From 1454201505712a640859278344d37618b03bfa12 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 30 Sep 2020 15:26:29 -0400
Subject: [PATCH] Disable thehivealerter

---
 .../soctopus/files/templates/generic.template | 24 --------------
 .../soctopus/files/templates/osquery.template | 31 -------------------
 salt/soctopus/init.sls | 1 +
 3 files changed, 1 insertion(+), 55 deletions(-)

diff --git a/salt/soctopus/files/templates/generic.template b/salt/soctopus/files/templates/generic.template
index 2dd2c96c7..07bd25d54 100644
--- a/salt/soctopus/files/templates/generic.template
+++ b/salt/soctopus/files/templates/generic.template
@@ -1,30 +1,6 @@
 {% set es = salt['pillar.get']('global:url_base', '') %}
-{% set hivehost = salt['pillar.get']('global:managerip', '') %}
-{% set hivekey = salt['pillar.get']('global:hivekey', '') %}
 alert:
 - "modules.so.playbook-es.PlaybookESAlerter"
-- "hivealerter"
-
-hive_connection:
- hive_host: http://{{hivehost}}
- hive_port: 9000/thehive
- hive_apikey: {{hivekey}}
-
-hive_proxies:
- http: ''
- https: ''
-
-hive_alert_config:
- title: "{rule[name]} - "
- type: 'playbook'
- source: 'SecurityOnion'
- description: "`Play:` https://{{es}}/playbook/issues/6000 \n\n `View Event:` \n\n `Raw Data:` {match[message]}"
- severity: 2
- tags: ['playbook']
- tlp: 3
- status: 'New'
- follow: True
- caseTemplate: '5000'
 
 elasticsearch_host: "{{ es }}:9200"
 play_title: ""
diff --git a/salt/soctopus/files/templates/osquery.template b/salt/soctopus/files/templates/osquery.template
index 9c770fc6f..0410cb288 100644
--- a/salt/soctopus/files/templates/osquery.template
+++ b/salt/soctopus/files/templates/osquery.template
@@ -1,37 +1,6 @@
 {% set es = salt['pillar.get']('global:url_base', '') %}
-{% set hivehost = salt['pillar.get']('global:managerip', '') %}
-{% set hivekey = salt['pillar.get']('global:hivekey', '') %}
 alert:
 - "modules.so.playbook-es.PlaybookESAlerter"
-- "hivealerter"
-
-hive_connection:
- hive_host: http://{{hivehost}}
- hive_port: 9000/thehive
- hive_apikey: {{hivekey}}
-
-hive_proxies:
- http: ''
- https: ''
-
-hive_observable_data_mapping:
- - ip: '{match[osquery][EndpointIP1]}'
- - ip: '{match[osquery][EndpointIP2]}'
- - other: '{match[osquery][hostIdentifier]}'
- - other: '{match[osquery][hostname]}'
-
-hive_alert_config:
- title: "{rule[name]} -- {match[osquery][hostname]} -- {match[osquery][name]}"
- type: 'osquery'
- source: 'SecurityOnion'
- description: "`Play:` https://{{es}}/playbook/issues/6000 \n\n `View Event:` \n\n `Hostname:` __{match[osquery][hostname]}__ `Live Query:`__[Pivot Link](https://{{es}}/fleet/queries/new?host_uuids={match[osquery][LiveQuery]})__ `Pack:` __{match[osquery][name]}__ `Data:` {match[osquery][columns]}"
- severity: 2
- tags: ['playbook','osquery']
- tlp: 3
- status: 'New'
- follow: True
- caseTemplate: '5000'
-
 
 elasticsearch_host: "{{ es }}:9200"
 play_title: ""
diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls
index 5633ccf2b..2c9e721ac 100644
--- a/salt/soctopus/init.sls
+++ b/salt/soctopus/init.sls
@@ -63,6 +63,7 @@ so-soctopus:
 - binds:
 - /opt/so/conf/soctopus/SOCtopus.conf:/SOCtopus/SOCtopus.conf:ro
 - /opt/so/log/soctopus/:/var/log/SOCtopus/:rw
+ - /opt/so/rules/elastalert/playbook:/etc/playbook-rules:rw
 - /opt/so/conf/navigator/nav_layer_playbook.json:/etc/playbook/nav_layer_playbook.json:rw
 {% if ISAIRGAP is sameas true %}
 - /nsm/repo/rules/sigma:/soctopus/sigma
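Review bot: The added bind `/opt/so/rules/elastalert/playbook:/etc/playbook-rules:rw` in the init.sls hunk is read-write and the hunk does not show the host directory being created, so unless a `file.directory` state elsewhere in the file prepares it, Docker will create the missing source directory root-owned and the container process may be unable to write into it, while anything it does write there is picked up by elastalert with whatever ownership results. A comment above the line stating which side writes and which reads would make the `rw` deliberate, e.g. `# playbook rules directory — TODO confirm which component writes here`; if the container only reads it, `:ro` like the SOCtopus.conf mount two lines above is the safer choice. The commit subject covers only the alerter removal, so the description could mention this new mount as well. The `so-soctopus` state starts and continues outside the hunk.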