Merge pull request #13223 from Security-Onion-Solutions/2.4/timeout

Update defaults
This commit is contained in:
Josh Brower
2024-06-18 08:55:30 -04:00
committed by GitHub
2 changed files with 15 additions and 11 deletions


@@ -19,7 +19,7 @@ NUM_RUNNING=$(pgrep -cf "/bin/bash /sbin/so-elastic-agent-gen-installers")
for i in {1..30} for i in {1..30}
do do
ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints-initial")) | .api_key') ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys?perPage=100" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints-initial")) | .api_key')
FLEETHOST=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/fleet_server_hosts/grid-default' | jq -r '.item.host_urls[]' | paste -sd ',') FLEETHOST=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/fleet_server_hosts/grid-default' | jq -r '.item.host_urls[]' | paste -sd ',')
if [[ $FLEETHOST ]] && [[ $ENROLLMENTOKEN ]]; then break; else sleep 10; fi if [[ $FLEETHOST ]] && [[ $ENROLLMENTOKEN ]]; then break; else sleep 10; fi
done done
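Review bot: The new `?perPage=100` on the enrollment_api_keys request (third line of the hunk) swaps one silent cap for another: once the grid holds more than 100 enrollment keys the endpoints-initial key is missed again and the loop just burns its 30 retries with no message. The jq filter also emits every key whose policy_id contains `endpoints-initial`, so ENROLLMENTOKEN becomes multi-line as soon as a second key exists for that policy, which a larger listing makes more likely. Consider comparing the response's total count against the page size (the Fleet list response carries a total, I believe — confirm against the API) and picking one key deterministically, e.g. `jq -r '[.list[] | select(.policy_id | contains("endpoints-initial")) | .api_key][0]'`. An `echo` before `sleep 10` would make the eventual timeout diagnosable; the script continues beyond the hunk.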


@@ -1314,7 +1314,7 @@ soc:
reposFolder: /opt/sensoroni/sigma/repos reposFolder: /opt/sensoroni/sigma/repos
rulesFingerprintFile: /opt/sensoroni/fingerprints/sigma.fingerprint rulesFingerprintFile: /opt/sensoroni/fingerprints/sigma.fingerprint
stateFilePath: /opt/sensoroni/fingerprints/elastalertengine.state stateFilePath: /opt/sensoroni/fingerprints/elastalertengine.state
integrityCheckFrequencySeconds: 600 integrityCheckFrequencySeconds: 1200
rulesRepos: rulesRepos:
default: default:
- repo: https://github.com/Security-Onion-Solutions/securityonion-resources - repo: https://github.com/Security-Onion-Solutions/securityonion-resources
@@ -1393,7 +1393,7 @@ soc:
community: true community: true
yaraRulesFolder: /opt/sensoroni/yara/rules yaraRulesFolder: /opt/sensoroni/yara/rules
stateFilePath: /opt/sensoroni/fingerprints/strelkaengine.state stateFilePath: /opt/sensoroni/fingerprints/strelkaengine.state
integrityCheckFrequencySeconds: 600 integrityCheckFrequencySeconds: 1200
suricataengine: suricataengine:
allowRegex: '' allowRegex: ''
autoUpdateEnabled: true autoUpdateEnabled: true
@@ -1405,7 +1405,7 @@ soc:
denyRegex: '' denyRegex: ''
rulesFingerprintFile: /opt/sensoroni/fingerprints/emerging-all.fingerprint rulesFingerprintFile: /opt/sensoroni/fingerprints/emerging-all.fingerprint
stateFilePath: /opt/sensoroni/fingerprints/suricataengine.state stateFilePath: /opt/sensoroni/fingerprints/suricataengine.state
integrityCheckFrequencySeconds: 600 integrityCheckFrequencySeconds: 1200
client: client:
enableReverseLookup: false enableReverseLookup: false
docsUrl: /docs/ docsUrl: /docs/
@@ -2257,7 +2257,7 @@ soc:
templateDetections: templateDetections:
suricata: | suricata: |
# This is a Suricata rule template. Replace all template values with your own values. # This is a Suricata rule template. Replace all template values with your own values.
# The rule identifier (sid) is pregenerated and known to be unique for this Security Onion installation. # The rule identifier [sid] is pregenerated and known to be unique for this Security Onion installation.
# Docs: https://docs.suricata.io/en/latest/rules/intro.html # Docs: https://docs.suricata.io/en/latest/rules/intro.html
# Delete these comments before attempting to "Create" the rule # Delete these comments before attempting to "Create" the rule
@@ -2272,7 +2272,7 @@ soc:
rule Example // This identifier _must_ be unique rule Example // This identifier _must_ be unique
{ {
meta: meta:
description="Generic YARA Rule" description = "Generic YARA Rule"
author = "@SecurityOnion" author = "@SecurityOnion"
date = "YYYY-MM-DD" date = "YYYY-MM-DD"
reference = "https://local.invalid" reference = "https://local.invalid"
@@ -2295,6 +2295,7 @@ soc:
status: 'experimental' status: 'experimental'
description: | description: |
This should be a detailed description of what this Detection focuses on: what we are trying to find and why we are trying to find it. This should be a detailed description of what this Detection focuses on: what we are trying to find and why we are trying to find it.
For example, from rule 97a80ec7-0e2f-4d05-9ef4-65760e634f6b: "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt."
references: references:
- 'https://local.invalid' - 'https://local.invalid'
author: '@SecurityOnion' author: '@SecurityOnion'
@@ -2306,8 +2307,11 @@ soc:
category: process_creation category: process_creation
product: windows product: windows
detection: detection:
selection: selection_img:
Image: 'whoami.exe' - Image|endswith: '\whoami.exe'
User: 'backup' - OriginalFileName: 'whoami.exe'
condition: selection selection_cli:
CommandLine|contains|windash:
- ' -priv'
condition: all of selection_*
level: 'high' # info | low | medium | high | critical level: 'high' # info | low | medium | high | critical
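Review bot: `integrityCheckFrequencySeconds` goes from 600 to 1200 in three places — elastalertengine (first hunk), strelkaengine and suricataengine — with nothing in the file recording why or whether the three values are meant to stay equal, so a later edit can drift one of them unnoticed. Suggest a comment above each, e.g. `# Seconds between rule-integrity checks; keep the three engines' values aligned` (only if they are indeed meant to match — the hunks don't say). The enclosing `soc:` mapping starts and ends outside the hunks. The templateDetections change in the last hunk looks right: `Image|endswith` replaces an exact match that could never hit a full path, and the `windash` modifier covers the `/priv` spelling used in the description example.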