Elastalert rule for SOC alert view #9524
Replies: 2 comments 1 reply
-
Hello Yannick, Did you add the Elastalert index setting in the manager's minion pillar file? SOC does not search this index by default, so you will need to add it in there to see the alert in Hunt or Dashboards. You can use Playbook to add it to Alerts. Hope this helps.
-
Also see https://docs.securityonion.net/en/2.3/playbook.html#overview: Any results from a Play (low, medium, high, critical severity) are available to view within Dashboards, Hunt, or Kibana. High or critical severity results from a Play will generate an Alert within the Security Onion Console Alerts interface.
-
Hello everyone,
I'm running SO as a distributed deployment on an air-gapped system with version 2.3.190. My question is, is there a way to create a rule with so-elastalert-create and make it come up in the alert overview? I managed to send alerts via mail but I don't find the alert as an event in elastic.
I tried the steps as described here
https://docs.securityonion.net/en/2.3/elastalert.html?highlight=Elastalert%20 but I couldn't make it work.
Thank you for your help.