Documentation update for Playbook #1535
Great work on the release of GA, it is a major achievement and things can only get even better from here. I fully understand that documentation is a never-ending task and I'm sure you're working on it, I just wanted to point out a few gaps I've discovered relating to Playbook as that is what I'm trying to learn at the moment. https://docs.securityonion.net/en/2.3/playbook.html

The section for Adding Additional Rulesets seems to be redundant as it appears that all rulesets are already being imported. The /opt/so/conf/soctopus/SOCtopus.conf file has nothing next to playbook_rulesets and seems to get overwritten when soctopus is restarted.

The documentation suggests that all of the pre-loaded plays rely on Sysmon/Osquery data but it appears there are a number of network plays as well. Is there any way to make it clear what data each play relies on? For example, say I don't have Osquery rolled out to all my hosts and I enable a play that relies on it; obviously that play will never trigger but I would never know.

Is it typical that people will check each and every rule before activating it? There are over 600 so I'm kind of inclined to just activate all of them for coverage but not sure if that is the preferred method.

In the Playbook page on SO 2.3 itself, if you go to Sigma Editor the link for documentation takes you to 2.0 (totally minor I know, just thought I'd point it out, perhaps make a dynamic reference to the SO version?).
Replies: 1 comment
hey there @greatapoc

I have updated the documentation based on what you posted. Please let me know if there is something else in particular that we need to get updated/documented. As you said, documentation is a never-ending task.

The current default plays rely only on Sysmon & Windows Eventlogs - you are seeing network Plays because Sysmon can generate network-related logs (Event ID 3). The Ruleset field on a Play corresponds to its top-level category from the community ruleset we pull from (https://github.com/Neo23x0/sigma/tree/master/rules) - currently just windows.

I have also created an issue for the docs link, thanks for pointing that out: #1552

Finally - please be aware of the performance implications of enabling large numbers of Plays (For each Play, elastalert is running an Elasticsearch query every 3 min): https://docs.securityonion.net/en/2.3/playbook.html#putting-a-play-into-production
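The question above ("what data does each play rely on?") and the reply's point that the Ruleset field only reflects the top-level folder of the community Sigma repo can both be answered from the rule text itself: every Sigma rule carries a `logsource` block (product/category/service) and, for Windows rules, usually an `EventID`. The script below is an added example, not code from Security Onion, SOCtopus or the Sigma project; it uses three constructed rules embedded inline and a deliberately minimal line-based parser (no PyYAML dependency) that assumes the common flat `logsource:` layout, so it reports which data source each play needs and how many plays would be silent if, say, Sysmon were not rolled out.

```python
import re
from collections import Counter

# Three constructed Sigma-style rules (illustrative only, not from the
# community ruleset). Field layout mirrors real rules.
SAMPLE_RULES = {
    "sysmon_net_conn.yml": """\
title: Suspicious Outbound Connection (constructed)
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 3
        DestinationPort: 4444
    condition: selection
level: medium
""",
    "sysmon_proc_create.yml": """\
title: Suspicious Process Creation (constructed)
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        EventID: 1
        Image|endswith: '\\whoami.exe'
    condition: selection
level: low
""",
    "zeek_dns.yml": """\
title: Long DNS Query (constructed)
logsource:
    product: zeek
    service: dns
detection:
    selection:
        query|re: '.{60,}'
    condition: selection
level: low
""",
}

# Generic Sigma categories and the concrete Windows event they map to
# (from Sigma's generic log source definitions); used only as a hint.
CATEGORY_HINT = {
    "process_creation": "Sysmon EventID 1 / Security 4688",
    "network_connection": "Sysmon EventID 3",
}

# Matches a single-valued EventID line; list-valued EventIDs are not handled.
EVENT_ID_RE = re.compile(r"^\s*EventID:\s*(\d+)\s*$", re.MULTILINE)


def logsource_of(rule_text):
    """Return the logsource mapping of a rule.

    Minimal parser: assumes 'logsource:' is followed by indented
    'key: value' lines and ends at the first dedent. Rules using YAML
    anchors or flow style would need a real YAML library instead.
    """
    fields, in_block = {}, False
    for line in rule_text.splitlines():
        if not in_block:
            in_block = line.strip() == "logsource:"
            continue
        if not line.strip() or not line.startswith((" ", "\t")):
            break
        key, _, value = line.strip().partition(":")
        fields[key.strip()] = value.strip()
    return fields


def event_ids_of(rule_text):
    """Sorted list of single-valued EventIDs found in the detection block."""
    return sorted({int(m) for m in EVENT_ID_RE.findall(rule_text)})


def data_dependency(rule_text):
    """Describe the data a rule needs: product/service or category plus EventIDs."""
    ls = logsource_of(rule_text)
    ids = event_ids_of(rule_text)
    source = ls.get("service") or ls.get("category") or "unknown"
    label = f"{ls.get('product', 'unknown')}/{source}"
    if ls.get("service") == "sysmon" and ids:
        label += " EventID " + ",".join(map(str, ids))
    return {
        "product": ls.get("product"),
        "service": ls.get("service"),
        "category": ls.get("category"),
        "event_ids": ids,
        "hint": CATEGORY_HINT.get(ls.get("category", ""), ""),
        "label": label,
    }


def summarize(rules):
    """Count rules per data source so coverage gaps become visible."""
    counts = Counter()
    for text in rules.values():
        counts[data_dependency(text)["label"]] += 1
    return counts


if __name__ == "__main__":
    for name, text in SAMPLE_RULES.items():
        dep = data_dependency(text)
        extra = f"  ({dep['hint']})" if dep["hint"] else ""
        print(f"{name}: {dep['label']}{extra}")
    print("Plays per data source:", dict(summarize(SAMPLE_RULES)))
```

Pointing `SAMPLE_RULES` at the real rule files (e.g. reading each `.yml` under the ruleset directory) gives a per-source count before enabling plays in bulk, which also keeps the elastalert query load mentioned above limited to plays whose data source is actually being shipped.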