Showing
1 changed file
with
133 additions
and
0 deletions.
@@ -0,0 +1,133 @@ | ||
fabric { | ||
|
||
cache_dir = "./.fabric" | ||
|
||
plugins_registry { | ||
mirror_dir = "/tmp/plugins/" | ||
} | ||
|
||
plugin_versions = { | ||
"data.elasticsearch" = "1.2.3" | ||
"content.openai" = ">= 1.2.0, < 2.0.0" | ||
} | ||
} | ||
|
||
config data elasticsearch { | ||
cloud_id = "elastic-cloud-id" | ||
api_key = "elastic-cloud-api-key" | ||
} | ||
|
||
config content openai "personal_openai_key" { | ||
# `from_env_var` is a built-in function that reads the value of an environment variable | ||
api_key = from_env_var("MY_OPENAI_KEY") | ||
} | ||
|
||
|
||
content text "disclaimer" { | ||
|
||
meta = { | ||
tags = ["required"] | ||
updated_at = "2023-12-26T20:16:01+01:00" | ||
} | ||
|
||
# Text is a go-template string. In this example, `now` is an exposed `time.Now` | ||
text = <<-EOT | ||
We strive for accuracy in this article but cannot guarantee it, and we are not liable for any resulting damages or losses. If you have questions or concerns about typos, content errors, or other matters in the article, don't hesitate to contact us at the provided address. | ||
Contact: Example Company -- https://example.company | ||
{{now.UTC.Year}} | ||
EOT | ||
} | ||
|
||
|
||
|
||
document "weekly-alerts-overview" { | ||
|
||
meta = { | ||
name = "Weekly Alerts Overview Template" | ||
description = <<-EOT | ||
The overview describes the alerts from the Elastic SIEM and exported to a local JSON file. | ||
EOT | ||
|
||
author = "John Smith <[email protected]>" | ||
tags = ["elasticsearch", "alerts", "weekly"] | ||
updated_at = "2023-12-26T20:16:01+01:00" | ||
} | ||
|
||
|
||
data json "exported_alerts" { | ||
path = "/Users/traut/Sandbox/exported_alerts*.json" | ||
} | ||
|
||
data elasticsearch "last_week_alerts" { | ||
index = ".alerts-security.alerts-*" | ||
query_string = "kibana.alert.severity:critical AND @timestamp:[now-7d/d TO now]" | ||
size = 10 | ||
} | ||
|
||
data elasticsearch "last_week_alerts_another_cluster" { | ||
# Inline configuration that takes precedence over the default configuration | ||
config { | ||
cloud_id = "another-elastic-cloud-id" | ||
api_key = "another-elastic-cloud-api-key" | ||
} | ||
|
||
index = ".alerts-security.alerts-*" | ||
query_string = "kibana.alert.severity:critical AND @timestamp:[now-7d/d TO now]" | ||
size = 10 | ||
} | ||
|
||
title = "Weekly Alerts Overview" | ||
|
||
content text { | ||
text = "Every week the security team shares an overview of the alerts created" | ||
} | ||
|
||
section "elastic_alerts" { | ||
|
||
title = "Elastic SIEM alerts" | ||
|
||
content table "alerts_table" { | ||
query = <<-EOT | ||
.data.elasticsearch.last_week_alerts | ( | ||
group_by(."kibana.alert.rule.name") | | ||
map({rule_name: .[0]."kibana.alert.rule.name", count: length}) | ||
) | ||
EOT | ||
|
||
# Attributes specific for `content.table` plugin | ||
columns = ["Rule Name", "Alerts Count"] | ||
datapoints = [".rule_name", ".count"] | ||
} | ||
} | ||
|
||
section "exported_alerts" { | ||
|
||
title = "Exported alerts" | ||
|
||
content table { | ||
query = ".data.json.exported_alerts[]" | ||
|
||
# Attributes specific for `content.table` plugin | ||
columns = ["Alert Name", "Rule Name", "Created At"] | ||
datapoints = [".alert_name", ".rule_name", ".created_at"] | ||
} | ||
|
||
content openai { | ||
# Referencing the named configuration defined on the root level of the file | ||
config = config.content.openai.personal_openai_key | ||
query = ".data.json.exported_alerts[] | {alert_name,rule_name}" | ||
|
||
keep_if_no_data = true | ||
no_data_text = "There are no exported alerts this week" | ||
|
||
prompt = "Summarize the list of alerts, described by provided alert name and rule name pairs" | ||
} | ||
} | ||
|
||
content ref { | ||
# Referencing the content block defined above on the root level of the file | ||
base = content.text.disclaimer | ||
} | ||
} |
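Review bot: The plugin mirror at `mirror_dir = "/tmp/plugins/"` points at a world-writable directory, so on a shared host any local user could drop or replace a plugin that the tool then loads and executes; keep the mirror somewhere owned by the user, e.g. `mirror_dir = "./.fabric/plugins/"` next to the `cache_dir` declared just above. Both `config data elasticsearch` blocks embed `api_key` literals inline even though the same file already demonstrates `from_env_var` for the OpenAI key — an example template like this is what people copy, so `api_key = from_env_var("ELASTIC_API_KEY")` would keep real credentials out of the file and out of version control. `"content.openai" = ">= 1.2.0, < 2.0.0"` lets a new minor plugin version be picked up silently on the next run; if the registry supports exact pins (as the `data.elasticsearch` entry uses) or checksums, prefer those for a plugin that is handed alert data. The `content openai` block ships alert and rule names to a third-party API, which deserves a comment such as `# Sends alert/rule names to an external API; confirm data-handling policy before running on real alerts`.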