Merge pull request #14793 from Security-Onion-Solutions/cogburn/playbooks-import

Refactors playbook repo configuration
2025-12-15 21:52:47 +01:00 · 2025-06-30 13:02:39 -06:00
parent fe76a79ebd a86105294b
commit 56c9fa3129
3 changed files with 29 additions and 8 deletions
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1464,12 +1464,16 @@ soc:
          autoUpdateEnabled: true
          playbookImportFrequencySeconds: 86400
          playbookImportErrorSeconds: 600
-          playbookRepoUrl:
-            default: https://github.com/Security-Onion-Solutions/securityonion-resources-playbooks
-            airgap: file:///nsm/airgap-resources/playbooks/securityonion-resources-playbooks
-          playbookRepoBranch: main
          playbookRepoPath: /opt/sensoroni/playbooks/
-          playbookPathInRepo: securityonion-normalized
+          playbookRepos:
+            default:
+              - repo: https://github.com/Security-Onion-Solutions/securityonion-resources-playbooks
+                branch: main
+                folder: securityonion-normalized
+            airgap:
+              - repo: file:///nsm/airgap-resources/playbooks/securityonion-resources-playbooks
+                branch: main
+                folder: securityonion-normalized
        salt:
          queueDir: /opt/sensoroni/queue
          timeoutMs: 45000
--- a/salt/soc/merged.map.jinja
+++ b/salt/soc/merged.map.jinja
@@ -61,11 +61,11 @@
 {%   do SOCMERGED.config.server.update({'airgapEnabled': false}) %}
 {% endif %}

-{# set playbookRepoUrl based on airgap or not #}
+{# set playbookRepos based on airgap or not #}
 {% if GLOBALS.airgap %}
-{%   do SOCMERGED.config.server.modules.playbook.update({'playbookRepoUrl': SOCMERGED.config.server.modules.playbook.playbookRepoUrl.airgap}) %}
+{%   do SOCMERGED.config.server.modules.playbook.update({'playbookRepos': SOCMERGED.config.server.modules.playbook.playbookRepos.airgap}) %}
 {% else %}
-{%   do SOCMERGED.config.server.modules.playbook.update({'playbookRepoUrl': SOCMERGED.config.server.modules.playbook.playbookRepoUrl.default}) %}
+{%   do SOCMERGED.config.server.modules.playbook.update({'playbookRepos': SOCMERGED.config.server.modules.playbook.playbookRepos.default}) %}
 {% endif %}

 {# remove these modules if detections is disabled #}
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -552,6 +552,23 @@ soc:
            description: How far back to search for ATT&CK-tagged alerts. (days)
            global: True
            helpLink: attack-navigator.html
+        playbook:
+          playbookRepos:
+            default: &pbRepos
+              description: "Custom Git repositories to pull Playbooks from. Playbooks are pulled when SOC starts and automatically refreshed every 24 hours. If this grid is airgapped then edit the airgap repos. Otherwise edit the default repos."
+              global: True
+              advanced: True
+              forcedType: "[]{}"
+              syntax: json
+              uiElements:
+              - field: repo
+                label: Repo URL
+                required: True
+              - field: branch
+                label: Branch
+              - field: folder
+                label: Folder
+            airgap: *pbRepos
      client:
        enableReverseLookup:
          description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI.