Using Playbook #12088

widdleavi · 2023-12-28T19:47:27Z

widdleavi
Dec 28, 2023

I am new to security onion. Just got it setup on my network. So in playbook, it seems like all the items are set to draft to start. How do you decide which ones to change to active? I went it and did all Critical, High, and medium items and am getting overloaded with alerts.

dougburks · 2023-12-29T17:00:14Z

dougburks
Dec 29, 2023
Maintainer

I went it and did all Critical, High, and medium items and am getting overloaded with alerts.

We recommend against enabling all Critical, High, and Medium items. In particular, one of the High severity plays (Malicious Nishang PowerShell Commandlets) can cause performance issues and should be avoided. From https://docs.securityonion.net/en/2.4/playbook.html#putting-a-play-into-production:

How do you decide which ones to change to active?

First, you need to know your environment. Then, you should only enable those plays which are relevant to your environment AND which would be critical enough for you to engage the incident response process.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Using Playbook #12088

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Using Playbook #12088

Uh oh!

widdleavi Dec 28, 2023

Replies: 1 comment

Uh oh!

dougburks Dec 29, 2023 Maintainer

widdleavi
Dec 28, 2023

dougburks
Dec 29, 2023
Maintainer