Setup email notification for alerts

[rockbesst]

Version

2.4.30

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

32

RAM

128Gb

Storage for /

96Gb

Storage for /nsm

814Gb

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hi! I need some help with our Secure Onion 2.4.30 host. I set up almost all we need. Last critical option we need is email notifications for alerts. I read documentation, where I saw how to set notification type for every rule.
So, my question is: can I set notification type and SMTP settings in one place for all rules I activated, as it was in Wazuh settings in SO v2.3?

Guidelines

• I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

[keis3cker]

Hi,you can add the email alerting to the generic.template on path /opt/so/rules/elastalert/playbook/.
But I guess you have to deactivate and activate the rules again to get them parsed again.
Another option would be to create a single elastalert config which triggers when an alert gets written to the es-index.

[rockbesst]

Thanks for your answer. I added elastalert rule to check alerts count every hour. But elastalert doesn't send emails. As I think, it would work if I install some mail server i.e. exim4. But can I set elastalert to use some external mail server by SMTP?

[keis3cker]

This should work, you can set different parameters for email alert.
Just checkout the elastalert docs;

https://elastalert2.readthedocs.io/en/latest/alerts.html#email

[rockbesst]

Sorry for a dumb questions, but I'm not sure that I clearly understand.
I have a file /opt/so/rules/elastalert/playbook/generic.template , where I have alert type:

alert:
- "modules.so.playbook-es.PlaybookESAlerter"

So, am I right, I need to add mail parameters here, like below?

alert:
- "modules.so.playbook-es.PlaybookESAlerter"
- mail
  email: recipient
  smtp_host: my mail server
  and other parameters

And with this parameters all alerts will be sent to menu Alerts in web interface and to recipient email, right?

[keis3cker]

Yes right this should create an soc alert and an email alert.
But pay attention at the syntax, the the module for mailing is called "email" not "mail".

[rockbesst]

I have one more trouble =)
I added mail settings to generic template /opt/so/rules/elastalert/playbook/generic.template :

alert:
- "modules.so.playbook-es.PlaybookESAlerter"
- "email"
email: hidden
smtp_host: hidden
smtp_port: 25
from_addr: hidden
smtp_auth_file: creds.yaml


elasticsearch_host: "hidden:9200"
play_title: ""
play_id: ""
event.module: "playbook"
event.dataset: "playbook.alert"
event.severity:
rule.category: 
play_url: "https://hidden/playbook/issues/6000"
kibana_pivot: "https://hidden/kibana/app/kibana#/discover?_g=()&_a=(columns:!(_source),interval:auto,query:(language:lucene,query:'_id:{[_id]}'),sort:!('@timestamp',desc))"
soc_pivot: "https://hidden/#/hunt"
sigma_level: ""

index: '.ds-logs-*'
name: EQL
priority: 3
realert:
  minutes: 0
type: any
filter:

But if I restart elastalert or reboot host, this template overwrites to default. What I did wrong?