Created
July 21, 2021 17:53
-
-
Save perfecto25/445e1b568f6fc6ade503b9f1b93fc522 to your computer and use it in GitHub Desktop.
ElastAlert Rule Examples
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # alerts if system file is changed or modified | |
| name: File Integrity Changed | |
| # Alert on x events in y seconds | |
| type: frequency | |
| # Alert when this many documents matching the query occur within a timeframe | |
| num_events: 1 | |
| # num_events must occur within this amount of time to trigger an alert | |
| timeframe: | |
| minutes: 30 | |
| # A list of elasticsearch filters used for find events | |
| # These filters are joined with AND and nested in a filtered query | |
| # For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html | |
| filter: | |
| - query: | |
| query_string: | |
| query: "event.module:file_integrity" | |
| index: auditbeat-* | |
| # When the attacker continues, send a new alert after x minutes | |
| realert: | |
| minutes: 1 | |
| query_key: | |
| - file.path | |
| include: | |
| - host.hostname | |
| - user.name | |
| - file.path | |
| - file.mode | |
| - file.group | |
| - file.owner | |
| - file.mtime | |
| include_match_in_root: true | |
| alert_subject: "File Integrity changed on <{}>" | |
| alert_subject_args: | |
| - host.hostname | |
| alert_text: |- | |
| File integrity changed on host {}. | |
| File path: {} | |
| File mode: {} | |
| File group: {} | |
| File owner: {} | |
| File modified time: {} | |
| alert_text_args: | |
| - host.hostname | |
| - file.path | |
| - file.mode | |
| - file.group | |
| - file.owner | |
| - file.mtime | |
| # The alert is use when a match is found | |
| alert: | |
| - slack | |
| email: | |
| - "[email protected]" | |
| slack_webhook_url: "https://hooks.slack.com/services/112233/CCCJJPPP/XXXYYZZ" | |
| # Alert body only cointains a title and text | |
| alert_text_type: alert_text_only |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # checks log file for multicast gaps | |
| name: Multicast Gap Detector | |
| is_enabled: true | |
| # Alert on x events in y seconds | |
| type: frequency | |
| # Alert when this many documents matching the query occur within a timeframe | |
| num_events: 1 | |
| # num_events must occur within this amount of time to trigger an alert | |
| timeframe: | |
| minutes: 5 | |
| filter: | |
| - query: | |
| query_string: | |
| query: message:"Max attempts of retransmission failed" AND log.file.path:*mcast.log | |
| index: filebeat-* | |
| # if gaps continue send a new alert after x minutes | |
| realert: | |
| minutes: 10 | |
| query_key: | |
| - log.file.path | |
| include: | |
| - host.hostname | |
| - log.file.path | |
| - message | |
| include_match_in_root: true | |
| alert_subject: "Multicast data gaps detected on: <{}>" | |
| alert_subject_args: | |
| - host.hostname | |
| alert_text: |- | |
| Host: {} | |
| File: {} | |
| Message: {} | |
| alert_text_args: | |
| - host.hostname | |
| - log.file.path | |
| - message | |
| # The alert is use when a match is found | |
| alert: | |
| - slack | |
| email: | |
| - "[email protected]" | |
| slack_webhook_url: "https://hooks.slack.com/services/112233/CCCJJPPP/XXXYYZZ" | |
| # Alert body only cointains a title and text | |
| alert_text_type: alert_text_only |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Alerts if any new pckage is installed | |
| name: Package Installed | |
| # Alert on x events in y seconds | |
| type: frequency | |
| # Alert when this many documents matching the query occur within a timeframe | |
| num_events: 1 | |
| # num_events must occur within this amount of time to trigger an alert | |
| timeframe: | |
| minutes: 30 | |
| # A list of elasticsearch filters used for find events | |
| # These filters are joined with AND and nested in a filtered query | |
| # For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html | |
| filter: | |
| - query: | |
| query_string: | |
| query: "event.action:package_installed" | |
| index: auditbeat-* | |
| # When the attacker continues, send a new alert after x minutes | |
| realert: | |
| minutes: 1 | |
| query_key: | |
| - package.name | |
| include: | |
| - host.hostname | |
| - message | |
| - package.description | |
| - package.name | |
| - package.reference | |
| - package.type | |
| - package.version | |
| include_match_in_root: true | |
| alert_subject: "Package Installed on <{}>" | |
| alert_subject_args: | |
| - host.hostname | |
| alert_text: |- | |
| Message {}. | |
| Package description: {} | |
| Package name: {} | |
| Package reference: {} | |
| Package type: {} | |
| Package version: {} | |
| alert_text_args: | |
| - message | |
| - package.description | |
| - package.name | |
| - package.reference | |
| - package.type | |
| - package.version | |
| # The alert is use when a match is found | |
| alert: | |
| - slack | |
| email: | |
| - "[email protected]" | |
| slack_webhook_url: "https://hooks.slack.com/services/112233/CCCJJPPP/XXXYYZZ" | |
| # Alert body only cointains a title and text | |
| alert_text_type: alert_text_only |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Alerts on repeated SSH failures as detected by Auditbeat agent | |
| name: SSH abuse - ElastAlert 3.0.1 | |
| is_enabled: true | |
| # Alert on x events in y seconds | |
| type: frequency | |
| # Alert when this many documents matching the query occur within a timeframe | |
| num_events: 3 | |
| # num_events must occur within this amount of time to trigger an alert | |
| timeframe: | |
| minutes: 30 | |
| # A list of elasticsearch filters used for find events | |
| # These filters are joined with AND and nested in a filtered query | |
| # For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html | |
| filter: | |
| - query: | |
| query_string: | |
| query: "event.type:authentication_failure" | |
| index: auditbeat-* | |
| # When the attacker continues, send a new alert after x minutes | |
| realert: | |
| minutes: 1 | |
| query_key: | |
| - source.ip | |
| include: | |
| - host.hostname | |
| - user.name | |
| - source.ip | |
| include_match_in_root: true | |
| alert_subject: "SSH abuse on <{}>" | |
| alert_subject_args: | |
| - host.hostname | |
| alert_text: |- | |
| An attack on {} is detected. | |
| The attacker looks like: | |
| User: {} | |
| IP: {} | |
| alert_text_args: | |
| - host.hostname | |
| - user.name | |
| - source.ip | |
| # The alert is use when a match is found | |
| alert: | |
| - slack | |
| email: | |
| - "[email protected]" | |
| slack_webhook_url: "https://hooks.slack.com/services/112233/CCCJJPPP/XXXYYZZ" | |
| # Alert body only cointains a title and text | |
| alert_text_type: alert_text_only |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # alerts if any user "sudo su" to root, except for system admins named Jsmith, Pbrown (to reduce noise) | |
| name: Sudo Elevation | |
| is_enabled: true | |
| # Alert on x events in y seconds | |
| type: frequency | |
| # Alert when this many documents matching the query occur within a timeframe | |
| num_events: 1 | |
| # num_events must occur within this amount of time to trigger an alert | |
| timeframe: | |
| minutes: 5 | |
| filter: | |
| - query: | |
| query_string: | |
| query: process.name:su AND message:"session opened" AND user.effective.name:root AND NOT (user.name:jsmith OR user.name:pbrown) | |
| index: filebeat-* | |
| query_key: | |
| - process.name | |
| include: | |
| - host.hostname | |
| - user.name | |
| - related.user | |
| include_match_in_root: true | |
| alert_subject: "SUDO elevation on <{}>" | |
| alert_subject_args: | |
| - host.hostname | |
| alert_text: |- | |
| A user SUDO SU elevated to root on {}. | |
| User: {} | |
| alert_text_args: | |
| - host.hostname | |
| - user.name | |
| # The alert is use when a match is found | |
| alert: | |
| - slack | |
| email: | |
| - "[email protected]" | |
| slack_webhook_url: "https://hooks.slack.com/services/112233/CCCJJPPP/XXXYYZZ" | |
| # Alert body only cointains a title and text | |
| alert_text_type: alert_text_only |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment