CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-09 18:52:52 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #14623 from Security-Onion-Solutions/cogburn/playbooks

Browse Source 
Cogburn/playbooks
This commit is contained in:
coreyogburn
2025-05-15 13:27:02 -06:00
committed by GitHub
parent 70339b9a94 df103b3dca
commit 2768722132
5 changed files with 105 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
salt/elasticsearch/files/ingest/global@custom
View File

@@ -22,7 +22,7 @@
{ "date": { "if": "ctx.event?.module == 'system'", "field": "event.created", "target_field": "@timestamp","ignore_failure": true, "formats": ["yyyy-MM-dd'T'HH:mm:ss.SSSX","yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z'"] } }, { "date": { "if": "ctx.event?.module == 'system'", "field": "event.created", "target_field": "@timestamp","ignore_failure": true, "formats": ["yyyy-MM-dd'T'HH:mm:ss.SSSX","yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z'"] } },
{ "community_id":{ "if": "ctx.event?.dataset == 'endpoint.events.network'", "ignore_failure":true } }, { "community_id":{ "if": "ctx.event?.dataset == 'endpoint.events.network'", "ignore_failure":true } },
{ "set": { "if": "ctx.event?.module == 'fim'", "override": true, "field": "event.module", "value": "file_integrity" } }, { "set": { "if": "ctx.event?.module == 'fim'", "override": true, "field": "event.module", "value": "file_integrity" } },
{ "rename": { "if": "ctx.winlog?.provider_name == 'Microsoft-Windows-Windows Defender'", "ignore_missing": true, "field": "winlog.event_data.Threat Name", "target_field": "winlog.event_data.threat_name" } }, { "rename": { "if": "ctx.winlog?.provider_name == 'Microsoft-Windows-Windows Defender'", "ignore_missing": true, "field": "winlog.event_data.Threat Name", "target_field": "winlog.event_data.threat_name" } },
{ "set": { "if": "ctx?.metadata?.kafka != null" , "field": "kafka.id", "value": "{{metadata.kafka.partition}}{{metadata.kafka.offset}}{{metadata.kafka.timestamp}}", "ignore_failure": true } }, { "set": { "if": "ctx?.metadata?.kafka != null" , "field": "kafka.id", "value": "{{metadata.kafka.partition}}{{metadata.kafka.offset}}{{metadata.kafka.timestamp}}", "ignore_failure": true } },
{ "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp", "datastream_dataset_temp" ], "ignore_missing": true, "ignore_failure": true } } { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp", "datastream_dataset_temp" ], "ignore_missing": true, "ignore_failure": true } }
] ]

2
salt/elasticsearch/files/ingest/suricata.alert
View File

@@ -11,4 +11,4 @@
{ "rename":{ "field": "message2.payload_printable", "target_field": "network.data.decoded", "ignore_failure": true } }, { "rename":{ "field": "message2.payload_printable", "target_field": "network.data.decoded", "ignore_failure": true } },
{ "pipeline": { "name": "common.nids" } } { "pipeline": { "name": "common.nids" } }
] ]
} }

8
salt/soc/defaults.yaml
View File

@@ -1456,6 +1456,14 @@ soc:
org: Security Onion org: Security Onion
bucket: telegraf/so_short_term bucket: telegraf/so_short_term
verifyCert: false verifyCert: false
playbook:
autoUpdateEnabled: true
playbookImportFrequencySeconds: 86400
playbookImportErrorSeconds: 600
playbookRepoUrl: https://github.com/Security-Onion-Solutions/securityonion-resources
playbookRepoBranch: playbook-stable
playbookRepoPath: /opt/sensoroni/playbooks/
playbookPathInRepo: playbook/dev
salt: salt:
queueDir: /opt/sensoroni/queue queueDir: /opt/sensoroni/queue
timeoutMs: 45000 timeoutMs: 45000

1
salt/soc/enabled.sls
View File

@@ -35,6 +35,7 @@ so-soc:
- /opt/so/conf/soc/soc.json:/opt/sensoroni/sensoroni.json:ro - /opt/so/conf/soc/soc.json:/opt/sensoroni/sensoroni.json:ro
- /opt/so/conf/soc/ai_summary_repos:/opt/sensoroni/ai_summary_repos:rw - /opt/so/conf/soc/ai_summary_repos:/opt/sensoroni/ai_summary_repos:rw
- /opt/so/conf/navigator/layers/:/opt/sensoroni/navigator/:rw - /opt/so/conf/navigator/layers/:/opt/sensoroni/navigator/:rw
- /opt/so/conf/soc/playbooks/:/opt/sensoroni/playbooks/:rw
{% if SOCMERGED.telemetryEnabled and not GLOBALS.airgap %} {% if SOCMERGED.telemetryEnabled and not GLOBALS.airgap %}
- /opt/so/conf/soc/analytics.js:/opt/sensoroni/html/js/analytics.js:ro - /opt/so/conf/soc/analytics.js:/opt/sensoroni/html/js/analytics.js:ro
{% endif %} {% endif %}

97
salt/soc/files/soc/sigma_so_pipeline.yaml
View File

@@ -1,6 +1,45 @@
name: Security Onion Baseline Pipeline name: Security Onion Baseline Pipeline
priority: 90 priority: 90
transformations: transformations:
vars:
document_id:
- '{soc_id}'
hostname:
- '{event_data.host.name}'
ProcessGuid:
- '{event_data.process.entity_id}'
User:
- '{user.name}'
private_ip:
- '{network.private.ip}'
public_ip:
- '{network.public.ip}'
related_ip:
- '{event_data.related.ip}'
related.hosts:
- '{event_data.related.hosts'
CurrentDirectory:
- '{event_data.process.working_directory}'
ParentProcessGuid:
- '{ParentProcessGuid}'
Image:
- '{process.executable}'
community_id:
- '{network.community_id}'
transformations:
- type: value_placeholders
include:
- 'community_id'
- 'document_id'
- 'ProcessGuid'
- 'hostname'
- 'User'
- 'CurrentDirectory'
- 'ParentProcessGuid'
- 'Image'
- 'related_ip'
- 'private_ip'
- 'public_ip'
- id: baseline_field_name_mapping - id: baseline_field_name_mapping
type: field_name_mapping type: field_name_mapping
mapping: mapping:
@@ -12,12 +51,27 @@ transformations:
sid: rule.uuid sid: rule.uuid
answer: answers answer: answers
query: dns.query.name query: dns.query.name
src_ip: source.ip.keyword src_ip: source.ip
src_port: source.port src_port: source.port
dst_ip: destination.ip.keyword dst_ip: destination.ip
dst_port: destination.port dst_port: destination.port
winlog.event_data.User: user.name winlog.event_data.User: user.name
logtype: event.code # OpenCanary logtype: event.code # OpenCanary
## Start Temp Linux Mappings ##
ProcessGuid: process.entity_id
ProcessId: process.pid
Image: process.executable
CommandLine: process.command_line
CurrentDirectory: process.working_directory
ParentProcessGuid: process.parent.entity_id
ParentProcessId: process.parent.pid"
ParentImage: process.parent.executable
ParentCommandLine: process.parent.command_line
## End Temp Linux Mappings ##
rule.type: event.module
related_ip: related.ip
community_id: network.community_id
event_dataset: event.dataset
# Maps "opencanary" product to SO IDH logs # Maps "opencanary" product to SO IDH logs
- id: opencanary_idh_add-fields - id: opencanary_idh_add-fields
type: add_condition type: add_condition
@@ -126,4 +180,41 @@ transformations:
event.type: 'creation' event.type: 'creation'
rule_conditions: rule_conditions:
- type: logsource - type: logsource
category: file_event category: file_event
category: file_event
# Maps network_connection rules to endpoint network creation logs
# This is an OS-agnostic mapping, to account for logs that don't specify source OS
- id: endpoint_network_connection_add-fields
type: add_condition
conditions:
event.category: 'network'
event.type: 'start'
rule_conditions:
- type: logsource
category: network_connection
# Maps "alert" category to SO Alert events
- id: alert_so_add-fields
type: add_condition
conditions:
tags: 'alert'
rule_conditions:
- type: logsource
category: alert
# Maps "network + connection" to SO connection logs
- id: network_connection_so_add-fields
type: add_condition
conditions:
tags: 'conn'
rule_conditions:
- type: logsource
category: network
service: connection
# Maps "network + dns" to SO DNS logs
- id: network_dns_so_add-fields
type: add_condition
conditions:
tags: 'dns'
rule_conditions:
- type: logsource
category: network
service: dns