Playbook Alerts #14213

Bigelow-Brown · 2025-02-11T15:07:59Z

Bigelow-Brown
Feb 11, 2025

• Security Onion version: 2.4.80
• Is this a cloud deployment or on-prem? On Prem w/internet access
• Did you install from our Security Onion ISO image or did you perform a network installation? I don’t know
• If network installation, what distro and version did you install on?
• How many nodes do you have? 1
• What are the hardware specs of each of those nodes? I don’t know
• How are each of those nodes configured? (ex. manager with 2 search nodes and 3 forward nodes)
• Are you experiencing issues monitoring network traffic? No
• Does so-status show all services running? Yes
• Do you get any failures when you run sudo salt-call state.highstate? No
• Does the SOC Grid page show any failures? No
• Explain your issue:

I just inherited a standalone install of Security Onion and I am new to the platform so bear with me… From what I have discovered playbook was replaced with Detections, however under Alerts I see several alerts have been triggered with event.module: playbook. If I try to click on the rule name, the Tune Detection option is greyed out, and if I try to find the alert in Detections they are not there. I can use the Tune Detection option for suricata alerts and I can see lots of suricata, yara, and sigma rules under Detections. Am I missing something here?

UPDATE I found the YAML files for these alerts on the server, can/should I edit those files to suppress/filter the alerts for false positives?

Answered by cm-ops

Feb 14, 2025

Check /nsm/backup/detections-migration/ to see if the rules were backed up in the upgrade to/past 2.4.70 that includes Detections. The old Playbook rules should have been backed up and removed.

View full answer

cm-ops · 2025-02-14T20:13:13Z

cm-ops
Feb 14, 2025
Maintainer

Check /nsm/backup/detections-migration/ to see if the rules were backed up in the upgrade to/past 2.4.70 that includes Detections. The old Playbook rules should have been backed up and removed.

2 replies

Bigelow-Brown Feb 14, 2025
Author

Thanks for the reply! It looks like the old rules were not backed up and removed. The /nsmbackup/detections-migration/sigma/rules folder is empty, and the /opt/so/rules/elastalert/playbook folder has all of the .yaml files in it still.

After seeing your response I found another thread where someone else had the same issue and manually backed up/removed the playbook files. Is this the best way forward?

sudo cp /opt/so/rules/elastalert/playbook/* /nsm/backup/detections-migration/sigma/rules/
sudo rm /opt/so/rules/elastalert/playbook/*

cm-ops Feb 19, 2025
Maintainer

It is, that is what the soup script pretty much did when upgraded to 2.4.70.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Playbook Alerts #14213

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Playbook Alerts #14213

Uh oh!

Uh oh!

Bigelow-Brown Feb 11, 2025

Replies: 1 comment · 2 replies

Uh oh!

cm-ops Feb 14, 2025 Maintainer

Uh oh!

Bigelow-Brown Feb 14, 2025 Author

Uh oh!

cm-ops Feb 19, 2025 Maintainer

Bigelow-Brown
Feb 11, 2025

Replies: 1 comment 2 replies

cm-ops
Feb 14, 2025
Maintainer

Bigelow-Brown Feb 14, 2025
Author

cm-ops Feb 19, 2025
Maintainer