Use Event Fields instead of Split fields
When we created the LoggingAlert plugin we implemented split fields to merge/split alerts based on field values because Graylog had no equivalent. But now Graylog allows setting Event Fields in an Event Definition, and some of these fields can be chosen as primary keys to split alerts. We should POC this feature first to be sure it answers our purpose.
I think "Group-by" fields are sufficient
Implementation as it is now works: "group by" fields are sufficient and event fields are not used. Remove split fields. We must be careful during import: if there are split fields, then there must be an automatic conversion done on the front end side. Any rule where the notifications have a split field is transformed into group by.
- for GROUP/DISTINCT rules, just add the split fields to the group by fields of the rule
- for COUNT rules, convert them into GROUP/DISTINCT rules and add the split fields as group by fields

Whenever there is such a transformation, show a warning notification in the UI.
Remark: think about updating the script to verify the rules before they are imported.
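The import-time conversion described above, as an added example rather than code from the LoggingAlert or alert wizard plugins. The rule shape (`condition_type`, `condition_parameters.grouping_fields`, `notification_parameters.split_fields`) and the `"GROUP_DISTINCT"` identifier are assumptions for illustration; leaving rule types other than COUNT and GROUP/DISTINCT untouched with a warning is my choice, not something the thread specifies.

```javascript
// Added example (not the plugin's own code): migrate notification "split fields"
// into rule "group by" fields at import time. The rule shape below is ASSUMED:
//   { title, condition_type: "COUNT" | "GROUP_DISTINCT",
//     condition_parameters: { grouping_fields: [] },
//     notification_parameters: { split_fields: [] } }
const GROUP_RULE_TYPE = "GROUP_DISTINCT"; // assumed identifier for GROUP/DISTINCT rules

function convertSplitFieldsToGroupBy(rule) {
  const warnings = [];
  const copy = JSON.parse(JSON.stringify(rule)); // never mutate the imported object
  const splitFields = (copy.notification_parameters || {}).split_fields || [];
  if (splitFields.length === 0) return { rule: copy, warnings }; // nothing to migrate

  if (copy.condition_type === "COUNT") {
    // COUNT rules carry no group-by fields: convert them to GROUP/DISTINCT first.
    copy.condition_type = GROUP_RULE_TYPE;
    warnings.push(`Rule "${copy.title}": COUNT rule converted to GROUP/DISTINCT, ` +
      `split fields [${splitFields.join(", ")}] moved to group by`);
  } else if (copy.condition_type === GROUP_RULE_TYPE) {
    warnings.push(`Rule "${copy.title}": split fields [${splitFields.join(", ")}] ` +
      `added to group by fields`);
  } else {
    // Other rule types are not covered by the thread (assumption): flag, leave untouched.
    warnings.push(`Rule "${copy.title}": split fields on a ${copy.condition_type} rule ` +
      `were not converted automatically`);
    return { rule: copy, warnings };
  }
  copy.condition_parameters = copy.condition_parameters || {};
  const existing = copy.condition_parameters.grouping_fields || [];
  // Merge while keeping order and dropping duplicates (a field may already be grouped on).
  copy.condition_parameters.grouping_fields = [...new Set([...existing, ...splitFields])];
  delete copy.notification_parameters.split_fields;
  return { rule: copy, warnings };
}

// Convert a whole export; warnings are collected so the UI can show them in one notification.
function convertRulesForImport(rules) {
  const out = rules.map(convertSplitFieldsToGroupBy);
  return { rules: out.map((r) => r.rule), warnings: out.flatMap((r) => r.warnings) };
}

// Constructed sample export for a stand-alone run (not real plugin data).
const SAMPLE_EXPORT = [
  { title: "count-by-src", condition_type: "COUNT",
    condition_parameters: { grouping_fields: [] },
    notification_parameters: { split_fields: ["src"] } },
  { title: "group-user", condition_type: GROUP_RULE_TYPE,
    condition_parameters: { grouping_fields: ["user"] },
    notification_parameters: { split_fields: ["src", "user"] } },
];
console.log(JSON.stringify(convertRulesForImport(SAMPLE_EXPORT), null, 2));
```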
There is an issue aggregating alerts.
- Create a Group/Distinct rule
- Search query: user:x
- Group by src
- Set an aggregation period in the notification
- Send 2 logs, one with user=x and src=y and the other one with user=x and src=z
- It'll generate 2 different alert_id values, which is fine because we have 2 different src field values
- Send again the 2 same logs within the notification aggregation period
- 2 alert logs will be generated but with the same alert_id (the first one). We should have 2 alert_id values, one from the old alert with src=y and one from the old alert with src=z
I confirm it's fixed in v6.1.1