Example ElastAlert Rule from SO 2.3?

[Ishfal]

Hi All,
Could anyone share an example ElastAlert rule that is working for them on SO 2.3? I have been trying to translate rules I had working on SO 16.04 to the new indices, etc., on SO 2.3 but have been failing so far.

Currently, the documentation and source files don't have example *.yaml files, so I wanted to see if anyone would be willing to share one that is working on their system so I can try to figure out what I'm doing wrong.

Thank you!

[lan94]

Why don't you just share your last rule so that we can determine where your problem lies? You could also try to share your ElastAlert Logs.

[jtrodriguez]

I am having a similar problem. I cannot figure how to get any elastalert rule working. If anyone can provide a sample that would be appreciated.

I am new to security onion and elastalert so any help is appreciated.

I attempted to create a rule with the so-elastalert-create script multiple times but it prevents elastalert from loading properly.

[defensivedepth]

Playbook allows you to easily create new detections which generate alerts in Security Onion. It uses ElastAlert in the background.

Playbook docs: https://docs.securityonion.net/en/2.3/playbook.html#creating-a-new-play

Security Onion Essentials training session that highlights Playbook: https://www.youtube.com/watch?v=IS2SOlDedPc&list=PLljFlTO9rB155aYBjHw2InKkSMLuhWpxH&index=7

If you all can give an example of what you are trying to do, I can show you how to do that within Playbook.

[jtrodriguez]

Will the playbook allow me to create alerts to my email and slack?

[jtrodriguez]

@defensivedepth I found the elastalert version of each playbook item under playbook and referenced that. Thank you!