Update template rules

Ruben van Vreeland · Ruben van Vreeland · commit a315cf1dfe18 · 2017-08-08T17:28:52.000+02:00
Volumetric is called suspicious
Place index bitsensor before filter
Make realert interval sane
diff --git a/rule_templates/detection_template.yaml b/rule_templates/detection_template.yaml
@@ -1,12 +1,10 @@
-# Alert when there is new detection event in the last 5 seconds
+# Rule name, must be unique
+name: Alert on any detection
 
 # Index to search, wildcard supported
 index: bitsensor
 timestamp_field: endpoint.localtime
 
-# Rule name, must be unique
-name: Alert on All detection
-
 # Type of alert.
 type: any
 realert: 
diff --git a/rule_templates/relevant_attack_template.yaml b/rule_templates/relevant_attack_template.yaml
@@ -1,21 +1,15 @@
-# Alert when a new combination of attacker ip, userAgent and detection type comes up during the period of 10 days.
-
 # Index to search, wildcard supported
-name: Relevant attack alert
-timestamp_field: endpoint.localtime
+name: New attacker
 
 # Type of alert.
-type: new_term
-
-# Index to search, wildcard supported
-index: bitsensor
+type: any
 
-# (Required, new_term specific)
-# Monitor the fields. NOTE: include unique application name.
-fields:
+query_key:
  - "context.ip"
  - "context.http.userAgent"
- - "detections.type"
+
+realert:
+  hours: 1
 
 # (Optional, new_term specific)
 # This means that we will query 10 days worth of data when ElastAlert starts to find which values of ip_address already exist
@@ -25,10 +19,14 @@ terms_window_size:
   
 alert_on_missing_field: true
 
+# Index to search, wildcard supported
+index: bitsensor
+timestamp_field: endpoint.localtime
+
 filter:
 - query:
     query_string:
-      query: "_exists_:detections"
+      query: "_exists_:detections AND detections.relevant:true"
 
 include:
   - endpoint.location
diff --git a/rule_templates/successful_attack_template.yaml b/rule_templates/successful_attack_template.yaml
@@ -1,17 +1,16 @@
-# Alert when there is a succesful attack
-
-# Index to search, wildcard supported
-index: bitsensor
-timestamp_field: endpoint.localtime
-
 # Rule name, must be unique
 name: Alert on Successful Attack
 
 # Type of alert.
 type: any
+
 realert: 
   seconds: 0
 
+# Index to search, wildcard supported
+index: bitsensor
+timestamp_field: endpoint.localtime
+
 # A list of elasticsearch filters used for find events
 # These filters are joined with AND and nested in a filtered query
 # For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
diff --git a/rule_templates/volumetric_alert.yaml b/rule_templates/volumetric_alert.yaml
@@ -1,21 +1,21 @@
 # Alert when there are 500 discovery detection events coming from the same ip, userAgent within 30 seconds.
 
-# Index to search, wildcard supported
-index: bitsensor
-timestamp_field: endpoint.localtime
-
 # Rule name, must be unique
-name: Alert on high frequency
+name: Behaviour is suspicious
 
 # Type of alert.
 type: frequency
 
 # Alert when this many documents matching the query occur within a timeframe
-num_events: 500
+num_events: 100
 
 # num_events must occur within this amount of time to trigger an alert
 timeframe:
-  seconds: 30
+  seconds: 60
+
+# Index to search, wildcard supported
+index: bitsensor
+timestamp_field: endpoint.localtime
 
 query_key:
   - context.ip
@@ -27,7 +27,7 @@ query_key:
 filter: 
 - query:
     query_string:
-      query: "detections.type:discovery"
+      query: "_exists_:detections AND detections.reason:BEHAVIOUR"
 
 include:
   - endpoint.location
