From 30d732e18f53920f5a60440b2403f2a163bbb0bd Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Wed, 18 Sep 2019 19:37:47 +0000
Subject: [PATCH 1/3] sync default Elastalert rules
---
 salt/elastalert/files/rules/so/nids2hive.yaml | 45 +++++++++++++++++++
 salt/elastalert/init.sls | 8 ++++
 2 files changed, 53 insertions(+)
 create mode 100644 salt/elastalert/files/rules/so/nids2hive.yaml
diff --git a/salt/elastalert/files/rules/so/nids2hive.yaml b/salt/elastalert/files/rules/so/nids2hive.yaml
new file mode 100644
index 000000000..e5e3a7111
--- /dev/null
+++ b/salt/elastalert/files/rules/so/nids2hive.yaml
@@ -0,0 +1,45 @@
+{% set hivehost = salt['pillar.get']('static:masterip', '') %} %}
+{% set hivekey = salt['pillar.get']('static:hivekey', '') %}
+# hive.yaml
+# Elastalert rule to forward IDS alerts from Security Onion to a specified TheHive instance.
+#
+es_host: elasticsearch
+es_port: 9200
+name: TheHive - New IDS Alert!
+type: frequency
+index: "*:logstash-ids*"
+num_events: 1
+timeframe:
+  minutes: 10
+buffer_time:
+  minutes: 10
+allow_buffer_time_overlap: true
+
+filter:
+- term:
+    event_type: "ids"
+
+alert: elastalert.modules.so.hivealerter
+
+hive_connection:
+  hive_host: {{hivehost}}
+  hive_apikey: {{hivekey}}
+
+hive_proxies:
+  http: ''
+  https: ''
+
+hive_alert_config:
+  title: '{rule[name]} -- {match[alert]}'
+  type: 'external'
+  source: 'SecurityOnion'
+  description: '{match[message]}'
+  severity: 2
+  tags: ['elastalert, SecurityOnion']
+  tlp: 3
+  status: 'New'
+  follow: True
+
+hive_observable_data_mapping:
+  - ip: '{match[source_ip]}'
+  - ip: '{match[destination_ip]}'
diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls
index 4250165b5..2dd06f200
--- a/salt/elastalert/init.sls
+++ b/salt/elastalert/init.sls
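Review bot: In `hive_alert_config`, `tags: ['elastalert, SecurityOnion']` is a one-element list whose single string is `elastalert, SecurityOnion` (the comma sits inside the quotes), so TheHive receives one malformed tag instead of two; it should read `tags: ['elastalert', 'SecurityOnion']`. The two Jinja substitutions under `hive_connection` are rendered unquoted: with the `''` pillar defaults they come out as `hive_host:` / `hive_apikey:` (YAML null rather than an empty string), and an API key that begins with a YAML indicator or parses as a number would be silently retyped — write `hive_host: '{{ hivehost }}'` and `hive_apikey: '{{ hivekey }}'`. `follow: True` should be the canonical lowercase `true` so the value survives YAML 1.1/1.2 parsers alike. Because the rendered rule embeds the TheHive API key in cleartext, the permissions of the deployed copy matter; a short header comment such as `# Rendered with the TheHive API key from pillar static:hivekey — keep this file readable only by the ElastAlert user` would make that explicit to operators.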
@@ -93,6 +93,14 @@ elastasomodulesync:
     - group: 939
     - makedirs: True
 
+elastarulesync:
+  file.recurse:
+    - name: /opt/so/rules/elastalert
+    - source: salt://elastalert/files/rules
+    - user: 933
+    - group: 939
+    - template: jinja
+
 elastaconf:
   file.managed:
     - name: /opt/so/conf/elastalert/elastalert_config.yaml
From 1f8fd7ddd18a730eda0b760277780c0d8a2cdf6a Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Wed, 18 Sep 2019 19:42:02 +0000
Subject: [PATCH 2/3] fix typo
---
 salt/elastalert/files/rules/so/nids2hive.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elastalert/files/rules/so/nids2hive.yaml b/salt/elastalert/files/rules/so/nids2hive.yaml
index e5e3a7111..1d4b4ee39 100644
--- a/salt/elastalert/files/rules/so/nids2hive.yaml
+++ b/salt/elastalert/files/rules/so/nids2hive.yaml
@@ -1,4 +1,4 @@
-{% set hivehost = salt['pillar.get']('static:masterip', '') %} %}
+{% set hivehost = salt['pillar.get']('static:masterip', '') %}
 {% set hivekey = salt['pillar.get']('static:hivekey', '') %}
 # hive.yaml
 # Elastalert rule to forward IDS alerts from Security Onion to a specified TheHive instance.
From 9a53cfd5ffb504eca3cff0a735056de440971994 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Wed, 18 Sep 2019 19:47:39 +0000
Subject: [PATCH 3/3] update path
---
 salt/elastalert/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls
index 2dd06f200..b17e657ca 100644
--- a/salt/elastalert/init.sls
+++ b/salt/elastalert/init.sls
@@ -96,7 +96,7 @@ elastasomodulesync:
 elastarulesync:
   file.recurse:
     - name: /opt/so/rules/elastalert
-    - source: salt://elastalert/files/rules
+    - source: salt://elastalert/files/rules/so
     - user: 933
     - group: 939
     - template: jinja
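Review bot: The new `elastarulesync` state renders the rule tree with `template: jinja`, and the rule shipped alongside it writes the TheHive API key from the `static:hivekey` pillar into `/opt/so/rules/elastalert`, yet the state sets neither `file_mode` nor `dir_mode`, so the rendered file keeps whatever mode the fileserver copy carries (commonly world-readable). Add `- file_mode: '0600'` and `- dir_mode: '0750'` next to `- user: 933` / `- group: 939` so only the ElastAlert account can read the key. The source path this hunk introduces is already corrected to `.../files/rules/so` by the third patch, so no change is needed there. Whether `- clean: True` is appropriate depends on whether operators drop local rules into the same directory — worth a comment in the state either way.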