From fc896049823685ad15a564a2832c353ab2dc6c29 Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Tue, 6 Aug 2024 11:23:00 -0600
Subject: [PATCH 1/7] New Config Values/Annotations for Ai Summaries
Each engine pulls the same repo into the same location and shows the summaries. Which repo and where to keep them is advanced, but turning AI summaries on or off is not.
---
 salt/soc/defaults.yaml | 9 +++++++++
 salt/soc/soc_soc.yaml | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index b9cd3148d..2fac7dbb6 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1312,6 +1312,9 @@ soc:
 kratos:
 hostUrl:
 elastalertengine:
+ aiRepoUrl: https://github.com/Security-Onion-Solutions/securityonion-resources
+ aiRepoPath: /opt/sensoroni/repos
+ showAiSummaries: true
 autoUpdateEnabled: true
 autoEnabledSigmaRules:
 default:
@@ -1391,6 +1394,9 @@ soc:
 userFiles:
 - rbac/users_roles
 strelkaengine:
+ aiRepoUrl: https://github.com/Security-Onion-Solutions/securityonion-resources
+ aiRepoPath: /opt/sensoroni/repos
+ showAiSummaries: true
 autoEnabledYaraRules:
 - securityonion-yara
 autoUpdateEnabled: true
@@ -1412,6 +1418,9 @@ soc:
 stateFilePath: /opt/sensoroni/fingerprints/strelkaengine.state
 integrityCheckFrequencySeconds: 1200
 suricataengine:
+ aiRepoUrl: https://github.com/Security-Onion-Solutions/securityonion-resources
+ aiRepoPath: /opt/sensoroni/repos
+ showAiSummaries: true
 autoUpdateEnabled: true
 communityRulesImportFrequencySeconds: 86400
 communityRulesImportErrorSeconds: 300
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index da0f5de99..9ab329438 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
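Review bot: The three new `aiRepoUrl`/`aiRepoPath`/`showAiSummaries` stanzas (the elastalertengine, strelkaengine and suricataengine hunks of defaults.yaml) are independent copies of the same values, while the commit message states that every engine checks the repository out into the same `/opt/sensoroni/repos`; nothing in the config ties the three copies together, so an operator who repoints one engine (for example at an internal mirror) leaves the other two cloning the upstream repository into the same directory. How the engines reconcile a shared checkout is not visible here, so at minimum each stanza should say the values must agree, e.g. `# aiRepoUrl/aiRepoPath are shared by all detection engines; keep them identical`. `showAiSummaries: true` also means the clone of a remote public repository happens by default; if the fetched summaries are rendered to analysts as-is, the consumer should treat that content as untrusted data rather than trusted markup.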
@@ -87,6 +87,17 @@ soc:
 global: True
 modules:
 elastalertengine:
+ aiRepoUrl:
+ description: URL to the AI repository. This is used to pull in AI models for use in ElastAlert rules.
+ global: True
+ advanced: True
+ aiRepoPath:
+ description: Path to the AI repository. This is used to pull in AI models for use in ElastAlert rules.
+ global: True
+ advanced: True
+ showAiSummaries:
+ description: Show AI summaries for ElastAlert rules.
+ global: True
 additionalAlerters:
 title: Additional Alerters
 description: Specify additional alerters to enable for all Sigma rules, one alerter name per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. Note that the configuration parameters for these alerters must be provided in the ElastAlert configuration section. Filter for 'Alerter' to find this related setting. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key.
@@ -193,6 +204,17 @@ soc:
 advanced: True
 forcedType: int
 strelkaengine:
+ aiRepoUrl:
+ description: URL to the AI repository. This is used to pull in AI models for use in ElastAlert rules.
+ global: True
+ advanced: True
+ aiRepoPath:
+ description: Path to the AI repository. This is used to pull in AI models for use in ElastAlert rules.
+ global: True
+ advanced: True
+ showAiSummaries:
+ description: Show AI summaries for ElastAlert rules.
+ global: True
 autoEnabledYaraRules:
 description: 'YARA rules to automatically enable on initial import. Format is $Ruleset - for example, for the default shipped ruleset: securityonion-yara'
 global: True
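Review bot: The descriptions for `aiRepoUrl` and `aiRepoPath` say the repository "is used to pull in AI models", but the commit message and the `showAiSummaries` key describe a repository of generated rule summaries, not models, so an operator reading the setting gets the wrong idea about what is downloaded onto the manager. Suggest `description: URL of the git repository that holds the AI-generated rule summaries.` and `description: Local directory the AI summary repository is cloned into.`; the same wording appears in the strelkaengine hunk of this file, in the suricataengine hunk that follows, and survives the copy-paste fix in PATCH 7/7. The neighbouring rules-repository settings carry an `airgap: *serulesRepos` annotation (visible as context in the suricataengine hunk), while the new GitHub-hosted `aiRepoUrl` has none; worth confirming whether airgapped installs need equivalent guidance for this setting.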
@@ -216,6 +238,17 @@ soc:
 helpLink: yara.html
 airgap: *serulesRepos
 suricataengine:
+ aiRepoUrl:
+ description: URL to the AI repository. This is used to pull in AI models for use in Suricata rules.
+ global: True
+ advanced: True
+ aiRepoPath:
+ description: Path to the AI repository. This is used to pull in AI models for use in Suricata rules.
+ global: True
+ advanced: True
+ showAiSummaries:
+ description: Show AI summaries for Suricata rules.
+ global: True
 communityRulesImportFrequencySeconds:
 description: 'How often to check for new Suricata rules (in seconds).'
 global: True
From ccd7d863022e8e71b3cc2d05739de4eefea55b86 Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Thu, 8 Aug 2024 10:46:41 -0600
Subject: [PATCH 2/7] More AI Summaries Config/Annotations
Added aiRepoBranch to all 3 detection engines. Added showUnreviewedAiSummaries to client parameters. Added annotations.
---
 salt/soc/defaults.yaml | 4 ++++
 salt/soc/soc_soc.yaml | 15 +++++++++++++++
 2 files changed, 19 insertions(+)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 2fac7dbb6..67add3456 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1313,6 +1313,7 @@ soc:
 hostUrl:
 elastalertengine:
 aiRepoUrl: https://github.com/Security-Onion-Solutions/securityonion-resources
+ aiRepoBranch: generated-summaries
 aiRepoPath: /opt/sensoroni/repos
 showAiSummaries: true
 autoUpdateEnabled: true
@@ -1395,6 +1396,7 @@ soc:
 - rbac/users_roles
 strelkaengine:
 aiRepoUrl: https://github.com/Security-Onion-Solutions/securityonion-resources
+ aiRepoBranch: generated-summaries
 aiRepoPath: /opt/sensoroni/repos
 showAiSummaries: true
 autoEnabledYaraRules:
@@ -1419,6 +1421,7 @@ soc:
 integrityCheckFrequencySeconds: 1200
 suricataengine:
 aiRepoUrl: https://github.com/Security-Onion-Solutions/securityonion-resources
+ aiRepoBranch: generated-summaries
 aiRepoPath: /opt/sensoroni/repos
 showAiSummaries: true
 autoUpdateEnabled: true
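Review bot: `aiRepoBranch: generated-summaries` in the PATCH 2/7 defaults.yaml hunks pins each engine to a moving branch name rather than a fixed revision, so the summaries shown to analysts can change on any pull without a Security Onion upgrade; the same applies to the strelkaengine and suricataengine hunks of that patch, and the value is renamed again in PATCH 5/7 and 6/7. Whether the pull verifies anything about what it fetched (a tag, a commit, a signature) is not visible in this series. If it does not, the annotation for this setting should say so, e.g. extend it to `description: The branch to pull from the AI repository. Leaving this blank will pull the default branch. Content is taken from the branch head, so it changes whenever upstream updates the branch.`, and the maintainers should consider whether a pinned ref is the safer default.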
@@ -2261,6 +2264,7 @@ soc:
 query: "_exists_:so_detection.overrides | groupby so_detection.language | groupby so_detection.ruleset so_detection.isEnabled"
 description: Show Detections that have Overrides
 detection:
+ showUnreviewedAiSummaries: false
 presets:
 severity:
 customEnabled: false
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 9ab329438..719ac7b7c 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -91,6 +91,10 @@ soc:
 description: URL to the AI repository. This is used to pull in AI models for use in ElastAlert rules.
 global: True
 advanced: True
+ aiRepoBranch:
+ description: The branch to pull from the AI repository. Leaving this blank will pull the default branch.
+ global: True
+ advanced: True
 aiRepoPath:
 description: Path to the AI repository. This is used to pull in AI models for use in ElastAlert rules.
 global: True
@@ -208,6 +212,10 @@ soc:
 description: URL to the AI repository. This is used to pull in AI models for use in ElastAlert rules.
 global: True
 advanced: True
+ aiRepoBranch:
+ description: The branch to pull from the AI repository. Leaving this blank will pull the default branch.
+ global: True
+ advanced: True
 aiRepoPath:
 description: Path to the AI repository. This is used to pull in AI models for use in ElastAlert rules.
 global: True
@@ -242,6 +250,10 @@ soc:
 description: URL to the AI repository. This is used to pull in AI models for use in Suricata rules.
 global: True
 advanced: True
+ aiRepoBranch:
+ description: The branch to pull from the AI repository. Leaving this blank will pull the default branch.
+ global: True
+ advanced: True
 aiRepoPath:
 description: Path to the AI repository. This is used to pull in AI models for use in Suricata rules.
 global: True
@@ -345,6 +357,9 @@ soc:
 dashboards: *appSettings
 detections: *appSettings
 detection:
+ showUnreviewedAiSummaries:
+ description: Show AI summaries in detections even if they have not yet been reviewed by a human.
+ global: True
 templateDetections:
 suricata:
 description: The template used when creating a new Suricata detection. [publicId] will be replaced with an unused Public Id.
From 712f904c433718196fc6883c615fbb24133e0126 Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Thu, 8 Aug 2024 10:57:07 -0600
Subject: [PATCH 3/7] Config for Repo Folder
The folder we checkout the AI Summary repo into should definitely exist.
---
 salt/soc/config.sls | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/salt/soc/config.sls b/salt/soc/config.sls
index 8d1f0f694..23f08014c 100644
--- a/salt/soc/config.sls
+++ b/salt/soc/config.sls
@@ -90,7 +90,7 @@ filedetectionsbackup:
 crondetectionsruntime:
 cron.present:
- - name: /usr/sbin/so-detections-runtime-status cron
+ - name: /usr/sbin/so-detections-runtime-status cron
 - identifier: detections-runtime-status
 - user: root
 - minute: '*/10'
@@ -190,6 +190,13 @@ socsigmarepo:
 - group: 939
 - mode: 775
+socsensoronirepos:
+ file.directory:
+ - name: /opt/sensoroni/repos
+ - user: 939
+ - group: 939
+ - mode: 775
+
 {% else %}
 {{sls}}_state_not_allowed:
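Review bot: The new `socsensoronirepos` state in config.sls hard-codes `/opt/sensoroni/repos`, while the same path is an advanced, user-editable `aiRepoPath` setting in defaults.yaml; an operator who changes that setting gets no state creating or permissioning the new directory, and the old one stays behind with group-write for gid 939. If this sls already renders values from the merged SOC config (not visible in the hunk), derive `- name:` from that value; otherwise add `# Must match aiRepoPath in salt/soc/defaults.yaml` above `- name: /opt/sensoroni/repos`. `- mode: 775` mirrors the `socsigmarepo` state just above it and works because Salt normalizes the integer, but an unquoted mode is an integer to the YAML parser before Salt sees it, so `- mode: '0775'` would avoid the leading-zero octal trap if the value is ever edited. The first hunk's change to the cron `- name:` line shows no visible difference (presumably trailing whitespace) and is unrelated to the folder this patch adds.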
@@ -2264,7 +2264,6 @@ soc:
 query: "_exists_:so_detection.overrides | groupby so_detection.language | groupby so_detection.ruleset so_detection.isEnabled"
 description: Show Detections that have Overrides
 detection:
- showUnreviewedAiSummaries: false
 presets:
 severity:
 customEnabled: false
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 719ac7b7c..dd2f42a3e 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -357,9 +357,6 @@ soc:
 dashboards: *appSettings
 detections: *appSettings
 detection:
- showUnreviewedAiSummaries:
- description: Show AI summaries in detections even if they have not yet been reviewed by a human.
- global: True
 templateDetections:
 suricata:
 description: The template used when creating a new Suricata detection. [publicId] will be replaced with an unused Public Id.
From 5ee15c8b41e49bb361086840b5733a597ad3f766 Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Thu, 8 Aug 2024 12:00:07 -0600
Subject: [PATCH 5/7] Tweak value
---
 salt/soc/defaults.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 2640b4bb8..b38ebf856 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1313,7 +1313,7 @@ soc:
 hostUrl:
 elastalertengine:
 aiRepoUrl: https://github.com/Security-Onion-Solutions/securityonion-resources
- aiRepoBranch: generated-summaries
+ aiRepoBranch: final-summaries
 aiRepoPath: /opt/sensoroni/repos
 showAiSummaries: true
 autoUpdateEnabled: true
@@ -1396,7 +1396,7 @@ soc:
 - rbac/users_roles
 strelkaengine:
 aiRepoUrl: https://github.com/Security-Onion-Solutions/securityonion-resources
- aiRepoBranch: generated-summaries
+ aiRepoBranch: final-summaries
 aiRepoPath: /opt/sensoroni/repos
 showAiSummaries: true
 autoEnabledYaraRules:
@@ -1421,7 +1421,7 @@ soc:
 integrityCheckFrequencySeconds: 1200
 suricataengine:
 aiRepoUrl: https://github.com/Security-Onion-Solutions/securityonion-resources
- aiRepoBranch: generated-summaries
+ aiRepoBranch: final-summaries
 aiRepoPath: /opt/sensoroni/repos
 showAiSummaries: true
 autoUpdateEnabled: true
From 8c1feccbe01d1a6e4e822da85d0920466411473b Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Thu, 8 Aug 2024 12:53:51 -0600
Subject: [PATCH 6/7] Tweak value
---
 salt/soc/defaults.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index b38ebf856..dd3ea4374 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1313,7 +1313,7 @@ soc:
 hostUrl:
 elastalertengine:
 aiRepoUrl: https://github.com/Security-Onion-Solutions/securityonion-resources
- aiRepoBranch: final-summaries
+ aiRepoBranch: generated-summaries-stable
 aiRepoPath: /opt/sensoroni/repos
 showAiSummaries: true
 autoUpdateEnabled: true
@@ -1396,7 +1396,7 @@ soc:
 - rbac/users_roles
 strelkaengine:
 aiRepoUrl: https://github.com/Security-Onion-Solutions/securityonion-resources
- aiRepoBranch: final-summaries
+ aiRepoBranch: generated-summaries-stable
 aiRepoPath: /opt/sensoroni/repos
 showAiSummaries: true
 autoEnabledYaraRules:
@@ -1421,7 +1421,7 @@ soc:
 integrityCheckFrequencySeconds: 1200
 suricataengine:
 aiRepoUrl: https://github.com/Security-Onion-Solutions/securityonion-resources
- aiRepoBranch: final-summaries
+ aiRepoBranch: generated-summaries-stable
 aiRepoPath: /opt/sensoroni/repos
 showAiSummaries: true
 autoUpdateEnabled: true
From c71b9f6e8f4dd4516310168f047ac9d793872c18 Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Thu, 8 Aug 2024 13:31:08 -0600
Subject: [PATCH 7/7] Fix CopyPasta
Strelka annotations referenced ElastAlert. Fixed.
---
 salt/soc/soc_soc.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index dd2f42a3e..d2f63e4ad 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -209,7 +209,7 @@ soc:
 forcedType: int
 strelkaengine:
 aiRepoUrl:
- description: URL to the AI repository. This is used to pull in AI models for use in ElastAlert rules.
+ description: URL to the AI repository. This is used to pull in AI models for use in Strelka rules.
 global: True
 advanced: True
 aiRepoBranch:
@@ -217,11 +217,11 @@ soc:
 global: True
 advanced: True
 aiRepoPath:
- description: Path to the AI repository. This is used to pull in AI models for use in ElastAlert rules.
+ description: Path to the AI repository. This is used to pull in AI models for use in Strelka rules.
 global: True
 advanced: True
 showAiSummaries:
- description: Show AI summaries for ElastAlert rules.
+ description: Show AI summaries for Strelka rules.
 global: True
 autoEnabledYaraRules:
 description: 'YARA rules to automatically enable on initial import. Format is $Ruleset - for example, for the default shipped ruleset: securityonion-yara'