securityonion/salt/elastalert/soc_elastalert.yaml

elastalert:
  enabled:
    description: You can enable or disable Elastalert.
    helpLink: elastalert.html
  alerter_parameters:
    title: Alerter Parameters
    description: Optional configuration parameters for additional alerters that can be enabled for all Sigma rules. Filter for 'Alerter' in this Configuration screen to find the setting that allows these alerters to be enabled within the SOC ElastAlert module. Use YAML format for these parameters, and reference the ElastAlert 2 documentation, located at https://elastalert2.readthedocs.io, for available alerters and their required configuration parameters. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key.
    global: True
    multiline: True
    syntax: yaml
    helpLink: elastalert.html
    forcedType: string
  jira_api_key:
    title: Jira API Key
    description: Optional configuration parameter for Jira API Key, used instead of the Jira username and password. Requires a valid Security Onion license key.
    global: True
    sensitive: True
    helpLink: elastalert.html
    forcedType: string
  jira_pass:
    title: Jira Password
    description: Optional configuration parameter for Jira password. Requires a valid Security Onion license key.
    global: True
    sensitive: True
    helpLink: elastalert.html
    forcedType: string
  jira_user:
    title: Jira Username
    description: Optional configuration parameter for Jira username. Requires a valid Security Onion license key.
    global: True
    helpLink: elastalert.html
    forcedType: string
  smtp_pass:
    title: SMTP Password
    description: Optional configuration parameter for SMTP password, required for authenticating email servers. Requires a valid Security Onion license key.
    global: True
    sensitive: True
    helpLink: elastalert.html
    forcedType: string
  smtp_user:
    title: SMTP Username
    description: Optional configuration parameter for SMTP username, required for authenticating email servers. Requires a valid Security Onion license key.
    global: True
    helpLink: elastalert.html
    forcedType: string
  opsgenie_key:
    title: OpsGenie API Key
    description: Optional configuration parameter for OpsGenie API Key. Requires a valid Security Onion license key.
    global: True
    sensitive: True
    helpLink: elastalert.html
    forcedType: string
  files:
    custom:
      filename__ext:
        title: Custom Parameter File
        description: Optional configuration file that can be used to specify custom file contents, such as a SMTP certificate file. When used, the corresponding parameter must be set to this setting's filename.ext path inside the custom subdirectory. For example, if specifying the SMTP cert file, the smtp_cert_file key must be set to /opt/elastalert/custom/smtp.crt in the Alerter Parameters setting for this certificate to be enabled, and assumes this duplicated setting has been named smtp__crt. Note that double underscores will be replaced with a period in the filename.
        global: True
        duplicating: True
        file: True
        helpLink: elastalert.html
  config:
    disable_rules_on_error:
      description: Disable rules on failure.
      global: True
      helpLink: elastalert.html
    run_every:
      minutes:
        description: Amount of time in minutes between searches.
        global: True
        helpLink: elastalert.html
    buffer_time:
      minutes:
        description: Amount of time in minutes to look through.
        global: True
        helpLink: elastalert.html
    old_query_limit:
      minutes:
        description: Amount of time in minutes between queries to start at the most recently run query.
        global: True
        helpLink: elastalert.html
    es_conn_timeout:
      description: Timeout in seconds for connecting to and reading from Elasticsearch.
      global: True
      helpLink: elastalert.html
    max_query_size:
      description: The maximum number of documents that will be returned from Elasticsearch in a single query.
      global: True
      helpLink: elastalert.html
    alert_time_limit:
      days:
        description: The retry window for failed alerts.
        global: True
        helpLink: elastalert.html
    index_settings:
      shards:
        description: The number of shards for elastalert indices.
        global: True
        helpLink: elastalert.html
      replicas:
        description: The number of replicas for elastalert indices.
        global: True
        helpLink: elastalert.html