Elastic alert frequency rule #12427
Replies: 1 comment
You built the rule manually in Elastalert rather than in Playbook, and now you want it in Playbook? Unfortunately, it doesn't sync backwards like that -- you'd need to write the rule in Sigma in Playbook, make it active, and then make your frequency modifications to the resulting Elastalert YAML file.
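As an added illustration of that workflow (not part of the original discussion), this is the failed-logon filter from the question expressed as a Sigma rule to create in Playbook; the UUID is a placeholder, and the mapping of `EventID`/`service: security` onto `event.code`/`winlog.channel` is assumed to be handled by the Playbook field mapping.

```yaml
# Sigma rule to be created in Playbook (constructed example).
title: Test login frequency
id: 00000000-0000-0000-0000-000000000000   # placeholder, generate a real UUID
status: experimental
description: More than 50 failed Windows logons (Event ID 4625) within one hour.
logsource:
  product: windows
  service: security          # Security channel -> winlog.channel: "Security"
detection:
  selection:
    EventID: 4625            # -> event.code: "4625"
  timeframe: 1h              # Sigma v1 count aggregation, assumed to be accepted by the converter
  condition: selection | count() > 50
level: critical              # becomes sigma_level / event.severity in the generated rule
```

If the converter does not carry the count aggregation through, set `type: frequency`, `num_events: 50` and `timeframe: hours: 1` by hand in the Elastalert YAML that Playbook generates once the play is active, as the reply describes.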
I am writing an elastic alert rule in /opt/so/rule/playbook. It performs detection and alerts are available. I need to ask if the same can be done so that Playbook (perhaps via Sigma) shows it as an active play.
```yaml
alert:
elasticsearch_host: xyz
play_title: Test login frequency
play_id: test
event.module: playbook
event.dataset: playbook.alert
event.severity: 4
rule.category: process_creation
play_url: abc
kibana_pivot: >-
  adc
soc_pivot: aec
sigma_level: critical
index: .ds-logs-*
name: Example frequency rule
# frequency rule: alert when num_events matching events occur within timeframe
type: frequency
num_events: 50
timeframe:
  hours: 1
# EQL filter, quoted so the ": " inside it is not read as a YAML mapping
filter: 'any where (event.code : "4625" and winlog.channel : "Security")'
```