Merge branch 'agix-elastalert_dsl_backend'

2019-05-30 22:38:41 +02:00
parent 2cf402aa1f 67707b6c82
commit fa0aaa7d2b
10 changed files with 44 additions and 15 deletions
@@ -26,6 +26,7 @@ test-sigmac:
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t graylog rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher -c tools/config/elk-winlogbeat.yml rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert -c tools/config/elk-winlogbeat.yml -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null
+	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert-dsl -c tools/config/elk-winlogbeat.yml -O alert_methods=http_post,email -O emails=test@test.invalid -O http_post_url=http://test.invalid rules/ > /dev/null
 	! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-all-index.yml rules/ > /dev/null
 	coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunkxml -c tools/config/splunk-windows-all-index.yml rules/ > /dev/null
@@ -6,5 +6,6 @@ backends:
  - kibana
  - xpack-watcher
  - elastalert
+  - elastalert-dsl
 defaultindex:
    - filebeat-*
@@ -6,5 +6,6 @@ backends:
  - kibana
  - xpack-watcher
  - elastalert
+  - elastalert-dsl
 defaultindex:
    - logstash-*
@@ -6,6 +6,7 @@ backends:
  - kibana
  - xpack-watcher
  - elastalert
+  - elastalert-dsl
 defaultindex:
    - logstash-*
    - filebeat-*
@@ -6,6 +6,7 @@ backends:
  - kibana
  - xpack-watcher
  - elastalert
+  - elastalert-dsl
 logsources:
    apache:
        category: webserver
@@ -6,6 +6,7 @@ backends:
  - kibana
  - xpack-watcher
  - elastalert
+  - elastalert-dsl
 logsources:
  windows:
    product: windows
@@ -38,6 +39,6 @@ logsources:
  windows-dhcp:
    product: windows
    service: dhcp
-    conditions: 
+    conditions:
      source: 'Microsoft-Windows-DHCP-Server/Operational'
 defaultindex: logstash-*
@@ -6,6 +6,7 @@ backends:
  - kibana
  - xpack-watcher
  - elastalert
+  - elastalert-dsl
 logsources:
  windows:
    product: windows
@@ -38,7 +39,7 @@ logsources:
  windows-dhcp:
    product: windows
    service: dhcp
-    conditions: 
+    conditions:
      source: 'Microsoft-Windows-DHCP-Server/Operational'
 defaultindex: winlogbeat-*
 # Extract all field names qith yq:
@@ -6,6 +6,7 @@ backends:
  - kibana
  - xpack-watcher
  - elastalert
+  - elastalert-dsl
 logsources:
  windows-application:
    product: windows
@@ -25,7 +25,7 @@ from .mixins import RulenameCommentMixin, QuoteCharMixin
 class BackendOptions(dict):
    """
    Object containing all the options that should be passed to the backend.
-    
+
    The options can come from command line and a YAML configuration file, and will be merged together.
    Options from the command line take precedence.
    """
@@ -588,9 +588,8 @@ class XPackWatcherBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin)
                raise NotImplementedError("Output type '%s' not supported" % self.output_type)
        return result

-class ElastalertBackend(MultiRuleOutputMixin, ElasticsearchQuerystringBackend):
+class ElastalertBackend(MultiRuleOutputMixin):
    """Elastalert backend"""
-    identifier = 'elastalert'
    active = True
    supported_alert_methods = {'email', 'http_post'}

@@ -646,7 +645,9 @@ class ElastalertBackend(MultiRuleOutputMixin, ElasticsearchQuerystringBackend):
                "realert": self.generateTimeframe(self.realert_time),
                #"exponential_realert": self.generateTimeframe(self.expo_realert_time)
            }
+
            rule_object['filter'] = self.generateQuery(parsed)
+            self.queries = []

            #Handle aggregation
            if parsed.parsedAgg:
@@ -722,10 +723,6 @@ class ElastalertBackend(MultiRuleOutputMixin, ElasticsearchQuerystringBackend):
            #Clear fields
            self.fields = []

-    def generateQuery(self, parsed):
-        #Generate ES QS Query
-        return [{ 'query' : { 'query_string' : { 'query' : super().generateQuery(parsed) } } }]
-
    def generateNode(self, node):
        #Save fields for adding them in query_key
        #if type(node) == sigma.parser.NodeSubexpression:
@@ -761,12 +758,12 @@ class ElastalertBackend(MultiRuleOutputMixin, ElasticsearchQuerystringBackend):
                raise NotImplementedError("%s : The '%s' aggregation operator is not yet implemented for this backend"%(self.title, funcname))

    def convertLevel(self, level):
-    	return {
-        	'critical': 1,
-        	'high': 2,
-        	'medium': 3,
-        	'low': 4
-    	}.get(level, 2)
+        return {
+            'critical': 1,
+            'high': 2,
+            'medium': 3,
+            'low': 4
+        }.get(level, 2)

    def finalize(self):
        result = ""
@@ -774,3 +771,27 @@ class ElastalertBackend(MultiRuleOutputMixin, ElasticsearchQuerystringBackend):
            result += yaml.dump(rule, default_flow_style=False)
            result += '\n'
        return result
+
+class ElastalertBackendDsl(ElastalertBackend, ElasticsearchDSLBackend):
+    """Elastalert backend"""
+    identifier = 'elastalert-dsl'
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+
+    def generateQuery(self, parsed):
+        #Generate ES DSL Query
+        super().generateBefore(parsed)
+        super().generateQuery(parsed)
+        super().generateAfter(parsed)
+        return self.queries
+
+class ElastalertBackendQs(ElastalertBackend, ElasticsearchQuerystringBackend):
+    """Elastalert backend"""
+    identifier = 'elastalert'
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+
+    def generateQuery(self, parsed):
+        #Generate ES QS Query
+        return [{ 'query' : { 'query_string' : { 'query' : super().generateQuery(parsed) } } }]
+