Open mutedmouse opened 4 years ago
Have you checked the other indices? Apparently you get the match body in the elastlalert index https://elastalert.readthedocs.io/en/latest/elastalert_status.html
Sry about the last one comment, I had not seen the update. I'll check the elastalert_status and send the results of the rule in this ticket tomorrow.
Blacklist rule now works with match_body extraction on the latest HELK build. I will post the rule I used here for users to reference as an example. There are surprisingly few working examples, so perhaps it can help others.
Steps taken to build rule and resolve question are below:
Entering the docker container
sudo docker exec -it -u0 helk-elastalert /bin/bash
Change user to elastalertuser:
su elastalert
Creating and testing rule before applying
vim /etc/elastalert/blacklist_hash.yml
add the following lines to the blacklist_hash.yml
alert:
  - debug
description: Detects a blacklisted hash
filter:
  - query:
      query_string:
        query: (event.code:1)
ignore_null: true
compare_key: hash_md5
blacklist:
  - "!file /etc/elastalert/blacklist.csv"
index: logs-*
name: Hash-Blacklist-Match_0
priority: 2
realert:
  minutes: 0
type: blacklist
save the blacklist_hash.yml
Create your blacklist.csv lookup file
vim /etc/elastalert/blacklist.csv
add your hash or blacklist values separated by newlines here
check your case, as elastic sees all uppercase values for hashes
save the blacklist.csv
Test your rule against recent data
/usr/local/bin/elastalert-test-rule --config /etc/elastalert/config.yaml --days 1 /etc/elastalert/blacklist_hash.yml
verify you have hits in the final JSON output
Copy your rule to production folder
cp /etc/elastalert/blacklist_hash.yml /etc/elastalert/rules/
Using the kibana Discovery page, search the index elastalert_status_status for "Hash-Blacklist-Match_0". Once it loads and elastalert runs this rule, you will see it appear in the results.
Your results should now appear in the elastalert_status index with match_body information relating to the md5 matching value from your blacklist.csv file.
Hope this helps any who find this. The query is as basic as it comes and can be significantly improved upon but provides a syntactic example of a functional blacklist elastalert rule.
Thanks for the hint on where to look @Cyb3rWard0g and the awesome platform.
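To make the case caveat above concrete, here is a stand-alone Python re-implementation of what the posted rule does (an added example, not ElastAlert's or HELK's code); the event field names and sample hashes are constructed, and the blacklist.csv content is passed in as text so it runs offline.

```python
# Added illustration (not ElastAlert's or HELK's code): a stand-alone re-implementation of
# what the posted blacklist rule does, to show the hash case pitfall the author notes above.

# Constructed blacklist.csv content, one MD5 per line; the first entry is lowercase on purpose.
BLACKLIST_CSV = "d41d8cd98f00b204e9800998ecf8427e\nE3B0C44298FC1C149AFBF4C8996FB924\n"

# Constructed Sysmon-style events as stored in logs-* (assumed field names; hashes uppercase).
EVENTS = [
    {"event": {"code": 1}, "hash_md5": "D41D8CD98F00B204E9800998ECF8427E"},
    {"event": {"code": 1}, "hash_md5": "E3B0C44298FC1C149AFBF4C8996FB924"},
    {"event": {"code": 1}},  # no hash field at all
    {"event": {"code": 3}, "hash_md5": "D41D8CD98F00B204E9800998ECF8427E"},  # filtered out
]
RULE_BLACKLIST = ["!file /etc/elastalert/blacklist.csv"]  # as written in the posted rule

def load_blacklist(entries, file_text, normalize=False):
    """Expand the rule's blacklist; a "!file <path>" entry pulls values from that file (given inline here)."""
    values = set()
    for entry in entries:
        if entry.startswith("!file "):
            values.update(line.strip() for line in file_text.splitlines() if line.strip())
        else:
            values.add(entry)
    return {v.upper() for v in values} if normalize else values

def lookup_key(event, dotted_key):
    """Resolve a dotted compare_key such as "event.code" or "hash_md5"; None if absent."""
    current = event
    for part in dotted_key.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current

def blacklist_matches(events, blacklist, compare_key="hash_md5", normalize=False):
    """Apply the filter (event.code:1), then return events whose compare_key value is blacklisted."""
    hits = []
    for event in events:
        if lookup_key(event, "event.code") != 1:
            continue
        value = lookup_key(event, compare_key)
        if value is None:  # missing key never matches, which is what ignore_null: true asks for
            continue
        if normalize:
            value = str(value).upper()
        if value in blacklist:
            hits.append(event)
    return hits
```

With exact-case comparison only the uppercase csv entry hits; uppercasing both the file values and the event field (normalize=True) makes both blacklisted hashes match.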
Thank you very much @mutedmouse! I will tag this to be added to the Wiki. Thank you!
I have added a custom rule to helk-elastalert that tests blacklist hashes. This rule has been tested against sample data using elastalert-test-rule and returns the sample hit as seen below in the final output from the elastalert-test-rule command:
When reviewing elastalert_status_status I can see that the rule is loading and matching. However, no alert match_information is being shown in elastalert_status. All sigma and original rules are appearing as predicted.
My custom rule, heavily redacted, is shown below and placed in the /etc/elastalert/rules directory in the helk-elastalert container:
What can I do to get the match data to populate in elastalert_status with the same level of information as the sigma rules do? For example, when sigma rules populate the elastalert_status index, I receive the entire match_body fields broken out from the original event.