Add integration started template

Ruben van Vreeland · Ruben van Vreeland · commit f9662d8d73fa · 2018-01-11T17:53:56.000+01:00
diff --git a/rule_templates/integration_started.yaml b/rule_templates/integration_started.yaml
@@ -0,0 +1,55 @@
+# Rule name, must be unique
+name: Integration Started
+
+# Alert on x events in y seconds
+type: frequency
+use_terms_query: true
+
+# Alert when this many documents matching the query occur within a timeframe
+num_events: 1
+
+# num_events must occur within this amount of time to trigger an alert
+timeframe:
+  hours: 1
+
+# When the attacker continues, send a new alert after x minutes
+realert:
+  days: 7
+
+query_key:
+  - meta.provider
+  - endpoint.name
+  
+include:
+  - meta.provider
+  - endpoint.name
+
+alert_subject: "Integration started on <{}> | <{}|Show Dashboard>"
+alert_subject_args:
+  - endpoint.name
+  - kibana_link
+
+alert_text: |-
+  Integration on {} has started with plugin {}.
+
+alert_text_args:
+  - endpoint.name
+  - meta.provider
+
+# The alert when a match is found
+alert:
+  - slack
+
+slack_webhook_url: "https://hooks.slack.com/services/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"
+slack_username_override: "ElastAlert"
+
+# Alert body only cointains a title and text
+alert_text_type: alert_text_only
+
+# Link to BitSensor Kibana Dashboard
+use_kibana4_dashboard: "https://dev.bitsensor.io/app/kibana#/dashboard/Pre-Integration"
+
+# Index to search, wildcard supported
+index: bitsensor
+timestamp_field: endpoint.localtime
+doc_type: datapoint
