Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

sysmon_search_plugin/conf.js #7

Open
masa-0706 opened this issue Jul 6, 2020 · 1 comment
Open

sysmon_search_plugin/conf.js #7

masa-0706 opened this issue Jul 6, 2020 · 1 comment

Comments

@masa-0706
Copy link

masa-0706 commented Jul 6, 2020

Please give me the exapmle of following:
//monitor rule file path
"savepath": "[path to the script]/rule_files"

I can't understand what "monitor rule" is.

Regards,

@S03D4-164
Copy link
Collaborator

The savepath in the conf.js is a directory where the kibana saves the detection rule files.

When you push "Save as Detection Rule" button in the Search page, the search condition will be saved as a detection rule file, and it is used by the python script which collects alert data from Elasticsearch.

https://github.com/JPCERTCC/SysmonSearch/wiki/Search

If you don't use docker, the savepath should be anywhere the kibana can write the files. And you must set the same path to the RULE_FILE_DIRECTORY in the collection_alert_data_setting.py.

https://github.com/JPCERTCC/SysmonSearch/blob/master/script/collection_alert_data_setting.py

Whe you use docker, kibana's savepath is /tmp/rule_files. And the directory is also mounted on stixioc-import-server's /root/script/rule_files for the collection_alert_data_setting.py.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants