开源SOC实现（十二）-告警通知工具Praeco

systemctl status docker

git clone https://github.com/johnsusek/praeco.git

cd praecomkdir -p rules rule_templateschmod -R 777 rules rule_templates

vi config/api.config.json

{  "appName": "elastalert-server",  "port": 3030,  "wsport": 3333,  "elastalertPath": "/opt/elastalert",  "verbose": false,  "es_debug": false,  "debug": false,  "rulesPath": {    "relative": true,    "path": "/rules"  },  "templatesPath": {    "relative": true,    "path": "/rule_templates"  },  "dataPath": {    "relative": true,    "path": "/server_data"  },  "es_host": "*WAZUH-INDEXER*",  "es_port": 9200,  "es_username": "admin",  "es_password": "*YOUR_PASSWORD*",  "es_ssl": true,  "ea_verify_certs": false,  "opensearch_flg": true,  "writeback_index": "praeco_elastalert_status"}

vi config/elastalert.yaml

# The elasticsearch hostname for metadata writeback# Note that every rule can have its own elasticsearch hostes_host: 192.168.116.201# The elasticsearch portes_port: 9200# This is the folder that contains the rule yaml files# Any .yaml file will be loaded as a rulerules_folder: rules# How often ElastAlert 2 will query elasticsearch# The unit can be anything from weeks to secondsrun_every:  seconds: 60# ElastAlert 2 will buffer results from the most recent# period of time, in case some log sources are not in real timebuffer_time:  minutes: 1# Optional URL prefix for elasticsearch#es_url_prefix: elasticsearch# Connect with TLS to elasticsearchuse_ssl: True# Verify TLS certificatesverify_certs: False# GET request with body is the default option for Elasticsearch.# If it fails for some reason, you can pass 'GET', 'POST' or 'source'.# See http://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport# for details#es_send_get_body_as: GET# Option basic-auth username and password for elasticsearches_username: admines_password: *YOUR_PASSWORD*# The index on es_host which is used for metadata storage# This can be a unmapped index, but it is recommended that you run# elastalert-create-index to set a mappingwriteback_index: praeco_elastalert_status# If an alert fails for some reason, ElastAlert will retry# sending the alert until this time period has elapsedalert_time_limit:  days: 2skip_invalid: True

export PRAECO_ELASTICSEARCH=192.168.116.202

docker compose up -d

http://192.168.116.202:8080

docker logs <3030端口容器对应的ID>例如：docker logs d725775a88cf

SCHTASKS /CREATE /RU “NT AUTHORITYSYSTEM” /SC DAILY /TN “MyTasksNotepad task” /TR “C:WindowsSystem32notepad.exe” /ST 11:00

(data_win_eventdata_parentImage:(*\powershell.exe) AND data_win_eventdata_commandLine:(*SCHTASKS*/CREATE*/RU*)

https://stackoverflow.com/questions/32423837/telegram-bot-how-to-get-a-group-chat-id

https://api.telegram.org/bot1234567890:xxxxxxxxxxxxxxxxxxxx/getUpdates