help with setting up email alerts from Security Onion #10280

mrapw · 2023-05-04T13:07:01Z

mrapw
May 4, 2023

Hi,
I am new to security onion, I have recently deployed it from the ISO as a plug 'n' play siem solution, and have updated it to 2.3.240.

most of the critical/high playbooks, are active, and winlogbeat with sysmon is set up on various Windows servers to send logs. alerts are appearing in the Alerts section, so all good.

what I'd like is to set up is some email alerting please whenever a critical or high severity event is detected

I've had a search for other similar discussions in this forum and a had a look at the info below, but it doesn't work and can't get a concrete answer on how to configure this so need some guidance.

https://docs.securityonion.net/en/2.3/elastalert.html#email-internal

if I create an smtp-alert.yaml in /opt/so/rules/elastalert/ and populated this, but no emails are sent, and so-elasticalert-test says 'test failed'. from the Security onion server I can ping and connect to port 25 successfully on our SMTP relay server.

smtp-alert.yaml example e.g.:

alert:

"email"
email:
"[email protected]"
smtp_host: "192.168.xx.xx"
smtp_port: 25
from_addr: "[email protected]"

am I missing something here ?

thanks in advance

Answered by THExCAPNxRK

May 4, 2023

Hello,

Not sure if you pasted the full rule you created but you need to create a criteria for the rule to trigger. Here is what I use and it works fine

name: Playbook Email Alert
index: "*:so-playbook-alerts-*"
type: any
query_key: [rule.name, event_data.agent.name]
filter:
- query:
    query_string:
      query: sigma_level:(high OR critical)
alert:
 - email:
     from_addr: "[email protected]"
     email: "[email protected]"
     smtp_host: "192.168.xxx.xxx"
     smtp_port: 25
alert_subject: "{0} triggered on {1}"
alert_subject_args:
- rule.name
- event_data.agent.name

This will send 1 email for each unique rule that triggers on each unique system. To remove this …

View full answer

THExCAPNxRK · 2023-05-04T16:35:31Z

THExCAPNxRK
May 4, 2023

Hello,

Not sure if you pasted the full rule you created but you need to create a criteria for the rule to trigger. Here is what I use and it works fine

name: Playbook Email Alert
index: "*:so-playbook-alerts-*"
type: any
query_key: [rule.name, event_data.agent.name]
filter:
- query:
    query_string:
      query: sigma_level:(high OR critical)
alert:
 - email:
     from_addr: "[email protected]"
     email: "[email protected]"
     smtp_host: "192.168.xxx.xxx"
     smtp_port: 25
alert_subject: "{0} triggered on {1}"
alert_subject_args:
- rule.name
- event_data.agent.name

This will send 1 email for each unique rule that triggers on each unique system. To remove this and send an email for every single rule that triggers remove the query_key line.

0 replies

mrapw · 2023-05-09T11:19:35Z

mrapw
May 9, 2023
Author

Hi,
that worked great, thank you so much. I am now getting email alerts for new high and critical events which is just what I was after.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

help with setting up email alerts from Security Onion #10280

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

help with setting up email alerts from Security Onion #10280

Uh oh!

mrapw May 4, 2023

Replies: 2 comments

Uh oh!

THExCAPNxRK May 4, 2023

Uh oh!

mrapw May 9, 2023 Author

mrapw
May 4, 2023

THExCAPNxRK
May 4, 2023

mrapw
May 9, 2023
Author