
New alarm: new implant from a new user

Status: Open. fastlorenzo opened this issue 3 years ago (3 comments).

Send an alarm when a new implant is detected for a user we didn't have an implant in the past.

fastlorenzo, Jun 14 '21 20:06

You mean new user for the entire ops, or user-system combo?

MarcOverIP, Jun 17 '21 10:06

I think new user for the entire ops would be the most beneficial. We could also make a parameter in the alarm to select the scope:

  1. entire ops
  2. per host

fastlorenzo, Jun 17 '21 11:06
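A minimal model of the alarm proposed above, with the two scopes (entire ops, per host) as a parameter. This is an added illustration, not RedELK's code; the `Implant` record, the `known`/`new` split and the sample implant data are constructed assumptions about how such an alarm would see its input.

```python
# Added example (not RedELK's code): "new implant from a new user" alarm
# with a selectable scope, as discussed in the issue.
from dataclasses import dataclass


@dataclass(frozen=True)
class Implant:
    """Hypothetical implant record: the fields the alarm would key on."""
    user: str
    host: str
    implant_id: str


def _key(imp, scope):
    # "ops": a user is new if never seen anywhere in the operation.
    # "host": a user is new if never seen on this particular host.
    return imp.user if scope == "ops" else (imp.user, imp.host)


def new_user_alarms(known, new, scope="ops"):
    """Return the implants in `new` whose user has not been seen before.

    known: implants already processed by earlier alarm runs
    new:   implants observed since the last run
    scope: "ops" or "host" (see _key)
    """
    if scope not in ("ops", "host"):
        raise ValueError(f"unknown scope: {scope}")
    seen = {_key(imp, scope) for imp in known}
    alarms = []
    for imp in new:
        k = _key(imp, scope)
        if k not in seen:
            alarms.append(imp)
            # A second implant for the same new user within one run
            # does not raise a second alarm.
            seen.add(k)
    return alarms


# Constructed sample data: two users already known, three implants in this run.
KNOWN = [Implant("alice", "WS01", "i-1"), Implant("bob", "WS02", "i-2")]
NEW = [Implant("alice", "WS03", "i-3"),
       Implant("carol", "WS01", "i-4"),
       Implant("carol", "WS05", "i-5")]

if __name__ == "__main__":
    for scope in ("ops", "host"):
        ids = [a.implant_id for a in new_user_alarms(KNOWN, NEW, scope)]
        print(f"scope={scope}: alarm on {ids}")
```

With ops scope only carol's first implant alarms; with host scope alice on the new host WS03 alarms as well, which is the trade-off between the two scopes raised in the thread.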

I agree.

I'm just thinking of the added value. At least in our ops we have new implant notification done near instantly via other means. Having RedELK also do this feels redundant. And with the slower timer that RedELK alarms run on, the notification will take several minutes after the fact. That having been said, it prolly is not a hard alarm to make. And we can still disable it in the config. So it couldn't hurt.

MarcOverIP, Jun 17 '21 11:06