Sigma Playbooks
Initial installation of Security Onion - Sigma Playbooks
Source post with resolution - https://github.com/Security-Onion-Solutions/securityonion/discussions/11707
On a fresh install of Security Onion, all nodes show as running and in good condition, which is correct. The issue in my case was that the preconfigured Sigma playbooks did not download properly to the Security Onion manager node.
Note - I fixed the issue before writing this documentation, so treat the image below as blank, with no information shown for any Sigma playbook rules. It makes no difference whether you are logged into Playbooks as nobody or as an admin; nothing is displayed either way. The photo below shows rules downloaded while viewing from a non-logged-in user account. This interface should be accessible regardless, unless the container is offline.
To verify that the Playbooks container is running, run the following command on your Security Onion manager:
Command - sudo so-status
Expected output:
If, however, you see an error for the Playbooks container, check and verify the logs at the location below. Even if the container is still not running, the directory path given here should, in theory, still be present from the salt master output.
Location of log output - /opt/so/log/playbook/
Source - https://docs.securityonion.net/en/2.4/playbook.html#diagnostic-logging
Small screenshot for reference of a known good output:
After going through the logs, which presented nothing useful, I thought about how the data is sent and downloaded. I went to the Security Onion GitHub discussions, where someone mentioned the API links being missing, along with the integration for all the operating systems whose Sigma playbooks are downloaded by default.
Source of github - https://github.com/Security-Onion-Solutions/securityonion/discussions/11707
Deleting the value of the Automation API key for Playbooks in the salt master file /opt/so/saltstack/local/pillar/secrets.sls and then reloading Playbooks did obtain a new API key, but still no playbooks were downloading.
Expected screenshot before reloading the salt master for Sigma playbooks:
After running so-playbooks-reset, I was still not seeing any playbooks downloaded, as stated before.
I then moved on to the salt master configuration, where the initial configuration of which types of playbooks should be pulled from the API is defined.
Location of the salt master configuration for Sigma playbooks - /opt/so/saltstack/local/pillar/soctopus
After opening the configuration file, enter the following. Yours will most likely have a blank rulesets entry.
Location in Security onion Docs - https://docs.securityonion.net/en/2.4/playbook.html#adding-additional-rulesets
Input the following:
soctopus:
  enabled: true
  playbook:
    rulesets:
      - windows,application,category,cloud,compliance,linux,macos,network,web
Expected configuration:
Press the Esc key and type :wq to save the file.
Run the command below to restart the Playbooks container and apply the changes from the salt master to the salt minion:
sudo so-playbook-restart
Expected output, showing the changes applied properly:
Open your Security Onion Console and select Playbooks.
Sigma playbooks will slowly begin downloading and appearing in the Playbooks web interface, even if you are not signed in.
Photo below of all Sigma Playbooks rules (roughly 5498 at the time of this article):
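Because the root cause here was an empty rulesets list in the soctopus pillar, a quick pre-flight check of that file before restarting Playbooks saves a round trip. The script below is an added example written for this write-up; it is not code from the original page or from Security Onion. It assumes the pillar uses the layout shown above (a rulesets list under soctopus -> playbook) and accepts either a single comma-joined item or one ruleset per line. The two sample pillar files it creates are constructed for demonstration only; on a real manager you would point it at the actual .sls file in /opt/so/saltstack/local/pillar/soctopus.

```shell
#!/bin/sh
# Added example, not part of the original page or of Security Onion.
# Checks a soctopus pillar file for a non-empty "rulesets:" list, which is
# the setting that left Playbooks blank in the write-up above.

# Print the ruleset names declared under "rulesets:", one per line.
# Accepts "- a,b,c" (comma-joined, as on this page) and "- a" style items.
pillar_rulesets() {
    file="$1"
    awk '
        /^[[:space:]]*rulesets:/ { inlist = 1; next }
        inlist && /^[[:space:]]*-/ {
            sub(/^[[:space:]]*-[[:space:]]*/, "")
            n = split($0, parts, /[[:space:],]+/)
            for (i = 1; i <= n; i++) if (parts[i] != "") print parts[i]
            next
        }
        # Any other non-blank, non-item line ends the list.
        inlist && /^[[:space:]]*[^[:space:]-]/ { inlist = 0 }
    ' "$file"
}

# Return 0 when at least one ruleset is configured, 1 when the list is
# missing or empty (the state that produced no downloads).
check_playbook_pillar() {
    count=$(pillar_rulesets "$1" | wc -l | tr -d ' ')
    if [ "$count" -gt 0 ]; then
        echo "OK: $count ruleset(s) configured in $1"
        return 0
    fi
    echo "WARN: no rulesets configured in $1; Playbooks will have nothing to download"
    return 1
}

# Constructed sample pillars for demonstration: one blank (the failing
# state) and one with the rulesets entry from the write-up. Prints the
# temporary directory that holds them.
make_sample_pillars() {
    dir=$(mktemp -d)
    cat > "$dir/blank.sls" <<'EOF'
soctopus:
  enabled: true
  playbook:
    rulesets:
EOF
    cat > "$dir/fixed.sls" <<'EOF'
soctopus:
  enabled: true
  playbook:
    rulesets:
      - windows,application,category,cloud,compliance,linux,macos,network,web
EOF
    echo "$dir"
}

# Usage on the manager (hypothetical file name):
#   sh check_playbook_pillar.sh /opt/so/saltstack/local/pillar/soctopus/<file>.sls
if [ -n "${1:-}" ]; then
    check_playbook_pillar "$1"
fi
```

Run it against the pillar file you edited before running so-playbook-restart: a WARN line means the rulesets list is still empty and the restart will not pull anything down, while an OK line lists how many rulesets were parsed from the file.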