From d2b31ecfbf00824e586e20f3d38aeda8bf867f76 Mon Sep 17 00:00:00 2001
From: thomashaw
Date: Tue, 19 Apr 2022 16:12:25 +0100
Subject: [PATCH] updated elastalert rule execalerter to include 'raise' keyword

---
 lib/helpers/rules.rb | 2 +-
 .../elastalert/files/example_rules/example-acc-access.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/helpers/rules.rb b/lib/helpers/rules.rb
index 9f52e1e0e..8b5c148eb 100644
--- a/lib/helpers/rules.rb
+++ b/lib/helpers/rules.rb
@@ -64,7 +64,7 @@ class Rules
 ' query: "combined_path: \"' + goal['file_path'] + '\" AND auditd.result: success AND event.action: opened-file"' + "\n" +
 "alert:\n" +
 " - \"elastalert.modules.alerter.exec.ExecAlerter\"\n" +
- "command: [\"/usr/bin/ruby\", \"/opt/alert_actioner/alert_router.rb\"]\n" +
+ "command: [\"/usr/bin/ruby\", \"/opt/alert_actioner/alert_router.rb\", \"raise\"]\n" +
 "pipe_match_json: true\n" +
 "realert:\n" +
 " minutes: 0\n"
diff --git a/modules/utilities/unix/logging/elastalert/files/example_rules/example-acc-access.yaml b/modules/utilities/unix/logging/elastalert/files/example_rules/example-acc-access.yaml
index 85b328083..fbbcbbc10 100644
--- a/modules/utilities/unix/logging/elastalert/files/example_rules/example-acc-access.yaml
+++ b/modules/utilities/unix/logging/elastalert/files/example_rules/example-acc-access.yaml
@@ -7,7 +7,7 @@ filter:
 query: "related.user: 'crackme' AND (event.category: 'authentication' OR event.category: 'session') AND (event.action: 'user_login' OR event.action: 'started-session' OR event.action: 'acquired-credentials) AND event.outcome: 'success'"
 alert:
 - "elastalert.modules.alerter.exec.ExecAlerter"
-command: ["/usr/bin/ruby", "/opt/alert_actioner/alert_router.rb"]
+command: ["/usr/bin/ruby", "/opt/alert_actioner/alert_router.rb", "raise"]
 pipe_match_json: true
 realert:
 minutes: 0
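Review bot: The new `"raise"` argument on the generated `command:` line in rules.rb is a bare literal whose meaning is not explained in the hunk, and the same literal is now duplicated by hand in the `command:` line of example-acc-access.yaml (second hunk), so the two copies have to be kept in sync manually. A one-line comment above each, such as `# positional arg selects the alert_router.rb action ("raise" = <describe action>); keep in sync with example_rules/*.yaml`, would help, with the description filled in from alert_router.rb, which is not part of this patch. The argument is a fixed string rather than anything interpolated from the match, and the match still reaches the script on stdin via `pipe_match_json: true`, so the change adds no argv surface; stating that in the comment discourages a later edit from passing match fields on the command line instead. Separately, the unchanged `query:` context line in the YAML hunk has an unmatched single quote after `acquired-credentials` (pre-existing, not introduced here); if the query string is rejected at load or search time the rule never fires, which is worth a follow-up. The `Rules` class body continues outside the first hunk.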