Problem
I want Elastalert to report matches to TheHive, but SIGMA does not provide configuration for this via the backend options. As far as I know only email and http_post are supported/implemented.
```python
# ... OMITTED ...
# Handle alert action
rule_object['alert'] = []
alert_methods = self.alert_methods.split(',')
if 'email' in alert_methods:
    pass  # ... OMITTED ...
if 'http_post' in alert_methods:
    pass  # ... OMITTED ...
```
Proposal
Implementation of TheHive alerter options in sigma/backends/elasticsearch.py. According to TheHive documentation the following fields need to be set to raise an alert:
The following fields could be set in the backend option file, because they are static and might not change between different rules:
Some of those fields can be filled with data from the SIGMA rule specification itself:
Since the SIGMA specification does allow custom fields, the following fields could be read from a sigma rule file:
I would volunteer to implement this functionality, if there are no major concerns (look at discussion).
Discussion
Is SIGMA supposed to provide such configuration of backend systems?
On the other hand I understand that these options might be subject to change in e.g. elastalert itself. Providing detailed backend configuration options could result in more maintenance effort to keep up with the supported backends.
In my opinion, this project is intended to enable users to switch between backends. Providing such backend configuration options would enhance the usability.
Any thoughts/concerns on this from you guys? Otherwise I get started with the implementation.
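As an added illustration of the proposal above (example code, not the Sigma project's own), the following sketch attaches ElastAlert's hivealerter configuration to the rule object: static connection settings come from the backend option file, per-rule fields come from the Sigma rule, and an optional custom `thehive` block in the rule may override the defaults. The option names (`hive_host`, `hive_port`, `hive_apikey`), the `thehive` custom field and the level-to-severity mapping are assumptions for this example.

```python
from typing import Any, Dict, List

# Assumed mapping of Sigma 'level' to TheHive severity (1=low .. 4=critical).
LEVEL_TO_SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
REQUIRED_OPTIONS = ("hive_host", "hive_port", "hive_apikey")


def missing_hive_options(backend_opts: Dict[str, str]) -> List[str]:
    """Return the static backend options that are absent from the option file."""
    return [k for k in REQUIRED_OPTIONS if k not in backend_opts]


def build_hive_alert_rule(rule_object: Dict[str, Any], sigma_rule: Dict[str, Any],
                          backend_opts: Dict[str, str]) -> Dict[str, Any]:
    """Add a hivealerter entry to an ElastAlert rule dict (assumed option names).

    rule_object  -- the ElastAlert rule under construction (as in the backend excerpt)
    sigma_rule   -- the parsed Sigma rule (title, description, level, tags, custom fields)
    backend_opts -- static options read from the backend option file
    """
    missing = missing_hive_options(backend_opts)
    if missing:
        raise ValueError("backend options missing: %s" % ", ".join(missing))

    level = str(sigma_rule.get("level", "medium")).lower()
    # Per-rule values come from the Sigma rule; a custom 'thehive' block (assumed
    # name) may override them, since the Sigma specification allows custom fields.
    custom = sigma_rule.get("thehive") or {}
    alert_config = {
        "title": custom.get("title", sigma_rule["title"]),
        "description": sigma_rule.get("description", ""),
        "severity": int(custom.get("severity", LEVEL_TO_SEVERITY.get(level, 2))),
        "tags": list(sigma_rule.get("tags", [])) + ["sigma"],
        "type": custom.get("type", "external"),
        "source": custom.get("source", "elastalert"),
        "tlp": int(custom.get("tlp", 2)),
    }
    rule_object.setdefault("alert", []).append("hivealerter")
    rule_object["hive_connection"] = {
        "hive_host": backend_opts["hive_host"],
        "hive_port": int(backend_opts["hive_port"]),
        "hive_apikey": backend_opts["hive_apikey"],
    }
    rule_object["hive_alert_config"] = alert_config
    return rule_object
```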