securityonion/salt/elastalert/soc_elastalert.yaml

elastalert:
  enabled:
    description: You can enable or disable Elastalert.
    helpLink: elastalert.html
  alerter_parameters:
    title: Alerter Parameters
    description: Optional configuration parameters for additional alerters that can be enabled for all Sigma rules. Filter for 'Alerter' in this Configuration screen to find the setting that allows these alerters to be enabled within the SOC ElastAlert module. Use YAML format for these parameters, and reference the ElastAlert 2 documentation, located at https://elastalert2.readthedocs.io, for available alerters and their required configuration parameters. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key.
    global: True
    multiline: True
    syntax: yaml
    helpLink: elastalert.html
    forcedType: string
  jira_api_key:
    title: Jira API Key
    description: Optional configuration parameter for Jira API Key, used instead of the Jira username and password. Requires a valid Security Onion license key.
    global: True
    sensitive: True
    helpLink: elastalert.html
    forcedType: string
  jira_pass:
    title: Jira Password
    description: Optional configuration parameter for Jira password. Requires a valid Security Onion license key.
    global: True
    sensitive: True
    helpLink: elastalert.html
    forcedType: string
  jira_user:
    title: Jira Username
    description: Optional configuration parameter for Jira username. Requires a valid Security Onion license key.
    global: True
    helpLink: elastalert.html
    forcedType: string
  smtp_pass:
    title: SMTP Password
    description: Optional configuration parameter for SMTP password, required for authenticating email servers. Requires a valid Security Onion license key.
    global: True
    sensitive: True
    helpLink: elastalert.html
    forcedType: string
  smtp_user:
    title: SMTP Username
    description: Optional configuration parameter for SMTP username, required for authenticating email servers. Requires a valid Security Onion license key.
    global: True
    helpLink: elastalert.html
    forcedType: string
  files:
    custom:
      alertmanager_ca__crt:
        description: Optional custom Certificate Authority for connecting to an AlertManager server. To utilize this custom file, the alertmanager_ca_certs key must be set to /opt/elastalert/custom/alertmanager_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
        global: True
        file: True
        helpLink: elastalert.html
      gelf_ca__crt:
        description: Optional custom Certificate Authority for connecting to a Graylog server. To utilize this custom file, the graylog_ca_certs key must be set to /opt/elastalert/custom/graylog_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
        global: True
        file: True
        helpLink: elastalert.html
      http_post_ca__crt:
        description: Optional custom Certificate Authority for connecting to a generic HTTP server, via the legacy HTTP POST alerter. To utilize this custom file, the http_post_ca_certs key must be set to /opt/elastalert/custom/http_post2_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
        global: True
        file: True
        helpLink: elastalert.html
      http_post2_ca__crt:
        description: Optional custom Certificate Authority for connecting to a generic HTTP server, via the newer HTTP POST 2 alerter. To utilize this custom file, the http_post2_ca_certs key must be set to /opt/elastalert/custom/http_post2_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
        global: True
        file: True
        helpLink: elastalert.html
      ms_teams_ca__crt:
        description: Optional custom Certificate Authority for connecting to Microsoft Teams server. To utilize this custom file, the ms_teams_ca_certs key must be set to /opt/elastalert/custom/ms_teams_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
        global: True
        file: True
        helpLink: elastalert.html
      pagerduty_ca__crt:
        description: Optional custom Certificate Authority for connecting to PagerDuty server. To utilize this custom file, the pagerduty_ca_certs key must be set to /opt/elastalert/custom/pagerduty_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
        global: True
        file: True
        helpLink: elastalert.html
      rocket_chat_ca__crt:
        description: Optional custom Certificate Authority for connecting to PagerDuty server. To utilize this custom file, the rocket_chart_ca_certs key must be set to /opt/elastalert/custom/rocket_chat_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
        global: True
        file: True
        helpLink: elastalert.html
      smtp__crt:
        description: Optional custom certificate for connecting to an SMTP server. To utilize this custom file, the smtp_cert_file key must be set to /opt/elastalert/custom/smtp.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
        global: True
        file: True
        helpLink: elastalert.html
      smtp__key:
        description: Optional custom certificate key for connecting to an SMTP server. To utilize this custom file, the smtp_key_file key must be set to /opt/elastalert/custom/smtp.key in the Alerter Parameters setting. Requires a valid Security Onion license key.
        global: True
        file: True
        helpLink: elastalert.html
      slack_ca__crt:
        description: Optional custom Certificate Authority for connecting to Slack. To utilize this custom file, the slack_ca_certs key must be set to /opt/elastalert/custom/slack_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
        global: True
        file: True
        helpLink: elastalert.html
  config:
    disable_rules_on_error:
      description: Disable rules on failure.
      global: True
      helpLink: elastalert.html
    run_every:
      minutes:
        description: Amount of time in minutes between searches.
        global: True
        helpLink: elastalert.html
    buffer_time:
      minutes:
        description: Amount of time in minutes to look through.
        global: True
        helpLink: elastalert.html
    old_query_limit:
      minutes:
        description: Amount of time in minutes between queries to start at the most recently run query.
        global: True
        helpLink: elastalert.html
    es_conn_timeout:
      description: Timeout in seconds for connecting to and reading from Elasticsearch.
      global: True
      helpLink: elastalert.html
    max_query_size:
      description: The maximum number of documents that will be returned from Elasticsearch in a single query.
      global: True
      helpLink: elastalert.html
    alert_time_limit:
      days:
        description: The retry window for failed alerts.
        global: True
        helpLink: elastalert.html
    index_settings:
      shards:
        description: The number of shards for elastalert indices.
        global: True
        helpLink: elastalert.html
      replicas:
        description: The number of replicas for elastalert indices.
        global: True
        helpLink: elastalert.html