Cyb3rSn0rlax

3. Installing ElastAlert

ElastAlert is an alerting framework for Elasticsearch, maintained by Yelp on GitHub: https://github.com/Yelp/elastalert


Last updated 4 years ago

Why use two alerting modules?

While the Opendistro alerting plugin is similar to Watcher and can run fairly complex queries, ElastAlert is a much simpler and more straightforward tool, especially thanks to the many destinations it supports for sending alerts.

ElastAlert can be used to build a first layer of alerting logic, on top of which more complex sets of monitoring rules can be applied afterwards with the Opendistro alerting plugin. The need for this combination is something we will be discussing in and .

Installing ElastAlert

Cloning from repository

As root, go to /etc/, clone the repository and install the required packages:

$ git clone https://github.com/Yelp/elastalert.git
$ apt install python3.6 python-dev libffi-dev libssl-dev python3-pip python-pip

Install requirements

$ pip3 install -r /etc/elastalert/requirements.txt

Modify Configuration File

vi /etc/elastalert/config.yaml
rules_folder: rules
run_every:
  minutes: 1
buffer_time:
  minutes: 15
es_host: localhost
es_port: 9200
use_ssl: True
verify_certs: False
es_username: admin
es_password: admin
writeback_index: elastalert_status
writeback_alias: elastalert_alerts
alert_time_limit:
  days: 2

Make sure the rules folder (rules_folder above) exists in the repository.
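A small pre-flight check for the config.yaml above, added here as an example (it is not part of ElastAlert or this page): it parses the flat YAML subset shown, confirms the rules folder exists, and flags the two settings a SOC engineer should change before enabling the service, verify_certs: False and the default admin/admin credentials. The hand-rolled parser and check names are this example's own; the embedded config is the one from this page.

```python
import os

# Constructed sample: the config.yaml from this page, embedded as a string.
SAMPLE_CONFIG = """\
rules_folder: rules
run_every:
  minutes: 1
buffer_time:
  minutes: 15
es_host: localhost
es_port: 9200
use_ssl: True
verify_certs: False
es_username: admin
es_password: admin
writeback_index: elastalert_status
writeback_alias: elastalert_alerts
alert_time_limit:
  days: 2
"""

def parse_simple_yaml(text):
    """Parse 'key: value' lines plus one level of indented children into a dict.
    Only the flat subset ElastAlert's top-level config uses; not a general YAML parser."""
    def coerce(v):  # 'True'/'False' -> bool, digit strings -> int, anything else -> str
        return {"true": True, "false": False}.get(v.lower(), int(v) if v.isdigit() else v)
    result, parent = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                          # skip blank lines and comments
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if raw.startswith(" "):               # indented: child of the last mapping key
            result[parent][key] = coerce(value)
        elif value == "":                     # mapping header such as 'run_every:'
            parent, result[key] = key, {}
        else:
            result[key] = coerce(value)
    return result

def check_config(cfg, config_dir):
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    findings = []
    rules_dir = os.path.join(config_dir, cfg.get("rules_folder", "rules"))
    if not os.path.isdir(rules_dir):          # without it ElastAlert has no rules to load
        findings.append("rules_folder does not exist: " + rules_dir)
    if cfg.get("use_ssl") and not cfg.get("verify_certs", True):
        findings.append("verify_certs is False: the Elasticsearch certificate is not checked")
    if cfg.get("es_username") == "admin" and cfg.get("es_password") == "admin":
        findings.append("es_username/es_password are the OpenDistro default admin:admin")
    return findings
```

Run check_config(parse_simple_yaml(open("/etc/elastalert/config.yaml").read()), "/etc/elastalert") on the real file before starting the service; with the config exactly as shown above it reports the unverified TLS and default credentials.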

Setup ElastAlert

$ cd /etc/elastalert/
$ python3 setup.py install

Check that the installation succeeded, then run the following command to create the ElastAlert writeback indices in Elasticsearch:

/etc/elastalert$ elastalert-create-index

You should see the created indices in Kibana (figure: Creation of ElastAlert Indices).

Running ElastAlert as a service

To run ElastAlert as a systemd service, create the unit file below with the following contents, then link, enable and start it:

$ vi /lib/systemd/system/elastalert.service
[Unit]
Description=elastalert
After=multi-user.target

[Service]
Type=simple
WorkingDirectory=/etc/elastalert
ExecStart=/usr/local/bin/elastalert --config /etc/elastalert/config.yaml --verbose
StandardOutput=syslog
StandardError=syslog
KillSignal=SIGKILL
PIDFile=/var/run/elastalert.pid

[Install]
WantedBy=multi-user.target
$ ln -s /lib/systemd/system/elastalert.service /etc/systemd/system/elastalert.service
$ systemctl daemon-reload
$ systemctl enable elastalert.service
$ systemctl start elastalert.service
$ systemctl status elastalert.service

ElastAlert should now be up and running.
