OpenUBA
Realtime Alerts
Can we have a realtime alert mechanism via email?
This is a great idea.
In your mind, how would that work?
The way it works typically with UBA products is you can set an email string for an alert type, or model, which may consist of multiple email addresses.
We can add a section to the settings page, where you can enter email groups.
That way we can have several email groups you can set for each model job. Thoughts welcomed on this!
Tagging @kaiiyer. Also @Prinstan, feel free to make a pull request, and put your thoughts down in pseudocode if you want. We will collab on it.
Yeah, I think it's cool to have an alert system. Like UBA gives a score to an account out of 100 (suppose). If the score is below 30, well and good, so a low alert or no alert. Up to 70 will be a high alert, and if the score exceeds 70, a critical alert. Depending on the alert and according to security policies, the user should take actions within a given deadline!! @Prinstan @Jovonni what're your thoughts?
Good point @kaiiyer. This relates to the risk.py file; we can make another alert.py file that Risk imports.
Let's think about how that fits into the workflow. Probably have an alert job itself that runs after the model jobs. The alert job will analyze all model results, and check for alert criteria to be satisfied... high level thoughts....
@pristin you wanna help, or would you just like us to keep you updated? What made you think of this feature? Just curious.
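As an added example (not OpenUBA's own code), here is one way the alert.py / alert-job idea above could fit together: kaiiyer's score tiers decide the alert level, and the per-model email groups from earlier in the thread decide who gets mailed. The settings dicts, result schema and sample results are constructed assumptions; actual SMTP delivery is left out so the sketch runs offline.

```python
# Added example sketch of an alert.py for OpenUBA (not project code). It assumes model
# results are dicts with "model", "entity", "score" (0-100) and that the settings page
# stores named email groups plus a model -> groups map; tiers follow kaiiyer's proposal.
from collections import defaultdict
from email.message import EmailMessage

# Constructed sample settings: email groups and which groups each model job alerts.
EMAIL_GROUPS = {"soc": ["soc@example.com", "oncall@example.com"],
                "iam": ["iam-team@example.com"]}
MODEL_EMAIL_GROUPS = {"login_anomaly": ["soc", "iam"], "data_exfil": ["soc"]}


def severity(score):
    """Map a 0-100 risk score to an alert tier; None means no alert is raised."""
    if score < 30:
        return None          # "well and good": no alert
    if score <= 70:
        return "high"
    return "critical"


def build_alerts(results):
    """Alert-job step: scan all model results, keep those meeting alert criteria,
    and bucket them by the email group(s) configured for the model."""
    by_group = defaultdict(list)
    for r in results:
        tier = severity(r["score"])
        if tier is None:
            continue
        for group in MODEL_EMAIL_GROUPS.get(r["model"], []):
            by_group[group].append({**r, "severity": tier})
    return dict(by_group)


def build_messages(alerts_by_group, sender):
    """One email per group; delivery via smtplib with the SMTP settings is left out."""
    messages = []
    for group, alerts in alerts_by_group.items():
        worst = "critical" if any(a["severity"] == "critical" for a in alerts) else "high"
        msg = EmailMessage()
        msg["From"], msg["To"] = sender, ", ".join(EMAIL_GROUPS[group])
        msg["Subject"] = f"[OpenUBA][{worst.upper()}] {len(alerts)} alert(s) for {group}"
        msg.set_content("\n".join(f"{a['severity']:8} {a['model']:14} {a['entity']:12} "
                                  f"score={a['score']}" for a in alerts))
        messages.append(msg)
    return messages


# Constructed sample model results, as the alert job would see them after the model jobs.
SAMPLE_RESULTS = [{"model": "login_anomaly", "entity": "alice", "score": 82},
                  {"model": "login_anomaly", "entity": "bob", "score": 45},
                  {"model": "data_exfil", "entity": "carol", "score": 12}]
```

Running `build_messages(build_alerts(SAMPLE_RESULTS), "openuba@example.com")` yields one message per group with the subject carrying the worst tier, which is where an SMTP send step driven by the settings page would plug in.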
Hello Team,
I would like to help you, but I have very little experience in Python. I belong to the security domain and hence I suggested this feature.
Can anyone help me set up the environment? If need be, I will learn Python, because this project has interested me a lot.
On Sat, 21 Mar, 2020, 10:00 pm Jovonni L. Pharr, [email protected] wrote:
Good point @kaiiyer https://github.com/kaiiyer. This relates to the risk.py file; we can make another alert.py file that Risk imports.
Let's think about how that fits into the workflow. Probably have an alert job itself that runs after the model jobs. The alert job will analyze all model results, and check for alert criteria to be satisfied... high level thoughts....
@Pristin https://github.com/Pristin you wanna help, or would you just like us to keep you updated? What made you think of this feature? Just curious.
We should have SMTP configurations in setting. And a tab for Alerts and Notification.
On Sat, 21 Mar, 2020, 10:29 pm Prinstan Colaco, [email protected] wrote:
Hello Team,
I would like to help you, but I have very little experience in Python. I belong to the security domain and hence I suggested this feature.
Can anyone help me set up the environment? If need be, I will learn Python, because this project has interested me a lot.
@Prinstan By setting up the environment, you mean to start working on this project, right? Just fork the repo and run it locally by following the instructions here. No additional setup is required if you already have Python and Node.
No worries, working on it. Will keep this issue updated.
ElastAlert is a simple framework for alerting on anomalies, spikes, or other patterns of interest from data in Elasticsearch. https://github.com/Yelp/elastalert.git
Let me know if this helps you @Jovonni
Will be looking deeper into elastalert.
I like how they have integrations for several platforms, like Slack for example. Might be a bit redundant since it focuses on Elastic, and Elastic has their own alerting mechanism now with the 7.x versions, and we can invoke that functionality via REST. ElastAlert may have been ahead of its time! Great project to use for inspiration! Thank you @Prinstan 👏🏾