Initial airgap support for detections

This commit is contained in:
DefensiveDepth
2024-05-06 08:43:01 -04:00
parent 6d5ff59657
commit 26c6a98b45


@@ -107,7 +107,7 @@ soc:
advanced: True advanced: True
helpLink: sigma.html helpLink: sigma.html
rulesRepos: rulesRepos:
description: 'Custom Git repos to pull Sigma rules from. License field is required, folder is optional.' description: 'Custom Git repos to pull Sigma rules from. "license" field is required, "folder" is optional. "community" disables some management options for the imported rules - they can't be deleted or edited, just tuned, duplicated and Enabled | Disabled.'
global: True global: True
advanced: True advanced: True
forcedType: "[]{}" forcedType: "[]{}"
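Review bot: The new rulesRepos description contains a bare apostrophe in `can't` inside a single-quoted YAML scalar; if that is what is committed (the rendering may have collapsed an escape), the quote terminates the scalar at `can` and the loader either rejects the file or drops the rest of the annotation, so the help text never reaches the UI. Write it as `can''t` — doubling is the only escape available in single-quoted scalars — or switch the value to double quotes. The same sentence is reused for the YARA rulesRepos description later in this commit and needs the same fix there.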
@@ -117,8 +117,8 @@ soc:
global: True global: True
advanced: False advanced: False
helpLink: sigma.html helpLink: sigma.html
autoUpdateEnabled: airgapEnabled:
description: 'Set to true to enable automatic Internet-connected updates of the Sigma Community Ruleset. If this is an Airgap system, this setting will be overridden and set to false.' description: 'This setting dynamically changes to the current status of Airgap on this system and is used during the Sigma ruleset update process.'
global: True global: True
advanced: True advanced: True
helpLink: sigma.html helpLink: sigma.html
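Review bot: `airgapEnabled` is described as a value the system overwrites with the current airgap status, yet it is annotated `global: True` / `advanced: True` like any operator-editable setting, so a user with config access could flip it and, depending on how the update job reads it (not visible here), either suppress ruleset updates or trigger Internet-connected fetches on a grid that is meant to be isolated. If the annotation schema has a read-only or hidden flag, apply it to this key; otherwise at least state the contract in the text, e.g. `description: 'Reflects whether this grid is Airgap. Managed automatically and read by the Sigma ruleset update process; manual changes are overwritten.'`. Removing `autoUpdateEnabled` also takes away the only per-engine way for a connected deployment to opt out of outbound ruleset downloads; if that control now lives elsewhere it is not visible in this hunk, and if it does not, consider keeping the opt-out alongside the new airgap flag rather than tying outbound traffic solely to airgap detection.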
@@ -185,31 +185,27 @@ soc:
advanced: True advanced: True
strelkaengine: strelkaengine:
allowRegex: allowRegex:
description: 'Regex used to filter imported Yara rules. Deny regex takes precedence over the Allow regex setting.' description: 'Regex used to filter imported YARA rules. Deny regex takes precedence over the Allow regex setting.'
global: True global: True
advanced: True advanced: True
helpLink: yara.html helpLink: yara.html
autoEnabledYaraRules: autoEnabledYARARules:
description: 'Yara rules to automatically enable on initial import. Format is $Ruleset - for example, for the default shipped ruleset: securityonion-yara' description: 'YARA rules to automatically enable on initial import. Format is $Ruleset - for example, for the default shipped ruleset: securityonion-yara'
global: True global: True
advanced: True advanced: True
helpLink: sigma.html helpLink: sigma.html
autoUpdateEnabled:
description: 'Set to true to enable automatic Internet-connected updates of the Yara rulesets. If this is an Airgap system, this setting will be overridden and set to false.'
global: True
advanced: True
denyRegex: denyRegex:
description: 'Regex used to filter imported Yara rules. Deny regex takes precedence over the Allow regex setting.' description: 'Regex used to filter imported YARA rules. Deny regex takes precedence over the Allow regex setting.'
global: True global: True
advanced: True advanced: True
helpLink: yara.html helpLink: yara.html
communityRulesImportFrequencySeconds: communityRulesImportFrequencySeconds:
description: 'How often to check for new Yara rules (in seconds). This applies to both Community Rules and any configured Git repos.' description: 'How often to check for new YARA rules (in seconds). This applies to both Community Rules and any configured Git repos.'
global: True global: True
advanced: True advanced: True
helpLink: yara.html helpLink: yara.html
rulesRepos: rulesRepos:
description: 'Custom Git repos to pull Yara rules from. License field is required' description: 'Custom Git repos to pull YARA rules from. "license" field is required, "folder" is optional. "community" disables some management options for the imported rules - they can't be deleted or edited, just tuned, duplicated and Enabled | Disabled.''
global: True global: True
advanced: True advanced: True
forcedType: "[]{}" forcedType: "[]{}"
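Review bot: The new YARA rulesRepos description ends with `Disabled.''`, and inside a single-quoted scalar `''` is an escaped apostrophe rather than a closing quote, so the value runs on into the following lines and the annotation block fails to parse; the Sigma copy of the same sentence ends with a single `'`, which points to a copy-paste slip. Drop the extra quote so it reads `...Enabled | Disabled.'`, and escape the apostrophe in `can't` as `can''t` for the same reason. Unrelated to the rename, `autoEnabledYARARules` still carries `helpLink: sigma.html` while every sibling YARA setting points at `yara.html`; this looks like a pre-existing copy error worth correcting while the key is being touched. Renaming `autoEnabledYaraRules` to `autoEnabledYARARules` changes the key consumers read, so an existing local pillar override under the old name will be silently ignored unless a migration is handled elsewhere, which this hunk does not show.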
@@ -220,10 +216,6 @@ soc:
global: True global: True
advanced: True advanced: True
helpLink: suricata.html helpLink: suricata.html
autoUpdateEnabled:
description: 'Set to true to enable automatic Internet-connected updates of the Suricata rulesets. If this is an Airgap system, this setting will be overridden and set to false.'
global: True
advanced: True
denyRegex: denyRegex:
description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.' description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.'
global: True global: True