digital-forensics-labs/SecGen
1
0
Fork 0
mirror of https://github.com/cliffe/SecGen.git synced 2026-02-21 19:28:02 +00:00
Code Issues Packages Projects Releases Wiki Activity

updated elastalert rule execalerter to include 'raise' keyword

Browse Source
This commit is contained in:
thomashaw
2022-04-19 16:12:25 +01:00
parent 8a7c80498f
commit d2b31ecfbf
2 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
lib/helpers/rules.rb
View File

@@ -64,7 +64,7 @@ class Rules
' query: "combined_path: \"' + goal['file_path'] + '\" AND auditd.result: success AND event.action: opened-file"' + "\n" +
"alert:\n" +
" - \"elastalert.modules.alerter.exec.ExecAlerter\"\n" +
"command: [\"/usr/bin/ruby\", \"/opt/alert_actioner/alert_router.rb\"]\n" +
"command: [\"/usr/bin/ruby\", \"/opt/alert_actioner/alert_router.rb\", \"raise\"]\n" +
"pipe_match_json: true\n" +
"realert:\n" +
" minutes: 0\n"

2
modules/utilities/unix/logging/elastalert/files/example_rules/example-acc-access.yaml
View File

@@ -7,7 +7,7 @@ filter:
query: "related.user: 'crackme' AND (event.category: 'authentication' OR event.category: 'session') AND (event.action: 'user_login' OR event.action: 'started-session' OR event.action: 'acquired-credentials) AND event.outcome: 'success'"
alert:
- "elastalert.modules.alerter.exec.ExecAlerter"
command: ["/usr/bin/ruby", "/opt/alert_actioner/alert_router.rb"]
command: ["/usr/bin/ruby", "/opt/alert_actioner/alert_router.rb", "raise"]
pipe_match_json: true
realert:
minutes: 0