From f3f6edefa462dbc1ed53f83fc22841775b217096 Mon Sep 17 00:00:00 2001
From: Jeff Bryner
Date: Wed, 27 May 2015 13:23:42 -0700
Subject: [PATCH] update alerts to match the new aggregation functions
---
 alerts/bro_intel_pyes.py | 4 ++--
 alerts/bruteforce_ssh_pyes.py | 6 +++---
 alerts/cloudtrail_pyes.py | 2 +-
 alerts/duo_fail_open.py | 4 ++--
 alerts/fail2ban_pyes.py | 2 +-
 alerts/multiple_intel_hits_pyes.py | 6 +++---
 6 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/alerts/bro_intel_pyes.py b/alerts/bro_intel_pyes.py
index bb93be55..3ed2e4e1 100644
--- a/alerts/bro_intel_pyes.py
+++ b/alerts/bro_intel_pyes.py
@@ -24,12 +24,12 @@ class AlertBroIntel(AlertTask):
 self.filtersManual(date_timedelta, must=must)
 # Search aggregations on field 'seenindicator', keep 50 samples of events at most
- self.searchEventsAggreg('seenindicator', samplesLimit=50)
+ self.searchEventsAggregated('details.seenindicator', samplesLimit=50)
 # alert when >= 5 matching events in an aggregation
 self.walkAggregations(threshold=5)
 # Set alert properties
- def onAggreg(self, aggreg):
+ def onAggregation(self, aggreg):
 # aggreg['count']: number of items in the aggregation, ex: number of failed login attempts
 # aggreg['value']: value of the aggregation field, ex: toto@example.com
 # aggreg['events']: list of events in the aggregation
diff --git a/alerts/bruteforce_ssh_pyes.py b/alerts/bruteforce_ssh_pyes.py
index 19c4871e..d6748088 100644
--- a/alerts/bruteforce_ssh_pyes.py
+++ b/alerts/bruteforce_ssh_pyes.py
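Review bot: The new aggregation key `details.seenindicator` is a bare path string with nothing in the hunk tying it to the index mapping; if that field is indexed as an analyzed string, a terms aggregation buckets on its tokens rather than on the whole indicator, so a single domain or URL indicator could be split across several buckets and the `threshold=5` passed to walkAggregations would be counted against fragments — worth confirming the mapping stores it as a not_analyzed/keyword field. The same switch to a `details.*` path is made in bruteforce_ssh_pyes.py (`details.sourceipaddress`), duo_fail_open.py (`details.hostname`) and multiple_intel_hits_pyes.py (`details.seenindicator`), so one mapping check covers all four alerts. The comment above the call still names the old field; `# Search aggregations on field 'details.seenindicator', keep 50 samples of events at most` would keep it accurate. Both methods touched by this hunk continue outside it.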
@@ -30,12 +30,12 @@ class AlertBruteforceSsh(AlertTask):
 self.filtersManual(date_timedelta, must=must, must_not=must_not)
 # Search aggregations on field 'sourceipaddress', keep X samples of events at most
- self.searchEventsAggreg('sourceipaddress', samplesLimit=10)
+ self.searchEventsAggregated('details.sourceipaddress', samplesLimit=10)
 # alert when >= X matching events in an aggregation
 self.walkAggregations(threshold=10)
 # Set alert properties
- def onAggreg(self, aggreg):
+ def onAggregation(self, aggreg):
 # aggreg['count']: number of items in the aggregation, ex: number of failed login attempts
 # aggreg['value']: value of the aggregation field, ex: toto@example.com
 # aggreg['events']: list of events in the aggregation
@@ -46,7 +46,7 @@ class AlertBruteforceSsh(AlertTask):
 summary = ('{0} ssh bruteforce attempts by {1}'.format(aggreg['count'], aggreg['value']))
 hosts = self.mostCommon(aggreg['allevents'],'_source.details.hostname')
 for i in hosts[:5]:
- summary += ' {0} ({1} hits)'.format(i[0], i[1])
+ summary += ' {0} ({1} hits)'.format(i[0], i[1])
 # Create the alert object based on these properties
 return self.createAlertDict(summary, category, tags, aggreg['events'], severity)
diff --git a/alerts/cloudtrail_pyes.py b/alerts/cloudtrail_pyes.py
index e2081ba9..16da4759 100644
--- a/alerts/cloudtrail_pyes.py
+++ b/alerts/cloudtrail_pyes.py
@@ -46,4 +46,4 @@ class AlertCloudtrail(AlertTask):
 summary += (' starting {0} '.format(i['instanceId']))
 # Create the alert object based on these properties
- return self.createAlertDict(summary, category, tags, [event], severity)
\ No newline at end of file
+ return self.createAlertDict(summary, category, tags, [event], severity)
diff --git a/alerts/duo_fail_open.py b/alerts/duo_fail_open.py
index 84f14db6..9d85be7d 100644
--- a/alerts/duo_fail_open.py
+++ b/alerts/duo_fail_open.py
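Review bot: The comments around the changed call still carry the placeholder `X` (`keep X samples of events at most`, `alert when >= X matching events`) while the code fixes both values at 10, and the bro_intel alert in this same patch states its real numbers; `# Search aggregations on field 'details.sourceipaddress', keep 10 samples of events at most` and `# alert when >= 10 matching events in an aggregation` would make the two files consistent. Because the aggregation is keyed on the source address only, attempts spread across many addresses each stay under the per-key threshold; if that is an accepted scope for this alert, a one-line comment next to walkAggregations saying so would spare the next reader from re-deriving it. The method containing the call and the onAggregation body both continue outside the hunk.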
@@ -26,13 +26,13 @@ class AlertDuoFailOpen(AlertTask):
 self.filtersManual(date_timedelta, must=must)
 # Search aggregations on field 'sourceipaddress', keep X samples of events at most
- self.searchEventsAggreg('hostname', samplesLimit=10)
+ self.searchEventsAggregated('details.hostname', samplesLimit=10)
 # alert when >= X matching events in an aggregation
 # in this case, always
 self.walkAggregations(threshold=1)
 # Set alert properties
- def onAggreg(self, aggreg):
+ def onAggregation(self, aggreg):
 # aggreg['count']: number of items in the aggregation, ex: number of failed login attempts
 # aggreg['value']: value of the aggregation field, ex: toto@example.com
 # aggreg['events']: list of events in the aggregation
diff --git a/alerts/fail2ban_pyes.py b/alerts/fail2ban_pyes.py
index 2dddba17..b3799cf4 100644
--- a/alerts/fail2ban_pyes.py
+++ b/alerts/fail2ban_pyes.py
@@ -36,4 +36,4 @@ class AlertFail2ban(AlertTask):
 summary='{0}: {1}'.format(event['_source']['details']['hostname'], event['_source']['summary'].strip())
 # Create the alert object based on these properties
- return self.createAlertDict(summary, category, tags, [event], severity)
\ No newline at end of file
+ return self.createAlertDict(summary, category, tags, [event], severity)
diff --git a/alerts/multiple_intel_hits_pyes.py b/alerts/multiple_intel_hits_pyes.py
index 78ab5144..5668d3eb 100644
--- a/alerts/multiple_intel_hits_pyes.py
+++ b/alerts/multiple_intel_hits_pyes.py
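Review bot: The comment directly above the changed line still says `Search aggregations on field 'sourceipaddress'` while the call aggregates on `details.hostname` (it was already `hostname` before this commit), so a reader is told the alert keys on the wrong attribute; `# Search aggregations on field 'details.hostname', keep 10 samples of events at most` matches the code. The `keep X samples` and `>= X matching events` placeholders could likewise become the literal 10 and 1 now that the values are fixed. The method containing the call and the onAggregation body both continue outside the hunk.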
@@ -28,12 +28,12 @@ class AlertMultipleIntelHits(AlertTask):
 self.filtersManual(date_timedelta, must=must)
 # Search aggregations on field 'seenindicator', keep X samples of events at most
- self.searchEventsAggreg('seenindicator', samplesLimit=10)
+ self.searchEventsAggregated('details.seenindicator', samplesLimit=10)
 # alert when >= X matching events in an aggregation
 self.walkAggregations(threshold=10)
 # Set alert properties
- def onAggreg(self, aggreg):
+ def onAggregation(self, aggreg):
 # aggreg['count']: number of items in the aggregation, ex: number of failed login attempts
 # aggreg['value']: value of the aggregation field, ex: toto@example.com
 # aggreg['events']: list of events in the aggregation
@@ -43,7 +43,7 @@ class AlertMultipleIntelHits(AlertTask):
 hostname = aggreg['events'][0]['_source']['hostname']
 summary = '{0} {1} {2} on {3}'.format(aggreg['count'], hostname, ' Bro intel match for indicator:', aggreg['value'])
-
+
 summary += ' sample hosts that hit it: '
 for e in aggreg['events'][:3]:
 if 'details' in e['_source'].keys() \