Addl customization for autoenable sigma

2025-12-06 09:12:45 +01:00 · 2024-11-18 09:03:17 -05:00
parent 4e0b5569dc
commit 56d6857cd6
2 changed files with 48 additions and 11 deletions
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1327,16 +1327,48 @@ soc:
          showAiSummaries: true
          autoUpdateEnabled: true
          autoEnabledSigmaRules:
-            default:
-              - core+critical
-              - securityonion-resources+critical
-              - securityonion-resources+high
-            so-eval:
-              - securityonion-resources+critical
-              - securityonion-resources+high
-            so-import:
-              - securityonion-resources+critical
-              - securityonion-resources+high
+            default: |-
+              Enabled_On_Import:
+                # SOS - resources ruleset
+                - ruleset: ["securityonion-resources"]
+                  level: ["critical", "high"]
+                  product: ["*"]
+                  category: ["*"]
+                  service: ["*"]
+                # SigmaHQ - Core ruleset - Logsource: System events supported by Elastic Agent
+                - ruleset: ["core"]
+                  level: ["critical"]
+                  product: ["*"]
+                  category: ["process_creation", "file_event", "registry_event", "network_connection", "dns_query"]
+                  service: ["*"]
+                # SigmaHQ - Core ruleset - Logsource: Windows eventlogs
+                - ruleset: ["core"]
+                  level: ["critical"]
+                  product: ["windows"]
+                  category: ["*"]
+                  service: ["security", "system", "dns-client", "application"]
+                # SigmaHQ - Core ruleset - Logsource: misc
+                - ruleset: ["core"]
+                  level: ["critical"]
+                  product: ["*"]
+                  category: ["antivirus"]
+                  service: ["*"]
+            so-eval: |-
+              Enabled_On_Import:
+                # SOS - resources ruleset
+                - ruleset: ["securityonion-resources"]
+                  level: ["critical", "high"]
+                  product: ["*"]
+                  category: ["*"]
+                  service: ["*"]
+            so-import: |-
+              Enabled_On_Import:
+                # SOS - resources ruleset
+                - ruleset: ["securityonion-resources"]
+                  level: ["critical", "high"]
+                  product: ["*"]
+                  category: ["*"]
+                  service: ["*"]
          communityRulesImportFrequencySeconds: 86400
          communityRulesImportErrorSeconds: 300
          failAfterConsecutiveErrorCount: 10
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -217,10 +217,15 @@ soc:
              jinjaEscaped: True
          autoEnabledSigmaRules:
            default: &autoEnabledSigmaRules
-              description: 'Sigma rules to automatically enable on initial import. Format is $Ruleset+$Level - for example, for the core community ruleset and critical level rules: core+critical. These will be applied based on role if defined and default if not.'
+              description: 'Sigma rules to automatically enable on initial import. The format is a YAML list, with the ability to filter for ruleset, level, product, category and service. Refer to the documentation for further details. These will be applied based on role if defined and default if not.'
              global: True
              advanced: True
              helpLink: sigma.html
+              multiline: True
+              syntax: yaml
+              duplicates: True
+              forcedType: string
+              jinjaEscaped: True
            so-eval: *autoEnabledSigmaRules
            so-import: *autoEnabledSigmaRules
          communityRulesImportFrequencySeconds: