Open simcen opened 7 years ago
Hi Anil
Actually it's more that you can create Incidents in Alert Manager from an ES Correlation Search. We won't add additional workflow options as this will most likely be provided by ES itself.
Do you think there is a need that the Alert Manager itself should support Adaptive Response items?
Hi Simon,
Thanks for the quick reply. I am looking at organizations who are not using ES. There are alerts; if we want to take any action on a particular alert, it will be useful.
Can we create an object which can display workflow rules that can execute a script or an HTTP POST link with parameters from the alert?
Believe me, it is powerful. Anyone using Alert Manager though they have ES? Don't know, just a question.
Regards, Anil Yellamati
On Fri 2 Dec, 2016 7:05 pm Simon, notifications@github.com wrote:
Hi Anil
Thanks again for your feedback. I understood the requirements and definitely think it makes sense. Let me take it into consideration for the roadmap.
Best, Simon
Adding to this conversation a few months late... :)
Supporting anything relative to ES seems like a minor issue to me. I chose not to run ES with my SOC and instead run Alert Manager because it gives me the framework I need to track and triage alerts after some minor modifications. The key thing is that I'm comfortable running alert manager without the notion that I can call Splunk support and ask for bug fixes, new functionality, etc. If I need something, I just write it and do it.
Specific to the request here, executing a script or HTTP POST with parameters from a given alert is exactly what the modular alert framework is for - when an alert fires, you can have it send data to Alert Manager and then execute a custom alert action for a REST API post to your defense mechanism. If we're looking for a one-click button inside of Alert Manager to take that action, I would probably argue against adding the functionality. It would make the code-base more complex for potentially little payoff, and someone will inevitably complain about the inherent security risk of launching external scripts like that from Alert Manager.
The modular alert framework provides the automated response. A more manual response can be built with custom lookups or custom search commands.
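As an added example of the custom alert action described above (this is not code from the thread or from the Alert Manager project), here is a Splunk custom alert action script that reads the JSON payload Splunk passes on stdin under `--execute` and forwards selected result fields as an HTTPS POST, refusing any destination that is not on an allow-list. The `ALLOWED_HOSTS` value, the `FORWARDED_FIELDS` names, the `url` parameter in `configuration` and the sample payload are constructed assumptions.

```python
import json
import sys
import urllib.request
from urllib.parse import urlparse

# Destinations this action may post to (constructed allow-list, not from Splunk).
ALLOWED_HOSTS = {"defense.example.internal"}
# Fields copied from the alert's first result row (constructed example names).
FORWARDED_FIELDS = ("src_ip", "dest_ip", "signature")
# Constructed stand-in for the JSON Splunk writes to the script's stdin.
SAMPLE_PAYLOAD = {
    "search_name": "Suspicious outbound connection",
    "sid": "scheduler__admin__search__example_at_1480000000_1",
    "configuration": {"url": "https://defense.example.internal/block"},
    "result": {"src_ip": "203.0.113.7", "dest_ip": "198.51.100.9",
               "signature": "beacon", "_time": "1480000000"},
}

def build_request(payload):
    """Return (url, json_body) for the POST, or None to fail closed."""
    url = payload.get("configuration", {}).get("url", "")
    parsed = urlparse(url)
    # Fail closed: only HTTPS to an allow-listed host may receive alert data.
    if parsed.scheme != "https" or parsed.hostname not in ALLOWED_HOSTS:
        return None
    result = payload.get("result", {})
    fields = {k: result[k] for k in FORWARDED_FIELDS if k in result}
    if not fields:  # nothing useful to act on
        return None
    body = {"search_name": payload.get("search_name"),
            "sid": payload.get("sid"), "fields": fields}
    return url, json.dumps(body).encode()

def main():
    # Splunk runs custom alert action scripts as: script.py --execute
    if len(sys.argv) < 2 or sys.argv[1] != "--execute":
        sys.stderr.write("FATAL Unsupported execution mode\n")
        return 1
    req = build_request(json.load(sys.stdin))
    if req is None:
        sys.stderr.write("ERROR Refusing to post: URL not allow-listed or no fields\n")
        return 1
    request = urllib.request.Request(req[0], data=req[1],
                                     headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(request, timeout=10) as resp:
        sys.stderr.write("INFO Posted alert, HTTP %d\n" % resp.status)
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

Messages written to stderr end up in Splunk's internal log for the alert action, which is where a refused post would be investigated.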
Hi Simcen,
Is it something where we can execute some scripts for workflow actions? For example, an action to block an IP in the firewall linked to a script, or a whois of the source IP or destination IP, that kind of thing. Thanks.
Regards, Anil