Adding email alert rule example

cisagov · Nov 4, 2024 · ea1fed3 · ea1fed3
1 parent e76459d
commit ea1fed3
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 0 deletions.
diff --git a/config/elastalert2/misc/smtp_auth.yml b/config/elastalert2/misc/smtp_auth.yml
@@ -0,0 +1,2 @@
+user: "[email protected]"
+password: "giyq caym zqiw chje" #this is your app password if using gmail
diff --git a/config/elastalert2/rules/example-email-rule.yml b/config/elastalert2/rules/example-email-rule.yml
@@ -0,0 +1,21 @@
+name: EMAIL
+type: frequency
+index: wazuh-*
+num_events: 1
+timeframe: 
+  minutes: 1
+filter:
+- query:
+    match_phrase:
+      agent.ip: "10.1.0.4"
+alert: email
+alert_text: "ASDFASDF"
+alert_text_type: alert_text_only
+email:
+  - "[email protected]"
+smtp_ssl: true
+smtp_port: 465
+smtp_host: "smtp.gmail.com"
+from_addr: "[email protected]"
+smtp_auth_file: /opt/elastalert/misc/smtp_auth.yml
+
diff --git a/quadlet/lme-elastalert.container b/quadlet/lme-elastalert.container
@@ -24,6 +24,7 @@ Network=lme
 PodmanArgs=--network-alias lme-elastalert2
 Volume=lme_elastalert2_logs:/opt/elastalert/logs
 Volume=/opt/lme/config/elastalert2/rules:/opt/elastalert/rules:ro
+Volume=/opt/lme/config/elastalert2/misc:/opt/elastalert/misc:ro
 Volume=/opt/lme/config/elastalert2/config.yaml:/opt/elastalert/config.yaml:ro
 Volume=lme_certs:/etc/wazuh-manager/certs:ro
 Volume=/etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		user: "[email protected]"
		password: "giyq caym zqiw chje" #this is your app password if using gmail