Can you trigger a script based on specific event IDs?

[kingtriumph]

This may be a silly question, but has anyone tried to trigger a script based on specific events/alerts? The idea would be to script disabling switchports when specific event IDs from a firewall or cloud AV are seen by Security Onion. I'm not sure if this is practical or even doable with Security Onion, but I figured I'd ask before jumping down a rabbit hole. Thanks.

[InfosecGoon]

You could probably put something together with Elastalert to do this -- create the Play in Playbook and then update the rule to use the HTTP alerter or something to fire off a script. Do you have access to a SOAR platform or anything else with an addressable API that could do this?

[kingtriumph]

HI @InfosecGoon, I appreciate the response. I hadn't thought to use Playbook to trigger the action. I'll have to look into that angle more - thanks for the suggestion. I had never heard of SOAR before you mentioned it, but now I'll be going down that rabbit hole :)

Thanks again for the response.

[weslambert]

You can also look into the command alerter, which should allow you to execute commands, but keep in mind that it is relative to what is available to the container, so scripts would need to reside in an accessible directory, or bind-mounted to the container. Last, you could create also custom alerter using Python, but that might be a but more involved.