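# ElastAlert rule: fire on EVERY document whose "type" field matches "access".
#
# NOTE(review): the rule type is "any", so it alerts once per matching hit with no
# deduplication or "never seen before" logic. The commented-out "fields" and
# "terms_window_size" keys below only apply to the "new_term" rule type; if the
# intent is "alert on a never-before-seen value" (e.g. a new source IP for a user),
# change "type" to "new_term" and set them. With "any" on a busy access log this
# rule can flood the Telegram chat.

# (Optional) Elasticsearch host and port.
# Defaults point at a local instance. If Elasticsearch is reached over a network,
# also enable TLS and authentication below so credentials and hits do not travel
# in clear.
es_host: localhost
es_port: 9200

# (Optional) Connect with TLS to Elasticsearch.
#use_ssl: true

# (Optional) basic-auth username and password for Elasticsearch.
# SECRETS: do not commit real values; keep them in a file excluded from VCS and
# readable only by the user ElastAlert runs as.
#es_username: someusername
#es_password: somepassword

# (Required) Rule name; must be unique across the loaded rules.
name: openvpn_term_rule

# (Required) Rule type. "any" matches every document returned by the filter.
type: any

# (Required) Index to search; wildcards supported.
index: example-*

# (new_term specific; has no effect under type "any")
# Field(s) whose previously unseen values would trigger the alert.
#fields:
#  - "_id"

# (new_term specific; has no effect under type "any")
# How far back to query on startup to learn which values already exist; values
# seen inside that window do not alert when they reappear.
#terms_window_size:
#  days: 1

# (Required) Elasticsearch filters used to find events.
# They are joined with AND and nested in a filtered query.
# See https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl.html
# We keep only documents whose "type" field is "access".
# query_string parses Lucene syntax; for an exact match on a keyword field a
# "term" filter is stricter and avoids query-syntax surprises.
filter:
  - query:
      query_string:
        query: "type: access"

# (Required) Alerter(s) used when a match is found.
alert:
  - "telegram"

# Message body: the positional {n} placeholders are filled from alert_text_args,
# read from the matched document. alert_text_only sends just this text without
# the default match details.
# NOTE(review): "username2" must be an actual field in the access documents —
# confirm against the index mapping, otherwise the placeholder carries no value.
alert_text: "from elastalert - {0}, {1}, {2}"
alert_text_args: ["type", "username2", "timestamp"]
alert_text_type: alert_text_only

# Bot token issued by @BotFather.
# SECRET: whoever holds it can send as the bot and read its updates; keep the
# real value out of VCS.
telegram_bot_token: bot_token

# Unique identifier for the target chat, or the channel username as
# "@channelusername". To find a chat id, message the bot and inspect
# https://api.telegram.org/bot<telegram_bot_token>/getUpdates
# (the literal "bot" prefix directly precedes the token in the URL).
telegram_room_id: "chat_id"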