Set up ElastAlert without Playbook

[davidjud]

Version

2.4.40

Installation Method

Security Onion ISO image

Description

upgrading

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

4

RAM

20

Storage for /

200

Storage for /nsm

100

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hi everyone,

I am currently trying to configure ElastAlert to send a email, whenever there is a alert with the catagory high or medium. But as I was looking up how to do so, I got quite confused because of the SO-Playbook. I don't want to create a Playbook, but just want elastAlert to send emails whenever a speceific alert is shown in the normal Alert section of the SOC.
Is there any possibily to configure SO that way or is it necessary for elastAlert to have a Playbook?

Thanks in advance!

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

You could try and run https://docs.securityonion.net/en/2.4/elastalert.html#so-elastalert-create to create just the Elastalert rule.

[DebianGuru]

How about making a file /opt/so/rules/elastalert/email-alert.yaml and modify the bottom 3 lines to suite your environment and possibly add '- "medium" ' uner the blacklist: key? This worked for me in 2.3 before I needed a more elegant solution.

name: email-alert
type: blacklist
es_host: securityonion
es_port: 9200
index: "*:so-*"

compare_key:
- "event.severity_label"
blacklist:
- "high"

realert:
  minutes: 0

alert:

realert:
  minutes: 0

alert:
- "email"
email:
- "[email protected]"
smtp_host: "mail.domain.local"
smtp_port: 25
from_addr: "[email protected]"

[davidjud]

How about making a file /opt/so/rules/elastalert/email-alert.yaml and modify the bottom 3 lines to suite your environment and possibly add '- "medium" ' uner the blacklist: key? This worked for me in 2.3 before I needed a more elegant solution.

name: email-alert
type: blacklist
es_host: securityonion
es_port: 9200
index: "*:so-*"

compare_key:
- "event.severity_label"
blacklist:
- "high"

realert:
  minutes: 0

alert:

realert:
  minutes: 0

alert:
- "email"
email:
- "[email protected]"
smtp_host: "mail.domain.local"
smtp_port: 25
from_addr: "[email protected]"

Hey, thanks for your answer!
As the first answer to my problem suggested, I ran the so-elastalert-create command. The "final ouput" of this command is a .yaml file which is almost exactly simmilar to yours. My only concern is that in your file some attributes e.g. "email" or the recipient email are within double quotes, in contrast to my yaml file - in which they are not. (I didn't create the file, as it was created with the so-elastalert-create command)
Have you already tried this out in the new 2.4v?

[DebianGuru]

While mine does work in 2.3 I've not tried it in 2.4. As far as the double quotes, they worked for me, but I'm no yaml expert. I've learned most of this by trial and error. Perhaps, I'll look into the so-elastalert-create command myself. I don't think it existed when I started using the 2.3 brancy (I see it was there at some point) so I had to do it the old fashioned way.

[davidjud]

While mine does work in 2.3 I've not tried it in 2.4. As far as the double quotes, they worked for me, but I'm no yaml expert. I've learned most of this by trial and error. Perhaps, I'll look into the so-elastalert-create command myself. I don't think it existed when I started using the 2.3 brancy (I see it was there at some point) so I had to do it the old fashioned way.

Thanks a lot for your commitment trying to help me. By now I configured everything, so that theoretically everything should work. But up to now, I couldn't find out whether it actually works.