-
Notifications
You must be signed in to change notification settings - Fork 1
/
playbook.yml
36 lines (31 loc) · 1.45 KB
/
playbook.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
---
- name: Generate ElastAlert rules with sigmac
hosts: localhost
gather_facts: false
vars:
path_to_elastalert: /path/to/elastalert
path_to_sigma: /path/to/sigma
tasks:
- name: Make parent rule directories
file:
state: directory
path: "{{ path_to_elastalert }}/rules/{{ rule_cat }}/{{ rule_dir }}"
recurse: yes
- name: Convert rules with sigmac
shell: "{{ path_to_sigma }}/tools/sigmac -t elastalert -c \"{{ path_to_sigma }}/tools/config/config.yml\" {{ rule_path }} -O http_post_include_rule_metadata -O alert_methods=http_post --backend-config \"{{ path_to_sigma }}/tools/config/backends/config.yml\""
register: rule
- set_fact:
rule_count: "{{ rule.stdout.split('\n\n') | length }}"
rules: "{{ rule.stdout.split('\n\n') }}"
- name: Iterate over rules and save to files, append index to names since multiple rules are included
local_action: copy content={{ rules[idx] }} dest={{ path_to_elastalert }}/rules/{{ rule_cat }}/{{ rule_dir }}/{{ rule_name.split(".yml")[0] }}_{{ idx }}.yaml
loop: "{{ rules }}"
loop_control:
index_var: idx
when: rule_count|int > 1
- name: Save rule to file
local_action: copy content={{ rules[idx] }} dest={{ path_to_elastalert }}/rules/{{ rule_cat }}/{{ rule_dir }}/{{ rule_name.split(".yml")[0] }}.yaml
loop: "{{ rules }}"
loop_control:
index_var: idx
when: rule_count|int == 1