Merge pull request #98 from weslambert/elastalert

update config for Elastalert to use custom modules
This commit is contained in:
Mike Reeves
2019-09-23 10:45:53 -04:00
committed by GitHub
3 changed files with 10 additions and 9 deletions


@@ -7,7 +7,7 @@ from thehive4py.api import TheHiveApi
from thehive4py.models import Alert, AlertArtifact, CustomFieldHelper from thehive4py.models import Alert, AlertArtifact, CustomFieldHelper
class HiveAlerter(Alerter): class TheHiveAlerter(Alerter):
""" """
Use matched data to create alerts containing observables in an instance of TheHive Use matched data to create alerts containing observables in an instance of TheHive
""" """


@@ -1,9 +1,10 @@
{% set es = salt['pillar.get']('static:masterip', '') %}
{% set hivehost = salt['pillar.get']('static:masterip', '') %} {% set hivehost = salt['pillar.get']('static:masterip', '') %}
{% set hivekey = salt['pillar.get']('static:hivekey', '') %} {% set hivekey = salt['pillar.get']('static:hivekey', '') %}
# hive.yaml # hive.yaml
# Elastalert rule to forward IDS alerts from Security Onion to a specified TheHive instance. # Elastalert rule to forward IDS alerts from Security Onion to a specified TheHive instance.
# #
es_host: elasticsearch es_host: {{es}}
es_port: 9200 es_port: 9200
name: TheHive - New IDS Alert! name: TheHive - New IDS Alert!
type: frequency type: frequency
@@ -19,7 +20,7 @@ filter:
- term: - term:
event_type: "ids" event_type: "ids"
alert: elastalert.modules.so.hivealerter alert: modules.so.thehive.TheHiveAlerter
hive_connection: hive_connection:
hive_host: {{hivehost}} hive_host: {{hivehost}}
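Review bot: `es_host: {{es}}` on the new side of the first hunk leaves the templated value unquoted, so when the `static:masterip` pillar is absent the `''` default renders as a bare `es_host:`, which YAML reads as null rather than an empty string, and the misconfiguration only surfaces later as an opaque Elastalert connection error instead of at render time. Quoting the expansion, `es_host: "{{ es }}"`, keeps the value a string regardless of what the pillar holds; `hive_host: {{hivehost}}` in the second hunk has the same shape and would benefit from the same treatment. A one-line comment above the new `set` line noting that the Elasticsearch host and TheHive host are deliberately both taken from `static:masterip` would also help, since the two lookups read identically and a future reader may assume one is a copy-paste mistake.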


@@ -111,13 +111,13 @@ elastaconf:
so-elastalertimage: so-elastalertimage:
cmd.run: cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-elastalert:HH1.1.0 - name: docker pull --disable-content-trust=false soshybridhunter/so-elastalert:HH1.1.1
so-elastalert: so-elastalert:
docker_container.running: docker_container.running:
- require: - require:
- so-elastalertimage - so-elastalertimage
- image: soshybridhunter/so-elastalert:HH1.1.0 - image: soshybridhunter/so-elastalert:HH1.1.1
- hostname: elastalert - hostname: elastalert
- name: so-elastalert - name: so-elastalert
- user: elastalert - user: elastalert
@@ -125,14 +125,14 @@ so-elastalert:
- binds: - binds:
- /opt/so/rules/elastalert:/etc/elastalert/rules/:ro - /opt/so/rules/elastalert:/etc/elastalert/rules/:ro
- /opt/so/log/elastalert:/var/log/elastalert:rw - /opt/so/log/elastalert:/var/log/elastalert:rw
- /opt/so/conf/elastalert/modules:/opt/elastalert/elastalert/modules:ro - /opt/so/conf/elastalert/modules/:/opt/elastalert/modules/:ro
- /opt/so/conf/elastalert/elastalert_config.yaml:/etc/elastalert/conf/elastalert_config.yaml:ro - /opt/so/conf/elastalert/elastalert_config.yaml:/etc/elastalert/conf/elastalert_config.yaml:ro
- environment: - environment:
#- ELASTICSEARCH_HOST: {{ esip }} - ELASTICSEARCH_HOST: {{ esip }}
#- ELASTICSEARCH_PORT: {{ esport }} - ELASTICSEARCH_PORT: {{ esport }}
- ELASTALERT_CONFIG: /etc/elastalert/conf/elastalert_config.yaml - ELASTALERT_CONFIG: /etc/elastalert/conf/elastalert_config.yaml
- ELASTALERT_SUPERVISOR_CONF: /etc/elastalert/conf/elastalert_supervisord.conf - ELASTALERT_SUPERVISOR_CONF: /etc/elastalert/conf/elastalert_supervisord.conf
#- RULES_DIRECTORY: /etc/elastalert/rules/ - RULES_DIRECTORY: /etc/elastalert/rules/
- LOG_DIR: /var/log/elastalert - LOG_DIR: /var/log/elastalert
{% endif %} {% endif %}
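Review bot: The newly uncommented `- ELASTICSEARCH_HOST: {{ esip }}` and `- ELASTICSEARCH_PORT: {{ esport }}` entries in the `environment` list of the second hunk expand unquoted: `esport` renders as a bare integer and an undefined or empty `esip` renders as null, so the container environment may receive a non-string or a missing value with no render-time error. Quoting them, `- ELASTICSEARCH_HOST: "{{ esip }}"` and `- ELASTICSEARCH_PORT: "{{ esport }}"`, makes both plain strings like the other entries in the list. The re-pointed bind `/opt/so/conf/elastalert/modules/:/opt/elastalert/modules/:ro` keeps the custom alerter code read-only inside the container, which is the right choice for code the process imports; whether `/opt/elastalert` is on the Python path that the rule's `modules.so.thehive.TheHiveAlerter` reference needs cannot be confirmed from this hunk and is worth a short comment on the bind line. Both hunks sit inside the `so-elastalert` state and an enclosing `{% if %}` whose opening is outside the view.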