From 29174566f3f7a8307a92eaac2073f108eddedc57 Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Thu, 8 Feb 2024 09:44:56 -0700
Subject: [PATCH] WIP: Updated Detection Mappings, Changed Engine to Language

Detection mappings updated to include the removal of Note and the addition of Tags, Ruleset, and Language. SOC defaults updated to use language based queries rather than engine and show the language column instead of the engine column in results.
---
 .../component/so/detection-mappings.json | 10 +++++++++-
 salt/soc/defaults.yaml                   | 18 +++++++++---------
 2 files changed, 18 insertions(+), 10 deletions(-)

diff --git a/salt/elasticsearch/templates/component/so/detection-mappings.json b/salt/elasticsearch/templates/component/so/detection-mappings.json
index df53308f2..596236703 100644
--- a/salt/elasticsearch/templates/component/so/detection-mappings.json
+++ b/salt/elasticsearch/templates/component/so/detection-mappings.json
@@ -47,13 +47,21 @@
       "isCommunity": {
         "type": "boolean"
       },
-      "note": {
+      "tags": {
         "type": "text"
       },
+      "ruleset": {
+        "ignore_above": 1024,
+        "type": "keyword"
+      },
       "engine": {
         "ignore_above": 1024,
         "type": "keyword"
       },
+      "language": {
+        "ignore_above": 1024,
+        "type": "keyword"
+      },
       "overrides": {
         "properties": {
           "type": {
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 6811529bf..cc6b417e6 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1769,7 +1769,7 @@ soc:
             default:
               - so_detection.title
               - so_detection.isEnabled
-              - so_detection.engine
+              - so_detection.language
               - "@timestamp"
             queries:
               - name: "All Detections"
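Review bot: `tags` is mapped as `text` while the other fields added in this hunk (`ruleset`, `language`) are `keyword`; if tags are meant to be filtered or aggregated on as exact values, `"tags": { "ignore_above": 1024, "type": "keyword" }` would be the consistent choice, since an analyzed `text` field is tokenized and does not support terms aggregations without enabling fielddata. The `note` property is only dropped from the template here; whether documents that still carry a `note` field are rejected, mapped dynamically or silently left unindexed depends on the template's `dynamic` setting, which is not visible in this hunk and is worth confirming before the WIP lands. The enclosing `properties` object starts and ends outside the hunk.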
@@ -1781,11 +1781,11 @@ soc:
               - name: "Disabled"
                 query: "so_detection.isEnabled:false"
               - name: "Suricata"
-                query: "so_detection.engine:suricata"
-              - name: "ElastAlert"
-                query: "so_detection.engine:elastalert"
-              - name: "Strelka"
-                query: "so_detection.engine:strelka"
+                query: "so_detection.language:suricata"
+              - name: "Sigma"
+                query: "so_detection.language:sigma"
+              - name: "Yara"
+                query: "so_detection.language:yara"
           detection:
             presets:
               severity:
@@ -1797,12 +1797,12 @@ soc:
                   - medium
                   - high
                   - critical
-              engine:
+              language:
                 customEnabled: false
                 labels:
                   - suricata
-                  - elastalert
-                  - strelka
+                  - sigma
+                  - yara
             severityTranslations:
               minor: low
              major: high
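Review bot: The language values hard-coded in these preset queries (`suricata`, `sigma`, `yara`) duplicate the `labels` list under `detection.presets.language` in the following hunk (@@ -1797), and nothing in either place records that the two must agree; a later edit to one list would leave a label with no matching filter or a filter for a language the UI never offers. A comment above the first language query such as `# One query per value in detection.presets.language.labels; keep both lists in sync` with a counterpart above `labels:` in the later hunk would make the dependency visible. Both lists should also stay within the values the `so_detection.language` keyword field actually receives, which this commit does not show. The `queries` sequence begins outside the hunk, so earlier entries are not visible here.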