Hi again. After reading the documentation suggested by @nasbench and doing a few examples, I managed to create a playbook for Windows to send alerts when authentication fails. Now I'm trying to replicate it for Linux. I've tried several ways, and I still can't generate alerts. The Sigma playbook is converted into an Elasticsearch query. But for some reason I can't get this information from Kibana when I run the playbook and try to generate the alert. But if I put the result of the query into Kibana, I get the desired result. Two examples of the Sigma playbook:
And
I don't know what I'm missing here. I'd appreciate some insights/help.
Hi @Mav1814

This seems to be an issue in your mapping and conversion. You might be storing the Linux logs in a different index and you don't have the correct mapping to map the logsource :) So best take a look at that. And make sure that your manual query looks like the converted query.

Also, as a side note, the Sigma discussions here in this repo are related to discussion around Sigma rules and related ideas. If you have issues with conversion and you're using an open source backend, you can take it up there.
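To illustrate the logsource-to-index mapping the reply points at, here is a constructed backend configuration in the legacy sigmac YAML format (an added example, not from either participant and not from the Sigma project; the thread does not say which converter is in use, so the format is an assumption). Without a `logsources` entry that matches the rule's `product`/`service`, the converter falls back to `defaultindex`, and a correct-looking query is then run against an index that does not hold the Linux auth events, which is one way to get no alerts while the same query pasted into Kibana against the right index works. Index patterns and field names are placeholders.

```yaml
# Constructed example of a sigmac backend configuration (not from the discussion
# above). The `logsources` block ties a rule's `logsource` section to the
# Elasticsearch index the converted query has to be run against.
#
# A rule whose logsource section reads
#   logsource:
#     product: linux
#     service: auth
# matches the `linux_auth` entry below. Without a matching entry the converter
# uses `defaultindex`, so the query searches the wrong data and never fires.
title: Example Elasticsearch config for Linux auth logs
order: 20
backends:
  - es-qs
  - es-dsl

# Fallback index when no logsource entry matches (placeholder pattern).
defaultindex: logs-*

logsources:
  linux:
    product: linux
    index: linux-*            # placeholder: replace with your real index pattern
  linux_auth:
    product: linux
    service: auth
    index: linux-auth-*       # placeholder: the index that actually holds the auth events

fieldmappings:
  # Rule field (left) -> field name as it exists in the index (right).
  # Placeholders: use the field names you actually see in Kibana for these events.
  user: user.name
  host: host.hostname
```

When checking a conversion, compare the index pattern and field names in the generated query with what Kibana shows for one real failed-login event; a mismatch in either is the mapping problem the reply describes.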