Disable thehivealerter

2025-12-07 17:52:46 +01:00 · 2020-09-30 15:26:29 -04:00
parent 3af6e9e1fe
commit 1454201505
3 changed files with 1 additions and 55 deletions
--- a/salt/soctopus/files/templates/generic.template
+++ b/salt/soctopus/files/templates/generic.template
@@ -1,30 +1,6 @@
 {% set es = salt['pillar.get']('global:url_base', '') %}
-{% set hivehost = salt['pillar.get']('global:managerip', '') %}
-{% set hivekey = salt['pillar.get']('global:hivekey', '') %}
 alert:
 - "modules.so.playbook-es.PlaybookESAlerter"
- "hivealerter"
-
-hive_connection:
-  hive_host: http://{{hivehost}}
-  hive_port: 9000/thehive
-  hive_apikey: {{hivekey}}
-  
-hive_proxies:
-  http: ''
-  https: ''
-
-hive_alert_config:
-  title: "{rule[name]} - "
-  type: 'playbook'
-  source: 'SecurityOnion'
-  description: "`Play:` https://{{es}}/playbook/issues/6000 \n\n `View Event:` <https://{{es}}/kibana/app/kibana#/discover?_g=()&_a=(columns:!(_source),interval:auto,query:(language:lucene,query:'_id:{match[_id]}'),sort:!('@timestamp',desc))>  \n\n `Raw Data:` {match[message]}"
-  severity: 2
-  tags: ['playbook']
-  tlp: 3
-  status: 'New'
-  follow: True
-  caseTemplate: '5000'

 elasticsearch_host: "{{ es }}:9200"
 play_title: ""
--- a/salt/soctopus/files/templates/osquery.template
+++ b/salt/soctopus/files/templates/osquery.template
@@ -1,37 +1,6 @@
 {% set es = salt['pillar.get']('global:url_base', '') %}
-{% set hivehost = salt['pillar.get']('global:managerip', '') %}
-{% set hivekey = salt['pillar.get']('global:hivekey', '') %}
 alert:
 - "modules.so.playbook-es.PlaybookESAlerter"
- "hivealerter"
-
-hive_connection:
-  hive_host: http://{{hivehost}}
-  hive_port: 9000/thehive
-  hive_apikey: {{hivekey}}
-  
-hive_proxies:
-  http: ''
-  https: ''
-
-hive_observable_data_mapping:
-  - ip: '{match[osquery][EndpointIP1]}'
-  - ip: '{match[osquery][EndpointIP2]}'
-  - other: '{match[osquery][hostIdentifier]}'
-  - other: '{match[osquery][hostname]}'
-
-hive_alert_config:
-  title: "{rule[name]} -- {match[osquery][hostname]} -- {match[osquery][name]}"
-  type: 'osquery'
-  source: 'SecurityOnion'
-  description: "`Play:` https://{{es}}/playbook/issues/6000 \n\n `View Event:` <https://{{es}}/kibana/app/kibana#/discover?_g=()&_a=(columns:!(_source),interval:auto,query:(language:lucene,query:'_id:{match[_id]}'),sort:!('@timestamp',desc))>  \n\n `Hostname:` __{match[osquery][hostname]}__  `Live Query:`__[Pivot Link](https://{{es}}/fleet/queries/new?host_uuids={match[osquery][LiveQuery]})__ `Pack:`  __{match[osquery][name]}__ `Data:` {match[osquery][columns]}"
-  severity: 2
-  tags: ['playbook','osquery']
-  tlp: 3
-  status: 'New'
-  follow: True
-  caseTemplate: '5000'
-  
 
 elasticsearch_host: "{{ es }}:9200"
 play_title: ""
--- a/salt/soctopus/init.sls
+++ b/salt/soctopus/init.sls
@@ -63,6 +63,7 @@ so-soctopus:
    - binds:
      - /opt/so/conf/soctopus/SOCtopus.conf:/SOCtopus/SOCtopus.conf:ro
      - /opt/so/log/soctopus/:/var/log/SOCtopus/:rw
+      - /opt/so/rules/elastalert/playbook:/etc/playbook-rules:rw
      - /opt/so/conf/navigator/nav_layer_playbook.json:/etc/playbook/nav_layer_playbook.json:rw
      {% if ISAIRGAP is sameas true %}
      - /nsm/repo/rules/sigma:/soctopus/sigma