mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-08 10:12:53 +01:00
34 lines
1.3 KiB
Bash
34 lines
1.3 KiB
Bash
#!/bin/bash
|
|
#
|
|
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
|
|
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
|
|
# https://securityonion.net/license; you may not use this file except in compliance with the
|
|
# Elastic License 2.0.
|
|
|
|
# Set the default output destination to stdout
|
|
output_dest="/dev/stdout"
|
|
|
|
# If the "cron" flag is passed, change the output destination to the log file
|
|
if [ "$1" = "cron" ]; then
|
|
output_dest="/opt/so/log/soc/detections_runtime-status_sigma.log"
|
|
fi
|
|
|
|
# Run the query and output based on the output_dest value
|
|
/sbin/so-elasticsearch-query '*:elastalert_error*/_search' -d '{"query":{"range":{"@timestamp":{"gte":"now-11m","lte":"now"}}},"size": 50}' | \
|
|
jq --compact-output '.hits.hits[] | {
|
|
_timestamp: ._source["@timestamp"],
|
|
"rule.name": ._source.data.rule,
|
|
error_type: "runtime_status",
|
|
error_message: ._source.message,
|
|
detection_type: "sigma",
|
|
event_module: "soc",
|
|
event_dataset: "soc.detections",
|
|
error_analysis: (
|
|
if ._source.message | contains("Unknown column [winlog.channel]") then "Target logsource never seen"
|
|
elif ._source.message | contains("parsing_exception") then "Syntax Error"
|
|
else "Unknown"
|
|
end
|
|
)
|
|
}' >> $output_dest
|
|
|