mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-06 09:12:45 +01:00
46 lines
1.5 KiB
YAML
46 lines
1.5 KiB
YAML
{% set es = salt['pillar.get']('global:managerip', '') %}
|
|
{% set hivehost = salt['pillar.get']('global:managerip', '') %}
|
|
{% set hivekey = salt['pillar.get']('global:hivekey', '') %}
|
|
{% set MANAGER = salt['pillar.get']('global:url_base', '') %}
|
|
|
|
# Elastalert rule to forward high level Wazuh alerts from Security Onion to a specified TheHive instance.
|
|
#
|
|
es_host: {{es}}
|
|
es_port: 9200
|
|
name: Wazuh-Alert
|
|
type: any
|
|
index: "*:so-ossec-*"
|
|
buffer_time:
|
|
minutes: 5
|
|
realert:
|
|
days: 1
|
|
filter:
|
|
- query:
|
|
query_string:
|
|
query: "event.module: ossec AND rule.level>=8"
|
|
|
|
alert: hivealerter
|
|
|
|
hive_connection:
|
|
hive_host: http://{{hivehost}}
|
|
hive_port: 9000/thehive
|
|
hive_apikey: {{hivekey}}
|
|
|
|
hive_proxies:
|
|
http: ''
|
|
https: ''
|
|
|
|
hive_alert_config:
|
|
title: '{match[rule][name]}'
|
|
type: 'wazuh'
|
|
source: 'SecurityOnion'
|
|
description: "`SOC Hunt Pivot:` \n\n <https://{{MANAGER}}/#/hunt?q=event.module%3A%20ossec%20AND%20rule.id%3A{match[rule][id]}%20%7C%20groupby%20host.name%20rule.name> \n\n `Kibana Dashboard Pivot:` \n\n <https://{{MANAGER}}/kibana/app/kibana#/dashboard/ed6f7e20-e060-11e9-8f0c-2ddbf5ed9290?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'sid:')),sort:!('@timestamp',desc))>"
|
|
severity: 2
|
|
tags: ['{match[rule][id]}','{match[host][name]}']
|
|
tlp: 3
|
|
status: 'New'
|
|
follow: True
|
|
|
|
hive_observable_data_mapping:
|
|
- other: '{match[host][name]}'
|