Custom Playbook

[Mav1814]

Version

Other (please provide detail below)

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

4

RAM

32

Storage for /

104G

Storage for /nsm

206G

Network Traffic Collection

tap

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

Yes, there are salt failures (please provide detail below)

Logs

No, there are no additional clues

Detail

Hello again guys!

I've been trying to create a playbook to detect brute force attempts on logins.
I don't get any errors when converting sigma to ElastAlert Config, it shows the conversion.
After creating the playbook and making it active, what are the steps to take? How do I know it's working or if it's failing?
I've already made a few failed attempts on one of my endpoints and no alerts have appeared.

thank you in advance
cheers

Guidelines

• I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

[Taishinto]

I like this idea, and may be interested as well.
Would you mind sharing the code - I'd first look at what/how the alert is triggered and what the threshold is for that trigger.

[Mav1814]

I didn't put the status as experimental because on the documentation they say " You may also want to avoid others with a status of experimental."

I will test your playbook.

[Mav1814]

I tested, same result. :(
so if for you it generate a alert, the problem is not the playbook itself. I dont know how to fix this.

[jaypfe]

The play is set to active? A new Elastalert rule was built in /opt/so/rule?
If you test the EQL do you get hits?
Can you see that the rule is running?

Any errors when running a highstate?
You may try restarting the grid.

You dont have any custom pipes or data streams do you?

Beyond this, I think one of the onion lords themselves would have to look at it. They would probably know immediately.

[Mav1814]

Hello!
The behavior is exactly the same as I had with the previous playbook.
Answers

Is the play set to active?
A: yes

Has a new Elastalert rule been created in /opt/so/rule?
A: yes

If you test EQL, do you get results?
A: yes

Can you see that the rule is being executed?
A: yes, and is triggered and "alert sent"

Any errors when running a highstate?
You may try restarting the grid.
A: didn't try yet.

You dont have any custom pipes or data streams do you?
A: nop, nothing. I only have 2 endpoints with agents. I didn't change or customize anything yet.

Beyond this, I think one of the onion lords themselves would have to look at it. They would probably know immediately.
A: I wish :/

Much thanks for everything.

PS: I feel like I've been wasting a lot of time understanding security onion, trying to explore its features and trying to understand how it can be useful, but all I find are difficulties and unsolved problems. It's been quite frustrating, I've been doing this for a long time.
As much as I try to dig deeper, it becomes difficult, I think I've read the available documentation a couple of times, often without an answer. I even understand that it's natural, since there's a free part and a paid part, but... I think this solution has a lot of potential and can solve a lot of problems, and for sure thats an incredible work, but I've really found it difficult to exploit. It was just an aside, I'm sorry.

[Mav1814]

@jaypfe Can you show me the configuration that u did when creating the play? What did you put on "Group"?

[jaypfe]

Sure, I did not fill any of those fields out in my example.

If you can download community plays and they work as they should, it HAS to be something that is either being done/ not being done in the creation.

[jaypfe]

No that is not what should happen. It will give a large amount of output for each container running on the nodes. It takes a bit of time to complete.

That is also why when creating the post it asks you to run it, as it can give you good clues as to what is happening.

[Mav1814]

Sorry, i missed that :/.

Everything rebooted and up and running. My questions are

1- If i run sudo salt * state.highstate the output is the same as above.
2 - if i run sudo salt-call * state.highstate it says that 'Security Onion is not available', (dont know why it never happened) so i logged as root xD
The final output after running in root was:

I dont know if its the same command or not.

[jaypfe]

That looks more like the output you should expect. Honestly, I am not sure on the command differences.
But just for grins, does the play work now?

[Mav1814]

Hi @jaypfe

The result is the same.

2023-10-23 10:18:12,295     INFO apscheduler.executors.default Running job "Rule: Failed Windows Login - 72de8056a (trigger: interval[0:03:00], next run at: 2023-10-23 10:21:16 UTC)" (scheduled at 2023-10-23 10:18:12.294521+00:00)
2023-10-23 10:18:12,504     INFO           elastalert Queried rule Failed Windows Login - 72de8056a from 2023-10-23 10:08 UTC to 2023-10-23 10:18 UTC: 3 / 3 hits
2023-10-23 10:18:12,695     INFO           elastalert Ran Failed Windows Login - 72de8056a from 2023-10-23 10:08 UTC to 2023-10-23 10:18 UTC: 3 query hits (0 already seen), 3 matches, 3 alerts sent
2023-10-23 10:18:12,695     INFO           elastalert Failed Windows Login - 72de8056a range 600
2023-10-23 10:18:12,695     INFO apscheduler.executors.default Job "Rule: Failed Windows Login - 72de8056a (trigger: interval[0:03:00], next run at: 2023-10-23 10:21:16 UTC)" executed successfully

And no alert is sent to Alerts on SO.

[Mav1814]

@jaypfe I did a reset on the playbooks. I can't re-import any playbook now, not even from sigma or the IDH. xD

But i tried to recreate the windows play for auth failed, and know it works, i don't know why. It's a bit weird, but know is working. :)

I have a question, i'm trying to do the same for linux, but no success, not even a match. Can you help me ? Sorry to bother you again.