CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-08 02:02:50 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch '2.4/dev' into vertlybimp

Browse Source
This commit is contained in:
m0duspwnens
2024-10-29 08:32:39 -04:00
parent feb700393e 6a3e5415cf
commit 0c4426a55e
2 changed files with 29 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
salt/elasticsearch/templates/component/so/detection-mappings.json
View File

@@ -21,10 +21,10 @@
"properties": { "properties": {
"publicId": { "publicId": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
"title": { "title": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
"severity": { "severity": {
@@ -38,15 +38,15 @@
"description": { "description": {
"type": "text" "type": "text"
}, },
"category": { "category": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
"product": { "product": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
"service": { "service": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
@@ -64,7 +64,7 @@
}, },
"tags": { "tags": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
"ruleset": { "ruleset": {
"ignore_above": 1024, "ignore_above": 1024,
@@ -97,6 +97,9 @@
"updatedAt": { "updatedAt": {
"type": "date" "type": "date"
}, },
"note": {
"type": "text"
},
"regex": { "regex": {
"type": "text" "type": "text"
}, },

20
salt/soc/files/soc/sigma_so_pipeline.yaml
View File

@@ -106,3 +106,23 @@ transformations:
- type: include_fields - type: include_fields
fields: fields:
- event.code - event.code
# Maps process_creation rules to endpoint process creation logs
# This is an OS-agnostic mapping, to account for logs that don't specify source OS
- id: endpoint_process_create_windows_add-fields
type: add_condition
conditions:
event.category: 'process'
event.type: 'start'
rule_conditions:
- type: logsource
category: process_creation
# Maps file_event rules to endpoint file creation logs
# This is an OS-agnostic mapping, to account for logs that don't specify source OS
- id: endpoint_file_create_add-fields
type: add_condition
conditions:
event.category: 'file'
event.type: 'creation'
rule_conditions:
- type: logsource
category: file_event