How to show alerts from not default sources #12801

ByteAndBits · 2024-04-16T15:27:28Z

ByteAndBits
Apr 16, 2024

Version

2.4.60

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

128

RAM

1TB

Storage for /

30TB

Storage for /nsm

60TB

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Is it possible to show not default warings in alerts (no suricata, windows logs).

we want to get an alert if anybody has a wrong login to the firewall. For this we created some datafilds:
event.provider: auth, auth.satus: failed

If this happens we need an alert.

I think via playbook it is not possible. But how can we show warnings like that in the alerts section of SecOnion

Guidelines

I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

Answered by InfosecGoon

Apr 19, 2024

Create a new Play in Playbook with this Sigma in it, then make it active.

title: Firewall Login Failure
status: experimental
description: Detects when there are bad logins to the firewall.
author: InfosecGoon
logsource:
    product: firewall
    service: syslog
detection:
    selection:
        data_stream.dataset: firewall.syslog
        event.provider: auth
        auth.status: failed
    condition: selection
level: high

View full answer

petiepooo · 2024-04-16T15:38:23Z

petiepooo
Apr 16, 2024

Have you read through this section?
https://docs.securityonion.net/en/2.3/soc-customization.html#custom-queries

This is one of the settings that still require copying a default file to the local tree and modifying it manually.

0 replies

InfosecGoon · 2024-04-18T20:11:03Z

InfosecGoon
Apr 18, 2024

You would need to write that alert in Playbook using Sigma.

Can you provide a sample of the event you want to alert on so we can see all of the field names and values? Stuff like IPs and usernames can be redacted if necessary.

0 replies

ByteAndBits · 2024-04-19T07:02:39Z

ByteAndBits
Apr 19, 2024
Author

data_stream.dataset: firewall.syslog
event.provider: auth
auth.status: failed

if this three things happens we need the alert

2 replies

InfosecGoon Apr 19, 2024

Create a new Play in Playbook with this Sigma in it, then make it active.

title: Firewall Login Failure
status: experimental
description: Detects when there are bad logins to the firewall.
author: InfosecGoon
logsource:
    product: firewall
    service: syslog
detection:
    selection:
        data_stream.dataset: firewall.syslog
        event.provider: auth
        auth.status: failed
    condition: selection
level: high

Answer selected by ByteAndBits

ByteAndBits Apr 24, 2024
Author

Works perfect. Thank´s a lot.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

How to show alerts from not default sources #12801

Uh oh!

{{title}}

Uh oh!

Replies: 3 comments 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

How to show alerts from not default sources #12801

Uh oh!

ByteAndBits Apr 16, 2024

Version

Installation Method

Description

Installation Type

Location

Hardware Specs

CPU

RAM

Storage for /

Storage for /nsm

Network Traffic Collection

Network Traffic Speeds

Status

Salt Status

Logs

Detail

Guidelines

Replies: 3 comments · 2 replies

Uh oh!

petiepooo Apr 16, 2024

Uh oh!

InfosecGoon Apr 18, 2024

Uh oh!

ByteAndBits Apr 19, 2024 Author

Uh oh!

InfosecGoon Apr 19, 2024

Uh oh!

ByteAndBits Apr 24, 2024 Author

ByteAndBits
Apr 16, 2024

Replies: 3 comments 2 replies

petiepooo
Apr 16, 2024

InfosecGoon
Apr 18, 2024

ByteAndBits
Apr 19, 2024
Author

ByteAndBits Apr 24, 2024
Author