@perfecto25
Created July 21, 2021 17:53
ElastAlert Rule Examples
# Alerts if a system file is changed or modified
name: File Integrity Changed
# Alert on x events in y seconds
type: frequency
# Alert when this many documents matching the query occur within a timeframe
num_events: 1
# num_events must occur within this amount of time to trigger an alert
timeframe:
  minutes: 30
# A list of Elasticsearch filters used to find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
filter:
- query:
    query_string:
      query: "event.module:file_integrity"
index: auditbeat-*
# When the attacker continues, send a new alert after x minutes
realert:
  minutes: 1
query_key:
  - file.path
include:
  - host.hostname
  - user.name
  - file.path
  - file.mode
  - file.group
  - file.owner
  - file.mtime
include_match_in_root: true
alert_subject: "File Integrity changed on <{}>"
alert_subject_args:
  - host.hostname
alert_text: |-
  File integrity changed on host {}.
  File path: {}
  File mode: {}
  File group: {}
  File owner: {}
  File modified time: {}
alert_text_args:
  - host.hostname
  - file.path
  - file.mode
  - file.group
  - file.owner
  - file.mtime
# The alert to use when a match is found
alert:
  - email
  - slack
email:
  - "admin@company.com"
slack_webhook_url: "https://hooks.slack.com/services/112233/CCCJJPPP/XXXYYZZ"
# Alert body only contains a title and text
alert_text_type: alert_text_only

# Checks a log file for multicast gaps
name: Multicast Gap Detector
is_enabled: true
# Alert on x events in y seconds
type: frequency
# Alert when this many documents matching the query occur within a timeframe
num_events: 1
# num_events must occur within this amount of time to trigger an alert
timeframe:
  minutes: 5
filter:
- query:
    query_string:
      query: message:"Max attempts of retransmission failed" AND log.file.path:*mcast.log
index: filebeat-*
# If gaps continue, send a new alert after x minutes
realert:
  minutes: 10
query_key:
  - log.file.path
include:
  - host.hostname
  - log.file.path
  - message
include_match_in_root: true
alert_subject: "Multicast data gaps detected on: <{}>"
alert_subject_args:
  - host.hostname
alert_text: |-
  Host: {}
  File: {}
  Message: {}
alert_text_args:
  - host.hostname
  - log.file.path
  - message
# The alert to use when a match is found
alert:
  - email
  - slack
email:
  - "admin@company.com"
slack_webhook_url: "https://hooks.slack.com/services/112233/CCCJJPPP/XXXYYZZ"
# Alert body only contains a title and text
alert_text_type: alert_text_only

# Alerts if any new package is installed
name: Package Installed
# Alert on x events in y seconds
type: frequency
# Alert when this many documents matching the query occur within a timeframe
num_events: 1
# num_events must occur within this amount of time to trigger an alert
timeframe:
  minutes: 30
# A list of Elasticsearch filters used to find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
filter:
- query:
    query_string:
      query: "event.action:package_installed"
index: auditbeat-*
# When the attacker continues, send a new alert after x minutes
realert:
  minutes: 1
query_key:
  - package.name
include:
  - host.hostname
  - message
  - package.description
  - package.name
  - package.reference
  - package.type
  - package.version
include_match_in_root: true
alert_subject: "Package Installed on <{}>"
alert_subject_args:
  - host.hostname
alert_text: |-
  Message {}.
  Package description: {}
  Package name: {}
  Package reference: {}
  Package type: {}
  Package version: {}
alert_text_args:
  - message
  - package.description
  - package.name
  - package.reference
  - package.type
  - package.version
# The alert to use when a match is found
alert:
  - email
  - slack
email:
  - "admin@company.com"
slack_webhook_url: "https://hooks.slack.com/services/112233/CCCJJPPP/XXXYYZZ"
# Alert body only contains a title and text
alert_text_type: alert_text_only

# Alerts on repeated SSH failures as detected by the Auditbeat agent
name: SSH abuse - ElastAlert 3.0.1
is_enabled: true
# Alert on x events in y seconds
type: frequency
# Alert when this many documents matching the query occur within a timeframe
num_events: 3
# num_events must occur within this amount of time to trigger an alert
timeframe:
  minutes: 30
# A list of Elasticsearch filters used to find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
filter:
- query:
    query_string:
      query: "event.type:authentication_failure"
index: auditbeat-*
# When the attacker continues, send a new alert after x minutes
realert:
  minutes: 1
query_key:
  - source.ip
include:
  - host.hostname
  - user.name
  - source.ip
include_match_in_root: true
alert_subject: "SSH abuse on <{}>"
alert_subject_args:
  - host.hostname
alert_text: |-
  An attack on {} is detected.
  The attacker looks like:
  User: {}
  IP: {}
alert_text_args:
  - host.hostname
  - user.name
  - source.ip
# The alert to use when a match is found
alert:
  - email
  - slack
email:
  - "admin@company.com"
slack_webhook_url: "https://hooks.slack.com/services/112233/CCCJJPPP/XXXYYZZ"
# Alert body only contains a title and text
alert_text_type: alert_text_only

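How `num_events`, `timeframe`, `query_key` and `realert` in the SSH abuse rule above interact, as a simplified Python model added here (not code from the gist or from ElastAlert itself). The events, timestamps and IP addresses are constructed sample data, and `evaluate` is a hypothetical helper name.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values copied from the SSH abuse rule
NUM_EVENTS = 3
TIMEFRAME = timedelta(minutes=30)
REALERT = timedelta(minutes=1)
QUERY_KEY = "source.ip"

def evaluate(events):
    """Simplified model of a frequency rule; returns (alerts, suppressed)."""
    windows = defaultdict(deque)   # one sliding window per query_key value
    silenced_until = {}            # per-key realert deadline
    alerts, suppressed = [], []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        key, ts = ev[QUERY_KEY], ev["@timestamp"]
        win = windows[key]
        win.append(ts)
        while ts - win[0] > TIMEFRAME:   # drop hits older than the timeframe
            win.popleft()
        if len(win) < NUM_EVENTS:
            continue
        win.clear()                      # a match starts a fresh window
        if ts < silenced_until.get(key, ts):
            suppressed.append((key, ts)) # matched, but inside the realert period
        else:
            alerts.append((key, ts))
            silenced_until[key] = ts + REALERT
    return alerts, suppressed

# Constructed sample data (documentation IP ranges, not real traffic)
T0 = datetime(2021, 7, 21, 10, 0, 0)

def ev(offset_s, ip):
    return {"@timestamp": T0 + timedelta(seconds=offset_s), "source.ip": ip}

SAMPLE = (
    # Fast source: 6 failures in 50 s, then 3 more five minutes later
    [ev(s, "203.0.113.5") for s in (0, 10, 20, 30, 40, 50, 300, 310, 320)]
    # Slow source: 3 failures, but never 3 inside one 30-minute window
    + [ev(s, "198.51.100.7") for s in (5, 1200, 2700)]
)

if __name__ == "__main__":
    alerts, suppressed = evaluate(SAMPLE)
    for ip, ts in alerts:
        print("ALERT     ", ip, ts.time())
    for ip, ts in suppressed:
        print("suppressed", ip, ts.time())
```

The slow source never alerts because its three failures are spread over 45 minutes, which is the gap to keep in mind when choosing `num_events` and `timeframe` for this rule.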
# Alerts if any user runs "sudo su" to root, except for system admins named Jsmith, Pbrown (to reduce noise)
name: Sudo Elevation
is_enabled: true
# Alert on x events in y seconds
type: frequency
# Alert when this many documents matching the query occur within a timeframe
num_events: 1
# num_events must occur within this amount of time to trigger an alert
timeframe:
  minutes: 5
filter:
- query:
    query_string:
      query: process.name:su AND message:"session opened" AND user.effective.name:root AND NOT (user.name:jsmith OR user.name:pbrown)
index: filebeat-*
query_key:
  - process.name
include:
  - host.hostname
  - user.name
  - related.user
include_match_in_root: true
alert_subject: "SUDO elevation on <{}>"
alert_subject_args:
  - host.hostname
alert_text: |-
  A user SUDO SU elevated to root on {}.
  User: {}
alert_text_args:
  - host.hostname
  - user.name
# The alert to use when a match is found
alert:
  - email
  - slack
email:
  - "admin@company.com"
slack_webhook_url: "https://hooks.slack.com/services/112233/CCCJJPPP/XXXYYZZ"
# Alert body only contains a title and text
alert_text_type: alert_text_only