TLDR

Using ElastAlert on Security Onion 16

  1. Define your notification criteria (see Use-Cases)
  2. Create a rule file (see Writing Rules)
    • If necessary, create your support files (ex: whitelist, blacklist, etc.)
  3. Copy everything to the /etc/elastalert/rules/ directory on your Master Node
  4. Test it by executing sudo so-elastalert-test
  5. Restart ElastAlert using sudo so-elastalert-restart
  6. Create a Kibana Visualization on your Master Node to view the alerts

Use-Cases

| Applicable Rule Type | Notification Criteria |
|---|---|
| Flatline | Monitoring the heartbeat of a critical server |
| Whitelist | Detecting abnormal DNS queries |
| Whitelist | Detecting abnormal outbound network connections from a critical server |

Installing ElastAlert

# command goes here

Writing Rules

Option 1: Manually

  1. Use a text-editor to create a new file
    # naming convention tip: ruletype-rulename.yaml
    sudo vim whitelist-authorized_IPs.yaml
    
  2. Add your notification criteria using the proper syntax (see Rule Types & Examples and/or References).

Option 2: Automatically

Security Onion 16 has a script called so-elastalert-create that makes it easier to develop ElastAlert rules.

sudo so-elastalert-create

Rule Types & Examples

Whitelist

# alert on any IP address not on the whitelist
sudo vim whitelist-authorized_IPs.yaml

es_host: elasticsearch
es_port: 9200
name: Unknown IP detected!
index: "*:logstash-*"
type: whitelist
compare_key: source_ip
ignore_null: true
whitelist:
    - "!file /etc/elastalert/rules/_authorized_ips.txt"
alert:
    - debug

# one authorized address per line; the rule loads this file through the "!file" entry above
sudo vim /etc/elastalert/rules/_authorized_ips.txt

192.168.56.1
192.168.56.2
192.168.56.3
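To show what the whitelist rule above actually evaluates, here is an added Python example (not ElastAlert's own code and not part of the original page) that reproduces the rule's matching logic: it expands a `!file` entry into a set of addresses, applies `compare_key` and `ignore_null` to a few constructed events, and returns the ones that would raise an alert. It also accepts literal whitelist entries next to `!file`, which the YAML above does not use.

```python
import os
import tempfile

# Constructed authorized-IP list, the same three addresses as _authorized_ips.txt above.
AUTHORIZED_IPS = "192.168.56.1\n192.168.56.2\n192.168.56.3\n"

# Constructed sample events; the real rule reads them from the logstash-* indices.
EVENTS = [
    {"source_ip": "192.168.56.1", "destination_port": 443},  # whitelisted
    {"source_ip": "203.0.113.7", "destination_port": 22},    # unknown -> alert
    {"destination_ip": "192.168.56.2"},                      # compare_key missing
    {"source_ip": None},                                     # compare_key null
]


def load_whitelist(entries):
    """Expand rule entries: '!file <path>' contributes one value per non-empty
    line of that file, any other entry is taken as a literal value."""
    values = set()
    for entry in entries:
        if entry.startswith("!file "):
            path = entry[len("!file "):].strip()
            with open(path) as fh:
                values.update(line.strip() for line in fh if line.strip())
        else:
            values.add(entry)
    return values


def whitelist_matches(rule, whitelist, event):
    """True when the event alerts: compare_key present but not whitelisted.
    With ignore_null set, events lacking the key (or holding null) never alert."""
    value = event.get(rule["compare_key"])
    if value is None:
        return not rule["ignore_null"]
    return value not in whitelist


def run_rule(rule, events):
    whitelist = load_whitelist(rule["whitelist"])
    return [e for e in events if whitelist_matches(rule, whitelist, e)]


def demo():
    """Write the authorized-IP file into a temp dir, point the rule at it and
    return the source_ip of every constructed event that would alert."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "_authorized_ips.txt")
        with open(path, "w") as fh:
            fh.write(AUTHORIZED_IPS)
        rule = {"name": "Unknown IP detected!", "type": "whitelist",
                "compare_key": "source_ip", "ignore_null": True,
                "whitelist": ["!file " + path]}
        return [e["source_ip"] for e in run_rule(rule, EVENTS)]
```

Running `demo()` reports only the address absent from the file; flipping `ignore_null` to `False` would additionally surface the two events without a usable `source_ip`.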

Adding Rules

Security Onion 16

# copy your YAML file to the correct directory
sudo cp whitelist-authorized_IPs.yaml /etc/elastalert/rules/

Running ElastAlert

# command goes here

References