Sigma Rule Alerts (old playbook) are are grayed out for "Tune Detection"

[sleepingbel]

Version

2.4.70

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

16 v-CPU

RAM

48 GB

Storage for /

250 GB

Storage for /nsm

1.66 TB

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hello all,

After the upgrade i wanted to tune a sigma rule that is creating a lot of noise, but the "Tune Detection" is grayed out.

It is also only for sigma rules, the suricata rules can be tuned

The status of all my rules is "OK"

I looked for a solution in the documentation but couldn't find it

Regards
Bart

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[defensivedepth]

This is expected. The old Playbook rules should no longer be active and should not be generating any more alerts.

[sleepingbel]

Yes ok but I think you mean this is NOT expected, because the old sigma rules are still generating alerts. How can i solve this.

Even if I want to search the rule in the detection tab with a so_detection.title column query, i can not find the rule.

Could it be the reason that this is a medium severity rule that was active before the upgrade and now only high, critical severity rules are active? The problem is not solved with activating core++ ruleset in sigmaRulePackages I tested this.

[defensivedepth]

The old Playbook rules should have been backed up and removed during the SOUP upgrade to 2.4.70.

Check /opt/so/rules/elastalert/playbook/ - are there still rules in there? They should have been backed up to /nsm/backup/detections-migration/sigma/rules/

[sleepingbel]

all the rules are still in the directory /opt/so/rules/elastalert/playbook/

Nothing is backed up

I have now manually backed up to /nsm/backup/detections-migration/sigma/rules/ and deleted all rules from /opt/so/rules/elastalert/playbook/ . I will check if the alerts come back

[defensivedepth]

Can you review the soup logs? It should have backed those files up and removed them:

sudo grep -nr Playbook /root/soup.log

[sleepingbel]

Regarding the soup log there was no error registered

But I think that my manually backed up worked, the alerts are not comming back

sudo cp /opt/so/rules/elastalert/playbook/* /nsm/backup/detections-migration/sigma/rules/
sudo rm /opt/so/rules/elastalert/playbook/*

[sleepingbel]

So I need to tune my rules again.
but is it possible to add a column "author" in the soc - detections? because now you can not filter on author anymore this was possible in playbook
I was using only the rules of Florian Roth

[defensivedepth]

Yes, all of these fields are able to be set as GroupBy -

[defensivedepth]

@sleepingbel Did you enable any Playbook Plays after soup? Im just trying to understand why it didnt back them up.

[defensivedepth]

And soup was successful, no errors? Can you upload the entire soup log from one of the systems? Just a text file.

[sleepingbel]

Yes soup was succesfull, here is the log

soup.log

[sleepingbel]

Hey josh,

Did you find someting?

[defensivedepth]

No nothing yet.

[defensivedepth]

@sleepingbel Do you recall what version you did the initial install from?

[sleepingbel]

Yes the original install was 2.4.50Met vriendelijke groeten Bart Van Hees Met vriendelijke groeten Bart Van Hees Op 11 jun. 2024 om 12:25 heeft Josh Brower ***@***.***> het volgende geschreven: @sleepingbel Do you recall what version you did the initial install from? —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you were mentioned.Message ID: ***@***.***>

[defensivedepth]

How did you run soup? Interactively?

[sleepingbel]

Hey Josh,I aim not sure what you mean with interactively but I did a ssh to the server and entered the command sudo soup and waited until soup finished Met vriendelijke groeten Bart Van Hees Op 11 jun. 2024 om 13:56 heeft Josh Brower ***@***.***> het volgende geschreven: How did you run soup? Interactively? —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you were mentioned.Message ID: ***@***.***>

[defensivedepth]

Did you see this when you ran soup?

[defensivedepth]

And this?

[sleepingbel]

Did you see this when you ran soup?

I did not see this Josh, and I never disabled the playbook module

[sleepingbel]

And this?

This I have seen

[defensivedepth]

Thanks @sleepingbel !