Does anyone have a sample rule for SMTP alerting on a specific query?
My query would be something like below. But I think it would be a huge help to see a sample, and do some reverse engineering.
index: "*:logstash-*"
filter:
- query:
    query_string:
      query: "event_type: bro_x509 AND san_dns: \"*somewebpage.com*\""
Thanks guys.
I have been trying for several hours with no luck. I seem to be unable to define a working .yaml rule in SO, for alerting via e-mail.
I am really open to any yaml file, which can help me.
Hope this helps as an example.
Drop the file in /etc/elastalert/rules
Filename.yaml
The thing that caught me out is the spacing. Check out the rules in the above rules folder as well.
es_host: elasticsearch
es_port: 9200
name: Security Log Cleared
index: "*:logstash-beats*"
filter:
- query:
    query_string:
      query: "event_id: 1102 OR event_id: 104"
type: any
alert:
- "email"
email:
- "t...@domain.com"
smtp_host: "Email server FQDN"
smtp_port: 25
from_addr: "fr...@domain.com"
Phil
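Since the spacing and an unclosed quote are the usual reasons a rule like the above fails to load, here is a small checker, added as an example and not part of this thread or of ElastAlert itself. It works on the raw rule text (for quote problems that stop the YAML from parsing at all) and on the parsed dict (for missing keys the email alerter needs); the sample rule text and dict are constructed for this example, with example.com addresses in place of real ones.

```python
import re

# Keys every ElastAlert rule needs, plus what the "email" alerter needs on top.
REQUIRED_KEYS = ("es_host", "es_port", "name", "index", "type", "filter", "alert")
EMAIL_KEYS = ("email", "smtp_host", "from_addr")

def unclosed_quote(line: str) -> bool:
    """True when a `key: "value...` line opens a double quote it never closes.
    Backslash-escaped quotes (\\") inside the value are ignored."""
    m = re.match(r'^\s*-?\s*[\w.]+:\s*(".*)$', line)
    if not m:
        return False
    body = m.group(1)[1:]                  # drop the opening quote
    unescaped = re.sub(r'\\.', '', body)   # remove escaped chars such as \"
    return '"' not in unescaped

def check_rule_text(text: str) -> list:
    """Line-level checks that must pass before the YAML can even be parsed."""
    problems = []
    for no, line in enumerate(text.splitlines(), 1):
        if unclosed_quote(line):
            problems.append(f"line {no}: unclosed double quote")
    return problems

def check_rule(rule: dict) -> list:
    """Semantic checks on a parsed rule (what yaml.safe_load would return)."""
    problems = [f"missing key: {k}" for k in REQUIRED_KEYS if k not in rule]
    flt = rule.get("filter")
    if not isinstance(flt, list) or not all(isinstance(f, dict) for f in flt):
        problems.append("filter must be a list of query mappings (check indentation)")
    if "email" in (rule.get("alert") or []):
        problems += [f"email alert needs: {k}" for k in EMAIL_KEYS if k not in rule]
    return problems

# Constructed sample: the query line opens a double quote but never closes it.
BROKEN_RULE_TEXT = r'''index: "*:logstash-*"
filter:
- query:
    query_string:
      query: "event_type: bro_x509 AND san_dns: \"*somewebpage.com*\"
'''

# Constructed sample: a complete email rule, as yaml.safe_load would return it.
GOOD_RULE = {
    "es_host": "elasticsearch", "es_port": 9200, "name": "Security Log Cleared",
    "index": "*:logstash-beats*",
    "filter": [{"query": {"query_string": {"query": "event_id: 1102 OR event_id: 104"}}}],
    "type": "any", "alert": ["email"], "email": ["analyst@example.com"],
    "smtp_host": "mail.example.com", "smtp_port": 25, "from_addr": "elastalert@example.com",
}
```

Run check_rule_text on the file before handing it to ElastAlert, then check_rule on the dict from yaml.safe_load; an empty list from both means the rule has the structure the working example above has.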
Still a bit confused about simple filtering, like specifying bro_dns and a query. But now I should be able to find out.
es_host: elasticsearch
es_port: 9200
name: Cisco SSH Failed Login
index: "*:logstash-bro*"
filter:
- query:
    query_string:
      query: "message: 605004"
type: any