outflanknl / RedELK

Red Team's SIEM - tool for Red Teams used for tracking and alarming about Blue Team activities as well as better usability in long term operations.
BSD 3-Clause "New" or "Revised" License

All alarms should report project_name #278

Closed MarcOverIP closed 1 year ago

MarcOverIP commented 1 year ago

There is a config param project_name, but this is not used in every alarm. Please update every alarm to include this.

Alarm "backend alarm module" does have the data in the alarm.

MarcOverIP commented 1 year ago

Seems this is taken up at the module level for sending medium. Email and MSTeams already incorporate this, only Slack is still left to do.

@Matthijsy maybe you can add this? The slack message should include the project_name from the config.

MarcOverIP commented 1 year ago

Probably sufficient (but I had no time to test just now) to change line 41 to the following:

```python
"text": f'*[{config.project_name}] Alarm from {alarm["info"]["name"]} [{alarm["hits"]["total"]} hits]*\n{description}',
```
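The suggestion above, carried through as an added example that is not RedELK's own code: one shared title builder that every sending module (email, MS Teams, Slack) can call, so the project name cannot be left out of a single channel, plus a check that flags any produced message missing the tag. The `Config` class, the `alarm` dict layout (`alarm["info"]["name"]`, `alarm["hits"]["total"]`) and the webhook payload shape are assumptions taken from the snippet in the thread, and the sample alarm is constructed here.

```python
# Added example, not code from the RedELK project. The Config stand-in, the
# alarm dict shape and the Slack payload layout are assumptions based on the
# one-line snippet proposed in the issue.
from dataclasses import dataclass
from typing import Any, Dict, List


@dataclass
class Config:
    """Minimal stand-in for RedELK's config module (assumed attribute name)."""
    project_name: str = ""


def alarm_title(config: Config, alarm: Dict[str, Any]) -> str:
    """Single title line shared by all sending modules.

    An unset or blank project_name is made visible with a placeholder instead
    of silently producing "[] Alarm from ...", which is easy to overlook.
    """
    project = (config.project_name or "").strip() or "UNNAMED-PROJECT"
    name = alarm["info"]["name"]
    hits = alarm["hits"]["total"]
    return f"[{project}] Alarm from {name} [{hits} hits]"


def build_slack_payload(config: Config, alarm: Dict[str, Any], description: str) -> Dict[str, Any]:
    """Body for a Slack incoming webhook: bold title line, then the description."""
    return {"text": f"*{alarm_title(config, alarm)}*\n{description}"}


def build_email_subject(config: Config, alarm: Dict[str, Any]) -> str:
    """Same title reused as an email subject, so the project tag is consistent."""
    return alarm_title(config, alarm)


def channels_missing_project(config: Config, messages: List[str]) -> List[int]:
    """Indexes of produced messages that do not carry the project tag.

    This is the regression check the issue asks for: run it over whatever each
    sender actually emitted and fail the build when the list is non-empty.
    """
    tag = f"[{config.project_name}]"
    return [i for i, m in enumerate(messages) if tag not in m]


if __name__ == "__main__":
    # Constructed sample alarm, shaped like the dict used in the thread's snippet.
    sample_alarm = {"info": {"name": "backend alarm module"}, "hits": {"total": 3}}
    cfg = Config(project_name="ACME-RT")
    slack = build_slack_payload(cfg, sample_alarm, "3 new hits on the redirector")
    print(slack["text"])
    print(channels_missing_project(cfg, [slack["text"], "Alarm from something [1 hits]"]))
```

Keeping the prefix in one function means a new sending medium picks it up by construction, and `channels_missing_project` gives a cheap unit test that each medium's output still carries the tag.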