From 1a561f6b12a10c7d5af345ff762184b73bc20a21 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 1 Oct 2020 15:18:34 -0400
Subject: [PATCH] soc.json stuff

---
 salt/soc/files/soc/alerts.queries.default.yaml | 11 +++++++++++
 salt/soc/files/soc/soc.json | 12 +++---------
 2 files changed, 14 insertions(+), 9 deletions(-)
 create mode 100644 salt/soc/files/soc/alerts.queries.default.yaml

diff --git a/salt/soc/files/soc/alerts.queries.default.yaml b/salt/soc/files/soc/alerts.queries.default.yaml
new file mode 100644
index 000000000..69514fe94
--- /dev/null
+++ b/salt/soc/files/soc/alerts.queries.default.yaml
@@ -0,0 +1,11 @@
+soc:
+ alerts:
+ queries: [
+ { "name": "Group By Name, Module", "query": "* | groupby rule.name rule.uuid event.module event.severity_label" },
+ { "name": "Group By Sensor, Source IP/Port, Destination IP/Port, Name", "query": "* | groupby observer.name source.ip source.port destination.ip destination.port rule.name rule.uuid network.community_id event.severity_label" },
+ { "name": "Group By Source IP, Name", "query": "* | groupby source.ip rule.name rule.uuid event.severity_label" },
+ { "name": "Group By Source Port, Name", "query": "* | groupby source.port rule.name rule.uuid event.severity_label" },
+ { "name": "Group By Destination IP, Name", "query": "* | groupby destination.ip rule.name rule.uuid event.severity_label" },
+ { "name": "Group By Destination Port, Name", "query": "* | groupby destination.port rule.name rule.uuid event.severity_label" },
+ { "name": "Ungroup", "query": "*" }
+ ]
\ No newline at end of file
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index bc800050e..3a1fef61c 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
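Review bot: The new alerts.queries.default.yaml is committed without a trailing newline (the `\ No newline at end of file` marker after the closing `]`), so the next edit that appends to the list will show a spurious change on that line; end the file with a newline. Since this file only exists to be pulled into soc.json through import_yaml, a one-line header would save the next reader a search: `# Default alert grouping queries; rendered into soc.json via import_yaml`.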
@@ -2,6 +2,7 @@
 {%- set SENSORONIKEY = salt['pillar.get']('global:sensoronikey', '') -%}
 {%- set THEHIVEKEY = salt['pillar.get']('global:hivekey', '') -%}
 {% set FEATURES = salt['pillar.get']('elastic:features', False) %}
+{% import_yaml "soc/files/soc/alerts.queries.default.yaml" as alerts_queries %}
 {
 "logFilename": "/opt/sensoroni/logs/sensoroni-server.log",
 "server": {
@@ -179,15 +180,8 @@
 { "name": "acknowledged", "filter": "event.acknowledged:true", "enabled": false, "exclusive": true },
 { "name": "escalated", "filter": "event.escalated:true", "enabled": false, "exclusive": true }
 ],
- "queries": [
- { "name": "Group By Name, Module", "query": "* | groupby rule.name rule.uuid event.module event.severity_label" },
- { "name": "Group By Sensor, Source IP/Port, Destination IP/Port, Name", "query": "* | groupby observer.name source.ip source.port destination.ip destination.port rule.name rule.uuid network.community_id event.severity_label" },
- { "name": "Group By Source IP, Name", "query": "* | groupby source.ip rule.name rule.uuid event.severity_label" },
- { "name": "Group By Source Port, Name", "query": "* | groupby source.port rule.name rule.uuid event.severity_label" },
- { "name": "Group By Destination IP, Name", "query": "* | groupby destination.ip rule.name rule.uuid event.severity_label" },
- { "name": "Group By Destination Port, Name", "query": "* | groupby destination.port rule.name rule.uuid event.severity_label" },
- { "name": "Ungroup", "query": "*" }
- ],
+ "queries": {{ alert_queries.soc.alerts.queries}}
+ ,
 "actions": [
 { "name": "", "description": "actionHuntHelp", "icon": "fa-crosshairs", "link": "/#/hunt?q=\"{value}\" | groupby event.module event.dataset", "target": "_blank" },
 { "name": "", "description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}", "target": "_blank" },
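Review bot: The variable used on the new `"queries"` line does not match the one the import binds: the first hunk declares `{% import_yaml "soc/files/soc/alerts.queries.default.yaml" as alerts_queries %}` while the second hunk reads `alert_queries.soc.alerts.queries`, so rendering either fails with an undefined-variable error or emits an empty value, depending on how Salt's Jinja undefined handling is configured. Even with the name corrected, `{{ ... }}` on a parsed YAML list renders Python's repr with single-quoted keys, which is not valid JSON and will break the consumer of soc.json; route it through Salt's `json` filter so keys and any quotes inside query strings are escaped properly. The stray `+ ,` line can then be folded back onto one line: `"queries": {{ alerts_queries.soc.alerts.queries | json }},`. The enclosing JSON object starts and ends outside both hunks.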