Merge pull request #13958 from Security-Onion-Solutions/2.4/autoenablesigma

More flexibility for AutoEnable Sigma rules

salt/soc/defaults.yaml

@@ -1327,16 +1327,49 @@ soc:
           showAiSummaries: true
           autoUpdateEnabled: true
           autoEnabledSigmaRules:
-            default:
+            default: []
-              - core+critical
+            so-eval: []
-              - securityonion-resources+critical
+            so-import: []
-              - securityonion-resources+high
+          enabledSigmaRules:
-            so-eval:
+            default: |-
-              - securityonion-resources+critical
+              # SOS - resources ruleset
-              - securityonion-resources+high
+              - ruleset: ["securityonion-resources"]
-            so-import:
+                level: ["critical", "high"]
-              - securityonion-resources+critical
+                product: ["*"]
-              - securityonion-resources+high
+                category: ["*"]
+                service: ["*"]
+              # SigmaHQ - Core ruleset - Logsource: System events supported by Elastic Agent
+              - ruleset: ["core"]
+                level: ["critical"]
+                product: ["*"]
+                category: ["process_creation", "file_event", "registry_event", "network_connection", "dns_query"]
+                service: ["*"]
+              # SigmaHQ - Core ruleset - Logsource: Windows eventlogs
+              - ruleset: ["core"]
+                level: ["critical"]
+                product: ["windows"]
+                category: ["*"]
+                service: ["security", "system", "dns-client", "application"]
+              # SigmaHQ - Core ruleset - Logsource: misc
+              - ruleset: ["core"]
+                level: ["critical"]
+                product: ["*"]
+                category: ["antivirus"]
+                service: ["*"]
+            so-eval: |-
+              # SOS - resources ruleset
+              - ruleset: ["securityonion-resources"]
+                level: ["critical", "high"]
+                product: ["*"]
+                category: ["*"]
+                service: ["*"]
+            so-import: |-
+              # SOS - resources ruleset
+              - ruleset: ["securityonion-resources"]
+                level: ["critical", "high"]
+                product: ["*"]
+                category: ["*"]
+                service: ["*"]
           communityRulesImportFrequencySeconds: 86400
           communityRulesImportErrorSeconds: 300
           failAfterConsecutiveErrorCount: 10

salt/soc/merged.map.jinja

@@ -35,13 +35,21 @@
 {# since cases is not a valid soc config item and only used for the map files, remove it from being placed in the config #}
 {% do SOCMERGED.config.server.modules.pop('cases') %}
 
-{# set Sigma rules based on role if defined and default if not #}
+{# set enabled Sigma rules based on role if defined and default if not #}
+{# this particular config is deprecated as of 2.4.120 - use enabledSigmaRules instead #}
 {% if GLOBALS.role in SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules %}
 {%   do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules[GLOBALS.role]}) %}
 {% else %}
 {%   do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules.default}) %}
 {% endif %}
 
+{# set enabled Sigma rules based on role if defined and default if not #}
+{% if GLOBALS.role in SOCMERGED.config.server.modules.elastalertengine.enabledSigmaRules %}
+{%   do SOCMERGED.config.server.modules.elastalertengine.update({'enabledSigmaRules': SOCMERGED.config.server.modules.elastalertengine.enabledSigmaRules[GLOBALS.role]}) %}
+{% else %}
+{%   do SOCMERGED.config.server.modules.elastalertengine.update({'enabledSigmaRules': SOCMERGED.config.server.modules.elastalertengine.enabledSigmaRules.default}) %}
+{% endif %}
+
 {# set elastalertengine.rulesRepos and strelkaengine.rulesRepos based on airgap or not #}
 {% if GLOBALS.airgap %}
 {%   do SOCMERGED.config.server.modules.elastalertengine.update({'rulesRepos': SOCMERGED.config.server.modules.elastalertengine.rulesRepos.airgap}) %}

salt/soc/soc_soc.yaml

@@ -215,9 +215,20 @@ soc:
               duplicates: True
               forcedType: string
               jinjaEscaped: True
+          enabledSigmaRules:
+            default: &enabledSigmaRules
+              description: 'Sigma rules to automatically enable on initial import. The format is a YAML list, with the ability to filter for ruleset, level, product, category and service. Refer to the documentation for further details. These will be applied based on role if defined and default if not.'
+              global: True
+              helpLink: sigma.html
+              multiline: True
+              syntax: yaml
+              forcedType: string
+              jinjaEscaped: True
+            so-eval: *enabledSigmaRules
+            so-import: *enabledSigmaRules
           autoEnabledSigmaRules:
             default: &autoEnabledSigmaRules
-              description: 'Sigma rules to automatically enable on initial import. Format is $Ruleset+$Level - for example, for the core community ruleset and critical level rules: core+critical. These will be applied based on role if defined and default if not.'
+              description: 'DEPRECATED: Will be removed in a future release - use enabledSigmaRules instead.'
               global: True
               advanced: True
               helpLink: sigma.html