From 75ec169d5cea4b988fe313087a25351a922c17cf Mon Sep 17 00:00:00 2001
From: ipninichuck
Date: Wed, 22 May 2019 04:30:47 -0700
Subject: [PATCH] added metadata field to the watcher alert

While utilizing Kibana to track watches directly from the watch index it became quickly apparent that useful metadata was not available. In my project's case it was the title, description and tags from the sigma rule. By adding them to the metadata field it makes it easier to utilize them in visualizations of the watches themselves. In the future perhaps the contents of the metadata field could be given as an option for each user.

---
 tools/sigma/backends/elasticsearch.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py
index a723a5767..4e36cc51d 100644
--- a/tools/sigma/backends/elasticsearch.py
+++ b/tools/sigma/backends/elasticsearch.py
@@ -408,6 +408,7 @@ class XPackWatcherBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin)
 description = sigmaparser.parsedyaml.setdefault("description", "")
 false_positives = sigmaparser.parsedyaml.setdefault("falsepositives", "")
 level = sigmaparser.parsedyaml.setdefault("level", "")
+ tags = sigmaparser.parsedyaml.setdefault("tags", "")
 
 # Get time frame if exists
 interval = sigmaparser.parsedyaml["detection"].setdefault("timeframe", "30m")
@@ -535,6 +536,11 @@ class XPackWatcherBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin)
 }
 
 self.watcher_alert[rulename] = {
+ "metadata": {
+ "title": title,
+ "description": description,
+ "tags": tags
+ },
 "trigger": {
 "schedule": {
 "interval": interval # how often the watcher should check
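Review bot: The default for `tags` in the first hunk should be a list, not a string: Sigma rules declare `tags` as a YAML sequence, so a rule without tags will now store `""` in `metadata.tags` while every other watch stores an array, which makes the field inconsistent for the Kibana visualizations this commit is written for and for any aggregation keyed on it. Change it to `tags = sigmaparser.parsedyaml.setdefault("tags", [])`. As with the neighbouring lookups, `setdefault` also writes the default back into the parsed rule dict; that is the existing pattern in this method, but `sigmaparser.parsedyaml.get("tags", [])` would avoid the side effect if nothing downstream relies on the key being present. The enclosing method starts before the first hunk and continues past the second, and `title` used in the new `metadata` dict is presumably bound earlier in the method outside the visible lines.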