Playbook triggering incorrectly #9488
Replies: 1 comment 2 replies
What does the elastalert rule look like? It is more than likely a logsource mapping issue.
In my distributed SO env, the playbook 39 is always detected (1200+ hits in 1h).
The weird thing is that the playbook content and the actual logs are two completely different things.
Here is the log. It is an event log about adding a new root certificate to a machine (as highlighted):
And here is the sigma definition:
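To make the "logsource mapping issue" suggestion concrete, here is an added, self-contained illustration (not code from the thread, Security Onion, or Sigma itself). It uses a toy Sigma-style matcher with a hypothetical rule, a constructed logsource-to-field mapping, and constructed events; none of these are playbook 39 or the poster's logs. The point it shows is that a rule's `detection` selection is only meaningful once its `logsource` has been translated into concrete field constraints; if that step is skipped or mapped to the wrong channel, the same field names (`EventID`, `Image`) can match unrelated events such as a certificate-store change, producing exactly the kind of mismatch described above.

```python
"""Toy illustration of why a Sigma rule fires on unrelated logs when its
logsource is not mapped (or is mis-mapped) to concrete log fields.

Everything here is constructed for the example: the rule, the mapping table,
the channel names of the non-Sysmon events, and the events themselves.
"""

# Hypothetical rule (NOT playbook 39). The selection alone is broad: EventID 1
# means "process creation" only inside the Sysmon channel.
RULE = {
    "title": "Hypothetical certutil execution rule",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {"EventID": 1, "Image|endswith": "\\certutil.exe"},
        "condition": "selection",
    },
}

# Constructed stand-in for a backend's logsource mapping: the concrete field
# constraints that (product, category) must add before the selection is tested.
LOGSOURCE_MAP = {
    ("windows", "process_creation"): {
        "Channel": "Microsoft-Windows-Sysmon/Operational",
        "EventID": 1,
    },
}

# Constructed events. The certificate-store event deliberately shares field
# names and values with a Sysmon process-creation event.
SYSMON_CERTUTIL = {
    "Channel": "Microsoft-Windows-Sysmon/Operational",
    "EventID": 1,
    "Image": "C:\\Windows\\System32\\certutil.exe",
}
CERT_STORE_CHANGE = {
    "Channel": "Constructed-CertStore/Operational",  # constructed channel name
    "EventID": 1,
    "Image": "C:\\Windows\\System32\\certutil.exe",
    "Subject": "CN=Constructed Root CA",
}
SYSMON_NOTEPAD = {
    "Channel": "Microsoft-Windows-Sysmon/Operational",
    "EventID": 1,
    "Image": "C:\\Windows\\System32\\notepad.exe",
}
EVENTS = [SYSMON_CERTUTIL, CERT_STORE_CHANGE, SYSMON_NOTEPAD]


def _field_matches(event, key, expected):
    """Evaluate one Sigma-style 'field|modifier: value' pair against an event."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    if modifier == "endswith":
        return str(value).lower().endswith(str(expected).lower())
    if modifier == "contains":
        return str(expected).lower() in str(value).lower()
    if modifier:
        raise ValueError(f"unsupported modifier: {modifier}")
    return value == expected


def _all_match(event, constraints):
    return all(_field_matches(event, k, v) for k, v in constraints.items())


def logsource_constraints(rule):
    """Return the mapped field constraints for the rule's logsource, or None."""
    ls = rule["logsource"]
    return LOGSOURCE_MAP.get((ls.get("product"), ls.get("category")))


def matches(rule, event, enforce_logsource=True):
    """True if the event satisfies the rule. With enforce_logsource=False the
    logsource is ignored, which is the failure mode being illustrated."""
    if rule["detection"]["condition"] != "selection":
        raise ValueError("toy matcher supports 'condition: selection' only")
    if enforce_logsource:
        constraints = logsource_constraints(rule)
        if constraints is None:
            # Refusing to compile is safer than silently matching everything.
            raise ValueError("unmapped logsource; refusing to compile rule")
        if not _all_match(event, constraints):
            return False
    return _all_match(event, rule["detection"]["selection"])


def count_hits(rule, events, enforce_logsource=True):
    return sum(matches(rule, e, enforce_logsource) for e in events)


if __name__ == "__main__":
    print("hits with logsource enforced:", count_hits(RULE, EVENTS, True))
    print("hits with logsource ignored: ", count_hits(RULE, EVENTS, False))
```

With the mapping enforced only the Sysmon certutil event fires; with it ignored, the unrelated certificate-store event fires too. When a playbook produces hits whose content bears no resemblance to the rule, comparing the generated elastalert filter against the rule's `logsource` block is the first thing to check, which is what the reply above is pointing at.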