From 33c23c30d32c27ad8ced37f9932e6031998d69bc Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Mon, 30 Jun 2025 11:43:02 -0600
Subject: [PATCH 1/2] Refactors playbook repo configuration
Replaces individual playbook repo fields with an array of repos to support multiple playbook sources. Refactor Jinja.
---
 salt/soc/defaults.yaml | 14 +++++++++-----
 salt/soc/merged.map.jinja | 6 +++---
 2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 66355fa24..42e07a7c0 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1464,12 +1464,16 @@ soc:
 autoUpdateEnabled: true
 playbookImportFrequencySeconds: 86400
 playbookImportErrorSeconds: 600
- playbookRepoUrl:
- default: https://github.com/Security-Onion-Solutions/securityonion-resources-playbooks
- airgap: file:///nsm/airgap-resources/playbooks/securityonion-resources-playbooks
- playbookRepoBranch: main
 playbookRepoPath: /opt/sensoroni/playbooks/
- playbookPathInRepo: securityonion-normalized
+ playbookRepos:
+ default:
+ - repo: https://github.com/Security-Onion-Solutions/securityonion-resources-playbooks
+ branch: main
+ folder: securityonion-normalized
+ airgap:
+ - repo: file:///nsm/airgap-resources/playbooks/securityonion-resources-playbooks
+ branch: main
+ folder: securityonion-normalized
 salt:
 queueDir: /opt/sensoroni/queue
 timeoutMs: 45000
diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja
index c950d8a60..e053ce63f 100644
--- a/salt/soc/merged.map.jinja
+++ b/salt/soc/merged.map.jinja
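Review bot: The removed keys `playbookRepoUrl`, `playbookRepoBranch` and `playbookPathInRepo` get no migration in this hunk, so an existing pillar or local override of any of them will be silently ignored once only `playbookRepos` is read; a comment above `playbookRepos:` such as `# replaces playbookRepoUrl / playbookRepoBranch / playbookPathInRepo` would at least make the rename visible to anyone diffing their overrides. Each entry pins `branch: main`, which is a moving target for content that is imported automatically every `playbookImportFrequencySeconds`; if the consumer accepts a tag or commit id in `branch`, documenting that here would let operators pin the playbook set. The code that clones these entries is outside this patch, so I cannot tell whether `repo` is restricted to the `https://` and `file://` schemes the defaults use; that validation belongs wherever the list is consumed.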
@@ -61,11 +61,11 @@
 {% do SOCMERGED.config.server.update({'airgapEnabled': false}) %}
 {% endif %}
-{# set playbookRepoUrl based on airgap or not #}
+{# set playbookRepos based on airgap or not #}
 {% if GLOBALS.airgap %}
-{% do SOCMERGED.config.server.modules.playbook.update({'playbookRepoUrl': SOCMERGED.config.server.modules.playbook.playbookRepoUrl.airgap}) %}
+{% do SOCMERGED.config.server.modules.playbook.update({'playbookRepos': SOCMERGED.config.server.modules.playbook.playbookRepos.airgap}) %}
 {% else %}
-{% do SOCMERGED.config.server.modules.playbook.update({'playbookRepoUrl': SOCMERGED.config.server.modules.playbook.playbookRepoUrl.default}) %}
+{% do SOCMERGED.config.server.modules.playbook.update({'playbookRepos': SOCMERGED.config.server.modules.playbook.playbookRepos.default}) %}
 {% endif %}
 {# remove these modules if detections is disabled #}
From a86105294b9ef7f4f8270bd59f43d13df719fccd Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Mon, 30 Jun 2025 12:50:56 -0600
Subject: [PATCH 2/2] Playbook Annotations
---
 salt/soc/soc_soc.yaml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 58560e89e..bbe963ec8 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
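Review bot: The two added `{% do ... update(...) %}` lines differ only in the trailing `.airgap` / `.default`, so the branch could shrink to `{% set pbRepoKey = 'airgap' if GLOBALS.airgap else 'default' %}` followed by a single `{% do SOCMERGED.config.server.modules.playbook.update({'playbookRepos': SOCMERGED.config.server.modules.playbook.playbookRepos[pbRepoKey]}) %}`, which keeps the two code paths from drifting apart. After this update `playbookRepos` holds a list, so a pillar override that replaces the whole `playbookRepos` mapping with a flat list (instead of overriding its `default` or `airgap` entry) would make the `.airgap`/`.default` lookup resolve to an undefined value rather than the operator's list; whether such overrides exist is not visible in this patch, but the comment could say `{# playbookRepos is a {default, airgap} mapping until this point; overrides must target one of those keys #}`.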
@@ -552,6 +552,23 @@ soc:
 description: How far back to search for ATT&CK-tagged alerts. (days)
 global: True
 helpLink: attack-navigator.html
+ playbook:
+ playbookRepos:
+ default: &pbRepos
+ description: "Custom Git repositories to pull Playbooks from. Playbooks are pulled when SOC starts and automatically refreshed every 24 hours. If this grid is airgapped then edit the airgap repos. Otherwise edit the default repos."
+ global: True
+ advanced: True
+ forcedType: "[]{}"
+ syntax: json
+ uiElements:
+ - field: repo
+ label: Repo URL
+ required: True
+ - field: branch
+ label: Branch
+ - field: folder
+ label: Folder
+ airgap: *pbRepos
 client:
 enableReverseLookup:
 description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI.
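Review bot: The description hard-codes "automatically refreshed every 24 hours", which is only the default of `playbookImportFrequencySeconds: 86400` from the first patch, so the text becomes wrong as soon as an operator tunes that setting; wording such as `refreshed at the interval set by playbookImportFrequencySeconds (24 hours by default)` stays accurate. The neighbouring setting in the context lines carries a `helpLink`, while the new `playbookRepos` entries have none; since this is an advanced setting that accepts repository URLs, a `helpLink` to the playbook documentation page would be worth adding. Because `airgap: *pbRepos` aliases the `default` mapping, both settings share one description, which is fine here as the text already explains the airgap/default split, but a comment beside `&pbRepos` such as `# shared with airgap below; keep the description generic` would stop a later edit of the default text from silently changing the airgap one.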