add support for custom alerters

This commit is contained in:
Jason Ertel
2024-05-17 14:49:39 -04:00
parent aa0163349b
commit 1c4d36760a
4 changed files with 21 additions and 0 deletions


@@ -1,5 +1,6 @@
elastalert:
enabled: False
alerter_parameters: ""
config:
rules_folder: /opt/elastalert/rules/
scan_subdirectories: true


@@ -13,3 +13,8 @@
{% do ELASTALERTDEFAULTS.elastalert.config.update({'es_password': pillar.elasticsearch.auth.users.so_elastic_user.pass}) %}
{% set ELASTALERTMERGED = salt['pillar.get']('elastalert', ELASTALERTDEFAULTS.elastalert, merge=True) %}
{% set params = ELASTALERTMERGED.alerter_parameters | load_yaml %}
{% if params != None %}
{% do ELASTALERTMERGED.config.update(params) %}
{% endif %}
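Review bot: `{% do ELASTALERTMERGED.config.update(params) %}` merges the operator-supplied `alerter_parameters` blob into the whole ElastAlert config, and it runs after `es_password` and the other connection settings have been put in place, so any top-level config key (es_* settings, rules_folder, and so on) can be overridden from that one free-form field, not only alerter parameters. If that is intended, the annotation description should say so; otherwise merge only an allow-list of keys, or perform the update before the es_* keys are set so those keep precedence. The guard `{% if params != None %}` only covers an empty value: `load_yaml` of a scalar or a list yields something that is not a mapping and `.update()` then fails at render time, so `{% if params is mapping %}` is the tighter check. A string that is not valid YAML presumably also fails the render rather than being ignored, which may be acceptable but is worth a comment on the `load_yaml` line. The surrounding file starts before this hunk.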


@@ -2,6 +2,14 @@ elastalert:
enabled:
description: You can enable or disable Elastalert.
helpLink: elastalert.html
alerter_parameters:
title: Alerter Parameters
description: Custom configuration parameters for additional, optional alerters that can be enabled for all Sigma rules. Filter for 'Additional Alerters' in this Configuration screen to find the setting that allows these alerters to be enabled within the SOC ElastAlert module. Use YAML format for these parameters, and reference the ElastAlert 2 documentation, located at https://elastalert2.readthedocs.io, for available alerters and their required configuration parameters.
global: True
multiline: True
syntax: yaml
helpLink: elastalert.html
forcedType: string
config:
disable_rules_on_error:
description: Disable rules on failure.
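Review bot: The new `alerter_parameters.description` is one very long plain scalar; writing it as a folded block (`description: >-` with the sentences wrapped on following lines) keeps the same runtime value and makes the annotation reviewable. The description also presents the value as parameters "for additional, optional alerters", while the accompanying sls merges the parsed YAML into the full ElastAlert config (as far as the files in this commit show), so one sentence noting that any ElastAlert configuration key placed here takes effect would set the right expectation for operators. `global: True` and `multiline: True` follow the file's existing capitalised-boolean style (`advanced: True` elsewhere), so no change there.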


@@ -83,6 +83,13 @@ soc:
advanced: True
modules:
elastalertengine:
additionalAlerters:
title: Additional Alerters
description: Specify additional alerters to enable for all Sigma rules, one alerter name per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. Note that the configuration parameters for these alerters must be provided in the ElastAlert configuration section. Filter for 'Alerter Parameters' to find this related setting.
global: True
helpLink: sigma.html
forcedType: "[]string"
multiline: True
allowRegex:
description: 'Regex used to filter imported Sigma rules. Deny regex takes precedence over the Allow regex setting.'
global: True
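Review bot: None of the four files in this commit appears to add a default value for `additionalAlerters`, so unless the soc defaults pillar already carries an entry, the engine may receive a null rather than an empty list when the setting has never been saved; confirm against the defaults file and add `additionalAlerters: []` there if it is missing. `forcedType: "[]string"` is correctly quoted (an unquoted `[` would be parsed as a flow sequence). As with the `alerter_parameters` annotation, the single-line `description` would read better as a folded block (`description: >-`) with no change to the stored text.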