How to trigger an alert for sudo execution using detection tab

[sandraimmaculate]

Hello,
I have installed security onion 2.4 in Rocky Linux 9 with 4 vcpu and 16GB RAM and with 250 root volume. I have created a trigger to raise an alert whenever the sudo command is executed in endpoints where the agents is installed using playbook! and it was working. Now as the playbook was replaced with detection tab i have created same rule in detection tab but i'm not getting the alert why ?? still in the alert tab the alerts are coming from playbook

it have to give the alert if the rule got trigger in the endpoint where the elastic agent is installed

[sandraimmaculate]

I tried to create a custom rule in /opt/so/rules/elastalert/rules/custom/custom_rulefailedlogin.yaml if i add this path in

the elastalert status is becoming missing

i created a sample rule for testing

name: "Frequent Failed Logins Alert"
type: frequency
index: logs-*
num_events: 5
timeframe:
  minutes: 1
filter:
- term:
    event.action: "failed_login"
alert:
- email
email:
- [email protected]

[cm-ops]

What is the error for the Elastalert container? /opt/so/log/elastalert/elastalert.log

[cm-ops]

You would need to add the email alerter to you configuration manually. Here is the documetation on the email alerter https://elastalert2.readthedocs.io/en/latest/alerts.html#email.

Notifications are an enterprise-level feature of Security Onion. Manual configuration is not supported, however you can get it to work by manual configuration.

[sandraimmaculate]

Sir, Thanks for your reply!
I have seen this document and added smtp_username and smtp_password in administration > configurations > elastalert in security onion and there is no any option to add the to email address to send alert. Do i need to install elastalert2 in security onion server??
Sir! can you please explain the steps how to trigger an email alert. I'm new to this

[cm-ops]

Notifications are an enterprise-level feature of Security Onion. Manual configuration is not supported, however you can get it to work by manual configuration. Any configurations in the SOC GUI are Pro features, you would need to manually place them in the rule config.

You need to add the alert type, email, and any other configurations you need from here https://elastalert2.readthedocs.io/en/latest/alerts.html#email to the rule config. To restate, manual configurations are not supported.

[sandraimmaculate]

yes if i create a custom rule and add it in elastalert config file after restart it getting overwrite!
What if i install elastalert2 and configure it with security onion elasticsearch ?? it wont cause any problem to the existing one right!

[cm-ops]

The existing Elastalert container is running Elastalert2.