Documentation for so-rule #3354
-
|
I like the addition of the so-rule script. I see in the documentation here: https://docs.securityonion.net/en/2.3/managing-alerts.html#so-rule you go over the so-rule method for disabling an SID, and give the example for manually modifying a SID. Is it possible to include an example of how you would use the new so-rule script to modify a SID? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 2 replies
-
|
I've updated the documentation to include an example of modifying a SID: |
Beta Was this translation helpful? Give feedback.
-
|
I appreciate the addition. Are we able to do things like thresholding (or filtering my source IP for example) with this script? Or does all of that still need to be done manually? |
Beta Was this translation helpful? Give feedback.
-
|
Thresholding will still need to be done manually. |
Beta Was this translation helpful? Give feedback.
I've updated the documentation to include an example of modifying a SID:
https://docs.securityonion.net/en/2.3/managing-alerts.html#modify-the-sid