75ec169d5c
added metadata field to the watcher alert
...
While utilizing Kibana to track watches directly from the watch index it became quickly apparent that useful metadata was not available. In my project's case it was the title, description and tags from the sigma rule. By adding them to the metadata field it makes it easier to utilize them in visualizations of the watches themselves. In the future perhaps the contents of the metadata field could be given as an option for each user.
2019-05-22 04:30:47 -07:00
194afa739f
Generate rule name for each condition
...
In backends kibana and xpack-watcher.
Fixes #329
2019-05-21 00:36:19 +02:00
af0bd1b082
Removed debug code from backend option handling
...
Additionally: code simplification
2019-05-21 00:21:52 +02:00
7e163d71eb
Added option to use old URL in xpack-watcher backend
2019-05-21 00:01:21 +02:00
f86342012a
Update elasticsearch.py
...
From ElasticSearch 7.0, the URI to access to Watcher API changes
Deprecation: [PUT /_xpack/watcher/watch/{id}] is deprecated! Use [PUT /_watcher/watch/{id}] instead.
2019-05-16 16:17:57 +02:00
a6d2a5d79b
fix: more general fixes of the var type issue
2019-05-15 21:25:53 +02:00
9f1bbb0a0d
fix: missing type check in WDATP backend
2019-05-15 21:20:20 +02:00
526468bec3
Merge pull request #298 from christophetd/elastalert-allow-rules-without-http-post-url
...
Allow generating Elastalert rules with the http_post alert type without specifying a URL at generation time
2019-05-10 00:31:33 +02:00
a361664ed2
Merge pull request #318 from HacknowledgeCH/es-qs-not-parenthesis-fix
...
Correct parenthesization for NOT expressions in the ES-QS backend
2019-05-10 00:14:29 +02:00
eb022f3908
Conditional field mapping for null values
...
Fixes #326
2019-04-25 23:24:05 +02:00
cfb4f32651
Backend es-dsl tolerates rules without title and log source
2019-04-25 22:41:31 +02:00
d0bd8a2a41
Mandatory configuration for most backends
2019-04-22 23:40:21 +02:00
4e16bbafa8
Correct parenthesization for NOT expressions in the ES-QS backend
2019-04-16 10:30:18 +02:00
152febcea2
sumologic: fixing non-pushed cleannode()
2019-04-07 13:04:15 -04:00
d32e5c10b8
Allow generating Elastalert rules with the http_post alert type without specifying a URL at generation time
2019-04-03 17:22:58 +02:00
0419ff215a
Fixed quoting of single quotes in grep backend
2019-04-01 23:22:05 +02:00
2dda9a7b77
Moved Sysmon schema XML from contrib directory into module
2019-03-16 00:59:29 +01:00
5e973a6321
Fixes and CI testing of --backend-config
2019-03-15 23:46:38 +01:00
0864d05aa5
Merge branch 'backend-config-file' of https://github.com/christophetd/sigma into christophetd-backend-config-file
2019-03-15 23:35:11 +01:00
3f7e08733a
Added backend option 'sysmon' for ala backend
2019-03-15 23:26:15 +01:00
8d1723e65c
Merge branch 'master' of https://github.com/tuckner/sigma into tuckner-master
2019-03-15 23:06:08 +01:00
a1ba04aec8
modified process creation logic
2019-03-08 00:01:43 -06:00
a429f09cc1
Merge branch 'elastalert-alert-types' of https://github.com/christophetd/sigma into christophetd-elastalert-alert-types
2019-03-07 23:54:05 +01:00
e9ddd933f8
more fixes for process creation
2019-03-07 16:28:35 -06:00
5a64f572e3
update
2019-03-07 10:32:59 -06:00
283bd278f4
added eventid to sysmon process creation
2019-03-05 20:58:23 -06:00
971bd49071
accomodated process creation and slash escapes
2019-03-05 20:50:30 -06:00
cf186387af
Added schema file checking
2019-03-04 11:53:51 -06:00
c5796d7853
Added Azure Log Analytics backend
2019-03-04 10:49:50 -06:00
8179d182c4
added azure log analytics
2019-03-04 10:44:45 -06:00
c922f7d73f
Merge branch 'master' into project-1
2019-02-26 00:24:46 +01:00
1a6faf385c
Add HTTP POST alert type to the Elastalert backend
2019-02-23 14:12:14 +01:00
3a7160d52b
Accept backend options from a configuration file ( closes #213 )
2019-02-23 13:20:20 +01:00
9ef314486e
Grep backend escapes +
2019-02-19 14:49:06 +01:00
01dfc23a26
Merge pull request #234 from juju4/devel-sumo
...
Sumologic support update
2019-02-09 23:54:23 +01:00
4429d7564f
remove 'escape' of '_' - not needed
2019-02-09 12:57:43 -05:00
a815b7eb9b
add custom cleanValue function for wildcards in keyvalue: OK with lists, NOK with string
2019-02-09 12:57:07 -05:00
5d94b9f0bc
Changed stats to eventstats
...
Changed 'stats' to 'eventstats' when using aggregation, this keeps the original data of the event in the result.
2019-02-05 17:36:46 +01:00
2f5eb08b41
Adapt count function when aggfield not present
...
When no field is present, use "count" , when field is present use "dc(field)". As described in the Sigma specifications.
Splunk throws errors when using "count()" with empy fields. use "count" instead.
2019-02-05 15:44:05 +01:00
7d159fb980
sumologic backend: review with inspiration from arcsight
2019-02-03 12:53:58 -05:00
6215a694a8
Remove escaping from '\\*' in es-dsl backend
2019-02-02 23:51:11 +01:00
8a0784ad33
Fixed escaping of \\*
2019-02-02 00:18:58 +01:00
2fd88c837d
Added generic sigma rule support to WDATP backend
...
* Process creation rules
2019-01-14 23:54:05 +01:00
a9cf14438c
Merge branch 'master' into project-1
2019-01-14 22:36:15 +01:00
aa37ef2559
extending the qradar backend to allow for timeframe query
2019-01-11 03:33:49 +00:00
73b0c3a25b
Fixed wildcard issue for es-dsl backend
...
Moved field mapping code into mixin shared by es-qs and es-dsl.
2018-12-21 14:10:45 +01:00
ffd43823cf
Fixed wildcard issue in es-qs backend and depending
...
See GitHub issue #194 . Fix for es-dsl is pending.
2018-12-19 00:33:12 +01:00
4175d0cdd5
Fixed config and added index field
...
* Added index field _index to backend implementation
* Fixed index values in config
2018-12-10 22:37:39 +01:00
1f707cb37c
Adding Sumologic backend
2018-12-09 17:55:51 -05:00
2091c90538
Fixed ElastAlert *_key options
...
* Always use .keyword field instead of analyzed one
* Fixed 'null' value if group field was not set
2018-12-09 22:33:23 +01:00
ipninichuck