}
 url = f"http://{self.rule['elasticsearch_host']}/so-playbook-alerts-{today}/_doc/"
 requests.post(url, data=json.dumps(payload), headers=headers, verify=False)
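Review bot: The response of `requests.post` on the last line is discarded, so a rejected index request (a mapping conflict or other HTTP error from Elasticsearch) or a connection failure silently drops the playbook alert with nothing logged, which defeats the purpose of an alerter; change it to `resp = requests.post(url, data=json.dumps(payload), headers=headers, verify=False)` followed by `resp.raise_for_status()`, or at least log `resp.status_code` and `resp.text` when the status is not 2xx. `verify=False` has no effect on the plain `http://` URL built on the previous line, but if `elasticsearch_host` is ever switched to TLS it would silently disable certificate verification, so consider dropping it or sourcing a CA bundle from the rule config instead. The rename of the `data` key to `alert_data` changes the document schema in `so-playbook-alerts-*`; documents already indexed keep the old key, so anything that reads these documents presumably needs the same change. The enclosing method of PlaybookESAlerter starts outside the hunk.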