
sysmon_search_plugin/conf.js

Open masa-0706 opened this issue 5 years ago • 1 comments

Please give me an example of the following: //monitor rule file path "savepath": "[path to the script]/rule_files"

I can't understand what "monitor rule" is.

Regards,

masa-0706 avatar Jul 06 '20 08:07 masa-0706

The savepath in the conf.js is a directory where the kibana saves the detection rule files.

When you push "Save as Detection Rule" button in the Search page, the search condition will be saved as a detection rule file, and it is used by the python script which collects alert data from Elasticsearch.

https://github.com/JPCERTCC/SysmonSearch/wiki/Search

If you don't use docker, the savepath should be anywhere Kibana can write the files. And you must set the same path in RULE_FILE_DIRECTORY in the collection_alert_data_setting.py.

https://github.com/JPCERTCC/SysmonSearch/blob/master/script/collection_alert_data_setting.py

When you use docker, kibana's savepath is /tmp/rule_files. And the directory is also mounted on stixioc-import-server's /root/script/rule_files for the collection_alert_data_setting.py.

S03D4-164 avatar Jul 11 '20 00:07 S03D4-164
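As an added example (not code from the SysmonSearch project or from either participant), a small Python check that confirms the two settings the answer says must agree: the savepath in conf.js and RULE_FILE_DIRECTORY in collection_alert_data_setting.py. The exact line syntax of both files is an assumption; only the key names and the docker paths come from the thread.

```python
import os
import re

# Constructed sample fragments of the two settings files (syntax assumed).
SAMPLE_CONF_JS = '''
//monitor rule file path
"savepath": "/tmp/rule_files",
'''
SAMPLE_SETTING_PY = '''
RULE_FILE_DIRECTORY = "/tmp/rule_files"
'''


def kibana_savepath(conf_js_text):
    """Extract the savepath value Kibana writes detection rule files to."""
    m = re.search(r'"savepath"\s*:\s*"([^"]+)"', conf_js_text)
    return m.group(1) if m else None


def collector_rule_dir(setting_py_text):
    """Extract RULE_FILE_DIRECTORY that the alert collection script reads from."""
    m = re.search(r'^\s*RULE_FILE_DIRECTORY\s*=\s*["\']([^"\']+)["\']',
                  setting_py_text, re.M)
    return m.group(1) if m else None


def check_rule_dir_config(conf_js_text, setting_py_text, check_fs=True,
                          docker_mount=None):
    """Return a list of problems; an empty list means the settings agree.

    docker_mount=(kibana_path, collector_path) declares the bind mount used in
    the docker setup, where the two paths differ by design but are one directory.
    """
    problems = []
    save = kibana_savepath(conf_js_text)
    rule_dir = collector_rule_dir(setting_py_text)
    if save is None:
        problems.append("conf.js: no savepath found")
    if rule_dir is None:
        problems.append("collection_alert_data_setting.py: no RULE_FILE_DIRECTORY found")
    if save and rule_dir:
        same = os.path.normpath(save) == os.path.normpath(rule_dir)
        mounted = docker_mount is not None and (save, rule_dir) == tuple(docker_mount)
        if not (same or mounted):
            problems.append(f"paths differ: savepath={save!r} RULE_FILE_DIRECTORY={rule_dir!r}")
    if check_fs and save:
        if not os.path.isdir(save):
            problems.append(f"savepath directory does not exist: {save}")
        elif not os.access(save, os.W_OK):
            problems.append(f"savepath is not writable by this user: {save}")
    return problems
```

Run it against the real conf.js and collection_alert_data_setting.py contents as the user Kibana runs under, so the writability check reflects the account that actually saves the rule files.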