Automatic e-mails trough elastalert

[Fudginas]

Hello guys,

I need to find a way to generate e-mails when an alert drops (Critical, High, Medium) but I'm having an hard time to setup to install an SMTP service. I read that with elastalert you can generate e-mails when an alert drops therefore I don't need a SMTP service only the SMTP server hostname, port and admin credencials of the SMTP server but I never configured elastalert.

The version I'm using is 2.3.260 and it's based in CentOS.

If someone can help it would be awsome!

Thank you

[jaypfe]

Have you looked at https://docs.securityonion.net/en/2.3/elastalert.html#email---internal
They have some examples in there of using smtp services and setting up alerts. You make these changes at the console in /opt/so/rules/elastalert/

You can either modify the outputs of each rule you want to alert on, or in my case I built a rule with playbook that matches on every alert and just set it to send emails. In my case, I was making rules in Kibana security rather than playbook. To monitor playbook alerts the index should be 'so-playbook-alerts*'

`name: SO ALERTS
type: any
index: '.internal.alerts-security*'
query:
match_all: {}
alert:

• "email"
  email:
• "[email protected]"
  smtp_host: "SmtpUrl.Example.com"
  smtp_port: 25
  smtp_ssl: false
  from_addr: "Security Onion"
  smtp_auth_file: '/opt/elastalert/rules/smtp_auth_file.txt'
  alert_subject: "ALERT: {0} Triggered"
  alert_subject_args:
• kibana.alert.rule.name`

You will build a file with your username and password as described in the docs.

The alerts will contain the log that caused the alert. If you want that to not be the case, you will need to build a custom index that strips out the fields you dont want.

Hope this helps!