Index in Elastalert rule to send alert mail

[Cantondy]

Hello,

I want to create an Elastalert rule that sends an email when a “High” severity alert is detected.
According to a rule found here (dating from 2020): #2141, the rule looks for an index containing “:so-ids-".

As this index no longer seems to exist in Security Onion version 2.4, I see the following indexes which could potentially be those containing Suricata alerts:

• .ds-logs-suricata

• .ds-logs-detections

I'm not sure I'm looking in the right indexes, I'd like my Elastalert rule to look for alerts generated for both Suricata and Sigma (in short, all alerts generated by Security Onion).
Has anyone ever created such a rule, and which index is the right one?

Thanks in advance !

[rosswakelin]

The index you need is logs-suricata.alerts-so

Here is an example of some of my rule file:

#elasticsearch` Host
es_host: cha-osom-v11
es_port: 9200

# (Required)
# Rule name, must be unique
name: "[OPS IDS]  High Severity Event !!!"


# (Required)
# Index to search, wildcard supported
index: "logs-suricata.alerts-so"

# (Required)
# Type of alert.
# This rule will monitor a certain field and match if that field changes.
type: frequency

# (Required, change specific)
# The field to look for changes in
num_events: 1
timeframe:
    minutes: 3
buffer_time:
    minutes: 5
allow_buffer_time_overlap: true
filter:
    - query:
       query_string:
         query: "event.severity:3 AND event.acknowledged is null"

Change event.severity to 4 to get Critical alerts

[Cantondy]

Hello,

Thank you very much for your complete answer!
It is indeed the logs-suricata.alerts-so index that works.

Here's my current working template, which detects a severity 3 alert (high).
The section below "alert: - "email" allows you to send a formatted e-mail containing information on the rules retrieved.

# Elasticsearch Host
es_host: MY_MANAGER
es_port: 9200

# (Required)
# Rule name, must be unique
name: "[SO] High Severity Event"

# (Required)
# Index to search, wildcard supported
index: "logs-suricata.alerts-so"

# (Required)
# Type of alert
type: any

# Aggregate multiple matches in period together into one alert
aggregation:
    seconds: 5

# (Required, change specific)
# Filter used to query Elasticsearch logs
filter:
- query:
    query_string:
        query: "event.severity:3"

# (Required, change specific)
# Notification for alert           
alert:
- "email"

# (Optional)
# Formating alert body
alert_text: "
Number of hits: {0}\n
\n
*RULE*:\n
-----------------------\n
Rulename  :	{1}\n
Category  :	{2}\n
Reference :	{3}\n
\n
*SOURCE - DESTINATION*:\n
-----------------------\n
Source		:	{4}:{5}\n
Destination	:	{6}:{7}\n
Timestamp	:	{8}\n
\n
*EVENT*\n
-----------------------\n
Category  :	{9}\n
Severity    :	{10}\n
Sensor	 :	{11}\n"

# Args to retrieve from the log for formatting
alert_text_args: ["num_hits", "rule.name", "rule.category", "rule.uuid", "source.ip", "source.port", "destination.ip", "destination.port", "event.ingested", "event.category", "event.severity_label", "observer.name"]

# Show only formatted text (not full log)
alert_text_type: alert_text_only

# (Required, change specific)
# Configuration for specific alerting type  
email:
- "[email protected]"
smtp_host: "exemple_host"
smtp_port: 25
smtp_ssl: false
from_addr: "[email protected]"

[rosswakelin]

the .ds files are the data streams, which are dynamically created as "sub components" of the index. If you reference the index logs-suricata.alerts-so, then it automatically also references the matching streams. You don't need to reference the streams directly. Ross

…

On Fri, 10 Jan 2025 at 21:44, Dylan Canton ***@***.***> wrote: Hello, Thank you very much for your complete answer! there's one last thing I don't understand: when I do a search for indexes containing *logs-suricata.alerts-so*, I get the following indexes: .ds-logs-suricata.alerts-so-2024.10.25-000002 .ds-logs-suricata.alerts-so-2024.12.13-000045 .ds-logs-suricata.alerts-so-2024.10.26-000003 .ds-logs-suricata.alerts-so-2024.12.14-000046 .ds-logs-suricata.alerts-so-2024.10.27-000004 .ds-logs-suricata.alerts-so-2024.12.11-000043 .ds-logs-suricata.alerts-so-2024.10.28-000005 .ds-logs-suricata.alerts-so-2024.12.12-000044 ... Each index starts with “*.ds-*” and ends with a *timestamp*. Do I need to indicate this in the elastalert rule or is just putting *logs-suricata.alerts-so* without the “.ds-” and the timestamp enough for Elastalert to search in Elastisearch ? I'm having trouble understanding the handling of index names between API requests made on Elasticsearch and elastalert rules (if the names are to be exactly similar). — Reply to this email directly, view it on GitHub <#14093 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AFJEGQIDMYRLNDHVGX4767D2J6CAXAVCNFSM6AAAAABU4WCOPWVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTCNZZGU2DSMA> . You are receiving this because you commented.Message ID: <Security-Onion-Solutions/securityonion/repo-discussions/14093/comments/11795490 @github.com>