updated elastalert rule execalerter to include 'raise' keyword

This commit is contained in:
thomashaw
2022-04-19 16:12:25 +01:00
parent 8a7c80498f
commit d2b31ecfbf
2 changed files with 2 additions and 2 deletions


@@ -64,7 +64,7 @@ class Rules
' query: "combined_path: \"' + goal['file_path'] + '\" AND auditd.result: success AND event.action: opened-file"' + "\n" +
"alert:\n" +
" - \"elastalert.modules.alerter.exec.ExecAlerter\"\n" +
"command: [\"/usr/bin/ruby\", \"/opt/alert_actioner/alert_router.rb\"]\n" +
"command: [\"/usr/bin/ruby\", \"/opt/alert_actioner/alert_router.rb\", \"raise\"]\n" +
"pipe_match_json: true\n" +
"realert:\n" +
" minutes: 0\n"
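Review bot: The new `"raise"` argument is a bare literal whose meaning lives only in /opt/alert_actioner/alert_router.rb, and the same string is typed by hand in the static rule in this commit's second file section, so the generator and the static rules can drift silently; a comment on the generator line such as `# third argv element selects the alert_router.rb action for this rule; keep in sync with the static rule files` would record the contract. On the context line above it, `goal['file_path']` is spliced into the quoted `combined_path` term without escaping, so a path containing `"` or `\` breaks the term and changes what the rule matches (or fails the rule), which is worth escaping or rejecting before the query is built if goal data is not fully controlled. The enclosing method of class Rules starts and ends outside the hunk.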


@@ -7,7 +7,7 @@ filter:
query: "related.user: 'crackme' AND (event.category: 'authentication' OR event.category: 'session') AND (event.action: 'user_login' OR event.action: 'started-session' OR event.action: 'acquired-credentials) AND event.outcome: 'success'"
alert:
- "elastalert.modules.alerter.exec.ExecAlerter"
command: ["/usr/bin/ruby", "/opt/alert_actioner/alert_router.rb"]
command: ["/usr/bin/ruby", "/opt/alert_actioner/alert_router.rb", "raise"]
pipe_match_json: true
realert:
minutes: 0
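Review bot: The query string on the line before `alert:` has an unbalanced quote — `'acquired-credentials)` is closed by `)` but never by `'` — so the third `event.action` term is malformed and the rule may fail to load or match differently than intended; the fix is `OR event.action: 'acquired-credentials') AND event.outcome: 'success'"`. This is a context line rather than part of the change, but it sits in the same rule the commit edits. The enclosing `filter:` mapping starts outside the hunk.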