Assistance Needed: Sigma Detection and Playbook Customization in Security Onion 2.4.110

[Chizan-Dolrocks]

Hello everyone,

I’m currently using Security Onion 2.4.110, and I’ve encountered a couple of issues while working with Sigma detection rules and playbooks. I’d appreciate your insights or guidance.

1. Sigma Detection Issue:

   • I’ve activated Sigma detection rules, and the corresponding datasource is available in Kibana.
   • Despite this, I’m not seeing any alerts generated, even though the playbook does detect some activity.

   Question: Is there an additional configuration or tuning required after enabling detection rules (e.g., mapping, thresholds, or other settings)?

2. Playbook Customization:

   • I’d like to modify playbooks for better prioritization or customization. For instance, I want to create a playbook where detections escalate from “Low” to “High.”

   Question: How can I modify existing playbooks or create new ones to implement such a flow?

Any suggestions, documentation links, or best practices are highly welcome!

Thank you in advance for your help!

Best regards,
Chireh MOHAMED

[defensivedepth]

Hello there - can you confirm what version you are on? Security Onion Playbook was deprecated & removed prior to 2.4.110.

[Chizan-Dolrocks]

currently it is at version 2.4.110

the details of the playbook is as follows :

N.B: The link is inaccessible

[Chizan-Dolrocks]

Hello, I still had the issue, how can I resolve it?

[Chizan-Dolrocks]

I got my answer and it was a problem related to the condition (the selection).