Hi, in order to get notifications while AFK I'm looking for a way to send out email notifications for types of alerts. So for example getting email notifications for suricata "high" alerts or notifications for a certain suricata SID. While I understand that this seems to be a "Pro" feature (https://docs.securityonion.net/en/2.4/notifications.html#notifications), going to a Pro license doesn't make sense in my context, since we don't need all the other features of Pro like OpenID Connect, Kafka, FIPS, STIG etc. Is there any way to get email notifications for suricata alerts without a Pro license? Has anybody out there got that running? Please note that I'm running S.O. 2.4.100, so the old "Playbook" feature is no longer available. Thanks much in advance for any clue.
Replies: 1 comment 2 replies
You have to do this manually from the CLI. Your rules will go into
I stand corrected, the documentation is correct --> /opt/so/rules/elastalert/rules/custom/ for custom rules.
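An ElastAlert 2 rule of the kind the reply points at, as an added example that is not from this thread or from the Security Onion project. The index pattern, the field names (event.dataset, event.severity_label, rule.uuid, rule.name, source.ip, destination.ip) and every SMTP value are assumptions to check against your own so-suricata-* documents and mail relay.

```yaml
# Added example, not from the thread. Save as e.g.
# /opt/so/rules/elastalert/rules/custom/suricata-high-email.yaml
#
# ASSUMPTIONS (verify in Hunt/Kibana before relying on this):
#   - Suricata alerts are in the so-suricata-* index pattern
#   - event.severity_label holds "high" / "medium" / "low"
#   - rule.uuid holds the Suricata SID, rule.name the signature text
#   - SMTP host, port and addresses below are placeholders
name: Suricata high-severity alerts (email)
type: any                      # fire once per matching document
index: so-suricata-*

filter:
  - query:
      query_string:
        # all high-severity alerts, plus one SID of interest
        # (replace YOUR_SID_HERE or drop the OR clause)
        query: 'event.dataset:"suricata.alert" AND (event.severity_label:"high" OR rule.uuid:"YOUR_SID_HERE")'

# Suppress repeat mails for the same SID for 15 minutes so a noisy
# signature cannot flood the inbox; other SIDs still alert immediately.
query_key: rule.uuid
realert:
  minutes: 15

alert:
  - email
email:
  - soc-oncall@example.com     # placeholder recipient
from_addr: security-onion@example.com
smtp_host: smtp.example.com    # placeholder relay; add smtp_auth_file
smtp_port: 587                 # if the relay requires a login
smtp_ssl: false

alert_subject: "Suricata HIGH: {0}"
alert_subject_args:
  - rule.name
alert_text_type: alert_text_only
alert_text: |
  Signature: {0} (SID {1})
  Severity:  {2}
  Flow:      {3} -> {4}
alert_text_args:
  - rule.name
  - rule.uuid
  - event.severity_label
  - source.ip
  - destination.ip
```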