From b73eb76c948df22a819279a3575dd101c83f6dbc Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Tue, 7 Dec 2021 11:51:02 -0500
Subject: [PATCH 01/15] Make case module dynamic
---
 salt/soc/files/soc/soc.json | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index 02128fd3c..dbe8218c3 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -27,6 +27,8 @@
 {%- set ES_PASS = '' %}
 {%- endif %}
 {%- set ES_INDEX_PATTERNS = salt['pillar.get']('soc:es_index_patterns', '*:so-*') %}
+{%- set CASE_MODULE = salt['pillar.get']('soc:case_module', 'soc') %}
+{%- set GENERIC_CASE_CONFIG = salt['pillar.get']('soc:generic_case_config', '') %}
 {
 "logFilename": "/opt/sensoroni/logs/sensoroni-server.log",
 "server": {
@@ -57,9 +59,10 @@
 {%- endif %}
 "username": "{{ ES_USER }}",
 "password": "{{ ES_PASS }}",
- "index": "{{ ES_INDEX_PATTERNS }}",
+ "index": "{{ ES_INDEX_PATTERNS }}",
 "cacheMs": {{ ES_FIELDCAPS_CACHE }},
 "verifyCert": false,
+ "casesEnabled": {{ 'true' if CASEMODULE == 'soc' else 'false' }},
 "timeoutMs": {{ API_TIMEOUT }}
 },
 "influxdb": {
@@ -77,12 +80,22 @@
 "refreshIntervalMs": 30000,
 "offlineThresholdMs": 900000
 },
-{% if THEHIVEKEY != '' %}
+{% if CASEMODULE == 'thehive' and THEHIVEKEY != '' %}
 "thehive": {
 "hostUrl": "http://{{ MANAGERIP }}:9000/thehive",
 "key": "{{ THEHIVEKEY }}",
 "verifyCert": false
 },
+{% elif CASEMODULE == 'elasticcases' %}
+ "elasticcases": {
+ "hostUrl": "https://{{ MANAGERIP }}:5601",
+ "username": "{{ ES_USER }}",
+ "password": "{{ ES_PASS }}",
+ },
+{% elif CASEMODULE == 'generichttp' %}
+ "generichttp": {
+ {{ GENERIC_CASE_CONFIG }}
+ },
 {% endif %}
 "statickeyauth": {
 "anonymousCidr": "{{ DNET }}/24",
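Review bot: `CASEMODULE` on the added `casesEnabled` line is never defined — the first hunk sets the variable as `CASE_MODULE` — so the comparison runs against an undefined name and, depending on Salt's undefined handling, either renders `false` for the default `soc` module or aborts rendering. The same misspelling is used in the `{% if %}`/`{% elif %}` chain of the next hunk and in both `escalateRelatedEventsEnabled` lines of the two hunks that follow, so every case-module branch is dead until it is fixed; patch 12/15 in this series renames them. The line should read `"casesEnabled": {{ 'true' if CASE_MODULE == 'soc' else 'false' }},`.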
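Review bot: The `elasticcases` block ends with `"password": "{{ ES_PASS }}",` immediately followed by `},`, so when the pillar selects `elasticcases` the rendered soc.json contains a trailing comma and a strict JSON parser will reject the whole configuration; drop the comma so the line reads `"password": "{{ ES_PASS }}"`. The block is still carried unchanged as context in patch 12/15's hunk for this section. The `generichttp` branch interpolates `GENERIC_CASE_CONFIG` unescaped into the object body, so any pillar value that is not a well-formed list of members also produces an unparseable file; making the pillar value a mapping and emitting `"generichttp": {{ GENERIC_CASE_CONFIG | json }},` keeps rendering unable to produce invalid JSON. The `elasticcases` block also sends the Elasticsearch service credentials to the endpoint on port 5601 and, unlike the `thehive` block, sets no `verifyCert`; whether the consumer verifies the certificate by default is not visible here, so the intended value deserves to be stated explicitly.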
@@ -139,7 +152,8 @@
 "relativeTimeUnit": 30,
 "mostRecentlyUsedLimit": 5,
 "ackEnabled": false,
- "escalateEnabled": {{ 'true' if THEHIVEKEY != '' else 'false' }},
+ "escalateEnabled": true,
+ "escalateRelatedEventsEnabled": {{ 'true' if CASEMODULE == 'soc' else 'false' }},
 "eventFields": {{ hunt_eventfields | json }},
 "queryBaseFilter": "",
 "queryToggleFilters": [],
@@ -159,7 +173,8 @@
 "relativeTimeUnit": 30,
 "mostRecentlyUsedLimit": 5,
 "ackEnabled": true,
- "escalateEnabled": {{ 'true' if THEHIVEKEY != '' else 'false' }},
+ "escalateEnabled": true,
+ "escalateRelatedEventsEnabled": {{ 'true' if CASEMODULE == 'soc' else 'false' }},
 "eventFields": {{ alerts_eventfields | json }},
 "queryBaseFilter": "event.dataset:alert",
 "queryToggleFilters": [
From a9b7b9ee9222260845b8f220d7cadcce531e6f24 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 8 Dec 2021 17:41:48 -0500
Subject: [PATCH 02/15] Jinjafy case params
---
 salt/soc/files/soc/cases.eventfields.json | 3 ++
 salt/soc/files/soc/cases.queries.json | 5 +++
 salt/soc/files/soc/presets.category.json | 7 ++++
 salt/soc/files/soc/presets.pap.json | 9 ++++++
 salt/soc/files/soc/presets.severity.json | 9 ++++++
 salt/soc/files/soc/presets.tag.json | 8 +++++
 salt/soc/files/soc/presets.tlp.json | 9 ++++++
 salt/soc/files/soc/soc.json | 39 +++++++++++++++++++++--
 8 files changed, 87 insertions(+), 2 deletions(-)
 create mode 100644 salt/soc/files/soc/cases.eventfields.json
 create mode 100644 salt/soc/files/soc/cases.queries.json
 create mode 100644 salt/soc/files/soc/presets.category.json
 create mode 100644 salt/soc/files/soc/presets.pap.json
 create mode 100644 salt/soc/files/soc/presets.severity.json
 create mode 100644 salt/soc/files/soc/presets.tag.json
 create mode 100644 salt/soc/files/soc/presets.tlp.json
diff --git a/salt/soc/files/soc/cases.eventfields.json b/salt/soc/files/soc/cases.eventfields.json
new file mode 100644
index 000000000..901c34345
--- /dev/null
+++ b/salt/soc/files/soc/cases.eventfields.json
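Review bot: `"escalateEnabled": true` in both hunks replaces a value that was gated on `THEHIVEKEY`, so the escalate control is now advertised even when the case module is `thehive` and no key is configured — exactly the situation in which the preceding hunk emits no `thehive` block at all. If escalation is meant to be always available under the built-in `soc` module, the gate can be retained just for the external one: `"escalateEnabled": {{ 'false' if CASE_MODULE == 'thehive' and THEHIVEKEY == '' else 'true' }},`. How the client behaves when escalation is enabled with no backend section present is not visible in this diff.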
@@ -0,0 +1,3 @@
+{
+ "default": ["soc_timestamp", "case.title", "case.status", "case.severity", "case.createTime"]
+}
\ No newline at end of file
diff --git a/salt/soc/files/soc/cases.queries.json b/salt/soc/files/soc/cases.queries.json
new file mode 100644
index 000000000..f407d3ebe
--- /dev/null
+++ b/salt/soc/files/soc/cases.queries.json
@@ -0,0 +1,5 @@
+[
+ { "name": "New Cases", "query": "!case.status:closed" },
+ { "name": "Closed Cases", "query": "case.status:closed" },
+ { "name": "Templates", "query": "case.category:template" }
+]
\ No newline at end of file
diff --git a/salt/soc/files/soc/presets.category.json b/salt/soc/files/soc/presets.category.json
new file mode 100644
index 000000000..0f48a8e82
--- /dev/null
+++ b/salt/soc/files/soc/presets.category.json
@@ -0,0 +1,7 @@
+{
+ "labels": [
+ "General",
+ "Template"
+ ],
+ "customEnabled": true
+}
\ No newline at end of file
diff --git a/salt/soc/files/soc/presets.pap.json b/salt/soc/files/soc/presets.pap.json
new file mode 100644
index 000000000..f1e8570dd
--- /dev/null
+++ b/salt/soc/files/soc/presets.pap.json
@@ -0,0 +1,9 @@
+{
+ "labels": [
+ "White",
+ "Green",
+ "Amber",
+ "Red"
+ ],
+ "customEnabled": false
+}
\ No newline at end of file
diff --git a/salt/soc/files/soc/presets.severity.json b/salt/soc/files/soc/presets.severity.json
new file mode 100644
index 000000000..f04574787
--- /dev/null
+++ b/salt/soc/files/soc/presets.severity.json
@@ -0,0 +1,9 @@
+{
+ "labels": [
+ "Low",
+ "Medium",
+ "High",
+ "Critical"
+ ],
+ "customEnabled": false
+}
\ No newline at end of file
diff --git a/salt/soc/files/soc/presets.tag.json b/salt/soc/files/soc/presets.tag.json
new file mode 100644
index 000000000..545b513f8
--- /dev/null
+++ b/salt/soc/files/soc/presets.tag.json
@@ -0,0 +1,8 @@
+{
+ "labels": [
+ "false-positive",
+ "confirmed",
+ "pending"
+ ],
+ "customEnabled": true
+}
\ No newline at end of file
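Review bot: `case.category:template` in the Templates query is lower-case while presets.category.json in the same commit defines the label as `Template`; unless that field is indexed case-insensitively, the saved query will not match cases created from the preset, and the two status queries have the same problem against the capitalised status labels that patch 03/15 introduces. Use the preset spelling, `{ "name": "Templates", "query": "case.category:Template" }`, as patch 03/15 later does, and keep query values and preset labels in one place or one case to stop them drifting. None of the seven new JSON files end with a newline; adding one avoids the `\ No newline at end of file` churn on every later edit.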
diff --git a/salt/soc/files/soc/presets.tlp.json b/salt/soc/files/soc/presets.tlp.json
new file mode 100644
index 000000000..f1e8570dd
--- /dev/null
+++ b/salt/soc/files/soc/presets.tlp.json
@@ -0,0 +1,9 @@
+{
+ "labels": [
+ "White",
+ "Green",
+ "Amber",
+ "Red"
+ ],
+ "customEnabled": false
+}
\ No newline at end of file
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index dbe8218c3..92cb75329 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -18,6 +18,11 @@
 {%- import_json "soc/files/soc/hunt.eventfields.json" as hunt_eventfields %}
 {%- import_json "soc/files/soc/menu.actions.json" as menu_actions %}
 {%- import_json "soc/files/soc/tools.json" as tools %}
+{%- import_json "soc/files/soc/presets.category.json" as presets_category %}
+{%- import_json "soc/files/soc/presets.pap.json" as presets_pap %}
+{%- import_json "soc/files/soc/presets.severity.json" as presets_severity %}
+{%- import_json "soc/files/soc/presets.tag.json" as presets_tag %}
+{%- import_json "soc/files/soc/presets.tlp.json" as presets_tlp %}
 {%- set DNET = salt['pillar.get']('global:dockernet', '172.17.0.0') %}
 {%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
@@ -182,8 +187,38 @@
 { "name": "escalated", "filter": "event.escalated:true", "enabled": false, "exclusive": true, "enablesToggles":["acknowledged"] }
 ],
 "queries": {{ alerts_queries | json }},
- "actions": {{ menu_actions | json }}
- }
+ "actions": {{ menu_actions | json }}
+ },
+ "cases": {
+ "advanced": false,
+ "groupItemsPerPage": 50,
+ "groupFetchLimit": 100,
+ "eventItemsPerPage": 50,
+ "eventFetchLimit": 500,
+ "relativeTimeValue": 12,
+ "relativeTimeUnit": 60,
+ "mostRecentlyUsedLimit": 5,
+ "ackEnabled": false,
+ "escalateEnabled": false,
+ "escalateRelatedEventsEnabled": false,
+ "viewEnabled": true,
+ "eventFields": {{ cases_eventfields | json }},
+ "queryBaseFilter": "_index:so-case AND kind:case",
+ "queryToggleFilters": [
+ ],
+ "queries": {{ cases_queries | json }},
+ "actions": {{ menu_actions | json }}
+ },
+ "case": {
+ "mostRecentlyUsedLimit": 5,
+ "presets": {
+ "category": {{ presets_category | json }},
+ "pap": {{ presets_pap | json }},
+ "severity": {{ presets_severity | json }},
+ "tag": {{ presets_tag | json }},
+ "tlp": {{ presets_tlp | json }}
+ }
+ }
 }
 }
 }
From 2761662eb97c0a61e8df22d1e687c107e09fb21c Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Thu, 9 Dec 2021 13:09:56 -0500
Subject: [PATCH 03/15] Add status presets
---
 salt/soc/files/soc/cases.queries.json | 6 +++---
 salt/soc/files/soc/presets.status.json | 8 ++++++++
 salt/soc/files/soc/soc.json | 4 +++-
 3 files changed, 14 insertions(+), 4 deletions(-)
 create mode 100644 salt/soc/files/soc/presets.status.json
diff --git a/salt/soc/files/soc/cases.queries.json b/salt/soc/files/soc/cases.queries.json
index f407d3ebe..bec5f2f18 100644
--- a/salt/soc/files/soc/cases.queries.json
+++ b/salt/soc/files/soc/cases.queries.json
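Review bot: `cases_eventfields` and `cases_queries` are emitted with `| json` in the new `cases` section, but this commit's first hunk only adds `import_json` lines for the preset files, so both names are undefined at render time and soc.json either fails to render or is written with empty values after `"eventFields":` and `"queries":` (patch 13/15 adds the imports). Add them next to the other imports: `{%- import_json "soc/files/soc/cases.queries.json" as cases_queries %}` and `{%- import_json "soc/files/soc/cases.eventfields.json" as cases_eventfields %}`. As a style point, the empty `"queryToggleFilters": [` / `],` pair would read consistently with the hunt section's single-line `"queryToggleFilters": [],`.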
@@ -1,5 +1,5 @@
 [
- { "name": "New Cases", "query": "!case.status:closed" },
- { "name": "Closed Cases", "query": "case.status:closed" },
- { "name": "Templates", "query": "case.category:template" }
+ { "name": "New Cases", "query": "!case.status:Closed" },
+ { "name": "Closed Cases", "query": "case.status:Closed" },
+ { "name": "Templates", "query": "case.category:Template" }
 ]
\ No newline at end of file
diff --git a/salt/soc/files/soc/presets.status.json b/salt/soc/files/soc/presets.status.json
new file mode 100644
index 000000000..b8b3ca2a2
--- /dev/null
+++ b/salt/soc/files/soc/presets.status.json
@@ -0,0 +1,8 @@
+{
+ "labels": [
+ "New",
+ "In Progress",
+ "Closed",
+ ],
+ "customEnabled": false
+}
\ No newline at end of file
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index 92cb75329..1b64b7e6d 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -21,6 +21,7 @@
 {%- import_json "soc/files/soc/presets.category.json" as presets_category %}
 {%- import_json "soc/files/soc/presets.pap.json" as presets_pap %}
 {%- import_json "soc/files/soc/presets.severity.json" as presets_severity %}
+{%- import_json "soc/files/soc/presets.status.json" as presets_status %}
 {%- import_json "soc/files/soc/presets.tag.json" as presets_tag %}
 {%- import_json "soc/files/soc/presets.tlp.json" as presets_tlp %}
 {%- set DNET = salt['pillar.get']('global:dockernet', '172.17.0.0') %}
@@ -214,7 +215,8 @@
 "presets": {
 "category": {{ presets_category | json }},
 "pap": {{ presets_pap | json }},
- "severity": {{ presets_severity | json }},
+ "severity": {{ presets_severity | json }},
+ "status": {{ presets_status | json }},
 "tag": {{ presets_tag | json }},
 "tlp": {{ presets_tlp | json }}
 }
From 83d86aebb14cf7b9870751ff62ab9d3ae12898c7 Mon Sep 17 00:00:00 2001
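Review bot: `"Closed",` in the new presets.status.json is followed directly by `],`, so the file is not valid JSON and the `import_json` added for it in the same commit will fail when soc.json is rendered (patch 11/15 removes the comma). The last label should be `"Closed"` with no trailing comma, and a strict-parser check of the preset files before commit would catch this class of error. The `In Progress` label contains a space, so any future saved query on that status will need the value quoted; worth a note beside the queries in cases.queries.json.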
From: Jason Ertel
Date: Thu, 9 Dec 2021 15:04:00 -0500
Subject: [PATCH 04/15] Perform full email match
---
 salt/common/tools/sbin/so-user | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user
index cf9fc91c0..72b1b9a64 100755
--- a/salt/common/tools/sbin/so-user
+++ b/salt/common/tools/sbin/so-user
@@ -310,7 +310,7 @@ function listUsers() {
 users=$(echo "${response}" | jq -r ".[] | .verifiable_addresses[0].value" | sort)
 for user in $users; do
- roles=$(grep "$user" "$elasticRolesFile" | cut -d: -f1 | tr '\n' ' ')
+ roles=$(grep ":$user\$" "$elasticRolesFile" | cut -d: -f1 | tr '\n' ' ')
 echo "$user: $roles"
 done
 }
@@ -341,7 +341,7 @@ function adjustUserRole() {
 filename="$socRolesFile"
 hasRole=0
- grep "$role:" "$socRolesFile" | grep -q "$identityId" && hasRole=1
+ grep "^$role:" "$socRolesFile" | grep -q "$identityId" && hasRole=1
 if [[ "$op" == "add" ]]; then
 if [[ "$hasRole" == "1" ]]; then
 echo "User '$email' already has the role: $role"
From d4f395b7f4d154df0294652c3b5aee9e3f8e61af Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 15 Dec 2021 20:02:35 -0500
Subject: [PATCH 05/15] Fix query name for open cases
---
 salt/soc/files/soc/cases.queries.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/soc/files/soc/cases.queries.json b/salt/soc/files/soc/cases.queries.json
index bec5f2f18..ecc40fd76 100644
--- a/salt/soc/files/soc/cases.queries.json
+++ b/salt/soc/files/soc/cases.queries.json
@@ -1,5 +1,5 @@
 [
- { "name": "New Cases", "query": "!case.status:Closed" },
+ { "name": "Open Cases", "query": "!case.status:Closed" },
 { "name": "Closed Cases", "query": "case.status:Closed" },
 { "name": "Templates", "query": "case.category:Template" }
 ]
\ No newline at end of file
From b0d36f2ed23dad88f364ddb2a85c18a55ffa41f8 Mon Sep 17 00:00:00 2001
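Review bot: `grep ":$user\$"` still interprets the e-mail address as a basic regular expression, so `.` in the address matches any character and an address containing `[` or `*` yields a malformed pattern; the anchor fixes the substring over-match the commit targets but not the metacharacter problem. Since the intent is an exact match on the second field, an exact string comparison is the safer form, e.g. `roles=$(awk -F: -v u="$user" '$2 == u {print $1}' "$elasticRolesFile" | tr '\n' ' ')`, assuming one `role:email` pair per line as the anchored pattern itself implies. The same applies to `grep "^$role:"` in the second hunk, where `$role` arrives from the command line. Both `listUsers` and `adjustUserRole` begin outside their hunks.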
From: Jason Ertel
Date: Tue, 21 Dec 2021 13:38:35 -0500
Subject: [PATCH 06/15] Ensure update timestamp is updated when changing passwords; this ensures the sync will automatically follow
---
 salt/common/tools/sbin/so-user | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user
index 72b1b9a64..e47da4369 100755
--- a/salt/common/tools/sbin/so-user
+++ b/salt/common/tools/sbin/so-user
@@ -147,7 +147,7 @@ function updatePassword() {
 # Generate password hash
 passwordHash=$(hashPassword "$password")
 # Update DB with new hash
- echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB) where identity_id='${identityId}';" | sqlite3 "$databasePath"
+ echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB), updated_at=datetime('now') where identity_id='${identityId}';" | sqlite3 "$databasePath"
 [[ $? != 0 ]] && fail "Unable to update password"
 fi
 }
From ab3319b4729848d91f8059d7af8162fb4ab59251 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Mon, 27 Dec 2021 10:49:10 -0500
Subject: [PATCH 07/15] Add artifact support
---
 salt/soc/files/soc/soc.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index 1b64b7e6d..2531827d1 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -18,6 +18,7 @@
 {%- import_json "soc/files/soc/hunt.eventfields.json" as hunt_eventfields %}
 {%- import_json "soc/files/soc/menu.actions.json" as menu_actions %}
 {%- import_json "soc/files/soc/tools.json" as tools %}
+{%- import_json "soc/files/soc/presets.artifacttype.json" as presets_artifacttype %}
 {%- import_json "soc/files/soc/presets.category.json" as presets_category %}
 {%- import_json "soc/files/soc/presets.pap.json" as presets_pap %}
 {%- import_json "soc/files/soc/presets.severity.json" as presets_severity %}
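Review bot: The rewritten statement still builds SQL by interpolating `$passwordHash` and `$identityId` into the string piped to `sqlite3`; that is defensible only because the hash is produced locally by `hashPassword` on the line above and the id was looked up earlier in `updatePassword`, and that reliance deserves a comment so nobody later routes user-supplied text through the same line, e.g. `# SQL is built by interpolation: both values are generated/looked up locally, never user input`. `datetime('now')` writes a `YYYY-MM-DD HH:MM:SS` string, and whether the consumer of `updated_at` named in the subject parses that rather than the format the identity service itself writes is not visible here, so it is worth comparing against an existing row. `updatePassword` begins outside the hunk.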
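Review bot: `import_json "soc/files/soc/presets.artifacttype.json"` references a file that does not exist at this commit — it is added by patch 08/15 — so checking out this revision alone leaves soc.json unrenderable. Adding a data file and its import in the same commit keeps every revision buildable, and a render or strict-JSON check of the preset files in CI would also have caught the syntax errors corrected in patches 09–11.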
@@ -213,11 +214,12 @@
 "case": {
 "mostRecentlyUsedLimit": 5,
 "presets": {
+ "artifactType": {{ presets_artifacttype | json }},
 "category": {{ presets_category | json }},
 "pap": {{ presets_pap | json }},
 "severity": {{ presets_severity | json }},
 "status": {{ presets_status | json }},
- "tag": {{ presets_tag | json }},
+ "tags": {{ presets_tag | json }},
 "tlp": {{ presets_tlp | json }}
 }
 }
From 7140255d95cb7a8faf2ea329a0cd21e99ddf4d5b Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Mon, 27 Dec 2021 12:27:04 -0500
Subject: [PATCH 08/15] Add missing presets file
---
 salt/soc/files/soc/presets.artifacttype.json | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 salt/soc/files/soc/presets.artifacttype.json
diff --git a/salt/soc/files/soc/presets.artifacttype.json b/salt/soc/files/soc/presets.artifacttype.json
new file mode 100644
index 000000000..40e970882
--- /dev/null
+++ b/salt/soc/files/soc/presets.artifacttype.json
@@ -0,0 +1,20 @@
+"activityType": {
+ "labels": [
+ "autonomous-system",
+ "domain",
+ "file",
+ "filename",
+ "fqdn",
+ "hash",
+ "ip",
+ "mail",
+ "mail_subject",
+ "other",
+ "regexp",
+ "registry",
+ "uri_path",
+ "url",
+ "user-agent"
+ ],
+ "customEnabled": true
+},
From 789719d25e9ae1460a38c1a551306ebff2cd3b2b Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Mon, 27 Dec 2021 13:21:13 -0500
Subject: [PATCH 09/15] Correct preset file syntax
---
 salt/soc/files/soc/presets.artifacttype.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/soc/files/soc/presets.artifacttype.json b/salt/soc/files/soc/presets.artifacttype.json
index 40e970882..64b9ee05b 100644
--- a/salt/soc/files/soc/presets.artifacttype.json
+++ b/salt/soc/files/soc/presets.artifacttype.json
@@ -1,4 +1,4 @@
-"activityType": {
+{
 "labels": [
 "autonomous-system",
 "domain",
From 0a255e57657027e699ab8d5ff914bfd1a4584e10 Mon Sep 17 00:00:00 2001
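Review bot: The new presets.artifacttype.json is not a JSON document: it opens with a bare member `"activityType": {` instead of `{` and closes with `},`, so the `import_json` that patch 07/15 added for it cannot load the file (patches 09/15 and 10/15 correct the two lines). The wrapper key also disagrees with the `artifactType` key soc.json assigns the content to, which suggests the block was pasted from a larger document. Running each preset file through a strict parser before commit would have caught both this and the status preset's trailing comma.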
From: Jason Ertel
Date: Mon, 27 Dec 2021 15:15:33 -0500
Subject: [PATCH 10/15] Resolve syntax error
---
 salt/soc/files/soc/presets.artifacttype.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/soc/files/soc/presets.artifacttype.json b/salt/soc/files/soc/presets.artifacttype.json
index 64b9ee05b..4afa16c28 100644
--- a/salt/soc/files/soc/presets.artifacttype.json
+++ b/salt/soc/files/soc/presets.artifacttype.json
@@ -17,4 +17,4 @@
 "user-agent"
 ],
 "customEnabled": true
-},
+}
From ae7a4b65283d320c67f8aa19c32b15350a0b206d Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Mon, 27 Dec 2021 16:18:12 -0500
Subject: [PATCH 11/15] More syntax corrections
---
 salt/soc/files/soc/presets.status.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/soc/files/soc/presets.status.json b/salt/soc/files/soc/presets.status.json
index b8b3ca2a2..06bab7e94 100644
--- a/salt/soc/files/soc/presets.status.json
+++ b/salt/soc/files/soc/presets.status.json
@@ -2,7 +2,7 @@
 "labels": [
 "New",
 "In Progress",
- "Closed",
+ "Closed"
 ],
 "customEnabled": false
 }
\ No newline at end of file
From 09626deb05efdf8e192932069c920f49b259bbce Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Mon, 27 Dec 2021 18:01:15 -0500
Subject: [PATCH 12/15] Correct var names for jinja
---
 salt/soc/files/soc/soc.json | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index 2531827d1..76f78bf2c 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -69,7 +69,7 @@
 "index": "{{ ES_INDEX_PATTERNS }}",
 "cacheMs": {{ ES_FIELDCAPS_CACHE }},
 "verifyCert": false,
- "casesEnabled": {{ 'true' if CASEMODULE == 'soc' else 'false' }},
+ "casesEnabled": {{ 'true' if CASE_MODULE == 'soc' else 'false' }},
 "timeoutMs": {{ API_TIMEOUT }}
 },
 "influxdb": {
@@ -87,19 +87,19 @@
 "refreshIntervalMs": 30000,
 "offlineThresholdMs": 900000
 },
-{% if CASEMODULE == 'thehive' and THEHIVEKEY != '' %}
+{% if CASE_MODULE == 'thehive' and THEHIVEKEY != '' %}
 "thehive": {
 "hostUrl": "http://{{ MANAGERIP }}:9000/thehive",
 "key": "{{ THEHIVEKEY }}",
 "verifyCert": false
 },
-{% elif CASEMODULE == 'elasticcases' %}
+{% elif CASE_MODULE == 'elasticcases' %}
 "elasticcases": {
 "hostUrl": "https://{{ MANAGERIP }}:5601",
 "username": "{{ ES_USER }}",
 "password": "{{ ES_PASS }}",
 },
-{% elif CASEMODULE == 'generichttp' %}
+{% elif CASE_MODULE == 'generichttp' %}
 "generichttp": {
 {{ GENERIC_CASE_CONFIG }}
 },
@@ -160,7 +160,7 @@
 "mostRecentlyUsedLimit": 5,
 "ackEnabled": false,
 "escalateEnabled": true,
- "escalateRelatedEventsEnabled": {{ 'true' if CASEMODULE == 'soc' else 'false' }},
+ "escalateRelatedEventsEnabled": {{ 'true' if CASE_MODULE == 'soc' else 'false' }},
 "eventFields": {{ hunt_eventfields | json }},
 "queryBaseFilter": "",
 "queryToggleFilters": [],
@@ -181,7 +181,7 @@
 "mostRecentlyUsedLimit": 5,
 "ackEnabled": true,
 "escalateEnabled": true,
- "escalateRelatedEventsEnabled": {{ 'true' if CASEMODULE == 'soc' else 'false' }},
+ "escalateRelatedEventsEnabled": {{ 'true' if CASE_MODULE == 'soc' else 'false' }},
 "eventFields": {{ alerts_eventfields | json }},
 "queryBaseFilter": "event.dataset:alert",
 "queryToggleFilters": [
From 194e4119f07e3c20fce001eab5f3f53c35b56f18 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Mon, 27 Dec 2021 20:36:28 -0500
Subject: [PATCH 13/15] Correct missing json vars
---
 salt/soc/files/soc/cases.queries.json | 4 ++--
 salt/soc/files/soc/soc.json | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/salt/soc/files/soc/cases.queries.json b/salt/soc/files/soc/cases.queries.json
index ecc40fd76..6d49a89e1 100644
--- a/salt/soc/files/soc/cases.queries.json
+++ b/salt/soc/files/soc/cases.queries.json
@@ -1,5 +1,5 @@
 [
- { "name": "Open Cases", "query": "!case.status:Closed" },
- { "name": "Closed Cases", "query": "case.status:Closed" },
+ { "name": "Open Cases", "query": "!case.status:Closed AND !case.category:Template" },
+ { "name": "Closed Cases", "query": "case.status:Closed AND !case.category:Template" },
 { "name": "Templates", "query": "case.category:Template" }
 ]
\ No newline at end of file
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index 76f78bf2c..d35735f02 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -16,6 +16,8 @@
 {%- import_json "soc/files/soc/alerts.eventfields.json" as alerts_eventfields %}
 {%- import_json "soc/files/soc/hunt.queries.json" as hunt_queries %}
 {%- import_json "soc/files/soc/hunt.eventfields.json" as hunt_eventfields %}
+{%- import_json "soc/files/soc/cases.queries.json" as cases_queries %}
+{%- import_json "soc/files/soc/cases.eventfields.json" as cases_eventfields %}
 {%- import_json "soc/files/soc/menu.actions.json" as menu_actions %}
 {%- import_json "soc/files/soc/tools.json" as tools %}
 {%- import_json "soc/files/soc/presets.artifacttype.json" as presets_artifacttype %}
From f335670b3f395b1e1c4e4182114552672a2cdb8c Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Mon, 27 Dec 2021 21:53:30 -0500
Subject: [PATCH 14/15] Add new client-side param for cases
---
 salt/soc/files/soc/soc.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index d35735f02..068c19687 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -135,6 +135,7 @@
 "webSocketTimeoutMs": {{ WEBSOCKET_TIMEOUT }},
 "tipTimeoutMs": {{ TIP_TIMEOUT }},
 "cacheExpirationMs": {{ CACHE_EXPIRATION }},
+ "casesEnabled": {{ 'true' if CASE_MODULE == 'soc' else 'false' }},
 "inactiveTools": [
 {%- if PLAYBOOK == 0 %}
 "toolPlaybook",
From 5a4473ecd65c9f2371d3c9fe3e4078ff02632d26 Mon Sep 17 00:00:00 2001
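Review bot: The added client-side `casesEnabled` repeats the same Jinja expression already used for the server-side `casesEnabled` in patch 12/15's first hunk, so the two flags can silently diverge if only one is edited later. Evaluate it once next to the other pillar lookups, `{%- set CASES_ENABLED = 'true' if CASE_MODULE == 'soc' else 'false' %}`, and emit `"casesEnabled": {{ CASES_ENABLED }},` in both places; a one-line comment at the definition stating that the built-in case module is the only one with client-side case views would explain why the flag is tied to `soc` rather than to any configured module.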
From: Jason Ertel
Date: Tue, 28 Dec 2021 08:33:31 -0500
Subject: [PATCH 15/15] fix indent
---
 salt/soc/files/soc/soc.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index 068c19687..064a781df 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -68,7 +68,7 @@
 {%- endif %}
 "username": "{{ ES_USER }}",
 "password": "{{ ES_PASS }}",
- "index": "{{ ES_INDEX_PATTERNS }}",
+ "index": "{{ ES_INDEX_PATTERNS }}",
 "cacheMs": {{ ES_FIELDCAPS_CACHE }},
 "verifyCert": false,
 "casesEnabled": {{ 'true' if CASE_MODULE == 'soc' else 'false' }},