What
#285 introduced data normalization.
An intended side effect was that the `logs` key was not required if the `datatypes` key is provided.
Example:
```python
from fnmatch import fnmatch
# `rule` and `fetch_values_by_datatype` are StreamAlert's rule decorator and
# normalization helper, imported as in the project's other rule files.

@rule(datatypes=['command'])
def alert_suspicious_wget(rec):
    # Look up every value that normalization tagged as a 'command'
    results = fetch_values_by_datatype(rec, 'command')
    for result in results:
        if fnmatch(result, "wget *"):
            return True
    return False
```
However, this doesn't match reality. If you don't specify `logs`, you get the following:
```
StreamAlert [ERROR]: Invalid rule [...] - rule must have 'logs' declared
```
Workaround
Define all relevant logs in the `logs` key for rules that use data normalization.
Expectations
- if the `datatypes` key exists, `logs` is not required, it's optional
- if the `datatypes` key does not exist, `logs` is required
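An added illustration of the expected validation, not StreamAlert's own code: a hypothetical `rule` decorator that treats `logs` as optional whenever `datatypes` is given, plus a stand-in `fetch_values_by_datatype` that assumes the record carries a `normalized_types` map of type name to key paths, run against a constructed record.

```python
from fnmatch import fnmatch

# Hypothetical registry; StreamAlert keeps its own rule table.
RULES = {}


def rule(logs=None, datatypes=None):
    """Hypothetical decorator implementing the issue's expectation:
    'logs' is required only when no 'datatypes' key is declared."""
    if not logs and not datatypes:
        raise ValueError("Invalid rule - rule must have 'logs' declared "
                         "(or 'datatypes', which makes 'logs' optional)")

    def decorator(func):
        RULES[func.__name__] = {'func': func,
                                'logs': logs or [],
                                'datatypes': datatypes or []}
        return func
    return decorator


def fetch_values_by_datatype(rec, datatype):
    """Stand-in helper (assumed layout): rec['normalized_types'] maps a
    normalized type to a list of key paths pointing into the record."""
    values = []
    for path in rec.get('normalized_types', {}).get(datatype, []):
        value = rec
        for key in path:
            value = value[key]
        values.append(value)
    return values


@rule(datatypes=['command'])          # no 'logs' key, accepted as expected
def alert_suspicious_wget(rec):
    for value in fetch_values_by_datatype(rec, 'command'):
        if fnmatch(value, 'wget *'):
            return True
    return False


def rule_without_keys_is_rejected():
    """A rule declaring neither key must still fail validation."""
    try:
        @rule()
        def bad_rule(rec):
            return False
    except ValueError:
        return True
    return False


# Constructed sample record with the normalization map already attached.
SAMPLE_RECORD = {'process': {'cmdline': 'wget http://example.invalid/x.sh'},
                 'normalized_types': {'command': [['process', 'cmdline']]}}
```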