Playbook no longer generating alerts #8634
-
Hello, and thanks once again for the ABSOLUTELY TERRIFIC product that is Security Onion. I feel so much more in control of my networks than I ever have. Always room for more security, but this tool is indispensable. I am having trouble with Playbook; it is no longer alerting. I have gone through and disabled all of the rules that I previously created, figuring one of them must have broken it, but I have no idea where to start diagnosing. Can you point me toward a sound diagnostic path: Playbook logs, Playbook configuration file locations, and how to monitor Elastalert's interactions with Playbook? I'm sure I did something, but after a year and a half I still struggle with finding things in Docker and am a bit unclear on the /opt structure, when something should be in a pillar and when something should be in salt, and whether I should be looking in default vs local. I "kind of" understand it, but I spend a lot of time combing through /opt, so any newbie pointers would be great. Though not a total noob, I tend to work really hard at developing solutions vertically, and sometimes miss out on the base, horizontal knowledge. Thank you!
Replies: 5 comments 3 replies
-
Try running

sudo so-playbook-sync

on the manager. If it errors, there will be a 9-digit code directly above the "warning" statement. Go back into Playbook and add a "rule id" filter. Paste that 9-digit code into the filter box and press apply. This should show a single rule. That rule will have a syntax error in it. If that doesn't work, try deleting all the .yaml files in "/opt/so/rules/elastalert/playbook/", then run the sudo so-playbook-sync again. There is a third thing you can try, but I can't remember the exact command off the top of my head. It's a "so-playbook-" command and it recreates the play from the base Sigma rule. Background is that we have seen plays get written or updated with a syntax error and it can break the playbook update process. It causes things to stop working correctly until that bad file or rule is fixed. I'm working on trying to update the SO documentation with these steps, but haven't quite gotten it finished.
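The steps above can be scripted. The helper below is an added example for this page, not part of the thread and not Security Onion's own tooling. It assumes two things the thread states but that are not verified against the tool's source: that so-playbook-sync prints the offending play's 9-digit id on the line immediately above the line containing "warning", and that the exported plays under /opt/so/rules/elastalert/playbook/ carry the play id in their file name or body. The function names (find_bad_play_id, locate_play_file, check_yaml_syntax, triage_playbook_sync, demo) are mine, and the sync log and play files written by demo() are constructed samples, not real tool output. The YAML check uses PyYAML if it is installed and reports "unchecked" otherwise.

```shell
#!/usr/bin/env bash
# Added example, not Security Onion's own tooling. Assumptions (taken from the
# thread, not verified against so-playbook-sync itself):
#   - the sync prints the offending play's 9-digit id on the line directly
#     above a line containing "warning";
#   - plays are exported as .yaml files under /opt/so/rules/elastalert/playbook/
#     and carry the play id in the file name or body.
# The sample log and play files in demo() are constructed for illustration.

# Print the 9-digit id on the line immediately above the first "warning" line
# of a captured sync log ($1); print nothing if there is none.
find_bad_play_id() {
    awk 'tolower($0) ~ /warning/ {
             if (match(prev, /[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]/)) {
                 print substr(prev, RSTART, RLENGTH); exit
             }
         }
         { prev = $0 }' "$1"
}

# List play files in directory $2 whose file name or body contains play id $1.
locate_play_file() {
    for f in "$2"/*.yaml; do
        [ -e "$f" ] || continue
        case "$(basename "$f")" in
            *"$1"*) echo "$f"; continue ;;
        esac
        if grep -q -- "$1" "$f"; then echo "$f"; fi
    done
    return 0
}

# Parse a play (or a Sigma rule) as YAML with PyYAML.
# Returns 0 = parses, 1 = parse error, 2 = PyYAML missing, nothing checked.
check_yaml_syntax() {
    python3 -c 'import yaml' 2>/dev/null || return 2
    python3 - "$1" <<'PY'
import sys, yaml
try:
    with open(sys.argv[1]) as fh:
        yaml.safe_load(fh)
except yaml.YAMLError as exc:
    print("YAML error in %s: %s" % (sys.argv[1], exc), file=sys.stderr)
    sys.exit(1)
PY
}

# Full triage: $1 = captured output of `sudo so-playbook-sync`, $2 = play dir.
triage_playbook_sync() {
    id=$(find_bad_play_id "$1")
    if [ -z "$id" ]; then
        echo "no 9-digit play id found above a warning line in $1" >&2
        return 1
    fi
    echo "offending play id: $id (filter Playbook on this id to open the play)"
    locate_play_file "$id" "$2" | while read -r f; do
        rc=0
        check_yaml_syntax "$f" || rc=$?
        case "$rc" in
            0) echo "  $f: YAML parses; the syntax error is probably in the Sigma itself" ;;
            1) echo "  $f: YAML does not parse; fix or delete this file and re-run the sync" ;;
            *) echo "  $f: found, but PyYAML is not installed so it was not parsed" ;;
        esac
    done
}

# Offline demonstration with constructed data (no manager, no sudo needed).
demo() {
    dir=$(mktemp -d)
    cat > "$dir/sync.log" <<'EOF'
Syncing plays from Playbook...
Converting play 123456789: unexpected token in detection block
WARNING: play skipped, fix the rule and re-run the sync
Converting play 987654321: ok
EOF
    # 123456789.yaml has an unterminated flow mapping; 987654321.yaml is fine.
    printf 'name: bad play\nfilter:\n  - query:\n      query_string: {query: "event.code:4688"\n' > "$dir/123456789.yaml"
    printf 'name: good play\nfilter:\n  - query:\n      query_string: {query: "event.code:4624"}\n' > "$dir/987654321.yaml"
    triage_playbook_sync "$dir/sync.log" "$dir"
    rm -rf "$dir"
}

demo
```

On a real manager you would capture the sync output first (for example `sudo so-playbook-sync 2>&1 | tee /tmp/sync.log`) and then call `triage_playbook_sync /tmp/sync.log /opt/so/rules/elastalert/playbook`. The same `check_yaml_syntax` function can be pointed at a Sigma rule file before it is pasted into Playbook. The caveat is that a file that parses as YAML can still fail Sigma-to-Elastalert conversion, so the converter in Playbook's create-new-rule dialog remains the authoritative check; this script only narrows down which file to look at.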
-
The custom rule creation process has a checker. You click the create new rule at the top. This opens a window with two boxes: Sigma on the left, then click convert and it will either show an error or the Elastalert output on the right.
Bill
On Thu, Sep 1, 2022, 08:36 mskarshinski wrote:
I think I'm good, I was searching RuleID instead of PlayID; I'm finding the missing configs now. Would still love to know if there is a way I can syntax check my Sigma.
-
Just editing an existing play does not check for syntax. Cutting and pasting between the create new and the play edit is the best method I have found.
Bill
On Thu, Sep 1, 2022, 11:18 mskarshinski wrote:
Thanks Bill, I think I'm running into problems when I later edit the rules. Can I check from the edit screen? I don't see an option, but I may be blind.
-
Thanks Bill, I think I'm good; plays are working again. I am still getting errors on some of the community plays, but I don't really have time to trace through them right now. I'm assuming maybe syntax changes have broken some of the older plays. Will circle back to this at some point. Thanks for your help!
-
Welcome!