Addl customization for autoenable sigma

This commit is contained in:
defensivedepth
2024-11-18 09:03:17 -05:00
parent 4e0b5569dc
commit 56d6857cd6
2 changed files with 48 additions and 11 deletions


@@ -1327,16 +1327,48 @@ soc:
showAiSummaries: true showAiSummaries: true
autoUpdateEnabled: true autoUpdateEnabled: true
autoEnabledSigmaRules: autoEnabledSigmaRules:
default: default: |-
- core+critical Enabled_On_Import:
- securityonion-resources+critical # SOS - resources ruleset
- securityonion-resources+high - ruleset: ["securityonion-resources"]
so-eval: level: ["critical", "high"]
- securityonion-resources+critical product: ["*"]
- securityonion-resources+high category: ["*"]
so-import: service: ["*"]
- securityonion-resources+critical # SigmaHQ - Core ruleset - Logsource: System events supported by Elastic Agent
- securityonion-resources+high - ruleset: ["core"]
level: ["critical"]
product: ["*"]
category: ["process_creation", "file_event", "registry_event", "network_connection", "dns_query"]
service: ["*"]
# SigmaHQ - Core ruleset - Logsource: Windows eventlogs
- ruleset: ["core"]
level: ["critical"]
product: ["windows"]
category: ["*"]
service: ["security", "system", "dns-client", "application"]
# SigmaHQ - Core ruleset - Logsource: misc
- ruleset: ["core"]
level: ["critical"]
product: ["*"]
category: ["antivirus"]
service: ["*"]
so-eval: |-
Enabled_On_Import:
# SOS - resources ruleset
- ruleset: ["securityonion-resources"]
level: ["critical", "high"]
product: ["*"]
category: ["*"]
service: ["*"]
so-import: |-
Enabled_On_Import:
# SOS - resources ruleset
- ruleset: ["securityonion-resources"]
level: ["critical", "high"]
product: ["*"]
category: ["*"]
service: ["*"]
communityRulesImportFrequencySeconds: 86400 communityRulesImportFrequencySeconds: 86400
communityRulesImportErrorSeconds: 300 communityRulesImportErrorSeconds: 300
failAfterConsecutiveErrorCount: 10 failAfterConsecutiveErrorCount: 10
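Review bot: The new `default` narrows SigmaHQ core auto-enabling from every critical rule (the old `core+critical`) to critical rules in the five categories on the first `core` entry, the four Windows eventlog channels, and `antivirus`, so a critical core rule in any category or service not listed is no longer enabled on import and must be enabled by hand, and nothing in the block records that this is deliberate. I would add a comment above the first `core` entry, e.g. `# Only critical core rules whose logsource is collected out of the box are auto-enabled; critical rules in other categories/services must be enabled manually.` Because the value is now a `|-` block scalar, the nested list is opaque to the pillar's own YAML parse and is presumably only validated when SOC parses it at rule import, so an unquoted `*` or an indentation slip here would not surface at highstate time; a one-line `# Parsed as YAML by SOC at import time - keep "*" quoted` at the top of each block would warn the next editor. The three identical `securityonion-resources` stanzas under `default`, `so-eval` and `so-import` will drift apart over time; if the pillar tooling tolerates aliases on scalars, one anchor would remove the duplication.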


@@ -217,10 +217,15 @@ soc:
jinjaEscaped: True jinjaEscaped: True
autoEnabledSigmaRules: autoEnabledSigmaRules:
default: &autoEnabledSigmaRules default: &autoEnabledSigmaRules
description: 'Sigma rules to automatically enable on initial import. Format is $Ruleset+$Level - for example, for the core community ruleset and critical level rules: core+critical. These will be applied based on role if defined and default if not.' description: 'Sigma rules to automatically enable on initial import. The format is a YAML list, with the ability to filter for ruleset, level, product, category and service. Refer to the documentation for further details. These will be applied based on role if defined and default if not.'
global: True global: True
advanced: True advanced: True
helpLink: sigma.html helpLink: sigma.html
multiline: True
syntax: yaml
duplicates: True
forcedType: string
jinjaEscaped: True
so-eval: *autoEnabledSigmaRules so-eval: *autoEnabledSigmaRules
so-import: *autoEnabledSigmaRules so-import: *autoEnabledSigmaRules
communityRulesImportFrequencySeconds: communityRulesImportFrequencySeconds:
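Review bot: The rewritten description on the `default` annotation says the value is a filterable YAML list but does not tell the operator the shape the consumer expects, which the pillar default in this commit shows: a mapping with one `Enabled_On_Import:` key whose value is a list of entries, each carrying `ruleset`, `level`, `product`, `category` and `service` as lists, with `"*"` presumably meaning any. I would extend the description with `Each entry is a mapping under Enabled_On_Import with ruleset, level, product, category and service lists; use "*" (quoted) to match any value.` so that an edit made in the SOC config UI is less likely to produce a silently empty filter. With `forcedType: string` and `syntax: yaml`, this operator-edited text is handed to the consumer as a string and parsed as YAML there rather than by Salt, so it is worth confirming that parse uses a safe loader and that a malformed value is reported rather than treated as "enable nothing". The five new keys sit inside the `&autoEnabledSigmaRules` anchor, so `so-eval` and `so-import` inherit them, which looks intended.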