Elastic Rule Healthcheck
What
It is a tool to detect if a native Elastic rule is failing due to some error. It also has the ability to be able to notify on Slack in case of a failing rule detection.
Why
Because setting up detection rules and then not being able to detect the attack because for some reason the rule started failing and no one investigated and tuned the rule properly would be a PITA.
Tech Stack
This project uses:
- Elasticsearch
- Slack
- Python
Setup
Install all required packages
This is a one-time command
pipenv install
Usage
Required params:
-e
: Elasticsearch URL that will be queried for status of Elastic rules.-u
: Elastic user name that has relevant permissions to query to detections API on Elasticsearch.-p
: Elastic user password that has relevant permissions to query to detections API on Elasticsearch.-m
: Set by default. Max time threshold of the rule, in minutes, which a successful rule execution time must not exceed to be considered as a working rule. Eg: 5, 10, 15, 20.
Optional params:
-s
: Slack webhook where all the failure results will be sent.-v
: Verbosity level.
Example:
View script help menu
python.exe elastic_rule_healthcheck.py -h
Simply execute the script
python.exe elastic_rule_healthcheck.py -e https://my_es_cloud.eu-central-1.aws.cloud.es.io -u username -p 'password'
Execute the script with custom Max Time Threshold
python.exe elastic_rule_healthcheck.py -e https://my_es_cloud.eu-central-1.aws.cloud.es.io -u username -p 'password' -m 20
Execute the script and forward failure results to Slack
python.exe elastic_rule_healthcheck.py -e https://my_es_cloud.eu-central-1.aws.cloud.es.io -u username -p 'password' -s https://hooks.slack.com/randomvalue