Add MISP Alerter
Similar to HiveAlerter, this allows the user to create events within MISP from ElastAlert matches using the MISPAlerter class and an alert type of mispalerter.
Rule format should be similar to the following:
```yaml
es_port: 9200
name: Elastalert2MISP
type: frequency
index: "*:logstash-index*"
num_events: 1
timeframe:
  minutes: 10
buffer_time:
  minutes: 10
allow_buffer_time_overlap: true
filter:
  - term:
      event_type: "snort"
alert: mispalerter
misp_connection:
  misp_url: https://192.168.3.14
  misp_key: HF4ZWQJEg1hqfPEZdpLH0rh3fm17PtL9UNoXrJf6
misp_alert_config:
  distribution: 0
  info: "This is an event generated from Elastalert to MISP!"
  analysis: 1
  threat_level_id: 1
  published: True
misp_attribute_data_mapping:
  - ip-src: '{match[source_ip]}'
  - ip-dst: '{match[destination_ip]}'
```
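To make the `misp_attribute_data_mapping` mechanism concrete, here is an added example (not the PR's code and not part of the MISPAlerter class) that renders the `'{match[...]}'` templates from the rule above against a constructed ElastAlert match and assembles a MISP-style event body. It assumes the `{match[field]}` placeholders resolve with plain `str.format` against the match dict, that an attribute whose field is absent from the match should be skipped rather than abort the alert, and that the outgoing event follows the MISP REST JSON layout (`{"Event": {..., "Attribute": [...]}}`); the helper names `render_attributes` and `build_event` are hypothetical.

```python
import json

# Pieces of the rule file from the PR description, as Python literals.
MISP_ALERT_CONFIG = {
    "distribution": 0,
    "info": "This is an event generated from Elastalert to MISP!",
    "analysis": 1,
    "threat_level_id": 1,
    "published": True,
}
MISP_ATTRIBUTE_DATA_MAPPING = [
    {"ip-src": "{match[source_ip]}"},
    {"ip-dst": "{match[destination_ip]}"},
]

# Constructed sample match, as ElastAlert would hand it to an alerter
# (RFC 5737 documentation addresses, not real traffic).
SAMPLE_MATCH = {
    "@timestamp": "2020-02-02T17:43:00Z",
    "event_type": "snort",
    "source_ip": "192.0.2.10",
    "destination_ip": "198.51.100.7",
}


def render_attributes(mapping, match):
    """Turn each {attr_type: template} entry into a MISP attribute dict.

    Assumption: templates use str.format against a `match` keyword, so
    '{match[source_ip]}' becomes match['source_ip']. An entry whose field
    is missing from this particular match is skipped, so one sparse hit
    does not prevent the remaining attributes from being created.
    """
    attributes = []
    for entry in mapping:
        for attr_type, template in entry.items():
            try:
                value = template.format(match=match)
            except (KeyError, IndexError):
                continue  # field not present in this match
            attributes.append({"type": attr_type, "value": value})
    return attributes


def build_event(alert_config, mapping, match):
    """Assemble the event body to POST to MISP (assumed REST JSON layout)."""
    event = dict(alert_config)
    event["Attribute"] = render_attributes(mapping, match)
    return {"Event": event}


if __name__ == "__main__":
    body = build_event(MISP_ALERT_CONFIG, MISP_ATTRIBUTE_DATA_MAPPING, SAMPLE_MATCH)
    print(json.dumps(body, indent=2))
```

Running it prints the two `ip-src`/`ip-dst` attributes under `Event.Attribute`; dropping `destination_ip` from the match yields an event with only the `ip-src` attribute, which is the behaviour you want when a rule matches documents of mixed shape.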
Hi @Qmando ,
Is there anything I can do to improve this, or make this more acceptable? Thanks!
Hi, im trying to use this alerter to upload an incident on my MISP server, but my rule keeps showing 1 alert sent even if there is nothing new in my MISP server.
Here is my rule log: INFO:elastalert:Ran MyRule from 2020-02-02 11:43 CST to 2020-02-02 11:54 CST: 42 query hits (33 already seen), 9 matches, 1 alerts sent
My rule .yaml:
```yaml
es_host: x.x.x.x
es_port: 9200
name: MyRule
type: any
index: myindex
filter:
  - query_string:
      query: "myquey"
alert: mispalerter
misp_connection:
  misp_url: https://x.x.x.x
  misp_key: my admin user authkey
misp_alert_config:
  distribution: 0
  info: "My Elastalert event"
  analysis: 1
  threat_level_id: 1
  published: True
misp_attribute_data_mapping:
  - ip-src: '{match[source_ip]}'
  - ip-dst: '{match[destination_ip]}'
```
I'm new at this, so sorry if I'm missing something obvious. I use the same configuration with the email alerter and it works fine. Thanks
Hi @MarkDevelo , it's been a minute since I've looked at this, so I will test again and let you know.
Thanks @weslambert. If it helps, in the MISP logs I can see the ElastAlert successful authentication using the API key. In the "change" column it shows "HTTP method: GET"; all HTTP methods are "GET", and the "target" is the only thing that changes: "Target: /user/view/me", "Target: /attributes/describeTypes.json", "Target: /servers/getVersion.json", "Target: /servers/getPyMISPVersion.json". I have the same PyMISP version installed on both servers and the same Python, both of them on Ubuntu 16.04.6. Thanks for your time.
- README.md: Need to add "MISP" under Zabbix
- docs/source/ruletypes.rst: Need to add an explanation of the MISP settings
I haven't tested this recently -- did this work for you, @nsano-rururu ?
I haven't moved it yet. The following items are likely to work with docker, so I'll try them. https://github.com/coolacid/docker-misp
Travis CI build failed. From the look of the error message, I think it will be resolved just by syncing the repository forked on GitHub with the master of the upstream repository.
Yes, I will have a look at it tonight -- will probably end up re-writing some of it anyway. Thanks!
@weslambert
Any way you could push this PR to https://github.com/jertel/elastalert2 ?
@nsano-rururu, sure thing -- will do so when I get a chance.
Here are some things to keep in mind when making a pull request to elastalert2. Please note that the source code structure of the alert is now different from the original yelp / elastalert.
Structure of related files and source code:

```
elastalert/
  loaders.py
  schema.yaml
  alerters/
    mispalerter.py
tests/
  alerters/
    mispalerter_test.py
```
Understood, thanks!