defenxor / dsiem

Security event correlation engine for ELK stack
GNU General Public License v3.0
435 stars, 100 forks

How to set directives #451

Open ever123ove opened 1 year ago

ever123ove commented 1 year ago

Hi, I have encountered some problems in operation. I want to modify the rule value in directives.json, but I don't know how to ensure that it can successfully read the modified result.

mmta commented 1 year ago

There is a validate switch to help you with that. Run it like this:

./dsiem validate

ever123ove commented 1 year ago

Thank you very much for your reply. Another question, is there a way to filter specific IP alarms through policies like Alienvault?

mmta commented 1 year ago

Hi, once alarms are created they should be managed (including filtered) directly through Elasticsearch/OpenSearch or Kibana/OpenSearch Dashboards. It is better to tune your correlation rules so that the alarm isn't created in the first place, though.