diff --git a/syntax-example.fabric b/syntax-example.fabric
new file mode 100644
index 00000000..94fa2985
--- /dev/null
+++ b/syntax-example.fabric
@@ -0,0 +1,133 @@
+fabric {
+
+ cache_dir = "./.fabric"
+
+ plugins_registry {
+ mirror_dir = "/tmp/plugins/"
+ }
+
+ plugin_versions = {
+ "data.elasticsearch" = "1.2.3"
+ "content.openai" = ">= 1.2.0, < 2.0.0"
+ }
+}
+
+config data elasticsearch {
+ cloud_id = "elastic-cloud-id"
+ api_key = "elastic-cloud-api-key"
+}
+
+config content openai "personal_openai_key" {
+ # `from_env_var` is a built-in function that reads the value of an environment variable
+ api_key = from_env_var("MY_OPENAI_KEY")
+}
+
+
+content text "disclaimer" {
+
+ meta = {
+ tags = ["required"]
+ updated_at = "2023-12-26T20:16:01+01:00"
+ }
+
+ # Text is a go-template string. In this example, `now` is an exposed `time.Now`
+ text = <<-EOT
+ We strive for accuracy in this article but cannot guarantee it, and we are not liable for any resulting damages or losses. If you have questions or concerns about typos, content errors, or other matters in the article, don't hesitate to contact us at the provided address.
+
+ Contact: Example Company -- https://example.company
+
+ {{now.UTC.Year}}
+ EOT
+}
+
+
+
+document "weekly-alerts-overview" {
+
+ meta = {
+ name = "Weekly Alerts Overview Template"
+ description = <<-EOT
+ The overview describes the alerts from the Elastic SIEM and exported to a local JSON file.
+ EOT
+
+ author = "John Smith "
+ tags = ["elasticsearch", "alerts", "weekly"]
+ updated_at = "2023-12-26T20:16:01+01:00"
+ }
+
+
+ data json "exported_alerts" {
+ path = "/Users/traut/Sandbox/exported_alerts*.json"
+ }
+
+ data elasticsearch "last_week_alerts" {
+ index = ".alerts-security.alerts-*"
+ query_string = "kibana.alert.severity:critical AND @timestamp:[now-7d/d TO now]"
+ size = 10
+ }
+
+ data elasticsearch "last_week_alerts_another_cluster" {
+ # Inline configuration that takes precedence over the default configuration
+ config {
+ cloud_id = "another-elastic-cloud-id"
+ api_key = "another-elastic-cloud-api-key"
+ }
+
+ index = ".alerts-security.alerts-*"
+ query_string = "kibana.alert.severity:critical AND @timestamp:[now-7d/d TO now]"
+ size = 10
+ }
+
+ title = "Weekly Alerts Overview"
+
+ content text {
+ text = "Every week the security team shares an overview of the alerts created"
+ }
+
+ section "elastic_alerts" {
+
+ title = "Elastic SIEM alerts"
+
+ content table "alerts_table" {
+ query = <<-EOT
+ .data.elasticsearch.last_week_alerts | (
+ group_by(."kibana.alert.rule.name") |
+ map({rule_name: .[0]."kibana.alert.rule.name", count: length})
+ )
+ EOT
+
+ # Attributes specific for `content.table` plugin
+ columns = ["Rule Name", "Alerts Count"]
+ datapoints = [".rule_name", ".count"]
+ }
+ }
+
+ section "exported_alerts" {
+
+ title = "Exported alerts"
+
+ content table {
+ query = ".data.json.exported_alerts[]"
+
+ # Attributes specific for `content.table` plugin
+ columns = ["Alert Name", "Rule Name", "Created At"]
+ datapoints = [".alert_name", ".rule_name", ".created_at"]
+ }
+
+ content openai {
+ # Referencing the named configuration defined on the root level of the file
+ config = config.content.openai.personal_openai_key
+ query = ".data.json.exported_alerts[] | {alert_name,rule_name}"
+
+ keep_if_no_data = true
+ no_data_text = "There are no exported alerts this week"
+
+ prompt = "Summarize the list of alerts, described by provided 
alert name and rule name pairs"
+ }
+ }
+
+ content ref {
+ # Referencing the content block defined above on the root level of the file
+ base = content.text.disclaimer
+ }
+}
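Review bot: Both Elasticsearch configurations in this hunk (the root-level `config data elasticsearch` block and the inline `config {}` inside `last_week_alerts_another_cluster`) show the credential as a literal string, `api_key = "elastic-cloud-api-key"`, while the adjacent `config content openai` block already demonstrates the `from_env_var` built-in; since this file is the syntax example readers will copy, the Elasticsearch blocks should model the same pattern, e.g. `api_key = from_env_var("ELASTIC_CLOUD_API_KEY")` (variable name chosen for the example). The `data json "exported_alerts"` block also commits a developer's home-directory path, `path = "/Users/traut/Sandbox/exported_alerts*.json"`; a neutral placeholder such as `path = "./exported_alerts*.json"` would keep a local username out of the repository. The `author = "John Smith "` value carries a trailing space, which looks like an angle-bracketed e-mail address was dropped at some point; worth confirming the intended example value.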