Is something similar or newer than 'Playbooks' coming up on an update post Security Onion 2.4.80?

[bouncebackbrownie]

I was using Security Onion Version 2.4.60 for my labs of preparing Cloud SOC on AWS. I was making a report for a playbook-based detection experiment for some days at the end of last month (June 2024). Around that period, I was notified that a new version of Security Onion had been released a version 2.4.80.

I already had a snapshot of version 2.4.60, so I went ahead and updated it. However, I was surprised to see that the Tools → Playbook section has been removed!

I went through the documentation at #https://blog.securityonion.net/2024/06/security-onion-2480-now-available.html to see that playbooks has been removed in preparation for the new 'detection' module. Can someone clarify more on this, whether my knowledge and experiments would be useful in future now that 'Playbooks' have been removed?

I found this alert detection feature very useful always. Any news of it coming back, or what shall we need to be prepared of to upskill on our 'detection-engineering' skills?

[kawaiipantsu]

You should take a look at the following:
#12905

Or TL;DR just click here: https://www.youtube.com/watch?v=oxR4q53N6OI
(Sneak Peek: New Detections Feature coming in Security Onion 2.4.70!)

I'm guessing even though it says 2.4.70 that it's what your after their new "Detection" feature.
If you want to read up on 2.4.80 you can do so here, they have updated the "Detection" even more.
https://blog.securityonion.net/2024/06/security-onion-2480-now-available.html
(Security Onion 2.4.80 now available including improvements to our new Detections interface and much more!)

PS. IMO - Detection looks pretty neat. Even though I was also happy with playbooks UI (when i finally found out how to use it), but it took some real long and dinky learning curve for me to use properly :) Hopefully the new Detection solution is going to be perfect.

[bouncebackbrownie]

Thank you for sharing these details and resources @kawaiipantsu ! I have completed my detection engineering projects as of now, will need to start playing around with 'detections' after some time I guess :)

[Carlos-mb]

Hi @bouncebackbrownie

I'm new in SO too and I eared about playbook. I understood that it was able to do actions (like send an email) when an alert is created. Now, in Detections feature, I'm not able to find something similar.

You told something about "alert detection feature". Was it a functionality similar to that I say. If so, Is it possible thand the new Detections Feature has less features than old Playbook?

I'll thank so much your opinion because I'm trying to learn SO and it's being very hard to me because of outdated information in the net.

Thanks!

[TOoSmOotH]

Detections is a replacement for playbook. The original playbook was using redmine and was held together with a bunch of shell scripts. Playbook was basically a crude front end for converting sigma to elastalert. Detections pulled all of that into SOC so it can be tightly integrated. As you can see from #5867 email alerts were never supported in playbook. You can manually configure elastalert to send emails just like in 2.3 and earlier versions of 2.4. We introduced a pro feature that can do that for you and also adds support for other alerters that never worked under 2.3 or 2.4.(also some cool stuff coming in 100 for pro users using notifications) If you want to do this manually just drop your rules into the elastalert custom directory. These rules will have to be managed outside of detections. For rules you don't want notified on you can use detections.

[bouncebackbrownie]

Hello @Carlos-mb @TOoSmOotH , I never really played with the email alert feature. I did enjoy playing around with SIGMA rules to create custom alerts, but I am yet to explore the new 'Detections' feature due to a lack of time. I am looking forward to it!

[Carlos-mb]

I see that I have to investigate elastalert.

Thank you.