Implement filament rule action #243

@rabbitstack

Description

A prominent use case for filaments is alert post-processing. This would allow any filament defining the on_next_alert function to react to alert arrival, whether the alert is generated by the detection engine or by the YARA scanner.
If the filament defines the on_next_alert(alert) function, each time an alert is triggered the filament framework will invoke that function. Its first parameter contains the alert details, such as:

  • alert title
  • alert detailed description
  • provenance (detection, yara, etc.)
  • tags
  • alert metadata

Detection rules will define a new action to specify the filament to execute and optional args passed to the Python VM.
The YARA scanner must specify the list of filaments to execute when the rule matches. Additionally, the YARA rule can declare the filament metadata with the name of the filament to execute upon rule firing.
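As an added example (not Fibratus project code and not from the issue author), the following Python filament sketches the on_next_alert hook proposed above: it suppresses repeated alerts and routes each one by provenance and tags, which is the kind of post-processing the issue has in mind. The Alert dataclass, the routing policy, the metadata keys and the sample alerts are all assumptions constructed for this example; the object the framework actually passes may look different.

```python
# Added example, not Fibratus project code: a filament that post-processes
# alerts through on_next_alert(alert). The Alert dataclass is an assumption
# that mirrors the fields listed in the issue; the real object may differ.
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Alert:
    """Assumed alert shape: the fields the issue says on_next_alert receives."""
    title: str
    description: str
    provenance: str          # e.g. "detection" or "yara"
    tags: list = field(default_factory=list)
    metadata: dict = field(default_factory=dict)


# Filament-local state: suppresses repeats and keeps per-source counters.
_seen = set()
_counts = Counter()
_dispatched = []


def reset_state():
    """Clears filament state (useful for tests and re-initialisation)."""
    _seen.clear()
    _counts.clear()
    _dispatched.clear()


def _dedup_key(alert):
    # Same source, same title and same tag set: treat as a repeat.
    return (alert.provenance, alert.title, tuple(sorted(alert.tags)))


def choose_route(alert):
    """Picks a destination queue from provenance and tags (assumed policy)."""
    if alert.provenance == "yara":
        return "malware-triage"
    if "credential-access" in alert.tags:
        return "identity-team"
    return "soc-queue"


def handle_alert(alert):
    """Core post-processing; returns the enriched record, or None if suppressed."""
    key = _dedup_key(alert)
    if key in _seen:
        return None
    _seen.add(key)
    _counts[alert.provenance] += 1
    record = {
        "title": alert.title,
        "description": alert.description,
        "provenance": alert.provenance,
        "tags": sorted(alert.tags),
        "route": choose_route(alert),
        "seq": _counts[alert.provenance],
        # Metadata is passed through unchanged so downstream consumers keep
        # context; the "rule" key used in demo() is only an assumed example.
        "metadata": dict(alert.metadata),
    }
    _dispatched.append(record)
    return record


def on_next_alert(alert):
    """Entry point the issue proposes the filament framework will call."""
    record = handle_alert(alert)
    if record is None:
        return
    print(f"[{record['route']}] {record['provenance']}#{record['seq']}: {record['title']}")


def demo():
    """Runs the hook over constructed sample alerts and returns the dispatched records."""
    reset_state()
    samples = [  # constructed sample alerts, not real detections
        Alert("LSASS handle opened", "Unsigned process opened a handle to LSASS",
              "detection", ["credential-access"], {"rule": "example-rule"}),
        Alert("Packed PE dropped", "File matched packer signature",
              "yara", ["packer"], {"rule": "example-yara-rule"}),
        Alert("LSASS handle opened", "Unsigned process opened a handle to LSASS",
              "detection", ["credential-access"], {"rule": "example-rule"}),
    ]
    for alert in samples:
        on_next_alert(alert)
    return list(_dispatched)


if __name__ == "__main__":
    demo()
```

The third sample repeats the first and is dropped by the dedup key, so only two records are dispatched; keeping state at module level matches how a filament would persist across invocations of its hook.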


Labels

  • needs: docs (Indicates that the issue needs documentation updates)
  • scope: filaments (Anything related to filaments)
  • scope: yara (Anything related to libyara and pattern matching)
