Security-Onion-Solutions / security-onion

Security Onion 16.04 - Linux distro for threat hunting, enterprise security monitoring, and log management
https://securityonion.net

Elastalert - Update new_term.yaml #1706

Closed weslambert closed 4 years ago

weslambert commented 4 years ago

```
INFO:elastalert:Queried rule Security Onion Elastalert - New Term Alert from 2020-01-14 12:49 UTC to 2020-01-14 12:50 UTC: 0 hits
ERROR:root:Traceback (most recent call last):
  File "/opt/elastalert/elastalert/elastalert.py", line 1270, in handle_rule_execution
    num_matches = self.run_rule(rule, endtime, rule.get('initial_starttime'))
  File "/opt/elastalert/elastalert/elastalert.py", line 905, in run_rule
    if not self.run_query(rule, rule['starttime'], endtime):
  File "/opt/elastalert/elastalert/elastalert.py", line 645, in run_query
    rule_inst.add_count_data(data)
  File "/opt/elastalert/elastalert/ruletypes.py", line 84, in add_count_data
    raise NotImplementedError()
NotImplementedError
```

weslambert commented 4 years ago

It seems that we need to remark/remove use_count_query (and doc_type is no longer needed)
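
A small check for the failing combination described in this issue, added here as an example (it is not code from the issue or from the Security Onion repositories): it reads the top-level keys of a rule file, flags use_count_query on a new_term rule (the setting that leads to the NotImplementedError in the traceback) and the obsolete doc_type, and comments both out as the comment above suggests. The sample rule text is constructed, and the key parsing is deliberately minimal so it runs without PyYAML.

```python
import re

# Constructed sample rule modelled on the failing combination in this issue (not the real file).
SAMPLE_RULE = """\
name: Security Onion Elastalert - New Term Alert
type: new_term
index: "logstash-*"
doc_type: doc
use_count_query: true
fields:
  - source_ip
terms_window_size:
  days: 30
"""

# Unindented "key: value" lines only; enough to read type, use_count_query and doc_type.
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_]\w*):\s*(.*)$")

def top_level_keys(rule_text):
    """Map each top-level key of a rule file to its (string) value."""
    keys = {}
    for line in rule_text.splitlines():
        m = TOP_LEVEL_KEY.match(line)   # indented and '#' lines do not match
        if m:
            keys[m.group(1)] = m.group(2).strip()
    return keys

def lint_rule(rule_text):
    """Report settings that crash a new_term rule or are obsolete."""
    keys = top_level_keys(rule_text)
    findings = []
    if keys.get("type") == "new_term" and keys.get("use_count_query", "").lower() == "true":
        # new_term does not implement add_count_data(), hence the NotImplementedError
        findings.append("use_count_query is not supported by new_term rules")
    if "doc_type" in keys:
        findings.append("doc_type is set but no longer needed")
    return findings

def fix_rule(rule_text):
    """Remark (comment out) the two offending settings, keeping everything else."""
    fixed = []
    for line in rule_text.splitlines():
        m = TOP_LEVEL_KEY.match(line)
        if m and m.group(1) in ("use_count_query", "doc_type"):
            fixed.append("# " + line)
        else:
            fixed.append(line)
    return "\n".join(fixed) + "\n"
```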

weslambert commented 4 years ago

https://github.com/Security-Onion-Solutions/securityonion-elastic/pull/72

dougburks commented 4 years ago

This is included in securityonion-elastic - 20190510-1ubuntu1securityonion83 which is now available for testing at ppa:securityonion/test.

weslambert commented 4 years ago

Looks good 👍

dougburks commented 4 years ago

Published: https://blog.securityonion.net/2020/02/zeek-301-elastic-686-and-cyberchef-9120.html