From 6b2219b7f26d5244f9f0285c90400769761e31c2 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 20 May 2024 18:52:37 -0400 Subject: [PATCH 01/10] elastalert settings --- salt/elastalert/config.sls | 29 ++++++++++++++++ salt/elastalert/defaults.yaml | 2 +- salt/elastalert/enabled.sls | 2 ++ salt/elastalert/map.jinja | 21 ++++++++++-- salt/elastalert/soc_elastalert.yaml | 51 ++++++++++++++++++++++++++++- salt/soc/soc_soc.yaml | 2 +- salt/stig/soc_stig.yaml | 2 +- 7 files changed, 102 insertions(+), 7 deletions(-) diff --git a/salt/elastalert/config.sls b/salt/elastalert/config.sls index 252aa83c0..1251c9d19 100644 --- a/salt/elastalert/config.sls +++ b/salt/elastalert/config.sls @@ -82,6 +82,35 @@ elastasomodulesync: - group: 933 - makedirs: True +elastacustomdir: + file.directory: + - name: /opt/so/conf/elastalert/custom + - user: 933 + - group: 933 + - makedirs: True + +elastacustomsync: + file.recurse: + - name: /opt/so/conf/elastalert/custom + - source: salt://elastalert/files/custom + - user: 933 + - group: 933 + - makedirs: True + - template: jinja + - mode: 660 + - context: + elastalert: {{ ELASTALERTMERGED }} + - show_changes: False + +elastapredefinedsync: + file.recurse: + - name: /opt/so/conf/elastalert/predefined + - source: salt://elastalert/files/predefined + - user: 933 + - group: 933 + - makedirs: True + - show_changes: False + elastaconf: file.managed: - name: /opt/so/conf/elastalert/elastalert_config.yaml diff --git a/salt/elastalert/defaults.yaml b/salt/elastalert/defaults.yaml index 393932992..8021533ab 100644 --- a/salt/elastalert/defaults.yaml +++ b/salt/elastalert/defaults.yaml @@ -40,4 +40,4 @@ elastalert: level: INFO handlers: - file - propagate: false + propagate: False \ No newline at end of file diff --git a/salt/elastalert/enabled.sls b/salt/elastalert/enabled.sls index e4b3642db..6a1ff1440 100644 --- a/salt/elastalert/enabled.sls +++ b/salt/elastalert/enabled.sls 
@@ -30,6 +30,8 @@ so-elastalert: - /opt/so/rules/elastalert:/opt/elastalert/rules/:ro - /opt/so/log/elastalert:/var/log/elastalert:rw - /opt/so/conf/elastalert/modules/:/opt/elastalert/modules/:ro + - /opt/so/conf/elastalert/predefined/:/opt/elastalert/predefined/:ro + - /opt/so/conf/elastalert/custom/:/opt/elastalert/custom/:ro - /opt/so/conf/elastalert/elastalert_config.yaml:/opt/elastalert/config.yaml:ro {% if DOCKER.containers['so-elastalert'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-elastalert'].custom_bind_mounts %} diff --git a/salt/elastalert/map.jinja b/salt/elastalert/map.jinja index 3db17d32b..8d4e65652 100644 --- a/salt/elastalert/map.jinja +++ b/salt/elastalert/map.jinja @@ -14,7 +14,22 @@ {% set ELASTALERTMERGED = salt['pillar.get']('elastalert', ELASTALERTDEFAULTS.elastalert, merge=True) %} -{% set params = ELASTALERTMERGED.alerter_parameters | load_yaml %} -{% if params != None %} - {% do ELASTALERTMERGED.config.update(params) %} +{% if 'ntf' in salt['pillar.get']('features', []) %} + {% set params = ELASTALERTMERGED.alerter_parameters | load_yaml %} + {% if params != None %} + {% do ELASTALERTMERGED.config.update(params) %} + {% endif %} + + {% if ELASTALERTMERGED.smtp_user | length > 0 %} + {% do ELASTALERTMERGED.config.update({'smtp_auth_file': '/opt/elastalert/predefined/smtp_auth.yaml'}) %} + {% endif %} + + {% if ELASTALERTMERGED.smtp_user | length > 0 %} + {% do ELASTALERTMERGED.config.update({'smtp_auth_file': '/opt/elastalert/predefined/smtp_auth.yaml'}) %} + {% endif %} + + {% if ELASTALERTMERGED.jira_user | length > 0 or ELASTALERTMERGED.jira_key | length > 0 %} + {% do ELASTALERTMERGED.config.update({'jira_account_file': '/opt/elastalert/predefined/jira_auth.yaml'}) %} + {% endif %} + {% endif %} diff --git a/salt/elastalert/soc_elastalert.yaml b/salt/elastalert/soc_elastalert.yaml index eec3f3866..81df0541f 100644 --- a/salt/elastalert/soc_elastalert.yaml +++ b/salt/elastalert/soc_elastalert.yaml 
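Review bot: The `jira_account_file` condition in map.jinja tests `ELASTALERTMERGED.jira_key`, but the SOC setting introduced in the same commit (soc_elastalert.yaml) is named `jira_api_key`, so an API-key-only Jira configuration never gets `jira_account_file` set; change the test to `ELASTALERTMERGED.jira_api_key | length > 0`. The `smtp_auth_file` block is pasted twice and the second copy should be dropped. These keys are not visibly added to defaults.yaml in this series, so `ELASTALERTMERGED.get('smtp_user', '')` would be safer than attribute access if a pillar omits them — confirm against the full defaults file.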
@@ -4,12 +4,61 @@ elastalert: helpLink: elastalert.html alerter_parameters: title: Alerter Parameters - description: Custom configuration parameters for additional, optional alerters that can be enabled for all Sigma rules. Filter for 'Additional Alerters' in this Configuration screen to find the setting that allows these alerters to be enabled within the SOC ElastAlert module. Use YAML format for these parameters, and reference the ElastAlert 2 documentation, located at https://elastalert2.readthedocs.io, for available alerters and their required configuration parameters. + description: Optional configuration parameters for additional alerters that can be enabled for all Sigma rules. Filter for 'Alerter' in this Configuration screen to find the setting that allows these alerters to be enabled within the SOC ElastAlert module. Use YAML format for these parameters, and reference the ElastAlert 2 documentation, located at https://elastalert2.readthedocs.io, for available alerters and their required configuration parameters. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key. global: True multiline: True syntax: yaml helpLink: elastalert.html forcedType: string + jira_api_key: + title: Jira API Key + description: Optional configuration parameter for Jira API Key, used instead of the Jira username and password. Requires a valid Security Onion license key. + global: True + sensitive: True + helpLink: elastalert.html + forcedType: string + jira_pass: + title: Jira Password + description: Optional configuration parameter for Jira password. Requires a valid Security Onion license key. + global: True + sensitive: True + helpLink: elastalert.html + forcedType: string + jira_user: + title: Jira Username + description: Optional configuration parameter for Jira username. Requires a valid Security Onion license key. 
+ global: True + helpLink: elastalert.html + forcedType: string + smtp_pass: + title: SMTP Password + description: Optional configuration parameter for SMTP password, required for authenticating email servers. Requires a valid Security Onion license key. + global: True + sensitive: True + helpLink: elastalert.html + forcedType: string + smtp_user: + title: SMTP Username + description: Optional configuration parameter for SMTP username, required for authenticating email servers. Requires a valid Security Onion license key. + global: True + helpLink: elastalert.html + forcedType: string + opsgenie_key: + title: OpsGenie API Key + description: Optional configuration parameter for OpsGenie API Key. Requires a valid Security Onion license key. + global: True + sensitive: True + helpLink: elastalert.html + forcedType: string + files: + custom: + filename__ext: + title: Custom Parameter File + description: Optional configuration file that can be used to specify custom file contents, such as a SMTP certificate file. When used, the corresponding parameter must be set to this setting's filename.ext path inside the custom subdirectory. For example, if specifying the SMTP cert file, the smtp_cert_file key must be set to /opt/elastalert/custom/smtp.crt in the Alerter Parameters setting for this certificate to be enabled, and assumes this duplicated setting has been named smtp__crt. Note that double underscores will be replaced with a period in the filename. + global: True + duplicating: True + file: True + helpLink: elastalert.html config: disable_rules_on_error: description: Disable rules on failure. diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index bc1c49185..7367c030d 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
@@ -85,7 +85,7 @@ soc: elastalertengine: additionalAlerters: title: Additional Alerters - description: Specify additional alerters to enable for all Sigma rules, one alerter name per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. Note that the configuration parameters for these alerters must be provided in the ElastAlert configuration section. Filter for 'Alerter Parameters' to find this related setting. + description: Specify additional alerters to enable for all Sigma rules, one alerter name per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. Note that the configuration parameters for these alerters must be provided in the ElastAlert configuration section. Filter for 'Alerter' to find this related setting. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key. global: True helpLink: sigma.html forcedType: "[]string" diff --git a/salt/stig/soc_stig.yaml b/salt/stig/soc_stig.yaml index 1fb030c31..597aab809 100644 --- a/salt/stig/soc_stig.yaml +++ b/salt/stig/soc_stig.yaml @@ -1,6 +1,6 @@ stig: enabled: - description: You can enable or disable the application of STIGS using oscap. Note that the actions performed by OSCAP are not automatically reversible. + description: You can enable or disable the application of STIGS using oscap. Note that the actions performed by OSCAP are not automatically reversible. Requires a valid Security Onion license key. forcedType: bool advanced: True run_interval: From c594168b650f83fb015b7d6cb8dd6180ba225294 Mon Sep 17 00:00:00 2001 
From: Jason Ertel Date: Mon, 20 May 2024 19:05:43 -0400 Subject: [PATCH 02/10] elastalert settings --- salt/elastalert/config.sls | 3 ++- salt/elastalert/files/custom/placeholder | 1 + salt/elastalert/files/predefined/jira_auth.yaml | 6 ++++++ salt/elastalert/files/predefined/smtp_auth.yaml | 2 ++ 4 files changed, 11 insertions(+), 1 deletion(-) create mode 100644 salt/elastalert/files/custom/placeholder create mode 100644 salt/elastalert/files/predefined/jira_auth.yaml create mode 100644 salt/elastalert/files/predefined/smtp_auth.yaml diff --git a/salt/elastalert/config.sls b/salt/elastalert/config.sls index 1251c9d19..0583cadfd 100644 --- a/salt/elastalert/config.sls +++ b/salt/elastalert/config.sls @@ -97,7 +97,7 @@ elastacustomsync: - group: 933 - makedirs: True - template: jinja - - mode: 660 + - file_mode: 660 - context: elastalert: {{ ELASTALERTMERGED }} - show_changes: False @@ -109,6 +109,7 @@ elastapredefinedsync: - user: 933 - group: 933 - makedirs: True + - file_mode: 660 - show_changes: False elastaconf: diff --git a/salt/elastalert/files/custom/placeholder b/salt/elastalert/files/custom/placeholder new file mode 100644 index 000000000..42e4ae4f0 --- /dev/null +++ b/salt/elastalert/files/custom/placeholder @@ -0,0 +1 @@ +THIS IS A PLACEHOLDER FILE \ No newline at end of file diff --git a/salt/elastalert/files/predefined/jira_auth.yaml b/salt/elastalert/files/predefined/jira_auth.yaml new file mode 100644 index 000000000..3f537c92b --- /dev/null +++ b/salt/elastalert/files/predefined/jira_auth.yaml @@ -0,0 +1,6 @@ +{% if elastalert.jira_user | length > 0 %} +user: {{ elastalert.jira_user }} +password: {{ elastalert.jira_pass }} +{% else %} +apikey: {{ elastalert.jira_key }} +{% endif %} \ No newline at end of file diff --git a/salt/elastalert/files/predefined/smtp_auth.yaml b/salt/elastalert/files/predefined/smtp_auth.yaml new file mode 100644 index 000000000..483dd6810 --- /dev/null +++ b/salt/elastalert/files/predefined/smtp_auth.yaml 
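Review bot: `elastapredefinedsync` restricts files to `file_mode: 660` but sets no `dir_mode`, so the `/opt/so/conf/elastalert/predefined` directory that will hold the rendered SMTP and Jira credential files is created with whatever the minion's umask yields, typically a world-listable directory; add `- dir_mode: 770` next to `file_mode`, and give the sibling `elastacustomdir` state a `- mode: 770` for consistency. The 660 file mode already stops other local users from reading the contents, so this is defense in depth rather than an exposure. Keeping `show_changes: False` on the credential-bearing state is the right call.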
@@ -0,0 +1,2 @@ +user: {{ elastalert.smtp_user }} +password: {{ elastalert.smtp_pass }} \ No newline at end of file From 8a3061fe3e2369a61e7d6c3a7b12752ac9a51528 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 20 May 2024 19:36:06 -0400 Subject: [PATCH 03/10] elastalert settings --- .../files/predefined/{jira_auth.yaml => jira_auth.yaml.jinja} | 0 .../files/predefined/{smtp_auth.yaml => smtp_auth.yaml.jinja} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename salt/elastalert/files/predefined/{jira_auth.yaml => jira_auth.yaml.jinja} (100%) rename salt/elastalert/files/predefined/{smtp_auth.yaml => smtp_auth.yaml.jinja} (100%) diff --git a/salt/elastalert/files/predefined/jira_auth.yaml b/salt/elastalert/files/predefined/jira_auth.yaml.jinja similarity index 100% rename from salt/elastalert/files/predefined/jira_auth.yaml rename to salt/elastalert/files/predefined/jira_auth.yaml.jinja diff --git a/salt/elastalert/files/predefined/smtp_auth.yaml b/salt/elastalert/files/predefined/smtp_auth.yaml.jinja similarity index 100% rename from salt/elastalert/files/predefined/smtp_auth.yaml rename to salt/elastalert/files/predefined/smtp_auth.yaml.jinja From e2d0b8f4c7caa825de0ae494ebad01b5d2454f6d Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 20 May 2024 19:38:36 -0400 Subject: [PATCH 04/10] elastalert settings --- salt/elastalert/config.sls | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/elastalert/config.sls b/salt/elastalert/config.sls index 0583cadfd..c435a212b 100644 --- a/salt/elastalert/config.sls +++ b/salt/elastalert/config.sls @@ -109,7 +109,10 @@ elastapredefinedsync: - user: 933 - group: 933 - makedirs: True + - template: jinja - file_mode: 660 + - context: + elastalert: {{ ELASTALERTMERGED }} - show_changes: False elastaconf: From f8ce039065e970dfce0a8fc47632b6395e9e1c65 Mon Sep 17 00:00:00 2001 
From: Jason Ertel Date: Mon, 20 May 2024 19:58:12 -0400 Subject: [PATCH 05/10] elastalert settings --- salt/elastalert/files/predefined/jira_auth.yaml.jinja | 4 ++-- salt/elastalert/files/predefined/smtp_auth.yaml.jinja | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/elastalert/files/predefined/jira_auth.yaml.jinja b/salt/elastalert/files/predefined/jira_auth.yaml.jinja index 3f537c92b..8ae240157 100644 --- a/salt/elastalert/files/predefined/jira_auth.yaml.jinja +++ b/salt/elastalert/files/predefined/jira_auth.yaml.jinja @@ -1,6 +1,6 @@ -{% if elastalert.jira_user | length > 0 %} +{% if elastalert.get('jira_user', '') | length > 0 and elastalert.get('jira_pass', '') | length > 0 %} user: {{ elastalert.jira_user }} password: {{ elastalert.jira_pass }} {% else %} -apikey: {{ elastalert.jira_key }} +apikey: {{ elastalert.get('jira_key', '') }} {% endif %} \ No newline at end of file diff --git a/salt/elastalert/files/predefined/smtp_auth.yaml.jinja b/salt/elastalert/files/predefined/smtp_auth.yaml.jinja index 483dd6810..0d488dd5c 100644 --- a/salt/elastalert/files/predefined/smtp_auth.yaml.jinja +++ b/salt/elastalert/files/predefined/smtp_auth.yaml.jinja @@ -1,2 +1,2 @@ -user: {{ elastalert.smtp_user }} -password: {{ elastalert.smtp_pass }} \ No newline at end of file +user: {{ elastalert.get('smtp_user', '') }} +password: {{ elastalert.get('smtp_pass', '') }} \ No newline at end of file From 02b4d37c11e8f162c358bd02929de41d9ce7c24c Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 20 May 2024 20:00:31 -0400 Subject: [PATCH 06/10] elastalert settings --- .../files/predefined/{jira_auth.yaml.jinja => jira_auth.yaml} | 0 .../files/predefined/{smtp_auth.yaml.jinja => smtp_auth.yaml} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename salt/elastalert/files/predefined/{jira_auth.yaml.jinja => jira_auth.yaml} (100%) rename salt/elastalert/files/predefined/{smtp_auth.yaml.jinja => smtp_auth.yaml} (100%) 
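Review bot: The new condition requires both `jira_user` and `jira_pass`, so a configuration with a username but an empty password silently falls through to the `{% else %}` branch and renders `apikey:` with an empty (null) value instead of surfacing the mistake. Consider `{% elif elastalert.get('jira_key', '') | length > 0 %}` in place of the bare `{% else %}` so an incomplete configuration renders an empty file, which is easier to diagnose than a null apikey; how ElastAlert 2 reacts to a null `apikey` is not visible here.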
diff --git a/salt/elastalert/files/predefined/jira_auth.yaml.jinja b/salt/elastalert/files/predefined/jira_auth.yaml similarity index 100% rename from salt/elastalert/files/predefined/jira_auth.yaml.jinja rename to salt/elastalert/files/predefined/jira_auth.yaml diff --git a/salt/elastalert/files/predefined/smtp_auth.yaml.jinja b/salt/elastalert/files/predefined/smtp_auth.yaml similarity index 100% rename from salt/elastalert/files/predefined/smtp_auth.yaml.jinja rename to salt/elastalert/files/predefined/smtp_auth.yaml From b7a4f20c61be693f893c92c008831192a6fce1d0 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 20 May 2024 20:11:30 -0400 Subject: [PATCH 07/10] elastalert settings --- salt/elastalert/files/predefined/jira_auth.yaml | 2 +- salt/elastalert/files/predefined/smtp_auth.yaml | 2 +- salt/elastalert/soc_elastalert.yaml | 9 +-------- 3 files changed, 3 insertions(+), 10 deletions(-) diff --git a/salt/elastalert/files/predefined/jira_auth.yaml b/salt/elastalert/files/predefined/jira_auth.yaml index 8ae240157..9bf0425c0 100644 --- a/salt/elastalert/files/predefined/jira_auth.yaml +++ b/salt/elastalert/files/predefined/jira_auth.yaml @@ -2,5 +2,5 @@ user: {{ elastalert.jira_user }} password: {{ elastalert.jira_pass }} {% else %} -apikey: {{ elastalert.get('jira_key', '') }} +apikey: {{ elastalert.get('jira_api_key', '') }} {% endif %} \ No newline at end of file diff --git a/salt/elastalert/files/predefined/smtp_auth.yaml b/salt/elastalert/files/predefined/smtp_auth.yaml index 0d488dd5c..d09d101f1 100644 --- a/salt/elastalert/files/predefined/smtp_auth.yaml +++ b/salt/elastalert/files/predefined/smtp_auth.yaml @@ -1,2 +1,2 @@ user: {{ elastalert.get('smtp_user', '') }} -password: {{ elastalert.get('smtp_pass', '') }} \ No newline at end of file +password: {{ elastalert.get('smtp_pass', '') }} diff --git a/salt/elastalert/soc_elastalert.yaml b/salt/elastalert/soc_elastalert.yaml index 81df0541f..ab315c482 100644 --- a/salt/elastalert/soc_elastalert.yaml 
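Review bot: `apikey: {{ elastalert.get('jira_api_key', '') }}` and the `user:`/`password:` lines above it emit the credential as an unquoted plain YAML scalar, so a secret that is all digits, looks like a boolean (`yes`, `off`), or contains `: ` or ` #` will be retyped or break the parse of this file. Pass each value through a YAML-safe encoder, e.g. `password: {{ elastalert.jira_pass | json }}` (Salt's `json` filter yields a double-quoted scalar YAML accepts), and do the same for `user`, `apikey` and the two lines of smtp_auth.yaml in this commit. Note that map.jinja from the first commit of this series still gates `jira_account_file` on `jira_key`, not the `jira_api_key` this file now reads, so the two need reconciling.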
+++ b/salt/elastalert/soc_elastalert.yaml @@ -43,20 +43,13 @@ elastalert: global: True helpLink: elastalert.html forcedType: string - opsgenie_key: - title: OpsGenie API Key - description: Optional configuration parameter for OpsGenie API Key. Requires a valid Security Onion license key. - global: True - sensitive: True - helpLink: elastalert.html - forcedType: string files: custom: filename__ext: title: Custom Parameter File description: Optional configuration file that can be used to specify custom file contents, such as a SMTP certificate file. When used, the corresponding parameter must be set to this setting's filename.ext path inside the custom subdirectory. For example, if specifying the SMTP cert file, the smtp_cert_file key must be set to /opt/elastalert/custom/smtp.crt in the Alerter Parameters setting for this certificate to be enabled, and assumes this duplicated setting has been named smtp__crt. Note that double underscores will be replaced with a period in the filename. global: True - duplicating: True + duplicates: True file: True helpLink: elastalert.html config: From d315b95d77d5e9fed89f03d0bb21ada98d74d8a7 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 21 May 2024 07:15:19 -0400 Subject: [PATCH 08/10] elastalert settings --- salt/elastalert/config.sls | 3 -- salt/elastalert/soc_elastalert.yaml | 51 ++++++++++++++++++++++++++--- 2 files changed, 47 insertions(+), 7 deletions(-) diff --git a/salt/elastalert/config.sls b/salt/elastalert/config.sls index c435a212b..25d5bf5f8 100644 --- a/salt/elastalert/config.sls +++ b/salt/elastalert/config.sls @@ -96,10 +96,7 @@ elastacustomsync: - user: 933 - group: 933 - makedirs: True - - template: jinja - file_mode: 660 - - context: - elastalert: {{ ELASTALERTMERGED }} - show_changes: False elastapredefinedsync: diff --git a/salt/elastalert/soc_elastalert.yaml b/salt/elastalert/soc_elastalert.yaml index ab315c482..435c5be6a 100644 --- a/salt/elastalert/soc_elastalert.yaml 
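Review bot: Removing the dedicated `opsgenie_key` setting, which carried `sensitive: True`, means an OpsGenie API key now has to be supplied inside `alerter_parameters`, a free-form YAML setting that is not marked sensitive, so the key would presumably be displayed in clear in the SOC Configuration UI and in any export of that setting — confirm what `sensitive` controls. If the intent is to route all alerter secrets through Alerter Parameters, mark that setting `sensitive: True`; otherwise keep per-secret settings like `jira_api_key`/`smtp_pass` and state in the `alerter_parameters` description that credentials must not be placed there. The `duplicating` → `duplicates` fix looks fine.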
+++ b/salt/elastalert/soc_elastalert.yaml 
@@ -45,11 +45,54 @@ elastalert: forcedType: string files: custom: - filename__ext: - title: Custom Parameter File - description: Optional configuration file that can be used to specify custom file contents, such as a SMTP certificate file. When used, the corresponding parameter must be set to this setting's filename.ext path inside the custom subdirectory. For example, if specifying the SMTP cert file, the smtp_cert_file key must be set to /opt/elastalert/custom/smtp.crt in the Alerter Parameters setting for this certificate to be enabled, and assumes this duplicated setting has been named smtp__crt. Note that double underscores will be replaced with a period in the filename. + alertmanager_ca__crt: + description: Optional custom Certificate Authority for connecting to an AlertManager server. To utilize this custom file, the alertmanager_ca_certs key must be set to /opt/elastalert/custom/alertmanager_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key. + global: True + file: True + helpLink: elastalert.html + gelf_ca__crt: + description: Optional custom Certificate Authority for connecting to a Graylog server. To utilize this custom file, the graylog_ca_certs key must be set to /opt/elastalert/custom/graylog_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key. + global: True + file: True + helpLink: elastalert.html + http_post_ca__crt: + description: Optional custom Certificate Authority for connecting to a generic HTTP server, via the legacy HTTP POST alerter. To utilize this custom file, the http_post_ca_certs key must be set to /opt/elastalert/custom/http_post2_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key. + global: True + file: True + helpLink: elastalert.html + http_post2_ca__crt: + description: Optional custom Certificate Authority for connecting to a generic HTTP server, via the newer HTTP POST 2 alerter. 
To utilize this custom file, the http_post2_ca_certs key must be set to /opt/elastalert/custom/http_post2_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key. + global: True + file: True + helpLink: elastalert.html + ms_teams_ca__crt: + description: Optional custom Certificate Authority for connecting to Microsoft Teams server. To utilize this custom file, the ms_teams_ca_certs key must be set to /opt/elastalert/custom/ms_teams_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key. + global: True + file: True + helpLink: elastalert.html + pagerduty_ca__crt: + description: Optional custom Certificate Authority for connecting to PagerDuty server. To utilize this custom file, the pagerduty_ca_certs key must be set to /opt/elastalert/custom/pagerduty_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key. + global: True + file: True + helpLink: elastalert.html + rocket_chat_ca__crt: + description: Optional custom Certificate Authority for connecting to PagerDuty server. To utilize this custom file, the rocket_chart_ca_certs key must be set to /opt/elastalert/custom/rocket_chat_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key. + global: True + file: True + helpLink: elastalert.html + smtp__crt: + description: Optional custom certificate for connecting to an SMTP server. To utilize this custom file, the smtp_cert_file key must be set to /opt/elastalert/custom/smtp.crt in the Alerter Parameters setting. Requires a valid Security Onion license key. + global: True + file: True + helpLink: elastalert.html + smtp__key: + description: Optional custom certificate key for connecting to an SMTP server. To utilize this custom file, the smtp_key_file key must be set to /opt/elastalert/custom/smtp.key in the Alerter Parameters setting. Requires a valid Security Onion license key. 
+ global: True + file: True + helpLink: elastalert.html + slack_ca__crt: + description: Optional custom Certificate Authority for connecting to Slack. To utilize this custom file, the slack_ca_certs key must be set to /opt/elastalert/custom/slack_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key. global: True - duplicates: True file: True helpLink: elastalert.html config: From 8ce19a93b96ff04d35f99b0c403bf6dc1ec0651b Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 21 May 2024 13:29:20 -0400 Subject: [PATCH 09/10] exclude false positives related to detections --- salt/common/tools/sbin/so-log-check | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/common/tools/sbin/so-log-check b/salt/common/tools/sbin/so-log-check index 5bee4d254..cf1691589 100755 --- a/salt/common/tools/sbin/so-log-check +++ b/salt/common/tools/sbin/so-log-check @@ -203,6 +203,8 @@ if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then EXCLUDED_ERRORS="$EXCLUDED_ERRORS|context deadline exceeded" EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Error running query:" # Specific issues with detection rules EXCLUDED_ERRORS="$EXCLUDED_ERRORS|detect-parse" # Suricata encountering a malformed rule + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|integrity check failed" # Detections: Exclude false positive due to automated testing + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|syncErrors" # Detections: Not an actual error fi RESULT=0 From d57cc9627f1273401cf25fe515cf9c474100d088 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 21 May 2024 13:31:50 -0400 Subject: [PATCH 10/10] exclude false positives related to detections --- salt/elastalert/defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elastalert/defaults.yaml b/salt/elastalert/defaults.yaml index 8021533ab..393932992 100644 --- a/salt/elastalert/defaults.yaml +++ b/salt/elastalert/defaults.yaml 
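Review bot: Several of the new file-setting descriptions point operators at the wrong path or key, which matters because the uploaded file is only used if the path given in Alerter Parameters matches the rendered filename: `gelf_ca__crt` renders as `gelf_ca.crt` but the text says `/opt/elastalert/custom/graylog_ca.crt`; `http_post_ca__crt` tells the user to set `/opt/elastalert/custom/http_post2_ca.crt` instead of `http_post_ca.crt`; `rocket_chat_ca__crt` says "PagerDuty server" and misspells the key as `rocket_chart_ca_certs`. Correct each to the `<name>.crt` path the `__` → `.` convention actually produces, and check the option names (e.g. whether the Graylog alerter uses a `gelf_`- or `graylog_`-prefixed key) against the ElastAlert 2 docs, which I cannot verify from here. `smtp__key` holds a private key yet, unlike `smtp_pass`, is not flagged `sensitive: True`; confirm whether `file: True` settings are masked in the UI or whether that flag is needed here as well.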
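Review bot: Adding `integrity check failed` to `EXCLUDED_ERRORS` is a broad substring match that, assuming the pipe-joined list is used as an extended regex, will hide any log line containing that phrase from every log this script scans, not just the Detections test noise the comment describes, so a genuine integrity failure (a rule bundle or signature verification, for instance) would no longer be reported by so-log-check. Anchor the pattern to the emitting component or its exact message, for example `EXCLUDED_ERRORS="$EXCLUDED_ERRORS|detections.*integrity check failed"` if the line carries a logger name, or gate the exclusion on whatever marks an automated-test run — the exact log format is not visible here. The `syncErrors` entry matches a field name rather than a message and is less likely to mask something real.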
@@ -40,4 +40,4 @@ elastalert: level: INFO handlers: - file - propagate: False \ No newline at end of file + propagate: false