From fee5a7bea9d3e3ed1e5793f490511a8bafa1ef56 Mon Sep 17 00:00:00 2001
From: doug
Date: Fri, 23 Sep 2022 16:29:55 -0400
Subject: [PATCH] initial quick OCD pass
---
 salt/elastalert/soc_elastalert.yaml | 6 +-
 salt/elasticsearch/soc_elasticsearch.yaml | 4 +-
 salt/firewall/soc_firewall.yaml | 34 +++++++--------
 salt/grafana/soc_grafana.yaml | 14 +++---
 salt/idstools/soc_idstools.yaml | 20 ++++-----
 salt/kibana/soc_kibana.yaml | 2 +-
 salt/nginx/soc_nginx.yaml | 8 ++--
 salt/pcap/soc_pcap.yaml | 10 ++---
 salt/soc/soc_soc.yaml | 12 +++---
 salt/suricata/soc_suricata.yaml | 52 +++++++++++------------
 salt/zeek/soc_zeek.yaml | 22 +++++++---
 11 files changed, 96 insertions(+), 88 deletions(-)
diff --git a/salt/elastalert/soc_elastalert.yaml b/salt/elastalert/soc_elastalert.yaml
index 0e1d15c5a..fe01f2458 100644
--- a/salt/elastalert/soc_elastalert.yaml
+++ b/salt/elastalert/soc_elastalert.yaml
@@ -24,7 +24,7 @@ elastalert:
 global: True
 helpLink: elastalert.html
 max_query_size:
- description: The maximum number of documents that will be downloaded from Elasticsearch in a single query.
+ description: The maximum number of documents that will be returned from Elasticsearch in a single query.
 global: True
 helpLink: elastalert.html
 alert_time_limit:
@@ -34,10 +34,10 @@ elastalert:
 helpLink: elastalert.html
 index_settings:
 shards:
- description: The amount of shards to use for elastalert.
+ description: The number of shards for elastalert indices.
 global: True
 helpLink: elastalert.html
 replicas:
- description: The amount of replicas for the Elastalert index.
+ description: The number of replicas for elastalert indices.
 global: True
 helpLink: elastalert.html
diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml
index d82c4adfa..d9de9343e 100644
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
@@ -72,7 +72,7 @@ elasticsearch:
 global: True
 helpLink: elasticsearch.html
 number_of_replicas:
- description: Number of replicas required for this index. Multiple replicas protects against data loss, while also increasing storage costs.
+ description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs.
 global: True
 helpLink: elasticsearch.html
 so-azure: *indexSettings
@@ -116,4 +116,4 @@ elasticsearch:
 so-syslog: *indexSettings
 so-tomcat: *indexSettings
 so-zeek: *indexSettings
- so-zscaler: *indexSettings
\ No newline at end of file
+ so-zscaler: *indexSettings
diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml
index e1e219913..614f98190 100644
--- a/salt/firewall/soc_firewall.yaml
+++ b/salt/firewall/soc_firewall.yaml
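Review bot: The rewritten number_of_replicas description in the @@ -72 hunk still has a subject–verb mismatch: the subject is plural but the verbs are singular (`Multiple replicas protects ... but also increases`). Suggested line: `+ description: Number of replicas required for this index. Multiple replicas protect against data loss, but also increase storage costs.` The second hunk only restores the trailing newline and needs nothing.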
@@ -1,109 +1,109 @@
 firewall:
 hostgroups:
 analyst_workstations:
- description: List of IP Addresses or CIDR blocks to allow analyst workstations.
+ description: List of IP addresses or CIDR blocks to allow analyst workstations.
 file: True
 global: True
 title: Analyst Workstations
 helpLink: firewall.html#host-groups
 analyst:
- description: List of IP Addresses or CIDR blocks to allow analyst connections.
+ description: List of IP addresses or CIDR blocks to allow analyst connections.
 file: True
 global: True
 title: Analyst
 helpLink: firewall.html#host-groups
 beats_endpoint:
- description: List of IP Addresses or CIDR blocks of standard beats without encryption.
+ description: List of IP addresses or CIDR blocks of standard beats without encryption.
 file: True
 global: True
 title: Beats Endpoints
 helpLink: firewall.html#host-groups
 beats_endpoint_ssl:
- description: List of IP Addresses or CIDR blocks of standard beats with encryption.
+ description: List of IP addresses or CIDR blocks of standard beats with encryption.
 file: True
 global: True
 title: Beats Endpoints SSL
 helplink: firewall.html#host-groups
 elastic_agent_endpoint:
- description: List of IP Addresses or CIDR blocks for Elastic Agent connections.
+ description: List of IP addresses or CIDR blocks for Elastic Agent connections.
 file: True
 global: True
 title: Elastic Agents
 helplink: firewall.html#host-groups
 elasticsearch_rest:
- description: List of IP Addresses or CIDR blocks to allow access directly to Elasticsearch.
+ description: List of IP addresses or CIDR blocks to allow access directly to Elasticsearch.
 file: True
 global: True
 title: Elasticsearch Rest
 advanced: True
 helplink: firewall.html#host-groups
 endgame:
- description: List of IP Addresses or CIDR blocks to allow endgame access.
+ description: List of IP addresses or CIDR blocks to allow Endgame access.
 file: True
 global: True
 title: Endgame
 advanced: True
 helplink: firewall.html#host-groups
 strelka_frontend:
- description: List of IP Addresses or CIDR blocks to allow access to the Strelka front end.
+ description: List of IP addresses or CIDR blocks to allow access to the Strelka front end.
 file: True
 global: True
 title: Strelka Frontend
 advanced: True
 helplink: firewall.html#host-groups
 syslog:
- description: List of IP Addresses or CIDR blocks to allow syslog.
+ description: List of IP addresses or CIDR blocks to allow syslog.
 file: True
 global: True
 title: Syslog Endpoint Traffic
 helplink: firewall.html#host-groups
 standalone:
- description: List of IP Addresses or CIDR blocks to allow standalone connections.
+ description: List of IP addresses or CIDR blocks to allow standalone connections.
 file: True
 global: True
 title: Standalone
 advanced: True
 helpLink: firewall.html#host-groups
 eval:
- description: List of IP Addresses or CIDR blocks to allow eval connections.
+ description: List of IP addresses or CIDR blocks to allow eval connections.
 file: True
 global: True
 title: Eval
 advanced: True
 helpLink: firewall.html#host-groups
 idh:
- description: List of IP Addresses or CIDR blocks to allow idh connections.
+ description: List of IP addresses or CIDR blocks to allow idh connections.
 file: True
 global: True
 title: IDH Nodes
 helpLink: firewall.html#host-groups
 manager:
- description: List of IP Addresses or CIDR blocks to allow manager connections.
+ description: List of IP addresses or CIDR blocks to allow manager connections.
 file: True
 global: True
 title: Manager
 advanced: True
 helpLink: firewall.html#host-groups
 heavynodes:
- description: List of IP Addresses or CIDR blocks to allow heavynode connections.
+ description: List of IP addresses or CIDR blocks to allow heavynode connections.
 file: True
 global: True
 title: Heavy Nodes
 helpLink: firewall.html#host-groups
 searchnodes:
- description: List of IP Addresses or CIDR blocks to allow searchnode connections.
+ description: List of IP addresses or CIDR blocks to allow searchnode connections.
 file: True
 global: True
 title: Search Nodes
 helpLink: firewall.html#host-groups
 sensors:
- description: List of IP Addresses or CIDR blocks to allow Sensor connections.
+ description: List of IP addresses or CIDR blocks to allow Sensor connections.
 file: True
 global: True
 title: Sensors
 helpLink: firewall.html#host-groups
 receivers:
- description: List of IP Addresses or CIDR blocks to allow receiver connections.
+ description: List of IP addresses or CIDR blocks to allow receiver connections.
 file: True
 global: True
 title: Receivers
diff --git a/salt/grafana/soc_grafana.yaml b/salt/grafana/soc_grafana.yaml
index 5789f6c81..a1b056544 100644
--- a/salt/grafana/soc_grafana.yaml
+++ b/salt/grafana/soc_grafana.yaml
@@ -10,20 +10,20 @@ grafana:
 global: True
 helpLink: grafana.html
 user:
- description: User used to authenticate SMTP.
+ description: Username for the SMTP server.
 global: True
 helpLink: grafana.html
 password:
- description: Password used to authenticate SMTP.
+ description: Password for the SMTP server.
 global: True
 sensitive: True
 helpLink: grafana.html
 cert_file:
- description: Location of cert file for SMTP.
+ description: Location of cert file for the SMTP server.
 global: True
 helpLink: grafana.html
 key_file:
- description: Location of key file for SMTP.
+ description: Location of key file for the SMTP server.
 global: True
 helpLink: grafana.html
 skip_verify:
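Review bot: Six hostgroups in the soc_firewall.yaml hunk (beats_endpoint_ssl, elastic_agent_endpoint, elasticsearch_rest, endgame, strelka_frontend, syslog) still spell the key as `helplink:` while every other entry in this file and in the other files of the patch uses `helpLink:`; the pass rewrote each of these entries' description line but left the key casing as it was. If the SOC UI looks the key up as `helpLink`, these six groups silently have no help link, which matters most here because these are the allow-lists that open the firewall to remote hosts and the linked page is where an operator would check what each group exposes. Change each of those lines to `helplink: firewall.html#host-groups` → `helpLink: firewall.html#host-groups`. The hunk ends inside the receivers entry at its `title:` line, so that entry's remaining lines are outside the hunk.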
@@ -31,15 +31,15 @@ grafana:
 global: True
 helpLink: grafana.html
 from_address:
- description: The email address you would like in the from field.
+ description: The email address you would like in the From field.
 global: True
 helpLink: grafana.html
 from_name:
- description: The name displayed for the from email address.
+ description: The name displayed for the From email address.
 global: True
 helpLink: grafana.html
 ehlo_identity:
- description: Used with servers with SMTP service extensions.
+ description: Used for servers with SMTP service extensions.
 global: True
 helpLink: grafana.html
 enterprise:
diff --git a/salt/idstools/soc_idstools.yaml b/salt/idstools/soc_idstools.yaml
index 383f6b42d..f567bcbc9 100644
--- a/salt/idstools/soc_idstools.yaml
+++ b/salt/idstools/soc_idstools.yaml
@@ -3,18 +3,18 @@ idstools:
 oinkcode:
 description: Enter your registration code for paid rulesets.
 global: True
- helpLink: managing-alerts.html
+ helpLink: managing-rules.html
 ruleset:
 description: Define the ruleset you want to run. Options are ETOPEN or ETPRO.
 global: True
- helpLink: managing-alerts.html
+ helpLink: managing-rules.html
 urls:
 description: This is a list of additional rule download locations.
 global: True
- helpLink: managing-alerts.html
+ helpLink: managing-rules.html
 sids:
 disabled:
- description: List of disables SIDS.
+ description: List of SIDS that you want to disable.
 global: True
 helpLink: managing-alerts.html
 enabled:
@@ -22,7 +22,7 @@ idstools:
 global: True
 helpLink: managing-alerts.html
 modify:
- description: List of SIDS that are modified.
+ description: List of SIDS that you want to modify.
 global: True
 helpLink: managing-alerts.html
 rules:
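Review bot: The rewritten sids descriptions in soc_idstools.yaml (disabled in the @@ -3 hunk, modify in the @@ -22 hunk) write the plural as `SIDS`; the usual form for signature IDs is `SIDs`, so `+ description: List of SIDs that you want to disable.` and `+ description: List of SIDs that you want to modify.` read better and match how the singular is written. Since the same hunk moves oinkcode, ruleset and urls from managing-alerts.html to managing-rules.html but leaves the sids entries on managing-alerts.html, it is worth confirming that split is deliberate rather than an entry that was missed. The grafana hunk on this line is wording only and needs nothing.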
@@ -32,18 +32,18 @@ idstools:
 global: True
 advanced: True
 title: Local Rules
- helpLink: managing-alerts.html
+ helpLink: local-rules.html
 filters__rules:
- description: You can set custom filters for Suricata when using it for meta data creation.
+ description: If you are using Suricata for metadata, then you can set custom filters for that metadata here.
 file: True
 global: True
 advanced: True
 title: Filter Rules
- helpLink: managing-alerts.html
+ helpLink: suricata.html
 extraction__rules:
- description: This is a list of mime types for file extraction when Suricata is used for meta data creation.
+ description: If you are using Suricata for metadata, then you can set a list of MIME types for file extraction here.
 file: True
 global: True
 advanced: True
 title: Extraction Rules
- helpLink: managing-alerts.html
\ No newline at end of file
+ helpLink: suricata.html
diff --git a/salt/kibana/soc_kibana.yaml b/salt/kibana/soc_kibana.yaml
index fe6c9525c..331e7716f 100644
--- a/salt/kibana/soc_kibana.yaml
+++ b/salt/kibana/soc_kibana.yaml
@@ -2,6 +2,6 @@ kibana:
 config:
 elasticsearch:
 requestTimeout:
- description: Request timeout length.
+ description: The length of time before the request reaches timeout.
 global: True
 helpLink: kibana.html
diff --git a/salt/nginx/soc_nginx.yaml b/salt/nginx/soc_nginx.yaml
index 54b57c22a..b78550c2b 100644
--- a/salt/nginx/soc_nginx.yaml
+++ b/salt/nginx/soc_nginx.yaml
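Review bot: The new requestTimeout description in the soc_kibana.yaml hunk restates the key name without telling the operator which request is meant or what unit the value is in, which is the information someone editing this setting actually needs. The key path (kibana → config → elasticsearch → requestTimeout) suggests this maps onto Kibana's elasticsearch.requestTimeout, which is a millisecond value; if that is the case, something like `+ description: Time in milliseconds to wait for a response from Elasticsearch before the request times out.` would be more useful. Please confirm the unit against the consuming config before wording it that way.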
@@ -1,22 +1,22 @@
 nginx:
 config:
 replace_cert:
- description: Replace the Security Onion Certificate with your own?
+ description: Enable this if you would like to replace the Security Onion Certificate with your own.
 global: True
 advanced: True
 title: Replace Default Cert
 helpLink: nginx.html
 ssl__key:
- description: Paste your .key file here
+ description: If you enabled the replace_cert option, paste your .key file here.
 file: True
 title: SSL Key File
 advanced: True
 global: True
 helpLink: nginx.html
 ssl__crt:
- description: Paste your .crt file here
+ description: If you enabled the replace_cert option, paste your .crt file here.
 file: True
 title: SSL Cert File
 advanced: True
 global: True
- helpLink: nginx.html
\ No newline at end of file
+ helpLink: nginx.html
diff --git a/salt/pcap/soc_pcap.yaml b/salt/pcap/soc_pcap.yaml
index e25b1253b..0f4b7e1e4 100644
--- a/salt/pcap/soc_pcap.yaml
+++ b/salt/pcap/soc_pcap.yaml
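Review bot: The ssl__key entry in this hunk holds the private key for the replacement certificate, but unlike grafana's password in the same patch (which carries `sensitive: True`) it has no `sensitive` flag, and the pass rewrote its description without adding one. If `sensitive: True` is what keeps a value masked in the SOC UI and out of exports, as its use on the grafana password suggests, the key material is currently displayed in the clear to anyone who can open this setting. Add `sensitive: True` under ssl__key (the .crt is public and does not need it). The rewritten descriptions could also say that the key must be the one matching the pasted .crt, since a mismatched pair is the usual failure when these two fields are filled in separately.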
@@ -1,20 +1,20 @@
 pcap:
 enabled:
- description: Enable or Disable Stenographer on all sensors or a single sensor
+ description: You can enable or disable Stenographer on all sensors or a single sensor.
 helpLink: pcap.html
 config:
 maxdirectoryfiles:
- description: The maximum number of packet/index files to create before deleting old files. The default is about 8 days regardless of free space.
+ description: The maximum number of packet/index files to create before deleting old files.
 helpLink: pcap.html
 diskfreepercentage:
- description: The disk space percent to always keep free for pcap
+ description: The disk space percent to always keep free for PCAP
 helpLink: pcap.html
 blocks:
 description: The number of 1MB packet blocks used by AF_PACKET to store packets in memory, per thread. You shouldn't need to change this.
 advanced: True
 helpLink: pcap.html
 preallocate_file_mb:
- description: File size to pre-allocate for individual pcap files. You shouldn't need to change this.
+ description: File size to pre-allocate for individual PCAP files. You shouldn't need to change this.
 advanced: True
 helpLink: pcap.html
 aiops:
@@ -26,7 +26,7 @@ pcap:
 advanced: True
 helpLink: pcap.html
 cpus_to_pin_to:
- description: CPU to pin PCAP to. Currently only a single CPU is supported
+ description: CPU to pin PCAP to. Currently only a single CPU is supported.
 advanced: True
 helpLink: pcap.html
 disks:
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 848fa7091..8d7cc8481 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -7,25 +7,25 @@ soc:
 file: True
 global: True
 syntax: md
- helpLink: soc.html
+ helpLink: soc-customization.html
 motd__md:
 title: Overview Page
- description: Customize the overview page with specific markdown-formatted content. Images can be used but must be hosted from another host that is accessible by the users' browser.
+ description: Customize the overview page with specific markdown-formatted content. Images can be used but must be hosted from another host that is accessible by the user's browser.
 file: True
 global: True
 syntax: md
- helpLink: soc.html
+ helpLink: soc-customization.html
 custom__js:
 title: Custom Javascript
 description: Customize SOC UI behavior with custom Javascript code. Custom Javascript not provided by Security Onion Solutions is unsupported, and should be removed prior to requesting support and prior to performing upgrades.
 file: True
 global: True
 advanced: True
- helpLink: soc.html
+ helpLink: soc-customization.html
 custom_roles:
 title: Custom Roles
- description: Customize role and permission mappings. Changes to this setting requires a complete understanding of the SOC RBAC system.
+ description: Customize role and permission mappings. Changing this setting requires a complete understanding of the SOC RBAC system.
 file: True
 global: True
 advanced: True
- helpLink: soc.html
\ No newline at end of file
+ helpLink: soc-customization.html
diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml
index 6eae3b37d..ea98b7650 100644
--- a/salt/suricata/soc_suricata.yaml
+++ b/salt/suricata/soc_suricata.yaml
@@ -10,80 +10,80 @@ suricata:
 vars:
 address-groups:
 HOME_NET:
- description: List of hosts or netowrks.
+ description: List of hosts or networks.
 helpLink: suricata.html
 EXTERNAL_NET:
- description: List of hosts or netowrks.
+ description: List of hosts or networks.
 helpLink: suricata.html
 HTTP_SERVERS:
- description: List of hosts or netowrks.
+ description: List of hosts or networks.
 helpLink: suricata.html
 SMTP_SERVERS:
- description: List of hosts or netowrks.
+ description: List of hosts or networks.
 helpLink: suricata.html
 SQL_SERVERS:
- description: List of hosts or netowrks.
+ description: List of hosts or networks.
 helpLink: suricata.html
 DNS_SERVERS:
- description: List of hosts or netowrks.
+ description: List of hosts or networks.
 helpLink: suricata.html
 TELNET_SERVERS:
- description: List of hosts or netowrks.
+ description: List of hosts or networks.
 helpLink: suricata.html
 AIM_SERVERS:
- description: List of hosts or netowrks.
+ description: List of hosts or networks.
 helpLink: suricata.html
 DC_SERVERS:
- description: List of hosts or netowrks.
+ description: List of hosts or networks.
 helpLink: suricata.html
 DNP3_SERVER:
- description: List of hosts or netowrks.
+ description: List of hosts or networks.
 helpLink: suricata.html
 DNP3_CLIENT:
- description: List of hosts or netowrks.
+ description: List of hosts or networks.
 helpLink: suricata.html
 MODBUS_CLIENT:
- description: List of hosts or netowrks.
+ description: List of hosts or networks.
 helpLink: suricata.html
 MODBUS_SERVER:
- description: List of hosts or netowrks.
+ description: List of hosts or networks.
 helpLink: suricata.html
 ENIP_CLIENT:
- description: List of hosts or netowrks.
+ description: List of hosts or networks.
 helpLink: suricata.html
 ENIP_SERVER:
- description: List of hosts or netowrks.
+ description: List of hosts or networks.
 helpLink: suricata.html
 port-groups:
 HTTP_PORTS:
- description: List of HTTP ports to look for HTTP traffic on.
+ description: List of ports to look for HTTP traffic on.
 helpLink: suricata.html
 SHELLCODE_PORTS:
- description: List of SHELLCODE ports to look for SHELLCODE traffic on.
+ description: List of ports to look for SHELLCODE traffic on.
 helpLink: suricata.html
 ORACLE_PORTS:
- description: List of ORACLE ports to look for ORACLE traffic on.
+ description: List of ports to look for ORACLE traffic on.
 helpLink: suricata.html
 SSH_PORTS:
- description: List of SSH ports to look for SSH traffic on.
+ description: List of ports to look for SSH traffic on.
 helpLink: suricata.html
 DNP3_PORTS:
- description: List of DNP3 ports to look for DNP3 traffic on.
+ description: List of ports to look for DNP3 traffic on.
 helpLink: suricata.html
 MODBUS_PORTS:
- description: List of MODBUS ports to look for MODBUS traffic on.
+ description: List of ports to look for MODBUS traffic on.
 helpLink: suricata.html
 FILE_DATA_PORTS:
- description: List of FILE_DATA ports to look for FILE_DATA traffic on.
+ description: List of ports to look for FILE_DATA traffic on.
 helpLink: suricata.html
 FTP_PORTS:
- description: List of FTP ports to look for FTP traffic on.
+ description: List of ports to look for FTP traffic on.
 helpLink: suricata.html
 VXLAN_PORTS:
- description: List of VXLAN ports to look for VXLAN traffic on.
+ description: List of ports to look for VXLAN traffic on.
 helpLink: suricata.html
 TEREDO_PORTS:
- description: List of TEREDO ports to look for TEREDO traffic on.
+ description: List of ports to look for TEREDO traffic on.
 helpLink: suricata.html
 outputs:
 eve-log:
@@ -180,4 +180,4 @@ suricata:
 helpLink: suricata.html
 ports:
 description: Ports to listen for. This should be a variable.
- helpLink: suricata.html
\ No newline at end of file
+ helpLink: suricata.html
diff --git a/salt/zeek/soc_zeek.yaml b/salt/zeek/soc_zeek.yaml
index 7da21aa41..11ad78656 100644
--- a/salt/zeek/soc_zeek.yaml
+++ b/salt/zeek/soc_zeek.yaml
@@ -1,36 +1,44 @@
 zeek:
 logging:
 enabled:
- description: This is a list of zeek logs that will be shipped through the pipeline. If you remove a log from this list it will still persist on the sensor.
+ description: This is a list of Zeek logs that will be shipped through the pipeline. If you remove a log from this list, it will still persist on the sensor.
+ helpLink: zeek.html
 config:
 local:
 '@load':
 description: List of Zeek policies to load
+ helpLink: zeek.html
 '@load-sigs':
 description: List of Zeek signatures to load
+ helpLink: zeek.html
 node:
 lb_procs:
- description: This is the amount of CPUs to use for Zeek. This setting is ignored if you are using pins.
+ description: This is the number of CPUs to use for Zeek. This setting is ignored if you are using pins.
+ helpLink: zeek.html
 node: True
 pins_enabled:
- description: Enabled CPU pinning
+ description: Enabling this setting allows you to pin Zeek to specific CPUs.
+ helpLink: zeek.html
 node: True
 advanced: True
 pins:
- description: List of CPUs you want to pin to
+ description: This is a list of CPUs you want to pin Zeek to.
+ helpLink: zeek.html
 node: True
 advanced: True
 zeekctl:
 CompressLogs:
- description: Enable compression of zeek logs. If you are seeing packet loss at the top of the hour in zeek or pcap you might need to set this to 0. This will use more disk space but save IO and CPU.
+ description: This setting enables compression of Zeek logs. If you are seeing packet loss at the top of the hour in Zeek or PCAP you might need to disable this by seting it to 0. This will use more disk space but save IO and CPU.
+ helpLink: zeek.html
 policy:
 custom:
 filters:
 conn:
 description: Conn Filter for Zeek. This is an advanced setting and will take further action to enable.
+ helpLink: zeek.html
 file: True
 global: True
 advanced: True
 file_extraction:
- description: This is a list of mime types Zeek will extract from the network streams.
-
\ No newline at end of file
+ description: This is a list of MIME types that Zeek will extract from the network streams.
+ helpLink: zeek.html
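Review bot: The rewritten CompressLogs description in the soc_zeek.yaml hunk introduces a typo, `seting` for `setting`: `+ description: This setting enables compression of Zeek logs. If you are seeing packet loss at the top of the hour in Zeek or PCAP you might need to disable this by setting it to 0. This will use more disk space but save IO and CPU.` It would also help the reader to say what the value of this setting is, since the sentence says "disable this by setting it to 0" but the entry itself never states that it is a 0/1 value rather than a boolean like the enabled/pins_enabled entries above it. The hunk's removed trailing whitespace-only line and restored final newline are fine as they are.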