Playbook: Elastalert config is not adapted to the sigma rule and SO filter

[sleepingbel]

Hello All,

I applied a SO filter a while back, now I added some values ​​to the filter, but I don't see these values ​​appear in the field "ElastAlert Config". I see the Elastalert config without the added new values.

Even if I remove the complete SO filter, the elastalert config is not modified. This means that another rule contains an error that blocks or stops the script.

I also discovered in the playbook sync log that multiple rules are without a elastalert config (5). I'm sure these rules had a config because some of them have a SO filter, so they have triggered a false positive in the past.

You will not get any visual errors in playbook if the elastalert script does not convert the sigma rule correct to elastalert config.

I've already searched the following logs:
Playbook:

• playbook
• sync
• update

Elastalert:

• elastalert
• stderr
• stdout

Where can I find which rule causes this? witch log source?

Regards
Bart

[InfosecGoon]

Could you expand on "I applied a SO filter a while back" a bit? What kind of filter? On which Playbook play?

[sleepingbel]

It was the "User with Privileges Logon" play and I added acceptions for the SubjectUserSid.
This elastalert config is placed in the play.
Now a few day's ago I added a new userid and this new userid does not appear in the elastalert config. The elastalert config stay's the one that was initial created with the first so filter.