Merge pull request #13453 from Security-Onion-Solutions/cogburn/ai-summaries

Cogburn/ai summaries
2025-12-11 11:42:50 +01:00 · 2024-08-08 14:55:11 -06:00
parent 09f7329a21 c71b9f6e8f
commit 02c7de6b1a
3 changed files with 65 additions and 1 deletions
--- a/salt/soc/config.sls
+++ b/salt/soc/config.sls
@@ -90,7 +90,7 @@ filedetectionsbackup:

 crondetectionsruntime:
  cron.present:
-    - name: /usr/sbin/so-detections-runtime-status cron 
+    - name: /usr/sbin/so-detections-runtime-status cron
    - identifier: detections-runtime-status
    - user: root
    - minute: '*/10'
@@ -190,6 +190,13 @@ socsigmarepo:
    - group: 939
    - mode: 775

+socsensoronirepos:
+  file.directory:
+    - name: /opt/sensoroni/repos
+    - user: 939
+    - group: 939
+    - mode: 775
+
 {% else %}

 {{sls}}_state_not_allowed:
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1312,6 +1312,10 @@ soc:
        kratos:
          hostUrl:
        elastalertengine:
+          aiRepoUrl: https://github.com/Security-Onion-Solutions/securityonion-resources
+          aiRepoBranch: generated-summaries-stable
+          aiRepoPath: /opt/sensoroni/repos
+          showAiSummaries: true
          autoUpdateEnabled: true
          autoEnabledSigmaRules:
            default:
@@ -1391,6 +1395,10 @@ soc:
          userFiles:
            - rbac/users_roles
        strelkaengine:
+          aiRepoUrl: https://github.com/Security-Onion-Solutions/securityonion-resources
+          aiRepoBranch: generated-summaries-stable
+          aiRepoPath: /opt/sensoroni/repos
+          showAiSummaries: true
          autoEnabledYaraRules:
            - securityonion-yara
          autoUpdateEnabled: true
@@ -1412,6 +1420,10 @@ soc:
          stateFilePath: /opt/sensoroni/fingerprints/strelkaengine.state
          integrityCheckFrequencySeconds: 1200
        suricataengine:
+          aiRepoUrl: https://github.com/Security-Onion-Solutions/securityonion-resources
+          aiRepoBranch: generated-summaries-stable
+          aiRepoPath: /opt/sensoroni/repos
+          showAiSummaries: true
          autoUpdateEnabled: true
          communityRulesImportFrequencySeconds: 86400
          communityRulesImportErrorSeconds: 300
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -87,6 +87,21 @@ soc:
        global: True
      modules:
        elastalertengine:
+          aiRepoUrl:
+            description: URL to the AI repository. This is used to pull in AI models for use in ElastAlert rules.
+            global: True
+            advanced: True
+          aiRepoBranch:
+            description: The branch to pull from the AI repository. Leaving this blank will pull the default branch.
+            global: True
+            advanced: True
+          aiRepoPath:
+            description: Path to the AI repository. This is used to pull in AI models for use in ElastAlert rules.
+            global: True
+            advanced: True
+          showAiSummaries:
+            description: Show AI summaries for ElastAlert rules.
+            global: True
          additionalAlerters:
            title: Additional Alerters
            description: Specify additional alerters to enable for all Sigma rules, one alerter name per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. Note that the configuration parameters for these alerters must be provided in the ElastAlert configuration section. Filter for 'Alerter' to find this related setting. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key.
@@ -193,6 +208,21 @@ soc:
            advanced: True
            forcedType: int
        strelkaengine:
+          aiRepoUrl:
+            description: URL to the AI repository. This is used to pull in AI models for use in Strelka rules.
+            global: True
+            advanced: True
+          aiRepoBranch:
+            description: The branch to pull from the AI repository. Leaving this blank will pull the default branch.
+            global: True
+            advanced: True
+          aiRepoPath:
+            description: Path to the AI repository. This is used to pull in AI models for use in Strelka rules.
+            global: True
+            advanced: True
+          showAiSummaries:
+            description: Show AI summaries for Strelka rules.
+            global: True
          autoEnabledYaraRules:
            description: 'YARA rules to automatically enable on initial import. Format is $Ruleset - for example, for the default shipped ruleset: securityonion-yara'
            global: True
@@ -216,6 +246,21 @@ soc:
              helpLink: yara.html
            airgap: *serulesRepos
        suricataengine:
+          aiRepoUrl:
+            description: URL to the AI repository. This is used to pull in AI models for use in Suricata rules.
+            global: True
+            advanced: True
+          aiRepoBranch:
+            description: The branch to pull from the AI repository. Leaving this blank will pull the default branch.
+            global: True
+            advanced: True
+          aiRepoPath:
+            description: Path to the AI repository. This is used to pull in AI models for use in Suricata rules.
+            global: True
+            advanced: True
+          showAiSummaries:
+            description: Show AI summaries for Suricata rules.
+            global: True
          communityRulesImportFrequencySeconds:
            description: 'How often to check for new Suricata rules (in seconds).'
            global: True