CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-01-28 19:03:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

Move In Day

Browse Source
This commit is contained in:
Mike Reeves
2022-09-07 09:06:25 -04:00
parent dcb7b49dbe
commit 2bd9dd80e2
611 changed files with 8015 additions and 16211 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
salt/soc/defaults.map.jinja Normal file
View File

@@ -0,0 +1,23 @@
{% import_yaml 'soc/defaults.yaml' as SOCDEFAULTS %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% for module, application_url in GLOBALS.application_urls.items() %}
{% do SOCDEFAULTS.soc.server.modules[module].update({'hostUrl': application_url}) %}
{% endfor %}
{# add nodes from the logstash:nodes pillar to soc.server.modules.elastic.remoteHostUrls #}
{% for node_type, minions in salt['pillar.get']('logstash:nodes', {}).items() %}
{% for m in minions.keys() %}
{% do SOCDEFAULTS.soc.server.modules.elastic.remoteHostUrls.append(m) %}
{% endfor %}
{% endfor %}
{% do SOCDEFAULTS.soc.server.modules.elastic.update({'username': GLOBALS.elasticsearch.auth.users.so_elastic_user.user, 'password': GLOBALS.elasticsearch.auth.users.so_elastic_user.pass}) %}
{% if GLOBALS.role != 'so-import' %}
{% do SOCDEFAULTS.soc.server.modules.influxdb.update({'hostUrl': 'https://' ~ GLOBALS.manager_ip ~ ':8086'}) %}
{% endif %}
{% do SOCDEFAULTS.soc.server.modules.statickeyauth.update({'anonymousCidr': GLOBALS.docker_range, 'apiKey': pillar.sensoroni.sensoronikey}) %}
{% set SOCDEFAULTS = SOCDEFAULTS.soc %}

1153
salt/soc/defaults.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

712
salt/soc/files/soc/default.annotation.yaml Normal file
View File

@@ -0,0 +1,712 @@
### Elasticsearch Nodes ###
elasticsearch.esheap:
default: 4192
global: false
type: int
nodes:
- manager
- searchnode
elasticsearch.config.node.attr.box_type:
default: hot
global: false
type: bool
options:
- hot
- warm
nodes:
- manager
- searchnode
## Elasticsearch Global ##
elasticsearch.config.cluster.name:
default: securityonion
global: true
type: string
elasticsearch.config.cluster.routing.allocation.disk.threshold_enabled:
default: true
global: true
type: bool
options:
- true
- false
elasticsearch.config.cluster.routing.allocation.disk.watermark.low:
elasticsearch.config.cluster.routing.allocation.disk.watermark.high:
elasticsearch.config.cluster.routing.allocation.disk.watermark.flood_stage:
elasticsearch:"\
config:"\
cluster:"\
name: $ESCLUSTERNAME"\
routing:"\
allocation:"\
" disk:"\
" threshold_enabled: true"\
" watermark:"\
" low: 80%"\
" high: 85%"\
" flood_stage: 90%"\
" script:"\
" max_compilations_rate: 20000/1m"\
" indices:"\
" query:"\
" bool:"\
" max_clause_count: 3500"\
" index_settings:"\
" so-aws:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-azure:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-barracuda:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-beats:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-bluecoat:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-cef:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-checkpoint:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-cisco:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-cyberark:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-cylance:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-elasticsearch:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-endgame:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-f5:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-firewall:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-fortinet:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-gcp:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-google_workspace:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-ids:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-imperva:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-import:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-infoblox:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-juniper:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-kibana:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-logstash:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-microsoft:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-misp:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-netflow:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-netscout:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-o365:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-okta:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-osquery:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-proofpoint:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-radware:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-redis:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-snort:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-snyk:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-sonicwall:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-sophos:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-strelka:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-syslog:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-tomcat:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-zeek:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-zscaler:"\
" warm: 7"\
" close: 30"\
" delete: 365"
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\

258
salt/soc/files/soc/soc.json
View File

@@ -1,258 +0,0 @@
{%- set MANAGERIP = salt['pillar.get']('global:managerip', '') %}
{%- set SENSORONIKEY = salt['pillar.get']('global:sensoronikey', '') %}
{%- set THEHIVEKEY = salt['pillar.get']('global:hivekey', '') %}
{%- set THEHIVEURL = salt['pillar.get']('global:hiveurl', '') %}
{%- set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %}
{%- set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %}
{%- set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %}
{%- set GRAFANA = salt['pillar.get']('manager:grafana', '0') %}
{%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
{%- set API_TIMEOUT = salt['pillar.get']('sensoroni:api_timeout_ms', 0) %}
{%- set WEBSOCKET_TIMEOUT = salt['pillar.get']('sensoroni:websocket_timeout_ms', 0) %}
{%- set TIP_TIMEOUT = salt['pillar.get']('sensoroni:tip_timeout_ms', 0) %}
{%- set CACHE_EXPIRATION = salt['pillar.get']('sensoroni:cache_expiration_ms', 0) %}
{%- set ES_FIELDCAPS_CACHE = salt['pillar.get']('sensoroni:es_fieldcaps_cache_ms', '300000') %}
{%- import_json "soc/files/soc/alerts.queries.json" as alerts_queries %}
{%- import_json "soc/files/soc/alerts.eventfields.json" as alerts_eventfields %}
{%- import_json "soc/files/soc/hunt.queries.json" as hunt_queries %}
{%- import_json "soc/files/soc/hunt.eventfields.json" as hunt_eventfields %}
{%- import_json "soc/files/soc/dashboards.queries.json" as dashboards_queries %}
{%- import_json "soc/files/soc/cases.queries.json" as cases_queries %}
{%- import_json "soc/files/soc/cases.eventfields.json" as cases_eventfields %}
{%- import_json "soc/files/soc/menu.actions.json" as menu_actions %}
{%- import_json "soc/files/soc/tools.json" as tools %}
{%- import_json "soc/files/soc/presets.artifacttype.json" as presets_artifacttype %}
{%- import_json "soc/files/soc/presets.category.json" as presets_category %}
{%- import_json "soc/files/soc/presets.pap.json" as presets_pap %}
{%- import_json "soc/files/soc/presets.severity.json" as presets_severity %}
{%- import_json "soc/files/soc/presets.status.json" as presets_status %}
{%- import_json "soc/files/soc/presets.tag.json" as presets_tag %}
{%- import_json "soc/files/soc/presets.tlp.json" as presets_tlp %}
{%- set DNET = salt['pillar.get']('global:dockernet', '172.17.0.0') %}
{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
{%- else %}
{%- set ES_USER = '' %}
{%- set ES_PASS = '' %}
{%- endif %}
{%- set ES_INDEX_PATTERNS = salt['pillar.get']('soc:es_index_patterns', '*:so-*') %}
{%- set CASE_MODULE = salt['pillar.get']('soc:case_module', 'soc') %}
{%- set HTTPCASE_CONFIG = salt['pillar.get']('soc:httpcase_config', '') %}
{
"logFilename": "/opt/sensoroni/logs/sensoroni-server.log",
"server": {
"bindAddress": "0.0.0.0:9822",
"baseUrl": "/",
"maxPacketCount": 5000,
"htmlDir": "html",
{%- if ISAIRGAP is sameas true %}
"airgapEnabled": true,
{%- else %}
"airgapEnabled": false,
{%- endif %}
"modules": {
"filedatastore": {
"jobDir": "jobs"
},
"kratos": {
"hostUrl": "http://{{ MANAGERIP }}:4434/"
},
"elastic": {
"hostUrl": "https://{{ MANAGERIP }}:9200",
{%- if salt['pillar.get']('nodestab', {}) %}
"remoteHostUrls": [
{%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
"https://{{ SN.split('_')|first }}:9200"{{ "," if not loop.last else ""}}
{%- endfor %}
],
{%- endif %}
"username": "{{ ES_USER }}",
"password": "{{ ES_PASS }}",
"index": "{{ ES_INDEX_PATTERNS }}",
"cacheMs": {{ ES_FIELDCAPS_CACHE }},
"verifyCert": false,
"casesEnabled": {{ 'true' if CASE_MODULE == 'soc' else 'false' }},
"timeoutMs": {{ API_TIMEOUT }}
},
"influxdb": {
{%- if grains['role'] in ['so-import'] or (grains['role'] == 'so-eval' and GRAFANA == 0) %}
"hostUrl": "",
{%- else %}
"hostUrl": "https://{{ MANAGERIP }}:8086",
{%- endif %}
"token": "",
"org": "",
"bucket": "telegraf",
"verifyCert": false
},
"sostatus": {
"refreshIntervalMs": 30000,
"offlineThresholdMs": 900000
},
{%- if CASE_MODULE == 'thehive' and THEHIVEKEY != '' %}
"thehive": {
"hostUrl": "http://{{ HIVEURL }}:9000/thehive",
"key": "{{ THEHIVEKEY }}",
"verifyCert": false
},
{%- elif CASE_MODULE == 'elasticcases' %}
"elasticcases": {
"hostUrl": "https://{{ MANAGERIP }}:5601",
"username": "{{ ES_USER }}",
"password": "{{ ES_PASS }}",
},
{%- elif CASE_MODULE == 'httpcase' %}
"httpcase": {
{{ HTTPCASE_CONFIG }}
},
{%- endif %}
"statickeyauth": {
"anonymousCidr": "{{ DNET }}/24",
"apiKey": "{{ SENSORONIKEY }}"
},
"staticrbac": {
"roleFiles": [
"rbac/permissions",
"rbac/roles",
"rbac/custom_roles"
],
"userFiles": [
"rbac/users_roles"
]
}
},
"client": {
{%- if ISAIRGAP is sameas true %}
"docsUrl": "/docs/",
"cheatsheetUrl": "/docs/cheatsheet.pdf",
"releaseNotesUrl": "/docs/#release-notes",
{%- else %}
"docsUrl": "https://docs.securityonion.net/en/2.3/",
"cheatsheetUrl": "https://github.com/Security-Onion-Solutions/securityonion-docs/raw/2.3/images/cheat-sheet/Security-Onion-Cheat-Sheet.pdf",
"releaseNotesUrl": "https://docs.securityonion.net/en/2.3/release-notes",
{%- endif %}
"apiTimeoutMs": {{ API_TIMEOUT }},
"webSocketTimeoutMs": {{ WEBSOCKET_TIMEOUT }},
"tipTimeoutMs": {{ TIP_TIMEOUT }},
"cacheExpirationMs": {{ CACHE_EXPIRATION }},
"casesEnabled": {{ 'true' if CASE_MODULE == 'soc' else 'false' }},
"inactiveTools": [
{%- if PLAYBOOK == 0 %}
"toolPlaybook",
{%- endif %}
{%- if not FLEETMANAGER and not FLEETNODE %}
"toolFleet",
{%- endif %}
{%- if GRAFANA == 0 %}
"toolGrafana",
{%- endif %}
"toolUnused"
],
"tools": {{ tools | json }},
"hunt": {
"advanced": true,
"groupItemsPerPage": 10,
"groupFetchLimit": 10,
"eventItemsPerPage": 10,
"eventFetchLimit": 100,
"relativeTimeValue": 24,
"relativeTimeUnit": 30,
"mostRecentlyUsedLimit": 5,
"ackEnabled": false,
"escalateEnabled": true,
"escalateRelatedEventsEnabled": {{ 'true' if CASE_MODULE == 'soc' else 'false' }},
"aggregationActionsEnabled": true,
"eventFields": {{ hunt_eventfields | json }},
"queryBaseFilter": "",
"queryToggleFilters": [
{ "name": "caseExcludeToggle", "filter": "NOT _index:\"*:so-case*\"", "enabled": true }
],
"queries": {{ hunt_queries | json }},
"actions": {{ menu_actions | json }}
},
"dashboards": {
"advanced": true,
"groupItemsPerPage": 10,
"groupFetchLimit": 10,
"eventItemsPerPage": 10,
"eventFetchLimit": 100,
"relativeTimeValue": 24,
"relativeTimeUnit": 30,
"mostRecentlyUsedLimit": 0,
"ackEnabled": false,
"escalateEnabled": true,
"escalateRelatedEventsEnabled": {{ 'true' if CASE_MODULE == 'soc' else 'false' }},
"aggregationActionsEnabled": false,
"eventFields": {{ hunt_eventfields | json }},
"queryBaseFilter": "",
"queryToggleFilters": [
{ "name": "caseExcludeToggle", "filter": "NOT _index:\"*:so-case*\"", "enabled": true }
],
"queries": {{ dashboards_queries | json }},
"actions": {{ menu_actions | json }}
},
"job": {
"actions": {{ menu_actions | json }}
},
"alerts": {
"advanced": false,
"groupItemsPerPage": 50,
"groupFetchLimit": 500,
"eventItemsPerPage": 50,
"eventFetchLimit": 500,
"relativeTimeValue": 24,
"relativeTimeUnit": 30,
"mostRecentlyUsedLimit": 5,
"ackEnabled": true,
"escalateEnabled": true,
"escalateRelatedEventsEnabled": {{ 'true' if CASE_MODULE == 'soc' else 'false' }},
"aggregationActionsEnabled": true,
"eventFields": {{ alerts_eventfields | json }},
"queryBaseFilter": "event.dataset:alert",
"queryToggleFilters": [
{ "name": "acknowledged", "filter": "event.acknowledged:true", "enabled": false, "exclusive": true },
{ "name": "escalated", "filter": "event.escalated:true", "enabled": false, "exclusive": true, "enablesToggles":["acknowledged"] }
],
"queries": {{ alerts_queries | json }},
"actions": {{ menu_actions | json }}
},
"cases": {
"advanced": false,
"groupItemsPerPage": 50,
"groupFetchLimit": 100,
"eventItemsPerPage": 50,
"eventFetchLimit": 500,
"relativeTimeValue": 12,
"relativeTimeUnit": 60,
"mostRecentlyUsedLimit": 5,
"ackEnabled": false,
"escalateEnabled": false,
"escalateRelatedEventsEnabled": false,
"aggregationActionsEnabled": false,
"viewEnabled": true,
"createLink": "/case/create",
"eventFields": {{ cases_eventfields | json }},
"queryBaseFilter": "_index:\"*:so-case\" AND so_kind:case",
"queryToggleFilters": [
],
"queries": {{ cases_queries | json }},
"actions": {{ menu_actions | json }}
},
"case": {
"mostRecentlyUsedLimit": 5,
"renderAbbreviatedCount": 30,
"analyzerNodeId": "{{ grains.host | lower }}",
"presets": {
"artifactType": {{ presets_artifacttype | json }},
"category": {{ presets_category | json }},
"pap": {{ presets_pap | json }},
"severity": {{ presets_severity | json }},
"status": {{ presets_status | json }},
"tags": {{ presets_tag | json }},
"tlp": {{ presets_tlp | json }}
}
}
}
}
}

2
salt/soc/files/soc/soc.json.jinja Normal file
View File

@@ -0,0 +1,2 @@
{% from 'soc/merged.map.jinja' import SOCMERGED -%}
{{ SOCMERGED | json(sort_keys=True, indent=4 * ' ') }}

4
salt/soc/init.sls
View File

@@ -29,6 +29,7 @@ soclogdir:
- group: 939
- makedirs: True
socactions:
file.managed:
- name: /opt/so/conf/soc/menu.actions.json
@@ -38,10 +39,11 @@ socactions:
- mode: 600
- template: jinja
socconfig:
file.managed:
- name: /opt/so/conf/soc/soc.json
- source: salt://soc/files/soc/soc.json
- source: salt://soc/files/soc/soc.json.jinja
- user: 939
- group: 939
- mode: 600

42
salt/soc/merged.map.jinja Normal file
View File

@@ -0,0 +1,42 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'soc/defaults.map.jinja' import SOCDEFAULTS with context %}
{% set SOCMERGED = salt['pillar.get']('soc', SOCDEFAULTS, merge=true) %}
{# if SOCMERGED.server.modules.cases == httpcase details come from the soc pillar #}
{% if SOCMERGED.server.modules.cases != 'soc' %}
{% do SOCMERGED.server.modules.elastic.update({'casesEnabled': false}) %}
{% do SOCMERGED.client.update({'casesEnabled': false}) %}
{% do SOCMERGED.client.hunt.update({'escalateRelatedEventsEnabled': false}) %}
{% do SOCMERGED.client.alerts.update({'escalateRelatedEventsEnabled': false}) %}
{% if SOCMERGED.server.modules.cases == 'elasticcases' %}
{% do SOCMERGED.server.modules.update({
'elasticcases': {
'hostUrl': 'https://' ~ GLOBALS.manager_ip ~ ':5601',
'username': GLOBALS.elasticsearch.auth.users.so_elastic_user.user,
'password': GLOBALS.elasticsearch.auth.users.so_elastic_user.pass,
}
}) %}
{% endif %}
{% endif %}
{# since cases is not a valid soc config item and only used for the map files, remove it from being placed in the config #}
{% do SOCMERGED.server.modules.pop('cases') %}
{# change some options if this is airgap #}
{% if GLOBALS.airgap %}
{% do SOCMERGED.client.update({
'docsUrl': '/docs/',
'cheatsheetUrl': '/docs/cheatsheet.pdf',
'releaseNotesUrl': '/docs/#release-notes'
})
%}
{% endif %}
{% if pillar.manager.playbook == 0 %}
{% do SOCMERGED.client.inactiveTools.append('toolPlaybook') %}
{% endif %}
{% do SOCMERGED.client.inactiveTools.append('toolFleet') %}
{% if pillar.manager.grafana == 0 %}
{% do SOCMERGED.client.inactiveTools.append('toolGrafana') %}
{% endif %}