Move In Day

salt/elastalert/defaults.yaml

@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 elastalert:
@@ -11,8 +16,8 @@ elastalert:
       minutes: 10
     old_query_limit:
       minutes: 5
-    es_host: {{salt['pillar.get']('manager:mainip', '')}}
-    es_port: {{salt['pillar.get']('manager:es_port', '')}}
+    es_host: {{salt['pillar.get']('global:managerip', '')}}
+    es_port: 9200
     es_conn_timeout: 55
     max_query_size: 5000
     #aws_region: us-east-1
@@ -21,10 +26,8 @@ elastalert:
     use_ssl: true
     verify_certs: false
     #es_send_get_body_as: GET
-{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
     es_username: "{{ ES_USER }}"
     es_password: "{{ ES_PASS }}"
-{%- endif %}
     writeback_index: elastalert_status
     alert_time_limit:
       days: 2

salt/elastalert/files/modules/so/playbook-es.py

@@ -1,5 +1,11 @@
 # -*- coding: utf-8 -*-
 
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 from time import gmtime, strftime
 import requests,json
 from elastalert.alerts import Alerter

salt/elastalert/init.sls

@@ -1,17 +1,6 @@
-# Copyright 2014-2022 Security Onion Solutions, LLC
-
-#    This program is free software: you can redistribute it and/or modify
-#    it under the terms of the GNU General Public License as published by
-#    the Free Software Foundation, either version 3 of the License, or
-#    (at your option) any later version.
-#
-#    This program is distributed in the hope that it will be useful,
-#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#    GNU General Public License for more details.
-#
-#    You should have received a copy of the GNU General Public License
-#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
+# this file except in compliance with the Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
 
@@ -23,16 +12,8 @@
 {%- set MANAGER_URL = salt['pillar.get']('global:url_base', '') %}
 {%- set MANAGER_IP = salt['pillar.get']('global:managerip', '') %}
 
-{% if grains['role'] in ['so-eval','so-managersearch', 'so-manager', 'so-standalone'] %}
-  {% set esalert = salt['pillar.get']('manager:elastalert', '1') %}
-  {% set esip = salt['pillar.get']('manager:mainip', '') %}
-  {% set esport = salt['pillar.get']('manager:es_port', '') %}
-{% elif grains['role'] == 'so-node' %}
-  {% set esalert = salt['pillar.get']('elasticsearch:elastalert', '0') %}
-{% endif %}
 
 # Elastalert
-{% if esalert == 1 %}
 
 # Create the group
 elastagroup:
@@ -138,8 +119,6 @@ append_so-elastalert_so-status.conf:
     - name: /opt/so/conf/so-status/so-status.conf
     - text: so-elastalert
 
-{% endif %}
-
 {% else %}
 
 {{sls}}_state_not_allowed:

salt/elastalert/soc_elastalert.yaml

@@ -0,0 +1,25 @@
+elastalert:
+  config:
+    disable_rules_on_error: false
+      description: Disable rules on failure.
+    run_every:
+      minutes: 3
+        description: Amount of time in minutes between searches.
+    buffer_time:
+      minutes: 10
+        description: Amount of time in minutes to look through.
+    old_query_limit:
+      minutes: 5
+        description: Amount of time in minutes between queries to start at the most recently run query.
+    es_conn_timeout: 55
+      description: Timeout in seconds for connecting to and reading from Elasticsearch.
+    max_query_size: 5000
+      description: The maximum number of documents that will be downloaded from Elasticsearch in a single query.
+    alert_time_limit:
+      days: 2
+        description: The retry window for failed alerts.
+    index_settings:
+      shards: 1
+        description: The amount of shards to use for elastalert.
+      replicas: 0
+        description: The amount of replicas for the Elastalert index.