From 69ace6fbfa91ba0ea49d037d1d1caed050bada96 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Thu, 2 Jul 2020 12:16:56 -0400
Subject: [PATCH] Initial commit - Low Level Alerts
---
 salt/elastalert/files/rules/so/nids2hive.yaml | 52 -------------------
 .../files/rules/so/suricata_thehive.yaml | 51 ++++++++++++++++++
 .../files/rules/so/wazuh_thehive.yaml | 49 +++++++++++++++++
 salt/soctopus/files/SOCtopus.conf | 2 +-
 salt/soctopus/init.sls | 3 +-
 5 files changed, 102 insertions(+), 55 deletions(-)
 delete mode 100644 salt/elastalert/files/rules/so/nids2hive.yaml
 create mode 100644 salt/elastalert/files/rules/so/suricata_thehive.yaml
 create mode 100644 salt/elastalert/files/rules/so/wazuh_thehive.yaml
diff --git a/salt/elastalert/files/rules/so/nids2hive.yaml b/salt/elastalert/files/rules/so/nids2hive.yaml
deleted file mode 100644
index 097511d56..000000000
--- a/salt/elastalert/files/rules/so/nids2hive.yaml
+++ /dev/null
@@ -1,52 +0,0 @@
-{% set es = salt['pillar.get']('static:masterip', '') %}
-{% set hivehost = salt['pillar.get']('static:masterip', '') %}
-{% set hivekey = salt['pillar.get']('static:hivekey', '') %}
-{% set MASTER = salt['pillar.get']('master:url_base', '') %}
-
-# hive.yaml
-# Elastalert rule to forward IDS alerts from Security Onion to a specified TheHive instance.
-#
-es_host: {{es}}
-es_port: 9200
-name: NIDS-Alert
-type: frequency
-index: "so-ids-*"
-num_events: 1
-timeframe:
- minutes: 10
-buffer_time:
- minutes: 10
-allow_buffer_time_overlap: true
-query_key: ["rule.uuid"]
-realert:
- days: 1
-filter:
-- query:
- query_string:
- query: "event.module: suricata"
-
-alert: hivealerter
-
-hive_connection:
- hive_host: http://{{hivehost}}
- hive_port: 9000/thehive
- hive_apikey: {{hivekey}}
-
-hive_proxies:
- http: ''
- https: ''
-
-hive_alert_config:
- title: '{match[rule][name]}'
- type: 'NIDS'
- source: 'SecurityOnion'
- description: "`Hunting Pivot:` \n\n \n\n `Kibana Dashboard - Signature Drilldown:` \n\n \n\n `Kibana Dashboard - Community_ID:` \n\n \n\n `IPs: `{match[source][ip]}:{match[source][port]} --> {match[destination][ip]}:{match[destination][port]} \n\n `Signature:`{match[rule][rule]}"
- severity: 2
- tags: ['{match[rule][uuid]}','{match[source][ip]}','{match[destination][ip]}']
- tlp: 3
- status: 'New'
- follow: True
-
-hive_observable_data_mapping:
- - ip: '{match[source][ip]}'
- - ip: '{match[destination][ip]}'
diff --git a/salt/elastalert/files/rules/so/suricata_thehive.yaml b/salt/elastalert/files/rules/so/suricata_thehive.yaml
new file mode 100644
index 000000000..82698b7a8
--- /dev/null
+++ b/salt/elastalert/files/rules/so/suricata_thehive.yaml
@@ -0,0 +1,51 @@
+{% set es = salt['pillar.get']('static:masterip', '') %}
+{% set hivehost = salt['pillar.get']('static:masterip', '') %}
+{% set hivekey = salt['pillar.get']('static:hivekey', '') %}
+{% set MASTER = salt['pillar.get']('master:url_base', '') %}
+
+# Elastalert rule to forward Suricata alerts from Security Onion to a specified TheHive instance.
+#
+es_host: {{es}}
+es_port: 9200
+name: Suricata-Alert
+type: frequency
+index: "so-ids-*"
+num_events: 1
+timeframe:
+ minutes: 10
+buffer_time:
+ minutes: 10
+allow_buffer_time_overlap: true
+query_key: ["rule.uuid","source.ip","destination.ip"]
+realert:
+ days: 1
+filter:
+- query:
+ query_string:
+ query: "event.module: suricata AND rule.severity:(1 OR 2)"
+
+alert: hivealerter
+
+hive_connection:
+ hive_host: http://{{hivehost}}
+ hive_port: 9000/thehive
+ hive_apikey: {{hivekey}}
+
+hive_proxies:
+ http: ''
+ https: ''
+
+hive_alert_config:
+ title: '{match[rule][name]}'
+ type: 'NIDS'
+ source: 'SecurityOnion'
+ description: "`SOC Hunt Pivot:` \n\n \n\n `Kibana Dashboard Pivot:` \n\n \n\n `IPs: `{match[source][ip]}:{match[source][port]} --> {match[destination][ip]}:{match[destination][port]} \n\n `Signature:`{match[rule][rule]}"
+ severity: 2
+ tags: ['{match[rule][uuid]}','{match[source][ip]}','{match[destination][ip]}']
+ tlp: 3
+ status: 'New'
+ follow: True
+
+hive_observable_data_mapping:
+ - ip: '{match[source][ip]}'
+ - ip: '{match[destination][ip]}'
diff --git a/salt/elastalert/files/rules/so/wazuh_thehive.yaml b/salt/elastalert/files/rules/so/wazuh_thehive.yaml
new file mode 100644
index 000000000..1e275dce8
--- /dev/null
+++ b/salt/elastalert/files/rules/so/wazuh_thehive.yaml
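Review bot: The Jinja-rendered scalars in the new file are unquoted, so an unset `static:hivekey` pillar renders `hive_apikey:` as a YAML null and a key or host value that happens to look like a number or boolean is retyped before ElastAlert ever sees it; wazuh_thehive.yaml in this commit has the same pattern. Quote them, `es_host: '{{es}}'`, `hive_host: 'http://{{hivehost}}'`, `hive_apikey: '{{hivekey}}'`, and write `follow: true` rather than `True`. `hive_host` also sends that API key over plain HTTP, so if TheHive is not co-located with ElastAlert the key crosses the network in clear; worth confirming against the deployment. `MASTER` is set at the top of the file but never referenced, and the `SOC Hunt Pivot:` and `Kibana Dashboard Pivot:` segments of `description` are empty, which looks like the pivot URLs that were meant to use it never made it in.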
@@ -0,0 +1,49 @@
+{% set es = salt['pillar.get']('static:masterip', '') %}
+{% set hivehost = salt['pillar.get']('static:masterip', '') %}
+{% set hivekey = salt['pillar.get']('static:hivekey', '') %}
+{% set MASTER = salt['pillar.get']('master:url_base', '') %}
+
+# Elastalert rule to forward high level Wazuh alerts from Security Onion to a specified TheHive instance.
+#
+es_host: {{es}}
+es_port: 9200
+name: Wazuh-Alert
+type: frequency
+index: "so-ossec-*"
+num_events: 1
+timeframe:
+ minutes: 10
+buffer_time:
+ minutes: 10
+allow_buffer_time_overlap: true
+realert:
+ days: 1
+filter:
+- query:
+ query_string:
+ query: "event.module: ossec AND rule.level>=8"
+
+alert: hivealerter
+
+hive_connection:
+ hive_host: http://{{hivehost}}
+ hive_port: 9000/thehive
+ hive_apikey: {{hivekey}}
+
+hive_proxies:
+ http: ''
+ https: ''
+
+hive_alert_config:
+ title: '{match[rule][name]}'
+ type: 'wazuh'
+ source: 'SecurityOnion'
+ description: "`SOC Hunt Pivot:` \n\n \n\n `Kibana Dashboard Pivot:` \n\n "
+ severity: 2
+ tags: ['{match[rule][id]}','{match[host][name]}']
+ tlp: 3
+ status: 'New'
+ follow: True
+
+hive_observable_data_mapping:
+ - other: '{match[host][name]}'
diff --git a/salt/soctopus/files/SOCtopus.conf b/salt/soctopus/files/SOCtopus.conf
index 71318b58d..d2c3eea2d 100644
--- a/salt/soctopus/files/SOCtopus.conf
+++ b/salt/soctopus/files/SOCtopus.conf
@@ -60,7 +60,7 @@
 slack_url = YOURSLACKWORKSPACE
 slack_webhook = YOURSLACKWEBHOOK
 [playbook]
-playbook_url = https://{{MASTER}}/playbook
+playbook_url = http://{{MASTER}}:3200/playbook
 playbook_key = de6639318502476f2fa5aa06f43f51fb389a3d7f
 playbook_verifycert = no
 playbook_unit_test_index = playbook-testing
diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls
index 6630b32b5..6c06fecff 100644
--- a/salt/soctopus/init.sls
+++ b/salt/soctopus/init.sls
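Review bot: `realert: days: 1` with no `query_key` in this rule suppresses every further match for a full day after the first Wazuh alert fires, regardless of which rule or host produced it, so a single level-8 event silences all later Wazuh escalations to TheHive for 24 hours. The Suricata rule added in the same commit scopes `realert` with a `query_key`; this one should do the same using the fields it already puts in `tags`, e.g. `query_key: ["rule.id","host.name"]`. If one Wazuh alert per day really is the intent, the header comment should say so, since otherwise the gap will be read as a bug.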
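Review bot: The new `playbook_url` moves the Playbook endpoint from `https://` to `http://{{MASTER}}:3200`, and the same `[playbook]` section presents `playbook_key` on every request, so unless port 3200 is reachable only over loopback or another protected path that key now travels in clear. If it is confined that way, record it above the line, e.g. `# 3200 is plain HTTP: Playbook must stay loopback/internal-only`; if it is not, the call should keep going through the TLS front end. The adjacent `playbook_verifycert = no` predates this change but compounds it, since even a later return to HTTPS would skip certificate checking.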
@@ -10,7 +10,7 @@ soctopusdir: - group: 939 - makedirs: True -soctopussync: +soctopus-sync: file.recurse: - name: /opt/so/conf/soctopus/templates - source: salt://soctopus/files/templates @@ -24,7 +24,6 @@ soctopusconf: - source: salt://soctopus/files/SOCtopus.conf - user: 939 - group: 939 - - replace: False - mode: 600 - template: jinja