AlertDevelopment



In [1]:
#Step one: 
#Copy the 'lib' directory from the alerts directory in the mozdef github repo into the directory with this
#ipython notebook file.
#The directory structure should look like: 
# .
# ..
# lib/
# lib/__init__.py
# lib/alerttask.py
# lib/config.py

In [2]:
#Step Two: 
#Edit the lib/config.py file 
#
#In particular: 
# Make sure ALERTS={} is left empty
# so that no celery jobs are dispatched by accident while you prototype

# Edit the ES={'servers'} entry to point at the Elasticsearch server/cluster you want to query

# Change the timezone to match if needed:
# OPTIONS = {
#    'defaulttimezone': 'US/Pacific',
# }

In [3]:
#Step Three: 
#Iterate on your alert until it searches for the right events,
#aggregates on the right 'details' field
#and outputs the right alert text

In [4]:
#import the alerts library for mozdef
#inheriting the configuration from config.py
#You may receive errors about being unable to connect to celery/kombu;
#these are expected in this setup and can be safely ignored
from lib.alerttask import AlertTask
import pyes


ERROR:lib.alerttask.AlertTask:Exception while configuring kombu for alerts: [Errno 61] Connection refused
{}
[]

In [5]:
#setup a base class to begin prototyping our alert
#that does nothing but connect to ElasticSearch
class AlertTest(AlertTask):
    """Minimal AlertTask subclass used to prototype an alert interactively.

    The base class performs the Elasticsearch/kombu setup inherited from
    lib/config.py (the kombu "Connection refused" errors printed below come
    from that setup when no broker is reachable); the task body itself only
    writes a debug log line.
    """

    def main(self):
        """Task body: log that the task ran, nothing else."""
        logger = self.log
        logger.debug('running main')


ERROR Exception while configuring kombu for alerts: [Errno 61] Connection refused
ERROR:lib.alerttask.AlertTest:Exception while configuring kombu for alerts: [Errno 61] Connection refused

In [6]:
# instantiate the prototype alert
testAlert = AlertTest()
# set the logging threshold to INFO
testAlert.log.setLevel('INFO')

# the query has three parts:
#   * a time window (events from the last X minutes)
#   * a term match on a field
#   * a requirement that a given field exists
# NOTE(review): 'sometext' and 'details.somefield' are placeholders to be
# replaced with the real search terms for the alert being prototyped.
time_window = dict(minutes=60)
must_filters = [
    pyes.TermFilter('summary', 'sometext'),
    pyes.ExistsFilter('details.somefield'),
]
testAlert.filtersManual(time_window, must=must_filters)

# run the search; the matching events are sampled from testAlert.events below
testAlert.searchEventsSimple()


ERROR Exception while configuring kombu for alerts: [Errno 61] Connection refused
ERROR:lib.alerttask.AlertTest:Exception while configuring kombu for alerts: [Errno 61] Connection refused

In [7]:
# peek at the first two events that matched the search
sample_events = testAlert.events[0:2]
sample_events


Out[7]:
[]

In [8]:
# aggregate the matched events on one field from the 'details' section of the json
AGG_FIELD = 'http_user_agent'
testAlert.searchEventsAggreg(AGG_FIELD)

In [9]:
# peek at the first two aggregation buckets
sample_aggregations = testAlert.aggregations[0:2]
sample_aggregations


Out[9]:
[]

In [10]:
# build a test alert dict from the search results
# (positional arguments: summary text, category, tags, events)
alert_summary = 'alert summary goes here'
alert_category = 'aggregatedAlert'
alert_tags = 'alert'
alert_events = testAlert.events[0:2]
# NOTE(review): tags is passed as a bare string and comes back as
# 'tags': 'alert' in the output below rather than a list — confirm that is
# what the downstream alert consumers expect.
testAlert.createAlertDict(alert_summary, alert_category, alert_tags, alert_events)


Out[10]:
{'category': 'aggregatedAlert',
 'events': [],
 'severity': 'NOTICE',
 'summary': 'alert summary goes here',
 'tags': 'alert',
 'utctimestamp': '2014-12-12T23:19:13.029914+00:00'}

In [ ]:
#If the events, aggregations and resulting alert are satisfactory,
#create a myalertname.py file (using the existing alert files in the github repo as a reference)
#that contains your 'filtersManual' and aggregation choices,
#then register the .py file in the ALERTS={} section of config.py: 
#ALERTS = {
#    'pyfilename.py.classname': crontab(minute='*/1')
# }