Provide a way to auto-archive (mute) alerts probably matching a filter. Most likely SID, SID/src-ip, or SID/src-ip/dest-ip as that's the aggregation that EveBox uses.
Events matching this filter will never show up in the evebox and be archived immediately.
Easier done if the EveBox agent is used as events go through the server. Will have to be done periodically or on the fly for logstash/elasticsearch setups.
Just adding that the autoarchive would be a great feature for SIDs like 2402000 (Dshield, CINS, etc) which are useful in IPS mode but generate a ton of alerts that don't require investigation/follow up.
If an event contains the alert metadata {"evebox-action": "archive"},
the server will automatically mark the event as archived.
This works in conjunction with the new (experimental) Suricata-Update
feature to add metadata using its own rule matching.
GitHub issue: #52
This is only done at the server for now and for Elasticsearch. It
requires that events be forwarded through the server and will not work
with Logstash, Filebeat, etc.
Related comment:
#51 (comment)
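As an added illustration (not EveBox's own code), the two mechanisms discussed in this thread side by side: the server-side check for the `evebox-action: archive` alert metadata from the commit above, and the SID / SID+src-ip / SID+src-ip+dest-ip mute filter the issue proposes. The EVE event and the function names are constructed for the example; in EVE JSON, `alert.metadata` normally maps each key to a list of values, so the bare string form quoted in the commit is accepted as well.

```python
import json

# Constructed sample: a Suricata EVE alert carrying rule metadata.
SAMPLE_EVENT = json.loads("""{
  "event_type": "alert",
  "src_ip": "192.0.2.10",
  "dest_ip": "198.51.100.7",
  "alert": {
    "signature_id": 2402000,
    "signature": "constructed test signature",
    "metadata": {"evebox-action": ["archive"]}
  }
}""")


def has_archive_action(event):
    """True if alert.metadata carries evebox-action: archive (list or string form)."""
    if event.get("event_type") != "alert":
        return False
    value = event.get("alert", {}).get("metadata", {}).get("evebox-action")
    if value is None:
        return False
    values = value if isinstance(value, list) else [value]
    return "archive" in values


def matches_mute_filter(event, sid, src_ip=None, dest_ip=None):
    """Mute filter at the aggregation levels the issue names; None is a wildcard."""
    alert = event.get("alert", {})
    if alert.get("signature_id") != sid:
        return False
    if src_ip is not None and event.get("src_ip") != src_ip:
        return False
    if dest_ip is not None and event.get("dest_ip") != dest_ip:
        return False
    return True


def should_auto_archive(event, mute_filters=()):
    """Archive when the rule metadata asks for it or any configured filter matches.

    mute_filters is an iterable of (sid,), (sid, src_ip) or (sid, src_ip, dest_ip)."""
    if has_archive_action(event):
        return True
    return any(matches_mute_filter(event, *f) for f in mute_filters)


if __name__ == "__main__":
    print(should_auto_archive(SAMPLE_EVENT))
```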