Adding a custom rule type to ElastAlert in Security Onion

[Lighar]

Version

2.4.150

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

4

RAM

16

Storage for /

200

Storage for /nsm

50

Network Traffic Collection

span port

Network Traffic Speeds

more than 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hi all,

I'm trying to add a custom ElastAlert rule type to my Security Onion deployment following the ElastAlert2 guide here:
https://elastalert2.readthedocs.io/en/latest/recipes/adding_rules.html#adding-a-new-rule-type

It works fine in a standalone ElastAlert2 setup, but I can’t reproduce it inside Security Onion. The file layout is too different, and I'm not sure where to place the custom Python module and how to import it correctly in my rules.

I mainly tried to follow the ElastAlert guide, look for the rules files in security onion and understanding how its implemented but failed to really find something that works.

Here are my main questions, if it is possible to do this :

• Where to place the custom_rule_type.py file?
• How to structure the path in the YAML to reference this custom class?
• Can it persist across Security Onion updates ?

Any help or pointers would be really appreciated!

Thanks in advance !

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

Have you tried creating a custom directory in /opt/so/saltstack/default/salt/elastalert/files/modules/ and placing your custom_rule_type.py there? If you have a customization in the local path it should be persistent.

https://elastalert2.readthedocs.io/en/latest/recipes/adding_rules.html#tutorial