ElastAlert
Table of Contents
- TLDR (Too long; didn’t read)
- Use-Cases
- Installing ElastAlert
- Writing Rules
- Rule Types & Examples
- Adding Rules
- Running ElastAlert
- References
TLDR
Using ElastAlert on Security Onion 16
- Define your notification criteria (see Use-Cases)
- Create a rule file (see Writing Rules)
- If necessary, create your support files (ex: whitelist, blacklist, etc.)
- Copy everything to the /etc/elastalert/rules/ directory on your Master Node
- Test it by executing
sudo so-elastalert-test
sudo so-elastalert-test
- Restart ElastAlert using
sudo so-elastalert-restart
- Create a Kibana Visualization on your Master Node to view the alerts
Use-Cases
|Applicable Rule Type|Notification Criteria|
|---|---|
|Flatline|Monitoring the heartbeat of a critical server|
|Whitelist|Detecting abnormal DNS queries|
|Whitelist|Detecting abnormal outbound network connections from a critical server|
Installing ElastAlert
# command goes here
Writing Rules
Option 1: Manually
- Use a text-editor to create a new file
# naming convention tip: ruletype-rulename.yaml
sudo vim whitelist-authorized_IPs.yaml
- Add your notification criteria using the proper syntax (see Rule Types & Examples and/or References).
Option 2: Automatically
Security Onion 16 has a script called so-elastalert-create that makes it easier to develop ElastAlert rules.
sudo so-elastalert-create
Rule Types & Examples
Whitelist
sudo vim whitelist-authorized_IPs.yaml
# alert on any IP address not on the whitelist
es_host: elasticsearch
es_port: 9200
name: Unknown IP detected!
index: "*:logstash-*"
type: whitelist
# field whose value is checked against the whitelist
compare_key: source_ip
# skip events that have no source_ip field instead of alerting on them
ignore_null: true
whitelist:
# "!file" loads one whitelist entry per line from the named file
- "!file /etc/elastalert/rules/_authorized_ips.txt"
alert:
- debug
sudo vim /etc/elastalert/rules/_authorized_ips.txt
192.168.56.1
192.168.56.2
192.168.56.3
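To check what the whitelist rule above will and will not fire on before copying it to the Master Node, the following added example (not ElastAlert's or Security Onion's code) does a local dry run: it parses the rule's flat YAML with a deliberately minimal parser, expands the `!file` entry into one whitelist value per line as the rule option documents, and applies whitelist semantics (alert when `compare_key` is present and not whitelisted; skip missing values when `ignore_null` is true) to a few constructed events. The `FILES` dictionary stands in for the two files on disk so the script runs offline; `parse_flat_yaml`, `resolve_list` and `whitelist_matches` are names chosen here, not ElastAlert APIs.

```python
from typing import Any, Dict, List, Optional

# Constructed stand-in for the two files on disk, so the dry run needs no filesystem.
FILES: Dict[str, str] = {
    "whitelist-authorized_IPs.yaml": """\
# alert on any IP address not on the whitelist
es_host: elasticsearch
es_port: 9200
name: Unknown IP detected!
index: "*:logstash-*"
type: whitelist
compare_key: source_ip
ignore_null: true
whitelist:
  - "!file /etc/elastalert/rules/_authorized_ips.txt"
alert:
  - debug
""",
    "/etc/elastalert/rules/_authorized_ips.txt": "192.168.56.1\n192.168.56.2\n192.168.56.3\n",
}

# Constructed events in the shape of Security Onion logstash documents (field names assumed).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"@timestamp": "2019-01-01T10:00:00Z", "source_ip": "192.168.56.2", "event_type": "bro_conn"},
    {"@timestamp": "2019-01-01T10:00:01Z", "source_ip": "10.0.0.9", "event_type": "bro_conn"},
    {"@timestamp": "2019-01-01T10:00:02Z", "event_type": "syslog"},  # no source_ip at all
]


def parse_flat_yaml(text: str) -> Dict[str, Any]:
    """Parse the flat 'key: value' and '- item' subset used by simple rules.

    This is not a general YAML parser; ElastAlert itself uses PyYAML. It is
    enough for rules like the one above and keeps the example dependency-free.
    """
    rule: Dict[str, Any] = {}
    current_list: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):
            if current_list is None:
                raise ValueError("list item outside a list key: %r" % raw)
            rule[current_list].append(line[2:].strip().strip('"'))
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value == "":          # 'whitelist:' with items on the following lines
            rule[key] = []
            current_list = key
            continue
        current_list = None
        if value.lower() in ("true", "false"):
            rule[key] = value.lower() == "true"
        elif value.isdigit():
            rule[key] = int(value)
        else:
            rule[key] = value.strip('"')
    return rule


def resolve_list(items: List[str]) -> List[str]:
    """Expand '!file <path>' entries into the non-empty lines of that file."""
    out: List[str] = []
    for item in items:
        if item.startswith("!file "):
            path = item[len("!file "):].strip()
            out.extend(ln.strip() for ln in FILES[path].splitlines() if ln.strip())
        else:
            out.append(item)
    return out


def whitelist_matches(rule: Dict[str, Any], events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the events that the whitelist rule would alert on.

    An event alerts when compare_key is present and its value is not whitelisted.
    A missing value is skipped when ignore_null is true, and alerts otherwise.
    """
    key = str(rule["compare_key"])
    allowed = set(resolve_list(rule["whitelist"]))
    ignore_null = bool(rule.get("ignore_null", False))
    hits: List[Dict[str, Any]] = []
    for event in events:
        value = event.get(key)
        if value is None:
            if not ignore_null:
                hits.append(event)
            continue
        if str(value) not in allowed:
            hits.append(event)
    return hits


def run_dry() -> List[str]:
    """Load the rule from the constructed files and list the source_ip values that would alert."""
    rule = parse_flat_yaml(FILES["whitelist-authorized_IPs.yaml"])
    return [str(ev["source_ip"]) for ev in whitelist_matches(rule, SAMPLE_EVENTS)]


if __name__ == "__main__":
    print("would alert on:", run_dry())
```

Flipping `ignore_null` to `false` in the rule makes the third event (no `source_ip`) alert as well, which is usually noise on an index like `*:logstash-*` that mixes log types; that is why the rule above keeps it `true`.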
Adding Rules
Security Onion 16
# copy your YAML file to the correct directory
sudo cp whitelist-authorized_IPs.yaml /etc/elastalert/rules/
Running ElastAlert
# command goes here