Elastalert to email

[DebianGuru]

My end goal is to have any alerts (that would show up as event.severity_label high) to be sent to email.

From what I understand (and read) I should follow https://docs.securityonion.net/en/2.3/elastalert.html#email-internal.

I generated a file called /opt/so/rules/elastalert/smtp.yaml. I pasted the example from the link above in, just replacing the appropriate fields, then saved the file.

sudo so-elastalert-restart then failed to restart elastalert. sudo so-status showed [ERROR].sudo

tail -f /opt/so/log/elastalert/elastalert.log showed the error like this:
"elastalert Error connecting to SMTP host: [Errno 99] Cannot assign requested address"

I verified the hostname of our mail server and verified that I could ping it and it resolved to the correct IP.

Any ideas? Thanks.

[cm-ops]

What does your config look like? Additional documentation is here https://elastalert2.readthedocs.io/en/latest/ruletypes.html#email

[DebianGuru]

Thanks for replying. I made a file called smtp.yaml and placed it into /opt/so/rules/elastalert/ folder. I pasted from the documentation. Of course, I verified the name of our mail server and port 25 was correct. The formatting in the SO document, vs the elastalert site look somewhat different? Am I putting this in the correct file with the right format? I know that spacing is important too, but the examples in the SO document had no leading spaces.

alert:

• "email"
  email:
• "[email protected]"
  smtp_host: "mail.mycompany.com"
  smtp_port: 25
  from_addr: "[email protected]"

(The preview is messing up this a bit. The characters are "-" not dots and it's all left justified.

[cm-ops]

alert:
- "email"
email:
- "[email protected]"
smtp_host: "your_company_smtp_server"
smtp_port: 25
from_addr: "[email protected]" 

That looks correct. Is that all that is in the file? You would add that as an alert to the rule config, for example, all high severity events.

[DebianGuru]

That's Chris, I just discovered that yesterday. The documentation is brief and I didn't realize that it was just a small part of the whole necessary file. I think I'm supposed to set this as type: blacklist. If I understand, that means anything see in matching the key and value would trigger this alert?

At the moment, I'm just going to be happy sending suricata alerts, then I'll narrow it down to include only "high" suricat alerts. (I think that would be event.security_label: "high").

At first, I set it as type "any" and I did get emails, so the email mechanism is working. Then I changed it to "blacklist".

Strangely enough, after I set this up, (about 12 hours) I've actually seen no alerts come through suricata at all so I have
Here's the full file now:

name: email
type: blacklist
es_host: securityonion
es_port: 9200
index: ":so-"

compare_key:

• "event.module"
  blacklist:
• "suricata"

alert:

• "email"
  email:
• "[email protected]"
  smtp_host: "your_company_smtp_server"
  smtp_port: 25
  from_addr: "[email protected]"

Does that look correct?

Messing with this here won't affect what SO is already doing will it? (It won't divert alerts away from SOC?).

Thanks for your help.

[cm-ops]

You could try something like below:

# Elasticsearch Host
es_host: <IP>
es_port: 9200

# (Required)
# Rule name, must be unique
name: Alert Serverity Label High


# (Required)
# Index to search, wildcard supported
index: "*:so-*"


# (Required)
# Type of alert.
# the frequency rule type alerts when num_events events occur with timeframe time
type: frequency

# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
num_events: 1

# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
timeframe:
  minutes: 10

buffer_time:
  minutes: 10

allow_buffer_time_overlap: true

query_key: ["rule.uuid","source.ip","destination.ip"]

# This option allows you to ignore repeating alerts for a period of time.
realert:
  minutes: 60

#(Required)
# A list of Elasticsearch filters used for find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
filter:

- term:
    event.severity_label: "high"

# (Required)
# The alert is use when a match is found
alert:
- email
email:
- "[email protected]"
smtp_host: "your_company_smtp_server"
smtp_port: 25
from_addr: "[email protected]"