{
"name": "Elasticsearch_Query",
"version": "1.0",
"author": "Soumille Lucas",
"url": "https://github.com/TheHive-Project/Cortex-Analyzers",
"license": "AGPL-V3",
"description": "Make queries to Elasticsearch",
"dataTypeList": ["domain", "ip", "url", "fqdn", "uri_path","user-agent", "hash", "email", "mail", "mail_subject" , "registry", "regexp", "other", "filename"],
"baseConfig": "Elasticsearch",
"config": {
"service": "es-query",
"query": "{\"query\": { \"bool\": { \"must\": [ {\"match\": {'user':'%s'}} ], \"filter\": [ { \"range\": { \"@timestamp\": { \"gte\": \"now-30d\" }}}]}} ,\"aggs\" : {\"agg\": {\"terms\": {\"field\": \"message.keyword\", \"size\" : 10}}}}"
},
"configurationItems": [
{
"name": "host",
"description": "Elasticsearch Hostname",
"type": "string",
"multi": true,
"required": true,
"defaultValue": "localhost"
},
{
"name": "port",
"description": "Elasticsearch Port",
"type": "number",
"multi": false,
"required": false,
"defaultValue": 9200
},
{
"name": "https",
"description": "Use HTTPS instead of plain HTTP when talking to the Elasticsearch API",
"type": "boolean",
"multi": false,
"required": false,
"defaultValue": true
},
{
"name": "username",
"description": "Username used to authenticate to the Elasticsearch API",
"type": "string",
"multi": false,
"required": false,
"defaultValue": ""
},
{
"name": "password",
"description": "Password used to authenticate to the Elasticsearch API",
"type": "string",
"multi": false,
"required": false,
"defaultValue": ""
},
{
"name": "index",
"description": "Elasticsearch Index to query",
"type": "string",
"multi": false,
"required": false,
"defaultValue": "logstash-*"
},
{
"name": "cert_check",
"description": "Verify the Elasticsearch server's TLS certificate",
"type": "boolean",
"multi": false,
"required": true,
"defaultValue": false
},
{
"name": "cert_path",
"description": "Path to the CA certificate on the system used to verify the server certificate",
"type": "string",
"multi": false,
"required": false
}
],
"command": "elasticsearch-analyzer/elasticsearch_analyzer.py"
}