update alerts to match the new aggregation functions

2015-05-27 13:23:42 -07:00 · 2015-05-27 13:23:42 -07:00 · f3f6edefa4
--- a/alerts/bro_intel_pyes.py
+++ b/alerts/bro_intel_pyes.py
@ -24,12 +24,12 @@ class AlertBroIntel(AlertTask):
        self.filtersManual(date_timedelta, must=must)

        # Search aggregations on field 'seenindicator', keep 50 samples of events at most
-        self.searchEventsAggreg('seenindicator', samplesLimit=50)
+        self.searchEventsAggregated('details.seenindicator', samplesLimit=50)
        # alert when >= 5 matching events in an aggregation
        self.walkAggregations(threshold=5)

    # Set alert properties
-    def onAggreg(self, aggreg):
+    def onAggregation(self, aggreg):
        # aggreg['count']: number of items in the aggregation, ex: number of failed login attempts
        # aggreg['value']: value of the aggregation field, ex: toto@example.com
        # aggreg['events']: list of events in the aggregation
--- a/alerts/bruteforce_ssh_pyes.py
+++ b/alerts/bruteforce_ssh_pyes.py
@ -30,12 +30,12 @@ class AlertBruteforceSsh(AlertTask):
        self.filtersManual(date_timedelta, must=must, must_not=must_not)

        # Search aggregations on field 'sourceipaddress', keep X samples of events at most
-        self.searchEventsAggreg('sourceipaddress', samplesLimit=10)
+        self.searchEventsAggregated('details.sourceipaddress', samplesLimit=10)
        # alert when >= X matching events in an aggregation
        self.walkAggregations(threshold=10)

    # Set alert properties
-    def onAggreg(self, aggreg):
+    def onAggregation(self, aggreg):
        # aggreg['count']: number of items in the aggregation, ex: number of failed login attempts
        # aggreg['value']: value of the aggregation field, ex: toto@example.com
        # aggreg['events']: list of events in the aggregation
@ -46,7 +46,7 @@ class AlertBruteforceSsh(AlertTask):
        summary = ('{0} ssh bruteforce attempts by {1}'.format(aggreg['count'], aggreg['value']))
        hosts = self.mostCommon(aggreg['allevents'],'_source.details.hostname')
        for i in hosts[:5]:
-            summary += ' {0} ({1} hits)'.format(i[0], i[1])        
+            summary += ' {0} ({1} hits)'.format(i[0], i[1])

        # Create the alert object based on these properties
        return self.createAlertDict(summary, category, tags, aggreg['events'], severity)
--- a/alerts/cloudtrail_pyes.py
+++ b/alerts/cloudtrail_pyes.py
@ -46,4 +46,4 @@ class AlertCloudtrail(AlertTask):
                summary += (' starting {0} '.format(i['instanceId']))

        # Create the alert object based on these properties
-        return self.createAlertDict(summary, category, tags, [event], severity)
+        return self.createAlertDict(summary, category, tags, [event], severity)
--- a/alerts/duo_fail_open.py
+++ b/alerts/duo_fail_open.py
@ -26,13 +26,13 @@ class AlertDuoFailOpen(AlertTask):
        self.filtersManual(date_timedelta, must=must)

        # Search aggregations on field 'sourceipaddress', keep X samples of events at most
-        self.searchEventsAggreg('hostname', samplesLimit=10)
+        self.searchEventsAggregated('details.hostname', samplesLimit=10)
        # alert when >= X matching events in an aggregation
        # in this case, always
        self.walkAggregations(threshold=1)

    # Set alert properties
-    def onAggreg(self, aggreg):
+    def onAggregation(self, aggreg):
        # aggreg['count']: number of items in the aggregation, ex: number of failed login attempts
        # aggreg['value']: value of the aggregation field, ex: toto@example.com
        # aggreg['events']: list of events in the aggregation
--- a/alerts/fail2ban_pyes.py
+++ b/alerts/fail2ban_pyes.py
@ -36,4 +36,4 @@ class AlertFail2ban(AlertTask):
        summary='{0}: {1}'.format(event['_source']['details']['hostname'], event['_source']['summary'].strip())

        # Create the alert object based on these properties
-        return self.createAlertDict(summary, category, tags, [event], severity)
+        return self.createAlertDict(summary, category, tags, [event], severity)
--- a/alerts/multiple_intel_hits_pyes.py
+++ b/alerts/multiple_intel_hits_pyes.py
@ -28,12 +28,12 @@ class AlertMultipleIntelHits(AlertTask):
        self.filtersManual(date_timedelta, must=must)

        # Search aggregations on field 'seenindicator', keep X samples of events at most
-        self.searchEventsAggreg('seenindicator', samplesLimit=10)
+        self.searchEventsAggregated('details.seenindicator', samplesLimit=10)
        # alert when >= X matching events in an aggregation
        self.walkAggregations(threshold=10)

    # Set alert properties
-    def onAggreg(self, aggreg):
+    def onAggregation(self, aggreg):
        # aggreg['count']: number of items in the aggregation, ex: number of failed login attempts
        # aggreg['value']: value of the aggregation field, ex: toto@example.com
        # aggreg['events']: list of events in the aggregation
@ -43,7 +43,7 @@ class AlertMultipleIntelHits(AlertTask):
        hostname = aggreg['events'][0]['_source']['hostname']

        summary = '{0} {1} {2} on {3}'.format(aggreg['count'], hostname, ' Bro intel match for indicator:', aggreg['value'])
-        
+
        summary += ' sample hosts that hit it: '
        for e in aggreg['events'][:3]:
            if 'details' in e['_source'].keys() \