Update Elasticsearch Watcher backend to populate name field in alert …
…metadata
Cody Swanson committed Jun 27, 2021
1 parent abe353d commit ab3a54c
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions tools/sigma/backends/elasticsearch.py
Expand Up @@ -1038,7 +1038,7 @@ def generate(self, sigmaparser):
iaction = {
"elastic":{
"transform":{ #adding title, description, tags on the event
"script": "ctx.payload.transform = [];for (int j=0;j<ctx.payload.hits.total;j++){ctx.payload.hits.hits[j]._source.alerttimestamp=ctx.trigger.scheduled_time;ctx.payload.hits.hits[j]._source.alerttitle=ctx.metadata.title;ctx.payload.hits.hits[j]._source.alertquery=ctx.metadata.query;ctx.payload.hits.hits[j]._source.alertdescription=ctx.metadata.description;ctx.payload.hits.hits[j]._source.tags=ctx.metadata.tags;ctx.payload.transform.add(ctx.payload.hits.hits[j]._source)} return ['_doc': ctx.payload.transform];"
"script": "ctx.payload.transform = [];for (int j=0;j<ctx.payload.hits.total;j++){ctx.payload.hits.hits[j]._source.alerttimestamp=ctx.trigger.scheduled_time;ctx.payload.hits.hits[j]._source.alerttitle=ctx.metadata.name;ctx.payload.hits.hits[j]._source.alertquery=ctx.metadata.query;ctx.payload.hits.hits[j]._source.alertdescription=ctx.metadata.description;ctx.payload.hits.hits[j]._source.tags=ctx.metadata.tags;ctx.payload.transform.add(ctx.payload.hits.hits[j]._source)} return ['_doc': ctx.payload.transform];"
},
"index":{
"index": index,
Expand All @@ -1060,7 +1060,7 @@ def generate(self, sigmaparser):

self.watcher_alert[rulename] = {
"metadata": {
"title": title,
"name": title,
"description": description,
"tags": tags,
"query":result #addede query to metadata. very useful in kibana to do drill down directly from discover
