StamusNetworks / scirius

Scirius is a web application for Suricata ruleset management and threat hunting.
GNU General Public License v3.0

Email Notification for Scirius #32

Open b-u-g-s opened 9 years ago

b-u-g-s commented 9 years ago

Hi,

Is it possible to get automated alerts and summary through emails?

What I am after is:

  1. Daily/Weekly/Monthly Summary and
  2. Ad-Hoc email for specific alerts

Daily/Weekly/Monthly Summary

Similar to what other NSMs offer (happy to provide a copy), it would be useful to get a regular email displaying info such as:

  - Total number of High/Medium/Low alerts
  - Top 10 alerts with count
  - Top 10 source addresses for those alerts
  - Top 10 destinations for the alerts

Plain text would be enough. The "cherry on the top" would be to also include the timeline graph, so it gives you an idea of when those alerts took place in the day/week/month.

I found this useful as once your NSM is all set up nicely, you can kind of forget about it... and just check that daily email to see what the top 10 alerts were. If, for example, you see an alert related to a Windows EXE installation file and you have actually updated your Windows server that day, then you know you can ignore it.... On the other hand, if there was no update, that might be the reason to connect to your SELKS environment and investigate further.

Ad-Hoc email for specific alert

It would be really helpful if you could set an email alert if a specific security alert (Suricata ID) occurs. Look at this scenario (which happened to me!): You get an alert that keeps recurring at random times, coming from a phone device, claiming there is a Kazaa download. You only find that alert when you connect to your NSM; you identify the device, check the device, and there is nothing on it that should be running Kazaa!! Every time you see the alert in your NSM, it is too late: the user doesn't remember exactly what he did 2h ago.

Instead, you set up an email alert that sends you an email as soon as the Suricata rule is triggered on that specific event. This time you receive the alert within a minute of the event occurring, you contact the user, who tells you he is currently using Skype... Through a bit more troubleshooting you can find out that it is a false positive and that in fact Skype traffic can sometimes be confused for Kazaa traffic.

Thanks, B.
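A minimal generator for the two reports requested above, as an added example that is not part of this issue or of Scirius. It reads Suricata EVE JSON alert lines (the sample lines are constructed for the example) and returns the severity totals, top signatures, top sources and top destinations for a periodic summary, plus a watch list of specific signature IDs for the ad-hoc case; sending the resulting text by mail is left to whatever scheduler or mailer you already have.

```python
import json
from collections import Counter

# Constructed Suricata EVE JSON lines for this example (not a real capture).
SAMPLE_EVE = """\
{"timestamp":"2015-07-20T09:12:01.000000+0200","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.9","alert":{"signature_id":2001234,"signature":"P2P Kazaa client activity","severity":3}}
{"timestamp":"2015-07-20T09:40:11.000000+0200","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.9","alert":{"signature_id":2001234,"signature":"P2P Kazaa client activity","severity":3}}
{"timestamp":"2015-07-20T10:02:45.000000+0200","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"198.51.100.4","alert":{"signature_id":2013028,"signature":"Windows executable download","severity":1}}
{"timestamp":"2015-07-20T10:03:00.000000+0200","event_type":"flow","src_ip":"10.0.0.7","dest_ip":"198.51.100.4"}
{"timestamp":"2015-07-20T11:15:30.000000+0200","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"192.0.2.20","alert":{"signature_id":2100498,"signature":"Suspicious user agent","severity":2}}
"""

# Suricata's alert.severity field: 1 is the highest priority.
SEVERITY_LABEL = {1: "high", 2: "medium", 3: "low"}

def summarize(eve_text, top_n=10, watch_sids=()):
    """Count alert events from EVE JSON text; other event types (flow, dns, ...) are skipped."""
    severity, sigs, srcs, dsts, watched = Counter(), Counter(), Counter(), Counter(), []
    for line in filter(str.strip, eve_text.splitlines()):
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        a = ev["alert"]
        severity[SEVERITY_LABEL.get(a.get("severity"), "unknown")] += 1
        sigs[(a["signature_id"], a["signature"])] += 1
        srcs[ev["src_ip"]] += 1
        dsts[ev["dest_ip"]] += 1
        if a["signature_id"] in watch_sids:  # ad-hoc case: a specific SID worth an immediate mail
            watched.append((ev["timestamp"], ev["src_ip"], ev["dest_ip"], a["signature"]))
    return {"severity": dict(severity), "top_signatures": sigs.most_common(top_n),
            "top_src": srcs.most_common(top_n), "top_dest": dsts.most_common(top_n),
            "watched": watched}

def render(summary):
    """Format the summary as a plain-text e-mail body."""
    out = ["Alerts by severity: " + ", ".join(
        f"{k}={summary['severity'].get(k, 0)}" for k in ("high", "medium", "low"))]
    out.append("Top signatures (count, SID, name):")
    out += [f"  {n:5d}  {sid}  {sig}" for (sid, sig), n in summary["top_signatures"]]
    for title, key in (("Top sources:", "top_src"), ("Top destinations:", "top_dest")):
        out.append(title)
        out += [f"  {n:5d}  {ip}" for ip, n in summary[key]]
    if summary["watched"]:
        out.append("Watched signatures fired:")
        out += [f"  {ts}  {s} -> {d}  {sig}" for ts, s, d, sig in summary["watched"]]
    return "\n".join(out)

if __name__ == "__main__":
    print(render(summarize(SAMPLE_EVE, watch_sids={2001234})))
```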

pevma commented 9 years ago

Currently e-mail notifications are not possible - it would be a nice feature I agree. However the approach of contacting a user for confirmation of a certain usage or activities is not optimal or feasible in bigger environments.

Zedoki commented 9 years ago

Some time ago I found this project, https://github.com/Yelp/elastalert, which can be used to send mail from data obtained in Elasticsearch. I haven't tried it yet.

I don't know if it fits your needs, but it can help, maybe.

b-u-g-s commented 9 years ago

Thanks, Zedoki, will look into that! I think Regit might also be looking into that (as per IRC chat).