Merge pull request #13223 from Security-Onion-Solutions/2.4/timeout
Update defaults
@@ -19,7 +19,7 @@ NUM_RUNNING=$(pgrep -cf "/bin/bash /sbin/so-elastic-agent-gen-installers")
|
||||
|
||||
for i in {1..30}
|
||||
do
|
||||
ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints-initial")) | .api_key')
|
||||
ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys?perPage=100" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints-initial")) | .api_key')
|
||||
FLEETHOST=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/fleet_server_hosts/grid-default' | jq -r '.item.host_urls[]' | paste -sd ',')
|
||||
if [[ $FLEETHOST ]] && [[ $ENROLLMENTOKEN ]]; then break; else sleep 10; fi
|
||||
done
|
||||
|
||||
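Review bot: Adding `?perPage=100` to the enrollment_api_keys request only moves the truncation point; the script still reads a single page, so a grid with more than 100 enrollment keys can leave the `endpoints-initial` key on a page that is never fetched, and the loop then gives up after 30 tries with nothing logged about why. The Fleet response also carries a `total` field (per the Fleet API docs — worth confirming on this Kibana version), so capture it once and warn or page when it exceeds the page size, e.g. `TOTAL=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys?perPage=100" -H 'kbn-xsrf: true' | jq .total)` before the `.list` filter. Separately, `select(.policy_id | contains("endpoints-initial"))` is a substring match, so any additional policy whose id contains that string yields several keys joined by newlines in `ENROLLMENTOKEN`; if the id is exact, `select(.policy_id == "endpoints-initial")` is the safer filter. The script continues before and after the hunk.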
@@ -1314,7 +1314,7 @@ soc:
|
||||
reposFolder: /opt/sensoroni/sigma/repos
|
||||
rulesFingerprintFile: /opt/sensoroni/fingerprints/sigma.fingerprint
|
||||
stateFilePath: /opt/sensoroni/fingerprints/elastalertengine.state
|
||||
integrityCheckFrequencySeconds: 600
|
||||
integrityCheckFrequencySeconds: 1200
|
||||
rulesRepos:
|
||||
default:
|
||||
- repo: https://github.com/Security-Onion-Solutions/securityonion-resources
|
||||
@@ -1393,7 +1393,7 @@ soc:
|
||||
community: true
|
||||
yaraRulesFolder: /opt/sensoroni/yara/rules
|
||||
stateFilePath: /opt/sensoroni/fingerprints/strelkaengine.state
|
||||
integrityCheckFrequencySeconds: 600
|
||||
integrityCheckFrequencySeconds: 1200
|
||||
suricataengine:
|
||||
allowRegex: ''
|
||||
autoUpdateEnabled: true
|
||||
@@ -1405,7 +1405,7 @@ soc:
|
||||
denyRegex: ''
|
||||
rulesFingerprintFile: /opt/sensoroni/fingerprints/emerging-all.fingerprint
|
||||
stateFilePath: /opt/sensoroni/fingerprints/suricataengine.state
|
||||
integrityCheckFrequencySeconds: 600
|
||||
integrityCheckFrequencySeconds: 1200
|
||||
client:
|
||||
enableReverseLookup: false
|
||||
docsUrl: /docs/
|
||||
@@ -2257,7 +2257,7 @@ soc:
|
||||
templateDetections:
|
||||
suricata: |
|
||||
# This is a Suricata rule template. Replace all template values with your own values.
|
||||
# The rule identifier (sid) is pregenerated and known to be unique for this Security Onion installation.
|
||||
# The rule identifier [sid] is pregenerated and known to be unique for this Security Onion installation.
|
||||
# Docs: https://docs.suricata.io/en/latest/rules/intro.html
|
||||
# Delete these comments before attempting to "Create" the rule
|
||||
|
||||
@@ -2295,6 +2295,7 @@ soc:
|
||||
status: 'experimental'
|
||||
description: |
|
||||
This should be a detailed description of what this Detection focuses on: what we are trying to find and why we are trying to find it.
|
||||
For example, from rule 97a80ec7-0e2f-4d05-9ef4-65760e634f6b: "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt."
|
||||
references:
|
||||
- 'https://local.invalid'
|
||||
author: '@SecurityOnion'
|
||||
@@ -2306,8 +2307,11 @@ soc:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
Image: 'whoami.exe'
|
||||
User: 'backup'
|
||||
condition: selection
|
||||
selection_img:
|
||||
- Image|endswith: '\whoami.exe'
|
||||
- OriginalFileName: 'whoami.exe'
|
||||
selection_cli:
|
||||
CommandLine|contains|windash:
|
||||
- ' -priv'
|
||||
condition: all of selection_*
|
||||
level: 'high' # info | low | medium | high | critical
|
||||
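Review bot: The `integrityCheckFrequencySeconds` default is raised from 600 to 1200 in three places (the elastalertengine hunk at `@@ -1314`, then the strelkaengine and suricataengine hunks) with no comment recording why, and nothing in the file ties the three values together. Judging from the key name this interval bounds how long a modified or missing rule file goes unnoticed by the engine's integrity check — inferred, not visible here, so confirm against the engine code — which makes the trade-off worth one line beside each value, e.g. `integrityCheckFrequencySeconds: 1200  # seconds; raised from 600 in #13223, keep the three engines in step`. If the three are meant to stay equal, that comment is the only thing reminding the next editor to change all of them. The enclosing `soc:` mapping starts and ends outside these hunks.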