From 56d6857cd6dbfd5878857071dd0772743bbd52b4 Mon Sep 17 00:00:00 2001 From: defensivedepth Date: Mon, 18 Nov 2024 09:03:17 -0500 Subject: [PATCH 1/5] Addl customization for autoenable sigma --- salt/soc/defaults.yaml | 52 ++++++++++++++++++++++++++++++++++-------- salt/soc/soc_soc.yaml | 7 +++++- 2 files changed, 48 insertions(+), 11 deletions(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 6147af73b..552cd7020 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml 
@@ -1327,16 +1327,48 @@ soc: showAiSummaries: true autoUpdateEnabled: true autoEnabledSigmaRules: - default: - - core+critical - - securityonion-resources+critical - - securityonion-resources+high - so-eval: - - securityonion-resources+critical - - securityonion-resources+high - so-import: - - securityonion-resources+critical - - securityonion-resources+high + default: |- + Enabled_On_Import: + # SOS - resources ruleset + - ruleset: ["securityonion-resources"] + level: ["critical", "high"] + product: ["*"] + category: ["*"] + service: ["*"] + # SigmaHQ - Core ruleset - Logsource: System events supported by Elastic Agent + - ruleset: ["core"] + level: ["critical"] + product: ["*"] + category: ["process_creation", "file_event", "registry_event", "network_connection", "dns_query"] + service: ["*"] + # SigmaHQ - Core ruleset - Logsource: Windows eventlogs + - ruleset: ["core"] + level: ["critical"] + product: ["windows"] + category: ["*"] + service: ["security", "system", "dns-client", "application"] + # SigmaHQ - Core ruleset - Logsource: misc + - ruleset: ["core"] + level: ["critical"] + product: ["*"] + category: ["antivirus"] + service: ["*"] + so-eval: |- + Enabled_On_Import: + # SOS - resources ruleset + - ruleset: ["securityonion-resources"] + level: ["critical", "high"] + product: ["*"] + category: ["*"] + service: ["*"] + so-import: |- + Enabled_On_Import: + # SOS - resources ruleset + - ruleset: ["securityonion-resources"] + level: ["critical", "high"] + product: ["*"] + category: ["*"] + service: ["*"] communityRulesImportFrequencySeconds: 86400 communityRulesImportErrorSeconds: 300 failAfterConsecutiveErrorCount: 10 diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index c27228ab6..180ef96e4 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
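Review bot: The `default`, `so-eval` and `so-import` values under `autoEnabledSigmaRules` are now `|-` block scalars holding a second YAML document, but nothing in defaults.yaml says so; a reader sees YAML comments and flow lists inside what Salt loads as one opaque string. Add a comment above `default: |-` such as `# Each value below is an embedded YAML document (syntax: yaml in soc_soc.yaml); Salt passes it through as a string and SOC parses it when rules are imported` — the parse-at-import part is inferred from the option description, as the consumer is not in this diff. The same comment belongs on the restructured block in the second patch of this series. Because the outer YAML never parses the inner document, a typo in a pillar override of these keys is only caught by that consumer, not at pillar render time.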
@@ -217,10 +217,15 @@ soc: jinjaEscaped: True autoEnabledSigmaRules: default: &autoEnabledSigmaRules - description: 'Sigma rules to automatically enable on initial import. Format is $Ruleset+$Level - for example, for the core community ruleset and critical level rules: core+critical. These will be applied based on role if defined and default if not.' + description: 'Sigma rules to automatically enable on initial import. The format is a YAML list, with the ability to filter for ruleset, level, product, category and service. Refer to the documentation for further details. These will be applied based on role if defined and default if not.' global: True advanced: True helpLink: sigma.html + multiline: True + syntax: yaml + duplicates: True + forcedType: string + jinjaEscaped: True so-eval: *autoEnabledSigmaRules so-import: *autoEnabledSigmaRules communityRulesImportFrequencySeconds: From 3fcf197bc14d844bac8c069385fb7fced12fd188 Mon Sep 17 00:00:00 2001 From: defensivedepth Date: Tue, 19 Nov 2024 11:54:15 -0500 Subject: [PATCH 2/5] Tweak structure --- salt/soc/defaults.yaml | 75 ++++++++++++++++++++---------------------- 1 file changed, 36 insertions(+), 39 deletions(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 552cd7020..d9a5d4cb3 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml 
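Review bot: With `syntax: yaml` and `forcedType: string` the option becomes free-form YAML text edited in the SOC UI and handed to the elastalertengine module as a string, and nothing in this hunk says how a malformed or unexpected document is handled. The parser on the consuming side is not in this diff; it should load the text with a safe loader (no language-specific tags, no alias expansion from user text) and reject a document that is not a list of filter mappings rather than silently enabling nothing or everything — worth a sentence in the `description` or on the help page it links. The `"*"` entries in defaults.yaml look like wildcards; if so, the description should say `"*" matches any value` so an operator can edit the option without leaving the UI.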
@@ -1328,47 +1328,44 @@ soc: autoUpdateEnabled: true autoEnabledSigmaRules: default: |- - Enabled_On_Import: - # SOS - resources ruleset - - ruleset: ["securityonion-resources"] - level: ["critical", "high"] - product: ["*"] - category: ["*"] - service: ["*"] - # SigmaHQ - Core ruleset - Logsource: System events supported by Elastic Agent - - ruleset: ["core"] - level: ["critical"] - product: ["*"] - category: ["process_creation", "file_event", "registry_event", "network_connection", "dns_query"] - service: ["*"] - # SigmaHQ - Core ruleset - Logsource: Windows eventlogs - - ruleset: ["core"] - level: ["critical"] - product: ["windows"] - category: ["*"] - service: ["security", "system", "dns-client", "application"] - # SigmaHQ - Core ruleset - Logsource: misc - - ruleset: ["core"] - level: ["critical"] - product: ["*"] - category: ["antivirus"] - service: ["*"] + # SOS - resources ruleset + - ruleset: ["securityonion-resources"] + level: ["critical", "high"] + product: ["*"] + category: ["*"] + service: ["*"] + # SigmaHQ - Core ruleset - Logsource: System events supported by Elastic Agent + - ruleset: ["core"] + level: ["critical"] + product: ["*"] + category: ["process_creation", "file_event", "registry_event", "network_connection", "dns_query"] + service: ["*"] + # SigmaHQ - Core ruleset - Logsource: Windows eventlogs + - ruleset: ["core"] + level: ["critical"] + product: ["windows"] + category: ["*"] + service: ["security", "system", "dns-client", "application"] + # SigmaHQ - Core ruleset - Logsource: misc + - ruleset: ["core"] + level: ["critical"] + product: ["*"] + category: ["antivirus"] + service: ["*"] so-eval: |- - Enabled_On_Import: - # SOS - resources ruleset - - ruleset: ["securityonion-resources"] - level: ["critical", "high"] - product: ["*"] - category: ["*"] - service: ["*"] + # SOS - resources ruleset + - ruleset: ["securityonion-resources"] + level: ["critical", "high"] + product: ["*"] + category: ["*"] + service: ["*"] so-import: |- - 
Enabled_On_Import: - # SOS - resources ruleset - - ruleset: ["securityonion-resources"] - level: ["critical", "high"] - product: ["*"] - category: ["*"] - service: ["*"] + # SOS - resources ruleset + - ruleset: ["securityonion-resources"] + level: ["critical", "high"] + product: ["*"] + category: ["*"] + service: ["*"] communityRulesImportFrequencySeconds: 86400 communityRulesImportErrorSeconds: 300 failAfterConsecutiveErrorCount: 10 From 8958da83b30a2876ccdb5760334675c973e24aa4 Mon Sep 17 00:00:00 2001 From: defensivedepth Date: Wed, 20 Nov 2024 18:00:26 -0500 Subject: [PATCH 3/5] Deprecate instead --- salt/soc/defaults.yaml | 4 ++++ salt/soc/merged.map.jinja | 10 +++++++++- salt/soc/soc_soc.yaml | 12 ++++++++++-- 3 files changed, 23 insertions(+), 3 deletions(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index d9a5d4cb3..4c2f07aff 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1327,6 +1327,10 @@ soc: showAiSummaries: true autoUpdateEnabled: true autoEnabledSigmaRules: + default: [] + so-eval: [] + so-import: [] + enabledSigmaRules: default: |- # SOS - resources ruleset - ruleset: ["securityonion-resources"] diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja index 38794c903..25b62683c 100644 --- a/salt/soc/merged.map.jinja +++ b/salt/soc/merged.map.jinja 
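Review bot: The `so-eval` and `so-import` documents are byte-for-byte copies of the first entry of `default`, and because the values are strings they cannot share an anchor, so the three copies will drift silently when one is edited. The reason eval and import get only the SOS ruleset is not stated anywhere in this diff; a comment such as `# so-eval/so-import: SOS ruleset only; keep in sync with the first entry of default` above each copy would record it and point editors at the master copy. The same three copies survive the rename to `enabledSigmaRules` in the third patch.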
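Review bot: The new `default: []`, `so-eval: []` and `so-import: []` entries under `autoEnabledSigmaRules` carry no hint that the key is deprecated; the deprecation is recorded only in merged.map.jinja and in the UI description, so someone editing defaults.yaml or a pillar override gets no signal to use `enabledSigmaRules` instead. Add `# DEPRECATED as of 2.4.120 - use enabledSigmaRules instead` as the first line under `autoEnabledSigmaRules:` (the version is the one merged.map.jinja states). Whether an old-format `ruleset+level` value still set here by an existing deployment is honored alongside the new list or ignored is not visible in this diff and deserves a sentence in the same comment.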
@@ -35,13 +35,21 @@ {# since cases is not a valid soc config item and only used for the map files, remove it from being placed in the config #} {% do SOCMERGED.config.server.modules.pop('cases') %} -{# set Sigma rules based on role if defined and default if not #} +{# set enabled Sigma rules based on role if defined and default if not #} +{# this particular config is deprecated as of 2.4.120 - use enabledSigmaRules instead #} {% if GLOBALS.role in SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules %} {% do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules[GLOBALS.role]}) %} {% else %} {% do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules.default}) %} {% endif %} +{# set enabled Sigma rules based on role if defined and default if not #} +{% if GLOBALS.role in SOCMERGED.config.server.modules.elastalertengine.enabledSigmaRules %} +{% do SOCMERGED.config.server.modules.elastalertengine.update({'enabledSigmaRules': SOCMERGED.config.server.modules.elastalertengine.enabledSigmaRules[GLOBALS.role]}) %} +{% else %} +{% do SOCMERGED.config.server.modules.elastalertengine.update({'enabledSigmaRules': SOCMERGED.config.server.modules.elastalertengine.enabledSigmaRules.default}) %} +{% endif %} + {# set elastalertengine.rulesRepos and strelkaengine.rulesRepos based on airgap or not #} {% if GLOBALS.airgap %} {% do SOCMERGED.config.server.modules.elastalertengine.update({'rulesRepos': SOCMERGED.config.server.modules.elastalertengine.rulesRepos.airgap}) %} diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 180ef96e4..e8875ce14 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
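Review bot: The comment on the deprecated block was changed to `{# set enabled Sigma rules based on role if defined and default if not #}`, which is now identical to the comment on the new `enabledSigmaRules` block directly below it, so the two blocks are indistinguishable at a glance. Keep the first as `{# set deprecated autoEnabledSigmaRules based on role if defined and default if not #}` and leave the `deprecated as of 2.4.120` line after it. Both settings are now resolved and passed to elastalertengine; whether the engine unions them or ignores the deprecated one when `enabledSigmaRules` is set is not visible here, and a one-line comment stating the precedence would save the next maintainer a trip into the engine.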
@@ -215,8 +215,8 @@ soc: duplicates: True forcedType: string jinjaEscaped: True - autoEnabledSigmaRules: - default: &autoEnabledSigmaRules + enabledSigmaRules: + default: &enabledSigmaRules description: 'Sigma rules to automatically enable on initial import. The format is a YAML list, with the ability to filter for ruleset, level, product, category and service. Refer to the documentation for further details. These will be applied based on role if defined and default if not.' global: True advanced: True @@ -226,6 +226,14 @@ soc: duplicates: True forcedType: string jinjaEscaped: True + so-eval: *enabledSigmaRules + so-import: *enabledSigmaRules + autoEnabledSigmaRules: + default: &autoEnabledSigmaRules + description: 'DEPRECATED: Will be removed in a future release - use enabledSigmaRules instead.' + global: True + advanced: True + helpLink: sigma.html so-eval: *autoEnabledSigmaRules so-import: *autoEnabledSigmaRules communityRulesImportFrequencySeconds: From b1c4e32123ebd4842dcc80357028f30a557e9194 Mon Sep 17 00:00:00 2001 From: defensivedepth Date: Thu, 21 Nov 2024 09:11:44 -0500 Subject: [PATCH 4/5] Remove duplicate option --- salt/soc/soc_soc.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index e8875ce14..697c3b647 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -223,7 +223,6 @@ soc: helpLink: sigma.html multiline: True syntax: yaml - duplicates: True forcedType: string jinjaEscaped: True so-eval: *enabledSigmaRules From f61bf1bd67689897f1746a015a49b35bb2d5a85d Mon Sep 17 00:00:00 2001 From: defensivedepth Date: Thu, 21 Nov 2024 09:15:29 -0500 Subject: [PATCH 5/5] Remove adv --- salt/soc/soc_soc.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 697c3b647..3149bafa5 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
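Review bot: The deprecation text `DEPRECATED: Will be removed in a future release - use enabledSigmaRules instead.` on the re-added `autoEnabledSigmaRules` entry in hunk `@@ -226,6` gives no version, while merged.map.jinja in the same patch pins the deprecation to 2.4.120; the two should agree, e.g. `description: 'DEPRECATED as of 2.4.120 and will be removed in a future release - use enabledSigmaRules instead; migrate any value set here to enabledSigmaRules.'`. The entry gets `global`, `advanced` and `helpLink` but none of the `multiline`/`syntax`/`forcedType` attributes of its replacement, which matches the option's pre-series shape and is presumably intended now that its default is `[]`; a short comment above `autoEnabledSigmaRules:` saying so would stop a later cleanup from "fixing" it.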
@@ -219,7 +219,6 @@ soc: default: &enabledSigmaRules description: 'Sigma rules to automatically enable on initial import. The format is a YAML list, with the ability to filter for ruleset, level, product, category and service. Refer to the documentation for further details. These will be applied based on role if defined and default if not.' global: True - advanced: True helpLink: sigma.html multiline: True syntax: yaml