From 26c6a98b45369e522d3a396b7e92623a0a81eb6c Mon Sep 17 00:00:00 2001
From: DefensiveDepth
Date: Mon, 6 May 2024 08:43:01 -0400
Subject: [PATCH] Initial airgap support for detections
---
 salt/soc/soc_soc.yaml | 26 +++++++++-----------------
 1 file changed, 9 insertions(+), 17 deletions(-)
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 4b88a5f84..a9d6bac08 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -107,7 +107,7 @@ soc:
 advanced: True
 helpLink: sigma.html
 rulesRepos:
- description: 'Custom Git repos to pull Sigma rules from. License field is required, folder is optional.'
+ description: 'Custom Git repos to pull Sigma rules from. "license" field is required, "folder" is optional. "community" disables some management options for the imported rules - they can't be deleted or edited, just tuned, duplicated and Enabled | Disabled.'
 global: True
 advanced: True
 forcedType: "[]{}"
@@ -117,8 +117,8 @@ soc:
 global: True
 advanced: False
 helpLink: sigma.html
- autoUpdateEnabled:
- description: 'Set to true to enable automatic Internet-connected updates of the Sigma Community Ruleset. If this is an Airgap system, this setting will be overridden and set to false.'
+ airgapEnabled:
+ description: 'This setting dynamically changes to the current status of Airgap on this system and is used during the Sigma ruleset update process.'
 global: True
 advanced: True
 helpLink: sigma.html
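Review bot: The new rulesRepos description in the `@@ -107,7 +107,7 @@` hunk contains an unescaped apostrophe in `can't` inside a single-quoted YAML scalar, which closes the string at `can'` and leaves `t be deleted …` as trailing text, so the file will not parse as it renders here; the same string is added to the strelkaengine rulesRepos description in the `@@ -185,31 +185,27 @@` hunk, where it additionally ends in a stray `''`. Inside single quotes an apostrophe is written doubled: `description: 'Custom Git repos to pull Sigma rules from. "license" field is required, "folder" is optional. "community" disables some management options for the imported rules - they can''t be deleted or edited, just tuned, duplicated and Enabled | Disabled.'`. If the apostrophe was already doubled in the committed file and lost in this page's rendering, disregard. Because this file is rendered by Salt, a parse failure here takes the whole soc configuration down, so a yamllint or render step in CI would catch this class of error before it ships.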
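Review bot: Replacing `autoUpdateEnabled` with `airgapEnabled` in the `@@ -117,8 +117,8 @@` hunk removes the operator's explicit opt-out from Internet-connected Sigma ruleset updates on a non-airgap system, and the same knob is deleted for YARA and Suricata in the `@@ -185,31 +185,27 @@` and `@@ -220,10 +216,6 @@` hunks with nothing put in its place. If outbound rule fetches are now meant to be governed solely by airgap status, the new description should say so, and it should also state that the value is system-managed and that edits made through the UI are overwritten, since it is still exposed with `global: True` / `advanced: True`. Something like `description: 'Reflects the current Airgap status of this system and is maintained automatically; manual changes are overwritten. Used by the Sigma ruleset update process to decide whether Internet-connected updates run.'`, adjusted to whatever the update code actually does with it. Whether an explicit update opt-out survives elsewhere cannot be seen from this hunk.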
@@ -185,31 +185,27 @@ soc:
 advanced: True
 strelkaengine:
 allowRegex:
- description: 'Regex used to filter imported Yara rules. Deny regex takes precedence over the Allow regex setting.'
+ description: 'Regex used to filter imported YARA rules. Deny regex takes precedence over the Allow regex setting.'
 global: True
 advanced: True
 helpLink: yara.html
- autoEnabledYaraRules:
- description: 'Yara rules to automatically enable on initial import. Format is $Ruleset - for example, for the default shipped ruleset: securityonion-yara'
+ autoEnabledYARARules:
+ description: 'YARA rules to automatically enable on initial import. Format is $Ruleset - for example, for the default shipped ruleset: securityonion-yara'
 global: True
 advanced: True
 helpLink: sigma.html
- autoUpdateEnabled:
- description: 'Set to true to enable automatic Internet-connected updates of the Yara rulesets. If this is an Airgap system, this setting will be overridden and set to false.'
- global: True
- advanced: True
 denyRegex:
- description: 'Regex used to filter imported Yara rules. Deny regex takes precedence over the Allow regex setting.'
+ description: 'Regex used to filter imported YARA rules. Deny regex takes precedence over the Allow regex setting.'
 global: True
 advanced: True
 helpLink: yara.html
 communityRulesImportFrequencySeconds:
- description: 'How often to check for new Yara rules (in seconds). This applies to both Community Rules and any configured Git repos.'
+ description: 'How often to check for new YARA rules (in seconds). This applies to both Community Rules and any configured Git repos.'
 global: True
 advanced: True
 helpLink: yara.html
 rulesRepos:
- description: 'Custom Git repos to pull Yara rules from. License field is required'
+ description: 'Custom Git repos to pull YARA rules from. "license" field is required, "folder" is optional. 
"community" disables some management options for the imported rules - they can't be deleted or edited, just tuned, duplicated and Enabled | Disabled.''
 global: True
 advanced: True
 forcedType: "[]{}"
@@ -220,10 +216,6 @@ soc:
 global: True
 advanced: True
 helpLink: suricata.html
- autoUpdateEnabled:
- description: 'Set to true to enable automatic Internet-connected updates of the Suricata rulesets. If this is an Airgap system, this setting will be overridden and set to false.'
- global: True
- advanced: True
 denyRegex:
 description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.'
 global: True
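Review bot: Renaming the `autoEnabledYaraRules` key to `autoEnabledYARARules` in the `@@ -185,31 +185,27 @@` hunk changes a configuration key that existing pillar overrides or saved SOC settings may still reference, and the hunk adds no alias or migration for the old name; an override that keeps the old key would presumably be ignored silently, leaving no YARA rules auto-enabled on import and no error to point at. Either keep the old key accepted alongside the new one for a release or call the rename out in the upgrade notes so operators re-check their settings. The renamed setting also still carries `helpLink: sigma.html` while every sibling under strelkaengine links `yara.html`, so `helpLink: yara.html` looks like the intended value. The strelkaengine block starts before this hunk, so I cannot see whether other keys in it were renamed in the same way.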