New SO 2.4 Grid produces no alerts from endpoint/windows event modules. #12105
Replies: 1 comment 2 replies
-
|
You'll want to checkout https://docs.securityonion.net/en/2.4/playbook.html?highlight=playbook#playbook. Then you'll enable plays that are relevant to your environment and that are critical enough for you to engage in incident response. We'd advise against just enabling all plays as that will result in lots of noise and performance impact. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks reyesj2, So does 2.4 not have any "built-in/already-on" alerts for windows event modules anymore? If not that's fine... I love the playbook management approach to this if that's how they are all managed now. I did notice the list of playbooks looks a lot longer now, so that would make sense. Also... yea I usually enable most critial/high plays then sprinkle in other stuff based on what we want to be alerted on. We're also planning on trying to build some custom plays for this deployment to keep an eye on specific files in the environment. |
Beta Was this translation helpful? Give feedback.
-
|
Correct, they are not enabled by default since each environment is different. If you have more than just windows endpoints. You may also want to download additional rule sets for playbook and look at enabling some of those as well. https://docs.securityonion.net/en/2.4/playbook.html?highlight=playbook#adding-additional-rulesets You'll notice in your SOC Dashboard there is a prebuilt search named 'host overview' that will give you a good overview of the host data for you to start threat hunting from. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
We have SO 2.3 and 2.4 running concurrently in our environment as we transition and work out the kinks on 2.4.
A typical alerts page for our 2.3 deployment looks like this below the "events module"
The alert page for our 2.4 deployment looks like this:
I have deployed over 100 Elastic Fleet Agents successfully for the 2.4 grid (used intune to deploy); they are all communicating with a Fleet node with interfaces on their respective domain networks and showing up in the Elastic Fleet Interface/Tool.
On SO 2.3 we have winlogbeats used for host visibility, lots of routine activities trigger alerts, like audit failures, logon success, Software Protection service scheduled successfully, logoff, Windows Application error event .... This was good as it set a baseline for "normal" in the environment and we knew what to expect and what was likely new and unusual activity. In 2.4, there's nothing... no alerts for any of the activity from windows computers.
What am I missing here? Do I need to enable something? Is there an event engine that is disabled by default, or a different way of generating events in SO 2.4 from windows even logs? It appears that SO is ingesting the windows even logs:
Just not generating any alerts from any of it....
What am I missing here? It's probably something silly that I missed. Any help greatly appreciated!
Beta Was this translation helpful? Give feedback.
All reactions