Email Notification Setup in ElastAlert

[colaint]

Hi everyone,

I’m trying to set up email notifications for alerts in Security Onion 2.4.90, but I’ve run into some confusion regarding SMTP settings and rule locations.

What I’ve done so far:

• Created a custom rule under /opt/so/rules/elastalert/rules/custom:

name: Email Test
type: any
index: logs-*
alert:
  - "email"
email:
  - "[email protected]"

• Added the SMTP username and password via the Security Onion Web UI under “elastalert,” which successfully updated /opt/so/conf/elastalert/predefined/smtp_auth.yaml.

Where I’m stuck:

According to the documentation, there should be a setting under:
Web UI > SOC > Config > Server > Modules > ElastAlertEngine > "Notifications: Sev 0/Default Parameters"
However, I couldn’t find this option in the UI.

Here is my current SMTP settings:

smtp_host: "smtp.gmail.com"
smtp_port: 465
smtp_ssl: true
from_addr: "[email protected]"
smtp_auth_file: '/opt/so/conf/elastalert/predefined/smtp_auth.yaml'

Confusion on Custom Rule Locations:

I’ve also found older posts suggesting different locations for custom rules:

• /opt/so/saltstack/local/salt/elastalert/files/custom
• /opt/so/conf/elastalert/custom

Questions:

1. Where exactly should I put my SMTP settings?
2. Which is the correct path for custom rules?

Any guidance would be greatly appreciated!

Thanks in advance!

[cm-ops]

https://docs.securityonion.net/en/2.4/notifications.html Notifications are a Security Onion Pro feature, do you have a Pro license?

[colaint]

I don't have a Pro license, but I recall seeing somewhere in the documentation that email notifications might still be possible by placing the settings in a custom folder or something similar. Regardless, I appreciate your response and clarification. Thank you!

[rosswakelin]

If you use Elastalert you can get it to send emails for you, rather than direct from Security Onion Pro

[colaint]

Would you mind telling me how to set it up? Thank you!

[rosswakelin]

Here you go...
This is my file to generate an email, ServiceNow tickets and a Teams notification if there is a High alert generated by Suricata. This lives in a file called /opt/so/conf/elastalert/custom/High.yaml:

#elasticsearch Host
es_host: cha-osom-v11
es_port: 9200

# (Required)
# Rule name, must be unique
name: "[OPS IDS]  High Severity Event !!!"


# (Required)
# Index to search, wildcard supported
index: "logs-suricata.alerts-so*"

# (Required)
# Type of alert.
# This rule will monitor a certain field and match if that field changes.
type: frequency

# (Required, change specific)
# The field to look for changes in
num_events: 1
timeframe:
    minutes: 3
buffer_time:
    minutes: 5
allow_buffer_time_overlap: true
filter:
    - query:
       query_string:
         query: "event.severity:3 AND event.acknowledged is null"

#include:
# - rule.name
# - rule.category
# - source.ip
# - destination.ip
# - destination.port
# - event.ingested

alert_text_type: alert_text_only

alert_text: "
*Number of hits*:       {11}\n
\n
*RULE*:\n
*Category*:     {5}\n
*Rulename*:     {6}\n
*Reference*:    {7}\n
\n
*SOURCE - DESTINATION*:\n
*Source*:       {0}:{1}\n
*Destination*:  {2}:{3}\n
*Timestamp*:    {4}\n
\n
*EVENT*\n
*Category*:     {8}\n
*Severity*:     {9}\n
*Sensor*:       {10}\n"

alert_text_args: ["source.ip", "source.port", "destination.ip", "destination.port", "event.ingested", "rule.category", "rule.name", "rule.reference", "event.category", "event.severity_label", "host.name", num_hits]


# (Required)
# The alert is use when a match is found
#alert:
#
#- "ms_teams"
#ms_teams_alert_summary: "Alert"
#ms_teams_theme_color: '#ff0000'
#ms_teams_alert_fixed_width: false
#ms_teams_webhook_url: "https://xxxxt.webhook.office.com/webhookb/xxx5x"
#
#-------------------------------------------------------------------------------------------------------

alert:
- email
- command
- ms_teams

# (required, email specific)
# a list of email addresses to send alerts to

email:
- "[email protected]"
smtp_host: "10.0.0.1"
smtp_port: 25
from_addr: "[email protected]"

command: "curl -k -s -H 'Accept: Application/JSON' -H 'Content-Type: Application/JSON' -H 'Authorization: Basic blahblah' -X POST 'https://mydev.service-now.com/api/global/em/jsonv2' -d'{\"records\": [ { \"source\":\"IDS\",\"node\":\"%(source.ip)s\",\"event_class\":\"%(observer.name)s\",\"resource\":\"%(rule.name)s\",\"metric_name\":\"Connection\",\"type\":\"Security\",\"severity\":\"2\",\"time_of_event\":\"%(@timestamp)s\",\"description\":\"%(rule.category)s, Rule %(rule.name)s, Source IP: %(source.ip)s, Destination IP: %(destination.ip)s, Refer to: %(rule.reference)s\"}]}'"

command: "curl -k -s -H 'Accept: Application/JSON' -H 'Content-Type: Application/JSON' -H 'Authorization: Basic Blahblah' -X POST 'https://mytst.service-now.com/api/global/em/jsonv2' -d'{\"records\": [ { \"source\":\"IDS\",\"node\":\"%(source.ip)s\",\"event_class\":\"%(observer.name)s\",\"resource\":\"%(rule.name)s\",\"metric_name\":\"Connection\",\"type\":\"Security\",\"severity\":\"2\",\"time_of_event\":\"%(@timestamp)s\",\"description\":\"%(rule.category)s, Rule %(rule.name)s, Source IP: %(source.ip)s, Destination IP: %(destination.ip)s, Refer to: %(rule.reference)s\"}]}'"

command: "curl -k -s -H 'Accept: Application/JSON' -H 'Content-Type: Application/JSON' -H 'Authorization: Basic Blahblah' -X POST 'https://myprod1.service-now.com/api/global/em/jsonv2' -d'{\"records\": [ { \"source\":\"IDS\",\"node\":\"%(source.ip)s\",\"event_class\":\"%(observer.name)s\",\"resource\":\"%(rule.name)s\",\"metric_name\":\"Connection\",\"type\":\"Security\",\"severity\":\"2\",\"time_of_event\":\"%(@timestamp)s\",\"description\":\"%(rule.category)s, Rule %(rule.name)s, Source IP: %(source.ip)s, Destination IP: %(destination.ip)s, Refer to: %(rule.reference)s\"}]}'"

ms_teams_alert_summary: IDS Alert
ms_teams_alert_fixed_width: false
ms_teams_theme_color: '#ff0000'
ms_teams_webhook_url: 'https://prod-20.australiasoutheast.logic.azure.com:443/workflows/myflowid/triggers/manual/paths/invoke?api-version=2016-06-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=mysig

`

[colaint]

Thank you so much! Really appreciate it! I will try it out.

[colaint]

Hi Ross,

Thanks again for sharing the configurations - it worked for me! I have another question besides the email setup.

I'm unsure which index I should use. I've tried:

• logs-suricata.alerts-so*
• logs-suricata.alerts-so
• .ds-logs-suricata.alerts-so*

But none of them worked. The only one that did work was .ds-logs-*, but that includes all alerts, which isn't what I want.

I also checked that my actual alerts have soc_source as:
[heavynode]:.ds-logs-suricata.alerts-so-[time and date]

Do you have any idea how I can specify the correct index?

[rosswakelin]

Hi. The index shown in the above file works for me. I also have some direct elastic API queries I run against the SO elastic to get counters that I display on wallboards, and this is one of the lines from that query:

req.body = '{"query":"from logs-suricata.alerts-so | where event.acknowledged is null | stats totalcount = count() by event.severity"}'

so the above query gets me a count for each "level" of alert inside the alerts table that hasn't been acknowledged, i.e. the number of new or outstanding alerts per criticality. Both this query, and my Elastalert query use the same table: logs-suricata.alerts-so