- Can you write these rules as Sigma within Detections?
- We probably could rewrite our rules as Sigma but we'd then have to rewrite our backend to ingest Sigma - each of our Elastalerts sends a POST request to an endpoint for our SOAR platform. It's a good idea though - just something that may take a while to rewrite.
-
Our organization relies on a set of custom Elastalert rules that use a POST request to an alerting/incident triage tool. We have DevOps pipelines that will push the rules from a Git repository to the "/opt/so/rules/elastalert/rules/custom/" folder in test or production SO environments.
Testing these rules has always been painful. We developed a CLI app that uses the npm elasticdump package to copy index data between prod and dev SO environments. The app can then use SSH and issue the "elastalert-test-rule" command to test a particular rule and make sure there are no syntax errors.
This is all too clunky, however, and there are too many manual steps for an analyst/developer to take. What we would love to see in Security Onion is a GUI similar to what's already there for Suricata rules where you can just create a new rule and have it auto-deploy in 15 minutes. If the syntax is bad, the GUI would tell you before the rule deployed and broke the so-elastalert container...
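A pre-deploy gate for the workflow in the comment above, as an added example that is not code from Security Onion, ElastAlert or the commenter: the pipeline would run it over each rule file before pushing to "/opt/so/rules/elastalert/rules/custom/", so a rule missing a required key never reaches the so-elastalert container. The key names checked (`name`, `type`, `index`, `alert`, `num_events`, `timeframe`, `http_post_url`) are ElastAlert rule keys; the two sample rules and the https requirement are constructed for this example.

```python
from __future__ import annotations
from typing import Any

# Keys every ElastAlert rule needs, plus the extra keys the common built-in
# rule types and the `post` alerter require. Types not listed here only get
# the generic checks (ElastAlert also accepts custom `module.Class` types).
REQUIRED_KEYS = ("name", "type", "index", "alert")
TYPE_KEYS = {
    "any": (),
    "frequency": ("num_events", "timeframe"),
    "spike": ("spike_height", "spike_type", "timeframe"),
    "flatline": ("threshold", "timeframe"),
    "blacklist": ("compare_key", "blacklist"),
}
ALERT_KEYS = {"post": ("http_post_url",)}
TIME_UNITS = {"seconds", "minutes", "hours", "days", "weeks"}


def validate_rule(rule: dict[str, Any]) -> list[str]:
    """Return the problems found; an empty list means the rule may be deployed."""
    errors = [f"missing required key '{k}'" for k in REQUIRED_KEYS if k not in rule]
    rtype = rule.get("type")
    errors += [f"type '{rtype}' needs '{k}'" for k in TYPE_KEYS.get(rtype, ()) if k not in rule]
    tf = rule.get("timeframe")
    if tf is not None and not (isinstance(tf, dict) and tf and set(tf) <= TIME_UNITS):
        errors.append("timeframe must be a mapping of time units, e.g. {minutes: 15}")
    alerts = rule.get("alert", [])
    for alerter in [alerts] if isinstance(alerts, str) else alerts:
        if isinstance(alerter, str):  # per-alerter dicts (elastalert2) are skipped here
            missing = [k for k in ALERT_KEYS.get(alerter, ()) if k not in rule]
            errors += [f"alert '{alerter}' needs '{k}'" for k in missing]
    url = rule.get("http_post_url")
    # Local policy for this gate, not an ElastAlert requirement: the SOAR
    # endpoint receives the matched event data, so require TLS.
    if isinstance(url, str) and not url.startswith("https://"):
        errors.append("http_post_url must use https")
    return errors


# Constructed sample rules (not real detections): one deployable, one not.
GOOD_RULE = {
    "name": "soar-failed-logon-burst", "type": "frequency", "index": "so-*",
    "num_events": 20, "timeframe": {"minutes": 15},
    "filter": [{"term": {"event.outcome": "failure"}}],
    "alert": ["post"], "http_post_url": "https://soar.example.internal/api/alerts",
}
BAD_RULE = {
    "name": "broken", "type": "frequency", "index": "so-*",
    "timeframe": {"mins": 15},  # wrong unit name; num_events also missing
    "alert": "post", "http_post_url": "http://soar.example.internal/api/alerts",
}
```

In the pipeline, `yaml.safe_load` each file from the custom folder and refuse the push when `validate_rule` returns anything; the `elastalert-test-rule` run from the comment remains the authoritative check, this gate just fails fast on the obvious mistakes.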