Playbook custom filters #9947
-
|
Hello. I'm trying to figure out how to effectively tune Playbook plays. I've read the SO documentation on tuning plays, which briefly mentions adding a custom filter using the syntax "sofilter". I've tried this and I don't see a change in either the play detection behavior or in the Elasticalert query generated from the Sigma. Can anyone provide more detail or examples of how to effectively tune plays? Thanks. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 2 replies
-
|
Can you show us your play, along with the sofilter you're attempting to add to the play? |
Beta Was this translation helpful? Give feedback.
-
|
Hi @robbiemarshall, thanks for the reply. I think I may have figured out what I was doing wrong. I missed the part about adding the "sofilter" filter to the "Custom Filter" field. I was adding it directly to the sigma. I've updated a few rules and now see them in the ElastAlert config. Hopefully it will be reflected in my actual SO alerts. I'll reply with an update in either scenario. Thanks again. |
Beta Was this translation helpful? Give feedback.
-
|
Yes, this resolved the issue. |
Beta Was this translation helpful? Give feedback.
Hi @robbiemarshall, thanks for the reply.
I think I may have figured out what I was doing wrong. I missed the part about adding the "sofilter" filter to the "Custom Filter" field. I was adding it directly to the sigma. I've updated a few rules and now see them in the ElastAlert config. Hopefully it will be reflected in my actual SO alerts. I'll reply with an update in either scenario. Thanks again.