Security Onion Pro and Notifications

[rosswakelin]

Version

2.4.70

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

32

Storage for /

250Gb

Storage for /nsm

1Tb

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I notice that "Notifications" are now a Security Onion Pro licensed feature.
Does this mean that the notification methods we currently have defined using the manual configuration of Elastalert will no longer function? Or is the licensed feature just the ability to configure the alerts using the GUI?

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[TOoSmOotH]

This feature is just for the gui portion and includes other alerters other than just smtp. You can continue using your old rules and drop them in the custom folder in /opt/so/conf/elastalert/custom. If you want to manage your elastalert rules with Detections then you will need to use sed or something like that to modify the files once they are placed in the normal location.

[rosswakelin]

Ok thanks, we have a set of webhooks for ServiceNow that we use to generate tickets for High and Severe NIDS events.