Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch
https://elastalert.readthedocs.org
Apache License 2.0

ElastAlert filter #3190

Open ngms17 opened 3 years ago

ngms17 commented 3 years ago

I am trying to use ElastAlert with Suricata.

How can I filter my rule file to alert only in logs containing "ET MALWARE"?

```yaml
filter:
- query:
    query_string:
      query: "suricata.eve.alert.signature: ET MALWARE"
```

Using it like this, I can't get any hits because I suspect I have to put the entire ET MALWARE ...

But in this case, I want to alert on any event that has ET MALWARE in it.

L0n4 commented 3 years ago

You can use it like this: `query: "suricata.eve.alert.signature: MALWARE*"`. But in this case it may also include the MOBILE_MALWARE category.
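As an added example (not from this thread or from the ElastAlert project), a complete rule that shows why the original filter returns nothing and two ways to match the "ET MALWARE" prefix; the rule name, index pattern and the keyword-vs-text mapping of `suricata.eve.alert.signature` are assumptions.

```yaml
# Added example rule, not from the issue thread. Field name taken from the
# question; index pattern and rule name are assumed.
name: suricata-et-malware-signatures
type: any
index: filebeat-*

filter:
# Original filter from the question (kept commented out). In Lucene
# query_string syntax the "field:" prefix binds only to the first term, so
# this is parsed as
#   suricata.eve.alert.signature:ET   <default field>:MALWARE
# which is why it produces no hits.
# - query:
#     query_string:
#       query: "suricata.eve.alert.signature: ET MALWARE"

# Fix 1: quote the phrase so both words are searched together in that field.
# The inner quotes are escaped because the YAML scalar is itself quoted.
# This works when the field is mapped as analysed text.
- query:
    query_string:
      query: "suricata.eve.alert.signature:\"ET MALWARE\""

# Fix 2 (use instead of Fix 1 when the field is mapped as keyword, where a
# phrase query must equal the whole signature): a wildcard query anchored
# on the "ET MALWARE " prefix. Unlike the bare MALWARE* wildcard this does
# not match the "ET MOBILE_MALWARE" category. Avoid a leading "*", which is
# expensive on large indices.
# - wildcard:
#     suricata.eve.alert.signature: "ET MALWARE *"

alert:
- debug
```

Entries under `filter` are ANDed, so enable only one of the two fixes; check the field mapping in the index template first to decide which applies.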