Implement filament rule action #243
Labels
needs: docs
Indicates that the issue needs documentation updates
scope: filaments
Anything related to filaments
scope: yara
Anything related to libyara and pattern matching
Comments
rabbitstack
added
scope: filaments
rabbitstack
added
the
scope: yara
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
A prominent use case for filaments is alert post-processing. This would allow any filament defining the
on_next_alertfunction to react on alert arrival, either generated by the detection engine or YARA scanner.If the filament has the definition of the
on_next_alert(alert)function, each time an alert is triggered, the filament framework will invoke the former function. The first parameter of this function contains the alert details such as:detection,yara, etc.)Detection rules will define a new action to specify the filament to execute and an optional args given to the Python VM.
Yara scanner must specify the list of filaments to execute when the rule matches. Additionally, the Yara rule can declare the
filamentmetadata with the name of the filament to execute upon rule firing.The text was updated successfully, but these errors were encountered: