forked from 4quarks/pdnssoc-cli
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathconfig.yml.sample
83 lines (75 loc) · 2.82 KB
/
config.yml.sample
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
logging_level: "INFO"
#############################
# MISP SERVER CONFIGURATION #
#############################
#
# In this section you can define server specific parameters for
# MISP. Specifically, you can define the connection details as
# well as arguments to be provided when searching for events
# and attributes. Each of the server will be used serially,
# for fetching initial attributes and querying for specific
# events.
misp_servers:
- domain: "https://example-misp-instance.com"
api_key: "API_KEY"
# PyMISP.search() arguments. For complete list of options
# consult https://pymisp.readthedocs.io/en/latest/modules.html#pymisp.PyMISP.search
args:
enforce_warninglist: True # Suggested to reduce false positives
# Restrict results by timestamp:
# In tags, for each tag name you can set a different timestamp.
# This is useful to reduce false positives.
# The generic section is applied to all of the attributes not
# matched by the tags section.
# The delta value can be any key,value tuple accepted by datetime.timedelta
# or False if no time restriction should be applied.
periods:
generic:
delta:
days: 30
tags:
- names:
- "tag_name"
delta: False
correlation:
input_dir: ./input_dir/ # Use this if no files are defined from commmand line
output_dir: ./output_dir/ # Alert output directory
archive_dir: ./archive/
malicious_domains_file: ./misp_domains.txt # List of newline delimited domain attributes fetched by MISP
malicious_ips_file: ./misp_ips.txt # List of newline delimited ip attributes fetched by MISP
last_correlation_pointer_file: ./correlation.last # Status file for last succesful correlation
last_retro_pointer_file: ./retro.last # Status file for last succesful retro-correlation
###################
# Scheduled tasks #
###################
#
# Define interval for recurring task in daemonized mode.
schedules:
fetch_iocs:
interval: 10 # minutes
correlation:
interval: 1 # minutes
retro:
interval: 1440 # minutes
alerting:
interval: 60 # minutes
############
# Alerting #
############
#
alerting:
last_alerting_pointer_file: ./tests/alert.last
# A summary email notification will be sent to the address defined at summary_to
# A separate notification will be sent to each email mapped to a sensor in mappings.
email:
from: "[email protected]"
subject: "[pDNSSOC] Community XYZ alert"
summary_to: "[email protected]"
server: "localhost"
port: 25
# Template to be used for email alerts
# Example: https://github.com/CERN-CERT/pdnssoc-cli/blob/main/src/resources/alert_email_template.html
template: ./alert_email_template.html
mappings:
- client_id: client_1 # Client ID matching the global.server-identity
contact: [email protected]