New feature: alert-elastic command #951
Comments
@YamatoSecurity Thank you for raising the issue. For example, how about writing only the latest timestamp in the file and deeming anything before that time to have been sent?
@hitenkoku Thank you for your comment! Indeed, the CSV file will get bigger and bigger over time, but it should not double the log size. The problem with just writing the latest timestamp and scanning recent logs is that Hayabusa won't be able to find past incidents (perform threat hunting), which is the main goal. It would just become an inferior host IDS, which I couldn't really recommend using.
How about we also not include the Rule Title in the CSV file, which will save space? I thought it might be useful for debugging, but now that I think about it, we probably do not need it. If it is just timestamps and rule IDs, the file should not get too big. And if we compress it, it should become pretty small.
Thanks for the comment. I think Timestamp and Rule ID are sufficient for the contents of the CSV. I will try to create one.
@YamatoSecurity Would it be correct to sort the following config in alphabetical order of the long option?
@hitenkoku
This is going to take a while to test, so I changed the milestone to 2.4.0. Maybe release next month in April?
New alert-elastic (sub)command: When using alert-xxxx, Hayabusa will not display alerts to the screen like with csv-timeline. Instead, it will display messages about sending the logs. Example: etc...

If the alerts are sent successfully, then the following information is written to the sent-alerts.csv file. (If the file already exists, then the file is updated.)

Timestamp (Original ISO-8601 timestamp), Rule ID, Rule Title

Before Hayabusa sends the alerts, it checks the Timestamp and Rule ID in this file. If the timestamp and rule ID match, then we assume that the alert was previously sent and the alert does not get sent again.

The Rule Title is not needed for checking, as the title may be changed over time; however, I want to save it to help out when debugging.

The following Rust crates look good to use:

@hitenkoku Do you think you can do this issue?
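The sent-alerts.csv check described above, as an added std-only Rust example that is not Hayabusa's own code: the ledger is keyed on (Timestamp, Rule ID) only, the Rule Title is carried along purely for debugging and may itself contain commas, and alerts already in the ledger (or repeated within one batch) are never handed to the sender twice. The Alert struct, the SAMPLE_SENT_CSV contents and the rule IDs are constructed for this example.

```rust
// Added example (not Hayabusa's code): a minimal "sent alerts" ledger implementing
// the (Timestamp, Rule ID) dedup check from the issue, using only the standard library.
use std::collections::HashSet;
/// One alert about to be sent (assumed struct for this example, not Hayabusa's).
#[derive(Debug, Clone)]
pub struct Alert {
    pub timestamp: String,  // original ISO-8601 event timestamp
    pub rule_id: String,    // Sigma rule ID
    pub rule_title: String, // kept only for debugging, never used for matching
}
/// Constructed sample of an existing sent-alerts.csv (placeholder rule IDs).
pub const SAMPLE_SENT_CSV: &str = "\
Timestamp,Rule ID,Rule Title
2023-03-01T10:00:00.000Z,rule-a,Already Sent
2023-03-01T09:00:00.000Z,rule-c,Title, with a comma
";
/// Ledger of (Timestamp, Rule ID) pairs that have already been sent.
pub struct SentLedger {
    seen: HashSet<(String, String)>,
}
impl SentLedger {
    /// Parse sent-alerts.csv text. Timestamp and Rule ID never contain commas, so
    /// splitn(3) is safe; the Rule Title is whatever remains and is ignored here.
    pub fn from_csv(text: &str) -> Self {
        let seen = text
            .lines()
            .map(str::trim)
            .filter(|l| !l.is_empty() && !l.starts_with("Timestamp"))
            .filter_map(|l| {
                let mut f = l.splitn(3, ',');
                Some((f.next()?.to_string(), f.next()?.to_string()))
            })
            .collect();
        SentLedger { seen }
    }
    /// Split a batch into alerts not yet sent (marking them as sent) and the CSV
    /// rows to append to sent-alerts.csv. Repeats inside the batch are dropped too.
    pub fn take_unsent(&mut self, alerts: &[Alert]) -> (Vec<Alert>, String) {
        let mut unsent = Vec::new();
        let mut rows = String::new();
        for a in alerts {
            // insert() returns false when the key was already present
            if self.seen.insert((a.timestamp.clone(), a.rule_id.clone())) {
                rows.push_str(&format!("{},{},{}\n", a.timestamp, a.rule_id, a.rule_title));
                unsent.push(a.clone());
            }
        }
        (unsent, rows)
    }
}
```

Appending the returned rows only after the send succeeds keeps the ledger honest: a failed batch is retried on the next run instead of being silently marked as sent.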