Mes Infos

name: "##Firewall_PortScan"

index: graylog_*

type: cardinality

cardinality_field: DEV_LOG_DPORT

timeframe:
   minutes: 45

buffer_time:
   minutes: 15

max_cardinality: 50

query_key: [DEV_LOG_SRC,DEV_LOG_DST]

filter:
    - query:
        query_string:
            query: '_exists_:DEV_LOG_SRC AND _exists_:DEV_LOG_DST AND _exists_:DEV_LOG_DPORT AND DEV_LOG_DPORT:*'


alert_subject: "[CAR] Firewall PortScan from {0}"

alert_subject_args:
    - DEV_LOG_SRC


alert_text_kw:
    _index: _index
    _id: _id
    DEV_LOG_DPORT: DEV_LOG_DPORT
    DEV_LOG_SRC: DEV_LOG_SRC
    DEV_LOG_DST: DEV_LOG_DST
    DEV_LOG_COMPID: DEV_LOG_COMPID
    DEV_LOG_TIMESTAMP: DEV_LOG_TIMESTAMP
    

alert_text: |

    #### Detection of a PortScan on Firewall:

    - **Firewall Device**: `{DEV_LOG_COMPID}`
    - **Source IP**: `{DEV_LOG_SRC}`
    - **Destination IP**: `{DEV_LOG_DST}`
    - **Destination Port**: `{DEV_LOG_DPORT}`
    - **Event Time**: `{DEV_LOG_TIMESTAMP}`
    

    #### Logs details:
    - Logs available on [Graylog](https://localhost/graylog/messages/{_index}/{_id}).


alert_text_type: alert_text_only


realert:
    hours: 12


alert:
- elastalert_modules.thehive_alerter.TheHiveAlerter


thehive_uri: http://thehive:9000
thehive_auth_file: thehive_acct.yaml
thehive_alert_type: PortScan
thehive_severity: 2
thehive_tlp: 2
thehive_source: Dev
thehive_source_ref: Forcepoint_portscan_{0}
thehive_source_ref_args:
    - DEV_LOG_SRC
thehive_artifacts:
    - data: DEV_LOG_SRC
      datatype: ip
    - data: DEV_LOG_DST
      datatype: ip
thehive_tags:
    - portscan