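# ElastAlert rule: rendered by Salt (Jinja) first, then loaded by ElastAlert
# as plain YAML. A single osquery event matching `filter` inside `timeframe`
# raises an alert in TheHive through the SecurityOnion alerter module.
#
# Both the Elasticsearch host and the TheHive host resolve to the manager
# (pillar key static:masterip); the API key comes from pillar as well, so no
# credential is stored in this file.
{% set es = salt['pillar.get']('static:masterip', '') %}
{% set hivehost = salt['pillar.get']('static:masterip', '') %}
{% set hivekey = salt['pillar.get']('static:hivekey', '') %}

# Templated scalars are quoted so that an empty pillar value renders as ""
# instead of a YAML null, and the rendered value is always a string.
es_host: "{{es}}"
es_port: 9200

# Every rule needs a unique name; "Alert-Name" is a placeholder to replace.
name: Alert-Name
type: frequency
# Index pattern; the `*:` prefix also matches indices on remote clusters.
index: "*:logstash-*"
# One matching event inside the window is enough to fire.
num_events: 1
timeframe:
  minutes: 10
buffer_time:
  minutes: 10
allow_buffer_time_overlap: true

# Placeholder query_string -- replace with the osquery pack/query to alert on.
filter:
  - query:
      query_string:
        query: 'select from test'

alert: modules.so.thehive.TheHiveAlerter

hive_connection:
  hive_host: "https://{{hivehost}}/thehive/"
  hive_apikey: "{{hivekey}}"

  # Left empty: no proxy is configured for reaching TheHive.
  hive_proxies:
    http: ''
    https: ''

# Fields of the alert created in TheHive. The {rule[...]} and {match[...]}
# placeholders are expanded by ElastAlert from the rule and the matching
# document.
hive_alert_config:
  title: '{rule[name]} -- {match[osquery][hostname]} -- {match[osquery][name]}'
  type: 'external'
  source: 'SecurityOnion'
  description: '`Hostname:` __{match[osquery][hostname]}__ `Live Query:`__[Pivot Link](https://{{es}}/fleet/queries/new?host_uuids={match[osquery][LiveQuery]})__ `Pack:` __{match[osquery][name]}__ `Data:` {match[osquery][columns]}'
  severity: 2
  tags: ['elastalert', 'SecurityOnion']
  tlp: 3
  status: 'New'
  # Canonical lowercase boolean (was `True`; PyYAML reads both as a bool).
  follow: true
  # Quoted so the template id stays a string rather than becoming an int.
  caseTemplate: '5000'

# Match fields promoted to TheHive observables; the key is the observable
# type (ip / other) and the value is the field formatted from the match.
hive_observable_data_mapping:
  - ip: '{match[osquery][EndpointIP1]}'
  - ip: '{match[osquery][EndpointIP2]}'
  - other: '{match[osquery][hostIdentifier]}'
  - other: '{match[osquery][hostname]}'
  - ip: '{match[osquery][columns][address]}'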