Let me preface this by saying, "Yes, I know what I'm trying to do sounds silly, but that does not negate the issue I'm having". I'm required to have a "Critical level" alert sent out at a certain time each day, so we can verify that alerting is working as we expect. I've done this by setting up a cron job that runs `/usr/bin/curl "http://testmynids.org/uid/index.html"` at a particular time. As I've learned, you can't get a "critical" alert from Suricata. Currently, we're not importing any outside logs or beats into SO which I can use to trigger Wazuh or Playbook. So, I thought I'd make a custom play (with a critical level), to just look for that rule.uuid that I'm triggering.
I went into Playbook and made a new rule that looks like this:
The play was generated and the appropriate (AFAIK) elastalert was created:
When the cron job runs or I manually run `/usr/bin/curl "http://testmynids.org/uid/index.html"`, I can see this in my elastalert.log file:

```
2024-02-27 12:36:28,040 INFO elastalert Ran TestNIDS - 4a8e9ba5f from 2024-02-27 12:26 UTC to 2024-02-27 12:36 UTC: 1 query hits (0 already seen), 1 matches, 1 alerts sent
```
Which appears as though an alert has been sent to somewhere? I'm expecting that to be sent to the Alerts tab, but it does not appear there. The alert from suricata is there, but not from Playbook.
If I drop down the view in the alerts to "Ungroup" instead of the default of "Group by Name,Module", then the alerts are visible:
I suspect it's something (a field perhaps) that is preventing it from being viewed when grouped? I've tried looking through various logs and looking for errors, but I've been unsuccessful. Also, I was hoping that making a "critical" alert from this play would kick off another elastalert yaml file that looks for alerts and runs a script. (This portion I know works; if I change the string from "critical" to "high" or "medium", I can get the command to execute and run fine.)
I'm not sure if this failure to work is related to the behavior I see in the Alerts part of SO or if this is just not possible to run a custom elastalert from something triggered by Playbook. It sounds possible to me.
Thanks in advance for your help.
### Guidelines
- [X] I have read the discussion guidelines at https://github.com/Security-Onion-Solutions/securityonion/discussions/1720 and assert that I have followed the guidelines.
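The post's stated goal is to verify each day that alerting actually fires, and the one artifact it shows is ElastAlert's "Ran ... alerts sent" summary line. The following is an added example, not code from the post or from Security Onion, that parses those summary lines and answers the question "did my heartbeat rule send at least one alert after the scheduled time?". It assumes the summary-line format shown in the post (including the "INFO elastalert" prefix), assumes the log timestamps are in UTC, and uses a constructed three-line sample log; the rule name `TestNIDS - 4a8e9ba5f` is taken from the post. Note that the "alerts sent" counter only says ElastAlert handed the match to its configured alerter; it says nothing about where that alert is displayed, which is the separate question the post raises about the grouped Alerts view.

```python
import re
from datetime import datetime, timezone

# Constructed sample log (not from a real system) in the format ElastAlert writes
# to elastalert.log. Line 2 reproduces the line quoted in the post; lines 1 and 3
# are made up to show a run with no alerts and a different rule.
SAMPLE_LOG = """\
2024-02-27 12:26:27,912 INFO elastalert Ran TestNIDS - 4a8e9ba5f from 2024-02-27 12:16 UTC to 2024-02-27 12:26 UTC: 0 query hits (0 already seen), 0 matches, 0 alerts sent
2024-02-27 12:36:28,040 INFO elastalert Ran TestNIDS - 4a8e9ba5f from 2024-02-27 12:26 UTC to 2024-02-27 12:36 UTC: 1 query hits (0 already seen), 1 matches, 1 alerts sent
2024-02-27 12:36:28,041 INFO elastalert Ran Other Rule - deadbeef0 from 2024-02-27 12:26 UTC to 2024-02-27 12:36 UTC: 3 query hits (0 already seen), 3 matches, 0 alerts sent
"""

# One regex for the per-run summary line. The rule name is captured lazily so that
# names containing spaces and dashes (as in the post) are handled.
RAN_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ INFO elastalert "
    r"Ran (?P<rule>.+?) from (?P<start>.+? UTC) to (?P<end>.+? UTC): "
    r"(?P<hits>\d+) query hits \((?P<seen>\d+) already seen\), "
    r"(?P<matches>\d+) matches, (?P<alerts>\d+) alerts sent$"
)


def _utc(stamp, fmt):
    """Parse a naive timestamp string and tag it as UTC (assumption: log is in UTC)."""
    return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)


def parse_runs(log_text):
    """Return a list of dicts, one per 'Ran ...' summary line; other lines are ignored."""
    runs = []
    for line in log_text.splitlines():
        m = RAN_LINE.match(line)
        if not m:
            continue
        runs.append({
            "ts": _utc(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "rule": m["rule"],
            "hits": int(m["hits"]),
            "already_seen": int(m["seen"]),
            "matches": int(m["matches"]),
            "alerts": int(m["alerts"]),
        })
    return runs


def check_heartbeat(log_text, rule_name, expected_after):
    """Return (ok, reason).

    ok is True when some run of rule_name whose timestamp is at or after
    expected_after ("YYYY-MM-DD HH:MM", UTC) reported at least one alert sent.
    Matches without alerts count as a failure: ElastAlert found events but did
    not dispatch anything, which is exactly the condition a daily test should catch.
    """
    cutoff = _utc(expected_after, "%Y-%m-%d %H:%M")
    runs = [r for r in parse_runs(log_text) if r["rule"] == rule_name]
    if not runs:
        return False, f"no runs of rule {rule_name!r} found in log"
    recent = [r for r in runs if r["ts"] >= cutoff]
    if not recent:
        return False, f"rule ran, but not since {cutoff.isoformat()}"
    fired = [r for r in recent if r["alerts"] > 0]
    if not fired:
        matched = sum(r["matches"] for r in recent)
        return False, f"rule ran {len(recent)} time(s) with {matched} match(es) but sent no alerts"
    return True, f"alert sent at {fired[-1]['ts'].isoformat()}"


if __name__ == "__main__":
    # Example check: the cron job is scheduled for 12:30 UTC, so any alert sent
    # after that time satisfies the heartbeat.
    ok, why = check_heartbeat(SAMPLE_LOG, "TestNIDS - 4a8e9ba5f", "2024-02-27 12:30")
    print("OK" if ok else "FAIL", "-", why)
```

In practice the script would read `/opt/so/log/elastalert/elastalert.log` (path is an assumption; check your own deployment) instead of `SAMPLE_LOG`, and its exit status would drive the real notification path, so a silent failure of the heartbeat is itself reported.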
- Version: 2.4.50
- Installation Method: Security Onion ISO image
- Description: configuration
- Installation Type: Standalone
- Location: on-prem with Internet access
- Hardware Specs: Exceeds minimum requirements
- CPU: 20
- RAM: 18GB
- Storage for /: 166G
- Storage for /nsm: 3.4TB
- Network Traffic Collection: span port
- Network Traffic Speeds: Less than 1Gbps
- Status: Yes, all services on all nodes are running OK
- Salt Status: No, there are no failures
- Logs: No, there are no additional clues