How to move my Playbooks to detections

[nareshgarapati]

Version

2.4.190

Installation Method

Security Onion ISO image

Description

upgrading

Installation Type

Distributed

Location

airgap

Hardware Specs

Meets minimum requirements

CPU

4

RAM

16

Storage for /

250

Storage for /nsm

50

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

I upgraded distributed Airgap sec onion setup from version 2.4.2 to 2.4.190 . I understand that playbooks are moved to detections, How do i reinstate my playbook rules to detections, are they not migrated automatically. I dont see any alerts in my Dashboard after the upgrade.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

How many playbook rules did you have?

There was a migration in soup for 2.4.70. If you look in your /root/soup.log do you see playbook_migration occur?

[nareshgarapati]

No, i don't see them there; i tried to move my yaml files (backup) to /opt/so/rules/elastalert/rules; but it crashed the elastalert. There are other files in that folder

[cm-ops]

Okay, looking at the code, the old Playbook rules are backed up but not imported into Detections. You would probably want to recreate them in Detections. This location should have the old plays - /nsm/backup/detections-migration/elastalert/ the sigma rules should be in /nsm/backup/detections-migration/sigma/rules/.

The migration piece in soup - https://github.com/Security-Onion-Solutions/securityonion/blob/2.4/main/salt/manager/tools/sbin/soup#L1017-L1085

[nareshgarapati]

Thanks, Chris. Could you share any documentation or a help link on how to recreate playbooks within detections? Also, will they still be able to send alerts via email?

[cm-ops]

It is a manual process - https://docs.securityonion.net/en/2.4/sigma.html#adding-new-sigma-rules Add a new play, your playbook should be in yaml format already, keep the unique UUID that is generated when the template is created, and paste your playbool yaml into the new play. Adjust wording as necessary.

For email alerting, that is done with the Pro feature notifications - https://docs.securityonion.net/en/2.4/notifications.html