Added option to use old URL in xpack-watcher backend

This commit is contained in:
Thomas Patzke 2019-05-21 00:01:21 +02:00
parent 4e63e925cf
commit 7e163d71eb


@ -390,12 +390,18 @@ class XPackWatcherBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin)
options = ElasticsearchQuerystringBackend.options + ( options = ElasticsearchQuerystringBackend.options + (
("output", "curl", "Output format: curl = Shell script that imports queries in Watcher index with curl", "output_type"), ("output", "curl", "Output format: curl = Shell script that imports queries in Watcher index with curl", "output_type"),
("es", "localhost:9200", "Host and port of Elasticsearch instance", None), ("es", "localhost:9200", "Host and port of Elasticsearch instance", None),
("watcher_url", "watcher", "Watcher URL: watcher (default)=_watcher/..., xpack=_xpack/wacher/... (deprecated)", None),
("mail", None, "Mail address for Watcher notification (only logging if not set)", None), ("mail", None, "Mail address for Watcher notification (only logging if not set)", None),
) )
watcher_urls = {
"watcher": "_watcher",
"xpack": "_xpack/watcher",
}
def __init__(self, *args, **kwargs): def __init__(self, *args, **kwargs):
super().__init__(*args, **kwargs) super().__init__(*args, **kwargs)
self.watcher_alert = dict() self.watcher_alert = dict()
self.url_prefix = self.watcher_urls[self.watcher_url]
def generate(self, sigmaparser): def generate(self, sigmaparser):
# get the details if this alert occurs # get the details if this alert occurs
@ -564,9 +570,9 @@ class XPackWatcherBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin)
result = "" result = ""
for rulename, rule in self.watcher_alert.items(): for rulename, rule in self.watcher_alert.items():
if self.output_type == "plain": # output request line + body if self.output_type == "plain": # output request line + body
result += "PUT _watcher/watch/%s\n%s\n" % (rulename, json.dumps(rule, indent=2)) result += "PUT %s/watch/%s\n%s\n" % (self.url_prefix, rulename, json.dumps(rule, indent=2))
elif self.output_type == "curl": # output curl command line elif self.output_type == "curl": # output curl command line
result += "curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- %s/_watcher/watch/%s <<EOF\n%s\nEOF\n" % (self.es, rulename, json.dumps(rule, indent=2)) result += "curl -s -XPUT -H 'Content-Type: application/json' --data-binary @- %s/%s/watch/%s <<EOF\n%s\nEOF\n" % (self.es, self.url_prefix, rulename, json.dumps(rule, indent=2))
elif self.output_type == "json": # output compressed watcher json, one per line elif self.output_type == "json": # output compressed watcher json, one per line
result += json.dumps(rule) + "\n" result += json.dumps(rule) + "\n"
else: else:
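Review bot: `self.url_prefix = self.watcher_urls[self.watcher_url]` in `__init__` (first hunk) raises a bare KeyError for any value of the new `watcher_url` option other than `watcher` or `xpack`, so a typo on the command line surfaces as a traceback instead of a usable message, unless the option framework validates values before the backend is constructed. A small guard would make the failure explicit: `try: self.url_prefix = self.watcher_urls[self.watcher_url]` / `except KeyError: raise ValueError("watcher_url must be one of: %s" % ", ".join(self.watcher_urls)) from None`. The help string on the new options entry reads `_xpack/wacher/...`, which does not match the `_xpack/watcher` value in the dict and should be corrected. The second hunk substitutes `self.url_prefix` consistently in both the plain and the curl output paths, and since the prefix comes from the closed dict rather than raw user input, no new path component reaches the generated shell script.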