What replaces the Wazuh alert rules with the new Elastic-Agent #13393
Replies: 1 comment
If you are looking to alert on endpoint data (host-based), you would use the Sigma rules to generate alerts. If you are on 2.4.70 or later, there is a tool called Detections to enable/create Sigma rules for endpoint alerting: https://docs.securityonion.net/en/2.4/detections.html
Version: 2.4.100
Installation Method: Security Onion ISO image
Description: configuration
Installation Type: Standalone
Location: on-prem with Internet access
Hardware Specs: Exceeds minimum requirements
CPU: 4
RAM: 94G
Storage for /: more than enough
Storage for /nsm: more than enough
Network Traffic Collection: tap
Network Traffic Speeds: 1Gbps to 10Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: No, there are no failures
Logs: No, there are no additional clues
Detail:
So the Wazuh agent used to generate alerts that would show up in the Alert console. All that shows now, using the new Elastic-Agent, is Suricata alerts. Is there somewhere I can enable alerts for the new agent, or is it strictly using playbook plays for this?