Implement filament rule action #243
A prominent use case for filaments is alert post-processing. This would allow any filament defining the `on_next_alert` function to react on alert arrival, whether the alert was generated by the detection engine or by the YARA scanner. If the filament has a definition of the `on_next_alert(alert)` function, each time an alert is triggered, the filament framework will invoke that function. Its first parameter contains the alert details (such as: detection, yara, etc.).

Detection rules will define a new action to specify the filament to execute and optional args given to the Python VM.

The YARA scanner must specify the list of filaments to execute when the rule matches. Additionally, the YARA rule can declare the `filament` metadata with the name of the filament to execute upon rule firing.
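The flow proposed above, as an added example that is not Fibratus code and not part of the issue: a hypothetical filament implementing `on_next_alert(alert)` that suppresses repeated alerts, plus a stand-in for the framework side that resolves which filament a detection rule action or a YARA `filament` meta entry names and invokes the hook. Only the hook name `on_next_alert(alert)` and the YARA `filament` meta key come from the issue; the alert field names (`source`, `title`, `pid`), the `{"filament": ...}` action shape, the loader and the registry are assumptions made for illustration, and the optional args passed to the Python VM are not modelled.

```python
"""Added example, not Fibratus project code.

Models the flow from the issue: an alert from the detection engine or the
YARA scanner arrives, the framework picks the filament(s) the rule names,
and calls each filament's on_next_alert(alert). Everything except the hook
name and the YARA `filament` meta key is a hypothetical assumption.
"""
import types

# --- filament side (what a user would ship as alert_dedup.py) --------------
# Built in memory so the example runs offline; the alert keys are assumed.
ALERT_DEDUP_SRC = '''
seen = {}   # (source, title, pid) -> hit count, kept across invocations

def on_next_alert(alert):
    """Called by the framework for every alert. Returns the enriched alert
    to forward, or None when it is a repeat of one already seen."""
    fp = (alert.get("source"), alert.get("title"), alert.get("pid"))
    seen[fp] = seen.get(fp, 0) + 1
    if seen[fp] > 1:
        return None
    return dict(alert, first_seen=True, handled_by="alert_dedup")
'''

# A filament that only consumes kernel events and defines no alert hook.
KEVENT_ONLY_SRC = "def on_next_kevent(kevent):\n    pass\n"


def load_filament(name, source):
    """Stand-in for the framework loader: a filament is a plain module."""
    mod = types.ModuleType(name)
    exec(source, mod.__dict__)
    return mod


# Hypothetical registry of loaded filaments keyed by filament name.
REGISTRY = {
    "alert_dedup": load_filament("alert_dedup", ALERT_DEDUP_SRC),
    "kevent_only": load_filament("kevent_only", KEVENT_ONLY_SRC),
}


def filaments_for(alert, rule_action=None, yara_meta=None):
    """Resolve the filaments to run for an alert (assumed shapes).

    rule_action: detection-rule action, e.g. {"filament": "alert_dedup"}
    yara_meta:   YARA rule meta section, e.g. {"filament": "alert_dedup"}
    Unknown filament names are dropped rather than raising at alert time.
    """
    names = []
    if alert.get("source") == "detection" and rule_action:
        names.append(rule_action.get("filament"))
    if alert.get("source") == "yara" and yara_meta:
        names.append(yara_meta.get("filament"))
    return [n for n in names if n in REGISTRY]


def dispatch(alert, names):
    """Invoke on_next_alert on each selected filament, isolating failures.

    Returns {filament_name: hook result}. Filaments without the hook are
    skipped, each hook gets its own copy of the alert so one filament cannot
    mutate what the next one sees, and an exception in one filament is
    recorded instead of aborting the remaining ones.
    """
    results = {}
    for name in names:
        hook = getattr(REGISTRY[name], "on_next_alert", None)
        if hook is None:
            continue
        try:
            results[name] = hook(dict(alert))
        except Exception as exc:  # noqa: BLE001 - deliberate isolation
            results[name] = "error: %r" % (exc,)
    return results


if __name__ == "__main__":
    # Constructed sample alert; field values are illustrative only.
    alert = {"source": "detection", "title": "LSASS handle opened", "pid": 4321}
    names = filaments_for(alert, rule_action={"filament": "alert_dedup"})
    print(dispatch(alert, names))   # enriched alert on first arrival
    print(dispatch(alert, names))   # {'alert_dedup': None}: suppressed repeat
```

The `seen` table lives in the filament module, so suppression state survives across invocations for as long as the filament stays loaded; a real deployment would want it bounded (size or time window) so a noisy rule cannot grow it without limit.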