Playbook ElastAlert Syntax

[NexusChak]

Security Onion: v2.4.20

I was starting to test out the playbook feature by activating a community play. Everything looks fine, but I know that the playbook feature is actually supported by ElastAlert2, and I was curious about what the actual query string looks like when it got converted from a Sigma rule.

I then checked out the "convert" feature on SO, and here the questions come. First, the converted so-called "SO Elasticsearch Query" is not a Elasticsearch supported query, it's actually based on OQL (Onion Query Language). But even when I apply this search on the "Hunt" page, which is not supposed to find anything that would match this criteria, it is doing a accurate search. Instead, the "Hunt" page returned me a bunch of irrelevant results. I'm not sure if this is expected.

But then I was thinking, maybe this "convert" feature is for rule testing purpose on "Hunt" page only. I try to check out the ElastAlert rule files under /opt/so/rules/elastalert/playbook and the "ElastAlert Config" section on "Playbook" page.

For the config shown on "Playbook" page, it applied the OQL query for ElastAlert, which I'm sure if it would work. And some parts even got highlighted in red, which I'm not sure if this indicates any syntax error:

Then the actual config file under /opt/so/rules/elastalert/playbook looks like this, which looks a little bit different from a regular ElastAlert config file to me:

alert:                                                                                                                                                                                       
- "modules.so.playbook-es.PlaybookESAlerter"                                                                                                                                                 
                                                                                                                                                                                             
elasticsearch_host: "111.111.111.111:1111"                                                                                                                                                      
play_title: "Potential Crypto Mining Activity"                                                                                                                                               
play_id: "9acb398d2"                                                                                                                                                                         
event.module: "playbook"                                                                                                                                                                     
event.dataset: "playbook.alert"                                                                                                                                                              
event.severity: 3                                                                                                                                                                            
rule.category: "process_creation"                                                                                                                                                            
play_url: "https://111.111.111.111/playbook/issues/1634"                                                                                                                                        
kibana_pivot: "https://111.111.111.111/kibana/app/kibana#/discover?_g=()&_a=(columns:!(_source),interval:auto,query:(language:lucene,query:'_id:{[_id]}'),sort:!('@timestamp',desc))"           
soc_pivot: "https://111.111.111.111/#/hunt"                                                                                                                                                     
sigma_level: "high"                                                                                                                                                                          
                                                                                                                                                                                             
                                                                                                                                                                                             
index: '.ds-logs-*'                                                                                                                                                                          
name: "Potential Crypto Mining Activity - 9acb398d2"                                                                                                                                         
priority: 3                                                                                                                                                                                  
realert:                                                                                                                                                                                     
  minutes: 0                                                                                                                                                                                 
type: any                                                                                                                                                                                    
filter:                                                                                                                                                                                      
- eql: >                                                                                                                                                                                     
   any where ( not (process.command_line : ("* pool.c *","* pool.o *","*gcc -*")) and process.command_line : ("* --cpu-priority=*","*--donate-level=0*","* -o pool.*","* --nicehash*","* --al
go=rx/0 *","*stratum+tcp://*","*stratum+udp://*","*LS1kb25hdGUtbGV2ZWw9*","*0tZG9uYXRlLWxldmVsP*","*tLWRvbmF0ZS1sZXZlbD*","*c3RyYXR1bSt0Y3A6Ly*","*N0cmF0dW0rdGNwOi8v*","*zdHJhdHVtK3RjcDovL*
","*c3RyYXR1bSt1ZHA6Ly*","*N0cmF0dW0rdWRwOi8v*","*zdHJhdHVtK3VkcDovL*"))

I'm wondering what would be the recommended way to handle this or in general to create and debug a play that would work? Are we supposed to modify the generated ElastAlert config in some sense?

[defensivedepth]

The generated query is actually EQL. This is a change from 2.3 where it was Lucene.