From dcdfaf66f4a0a29afabc24b8158d285581d50adf Mon Sep 17 00:00:00 2001 From: defensivedepth Date: Wed, 16 Oct 2024 15:20:52 -0400 Subject: [PATCH 01/48] Add process and file creation mappings --- salt/soc/files/soc/sigma_so_pipeline.yaml | 66 +++++++++++++++++++++++ 1 file changed, 66 insertions(+) diff --git a/salt/soc/files/soc/sigma_so_pipeline.yaml b/salt/soc/files/soc/sigma_so_pipeline.yaml index 8314361f5..121bc06a6 100644 --- a/salt/soc/files/soc/sigma_so_pipeline.yaml +++ b/salt/soc/files/soc/sigma_so_pipeline.yaml 
@@ -106,3 +106,69 @@ transformations: - type: include_fields fields: - event.code + # Maps Windows + process_creation rules to endpoint process creation logs + - id: endpoint_process_create_windows_add-fields + type: add_condition + conditions: + event.category: 'process' + event.type: 'start' + host.os.type: 'windows' + rule_conditions: + - type: logsource + category: process_creation + product: windows + # Maps Linux + file_event rules to endpoint file creation logs + - id: endpoint_process_create_linux_add-fields + type: add_condition + conditions: + event.category: 'process' + event.type: 'start' + host.os.type: 'linux' + rule_conditions: + - type: logsource + category: process_creation + product: linux + # Maps macOS + file_event rules to endpoint file creation logs + - id: endpoint_process_create_macos_add-fields + type: add_condition + conditions: + event.category: 'process' + event.type: 'start' + host.os.type: 'macos' + rule_conditions: + - type: logsource + category: process_creation + product: macos + # Maps Windows + file_event rules to endpoint file creation logs + - id: endpoint_file_create_windows_add-fields + type: add_condition + conditions: + event.category: 'file' + event.type: 'creation' + host.os.type: 'windows' + rule_conditions: + - type: logsource + category: file_event + product: windows + # Maps Linux + file_event rules to endpoint file creation logs + - id: endpoint_file_create_linux_add-fields + type: add_condition + conditions: + event.category: 'file' + event.type: 'creation' + host.os.type: 'linux' + rule_conditions: + - type: logsource + category: file_event + product: linux + # Maps macOS + file_event rules to endpoint file creation logs + - id: endpoint_file_create_macos_add-fields + type: add_condition + conditions: + event.category: 'file' + event.type: 'creation' + host.os.type: 'macos' + rule_conditions: + - type: logsource + category: file_event + product: macos \ No newline at end of file 
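Review bot: The comments above `endpoint_process_create_linux_add-fields` and `endpoint_process_create_macos_add-fields` say "Maps Linux + file_event rules to endpoint file creation logs" / "Maps macOS + file_event rules to endpoint file creation logs", but the `rule_conditions` under them match `category: process_creation` and the added fields are `event.category: 'process'` / `event.type: 'start'`, so the text was copied from the file_event block and now misdescribes what the transformation selects. Change them to `# Maps Linux process_creation rules to endpoint process creation logs` and `# Maps macOS process_creation rules to endpoint process creation logs` (the Windows entry already reads that way). The hunk also ends with `\ No newline at end of file`; adding the trailing newline now avoids churn in the next patch that appends to this list. The enclosing `transformations:` sequence begins before this hunk.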
From 322199358deaa8840fa9a02f4f183bc82253a77a Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 16 Oct 2024 16:45:46 -0400 Subject: [PATCH 02/48] add support for trendmicro integration Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/elasticfleet/defaults.yaml | 2 + salt/elasticsearch/defaults.yaml | 176 ++++++++++++++++++ salt/elasticsearch/soc_elasticsearch.yaml | 4 + ...s-trend_micro_vision_one.alert@custom.json | 36 ++++ ...s-trend_micro_vision_one.audit@custom.json | 36 ++++ ...end_micro_vision_one.detection@custom.json | 36 ++++ .../logs-trendmicro.deep_security@custom.json | 36 ++++ 7 files changed, 326 insertions(+) create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.alert@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.audit@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.detection@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-trendmicro.deep_security@custom.json diff --git a/salt/elasticfleet/defaults.yaml b/salt/elasticfleet/defaults.yaml index c3ca0f828..e586100da 100644 --- a/salt/elasticfleet/defaults.yaml +++ b/salt/elasticfleet/defaults.yaml @@ -110,6 +110,8 @@ elasticfleet: - ti_otx - ti_recordedfuture - ti_threatq + - trendmicro + - trend_micro_vision_one - udp - vsphere - windows diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 06f5392d8..f0178728e 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml 
@@ -10298,6 +10298,182 @@ elasticsearch: set_priority: priority: 50 min_age: 30d + so-logs-trend_micro_vision_one_x_alert: + index_sorting: False + index_template: + index_patterns: + - "logs-trend_micro_vision_one.alert-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-trend_micro_vision_one.alert@package" + - "logs-trend_micro_vision_one.alert@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + ignore_missing_component_templates: + - "logs-trend_micro_vision_one.alert@custom" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-trend_micro_vision_one_x_audit: + index_sorting: False + index_template: + index_patterns: + - "logs-trend_micro_vision_one.audit-*" + template: + settings: + index: + number_of_replicas: 0 + ignore_missing_component_templates: + - "logs-trend_micro_vision_one.audit@custom" + composed_of: + - "logs-trend_micro_vision_one.audit@package" + - "logs-trend_micro_vision_one.audit@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-trend_micro_vision_one_x_detection: + index_sorting: False + index_template: + index_patterns: + - "logs-trend_micro_vision_one.detection-*" + template: + settings: + index: + 
number_of_replicas: 0 + ignore_missing_component_templates: + - "logs-trend_micro_vision_one.detection@custom" + composed_of: + - "logs-trend_micro_vision_one.detection@package" + - "logs-trend_micro_vision_one.detection@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-trendmicro_x_deep_security: + index_sorting: False + index_template: + index_patterns: + - "logs-trendmicro.deep_security-*" + template: + settings: + index: + number_of_replicas: 0 + ignore_missing_component_templates: + - "logs-trendmicro.deep_security@custom" + composed_of: + - "logs-trendmicro.deep_security@package" + - "logs-trendmicro.deep_security@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d so-logs-vsphere_x_log: index_sorting: false index_template: diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 31a8a7f6f..266372708 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml 
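Review bot: The four new `so-logs-trend_micro_vision_one_x_*` / `so-logs-trendmicro_x_deep_security` entries set `index_sorting: False`, while the neighbouring entries in this file use lowercase (the `so-logs-vsphere_x_log: index_sorting: false` context line at the end of the hunk). A YAML 1.1 loader reads both as a boolean, but a 1.2-strict loader or a schema check may keep `False` as a string, and it trips yamllint's `truthy` rule; write `index_sorting: false`. The same capitalised value appears in the six `so-logs-cybereason_x_*` entries that patch 07/48 adds to this file. Within this hunk the `_x_alert` entry also lists `ignore_missing_component_templates` after `composed_of` whereas the other three list it before; the content is equivalent, but one key order keeps the entries diffable.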
@@ -494,6 +494,10 @@ elasticsearch: so-logs-ti_recordedfuture_x_latest_ioc-template: *indexSettings so-logs-ti_recordedfuture_x_threat: *indexSettings so-logs-ti_threatq_x_threat: *indexSettings + so-logs-trend_micro_vision_one_x_alert: *indexSettings + so-logs-trend_micro_vision_one_x_audit: *indexSettings + so-logs-trend_micro_vision_one_x_detection: *indexSettings + so-logs-trendmicro_x_deep_security: *indexSettings so-logs-zscaler_zia_x_alerts: *indexSettings so-logs-zscaler_zia_x_dns: *indexSettings so-logs-zscaler_zia_x_firewall: *indexSettings diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.alert@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.alert@custom.json new file mode 100644 index 000000000..17319ab9f --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.alert@custom.json @@ -0,0 +1,36 @@ +{ + "template": { + "mappings": { + "properties": { + "host": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "related": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "destination": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "source": { + "properties":{ + "ip": { + "type": "ip" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.audit@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.audit@custom.json new file mode 100644 index 000000000..17319ab9f --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.audit@custom.json 
@@ -0,0 +1,36 @@ +{ + "template": { + "mappings": { + "properties": { + "host": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "related": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "destination": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "source": { + "properties":{ + "ip": { + "type": "ip" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.detection@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.detection@custom.json new file mode 100644 index 000000000..17319ab9f --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.detection@custom.json @@ -0,0 +1,36 @@ +{ + "template": { + "mappings": { + "properties": { + "host": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "related": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "destination": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "source": { + "properties":{ + "ip": { + "type": "ip" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-trendmicro.deep_security@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-trendmicro.deep_security@custom.json new file mode 100644 index 000000000..17319ab9f --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-trendmicro.deep_security@custom.json @@ -0,0 +1,36 @@ +{ + "template": { + "mappings": { + "properties": { + "host": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "related": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "destination": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "source": { + "properties":{ + "ip": { + "type": "ip" + } + } + } + } + } + } +} From 73ce5264676705802a4e1db90bd42695020c4a2e Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Wed, 16 Oct 2024 17:06:03 -0400 Subject: [PATCH 03/48] allow users to lock pkgs from upgrade --- pillar/top.sls | 2 ++ salt/versionlock/defaults.yaml | 3 +++ salt/versionlock/init.sls | 13 +++++++++++ salt/versionlock/map.jinja | 32 +++++++++++++++++++++++++++ salt/versionlock/soc_versionlock.yaml | 10 +++++++++ 5 files changed, 60 insertions(+) create mode 100644 salt/versionlock/defaults.yaml create mode 100644 salt/versionlock/init.sls create mode 100644 salt/versionlock/map.jinja create mode 100644 salt/versionlock/soc_versionlock.yaml diff --git a/pillar/top.sls b/pillar/top.sls index 131b39a99..9ae7e1e44 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -16,6 +16,8 @@ base: - sensoroni.adv_sensoroni - telegraf.soc_telegraf - telegraf.adv_telegraf + - versionlock.soc_versionlock + - versionlock.adv_versionlock '* and not *_desktop': - firewall.soc_firewall diff --git a/salt/versionlock/defaults.yaml b/salt/versionlock/defaults.yaml new file mode 100644 index 000000000..b7bce6c48 --- /dev/null +++ b/salt/versionlock/defaults.yaml @@ -0,0 +1,3 @@ +versionlock: + kernel: False + hold: [] diff --git a/salt/versionlock/init.sls b/salt/versionlock/init.sls new file mode 100644 index 000000000..ac27d69d7 --- /dev/null +++ b/salt/versionlock/init.sls @@ -0,0 +1,13 @@ +{% from 'versionlock/map.jinja' import VERSIONLOCKMERGED %} + +{% for pkg in VERSIONLOCKMERGED.hold %} +{{pkg}}_held: + pkg.held: + - name: {{pkg}} +{% endfor %} + +{% for pkg in VERSIONLOCKMERGED.UNHOLD %} +{{pkg}}_unheld: + pkg.unheld: + - name: {{pkg}} +{% endfor %} diff --git a/salt/versionlock/map.jinja b/salt/versionlock/map.jinja new file mode 100644 index 000000000..79ef1c45c --- /dev/null +++ b/salt/versionlock/map.jinja 
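Review bot: In the new `salt/versionlock/init.sls`, `{{pkg}}` is rendered unquoted both as the state ID and as `- name: {{pkg}}`, and the values come from the `versionlock:hold` pillar that `soc_versionlock.yaml` in this same patch exposes as a user-editable `[]string`. An entry containing YAML-significant characters (`: `, ` #`, a leading `*`, `&`, `[` or `{`) or surrounding whitespace would render into an unparseable or mis-parsed state file and fail the highstate on every minion that includes this state. Quoting the rendered value, `- name: '{{ pkg }}'`, keeps it a string; rejecting entries that do not match a package-name pattern in `map.jinja` before they reach the loop would be stronger.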
@@ -0,0 +1,32 @@ +{% import_yaml 'versionlock/defaults.yaml' as VERSIONLOCKDEFAULTS %} +{% set VERSIONLOCKMERGED = salt['pillar.get']('versionlock', VERSIONLOCKDEFAULTS.versionlock, merge=True) %} +{% set HELD = salt['pkg.list_holds']() %} + +{% set PACKAGES_HELD_IN_OTHER_STATES = [ + 'salt', + 'salt-master', + 'salt-minion', + 'containerd.io', + 'docker-ce', + 'docker-ce-cli', + 'docker-ce-rootless-extras' +] %} + +{% if VERSIONLOCKMERGED.kernel %} + {% do VERSIONLOCKMERGED['hold'].append('kernel') %} +{% endif %} + +{# remove packages held in other states from hold list #} +{% do VERSIONLOCKMERGED.update({'hold': VERSIONLOCKMERGED['hold'] | unique | reject('in', PACKAGES_HELD_IN_OTHER_STATES) | list }) %} + +{% do VERSIONLOCKMERGED.update({'UNHOLD': []}) %} + +{# if a package is currently held but not set to be held, unhold it #} +{% for item in HELD %} + {% set base_name = item.rsplit('-', 2)[0] %} + {% if base_name not in VERSIONLOCKMERGED['hold'] + and base_name not in PACKAGES_HELD_IN_OTHER_STATES + and base_name not in VERSIONLOCKMERGED['UNHOLD'] %} + {% do VERSIONLOCKMERGED['UNHOLD'].append(base_name) %} + {% endif %} +{% endfor %} diff --git a/salt/versionlock/soc_versionlock.yaml b/salt/versionlock/soc_versionlock.yaml new file mode 100644 index 000000000..b5f25c3a7 --- /dev/null +++ b/salt/versionlock/soc_versionlock.yaml @@ -0,0 +1,10 @@ +versionlock: + kernel: + description: Lock the kernel to prevent upgrade. + global: True + forcedType: bool + hold: + description: List of packages to hold + global: True + forcedType: "[]string" + multiline: True From 5fb660bc9ad082cf478d1b6fed842a803294616b Mon Sep 17 00:00:00 2001 
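Review bot: `{% set base_name = item.rsplit('-', 2)[0] %}` assumes every entry returned by `pkg.list_holds` has the form `name-version-release`; if an entry carries an epoch prefix (yum versionlock entries can look like `0:name-version-release.*`) or the provider returns bare package names (as an apt-based host would), `base_name` comes out as `0:name` or as a truncated name such as `docker` for `docker-ce-cli`, so it never matches `hold` or `PACKAGES_HELD_IN_OTHER_STATES` and the loop queues a `pkg.unheld` for a name that does not exist. This is inferred from the hunk, since the provider's output format is not visible here; on the yum provider `salt['pkg.list_holds'](full=False)` returns only names and would remove the parsing altogether, otherwise a comment stating the expected entry format and a guard that skips entries that do not split into three parts would make the assumption explicit. The same line is kept unchanged by patch 04/48.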
From: m0duspwnens Date: Thu, 17 Oct 2024 09:29:03 -0400 Subject: [PATCH 04/48] remove kernel bool option, just use list --- salt/logstash/map.jinja | 4 ++-- salt/top.sls | 1 + salt/versionlock/defaults.yaml | 1 - salt/versionlock/init.sls | 5 +++++ salt/versionlock/map.jinja | 15 ++++++++------- salt/versionlock/soc_versionlock.yaml | 7 ++----- setup/so-functions | 2 +- 7 files changed, 19 insertions(+), 16 deletions(-) diff --git a/salt/logstash/map.jinja b/salt/logstash/map.jinja index 8fc3291e5..da2bc341a 100644 --- a/salt/logstash/map.jinja +++ b/salt/logstash/map.jinja @@ -1,5 +1,5 @@ {# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one - or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at + or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at https://securityonion.net/license; you may not use this file except in compliance with the Elastic License 2.0. #} @@ -42,4 +42,4 @@ {% do LOGSTASH_MERGED.update({'enabled': False}) %} {% endif %} {% endif %} -{% endif %} \ No newline at end of file +{% endif %} diff --git a/salt/top.sls b/salt/top.sls index d876806f2..cffd1ebc8 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -12,6 +12,7 @@ base: '*': - cron.running - repo.client + - versionlock - ntp - schedule - logrotate diff --git a/salt/versionlock/defaults.yaml b/salt/versionlock/defaults.yaml index b7bce6c48..cacd1d7bb 100644 --- a/salt/versionlock/defaults.yaml +++ b/salt/versionlock/defaults.yaml @@ -1,3 +1,2 @@ versionlock: - kernel: False hold: [] diff --git a/salt/versionlock/init.sls b/salt/versionlock/init.sls index ac27d69d7..278809aee 100644 --- a/salt/versionlock/init.sls +++ b/salt/versionlock/init.sls 
@@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {% from 'versionlock/map.jinja' import VERSIONLOCKMERGED %} {% for pkg in VERSIONLOCKMERGED.hold %} diff --git a/salt/versionlock/map.jinja b/salt/versionlock/map.jinja index 79ef1c45c..e078ff22d 100644 --- a/salt/versionlock/map.jinja +++ b/salt/versionlock/map.jinja @@ -1,7 +1,13 @@ +{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one + or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at + https://securityonion.net/license; you may not use this file except in compliance with the + Elastic License 2.0. #} + {% import_yaml 'versionlock/defaults.yaml' as VERSIONLOCKDEFAULTS %} {% set VERSIONLOCKMERGED = salt['pillar.get']('versionlock', VERSIONLOCKDEFAULTS.versionlock, merge=True) %} {% set HELD = salt['pkg.list_holds']() %} +{# these are packages held / versionlock in other states #} {% set PACKAGES_HELD_IN_OTHER_STATES = [ 'salt', 'salt-master', 
@@ -12,21 +18,16 @@ 'docker-ce-rootless-extras' ] %} -{% if VERSIONLOCKMERGED.kernel %} - {% do VERSIONLOCKMERGED['hold'].append('kernel') %} -{% endif %} - {# remove packages held in other states from hold list #} {% do VERSIONLOCKMERGED.update({'hold': VERSIONLOCKMERGED['hold'] | unique | reject('in', PACKAGES_HELD_IN_OTHER_STATES) | list }) %} +{# initiate VERSIONLOCKMERGED.UNHOLD #} {% do VERSIONLOCKMERGED.update({'UNHOLD': []}) %} {# if a package is currently held but not set to be held, unhold it #} {% for item in HELD %} {% set base_name = item.rsplit('-', 2)[0] %} - {% if base_name not in VERSIONLOCKMERGED['hold'] - and base_name not in PACKAGES_HELD_IN_OTHER_STATES - and base_name not in VERSIONLOCKMERGED['UNHOLD'] %} + {% if base_name not in VERSIONLOCKMERGED['hold'] and base_name not in PACKAGES_HELD_IN_OTHER_STATES and base_name not in VERSIONLOCKMERGED['UNHOLD'] %} {% do VERSIONLOCKMERGED['UNHOLD'].append(base_name) %} {% endif %} {% endfor %} diff --git a/salt/versionlock/soc_versionlock.yaml b/salt/versionlock/soc_versionlock.yaml index b5f25c3a7..24b8676a9 100644 --- a/salt/versionlock/soc_versionlock.yaml +++ b/salt/versionlock/soc_versionlock.yaml @@ -1,10 +1,7 @@ versionlock: - kernel: - description: Lock the kernel to prevent upgrade. - global: True - forcedType: bool hold: - description: List of packages to hold + description: List of packages to hold. To reduce the frequency of required reboots, add 'kernel' to this list. global: True forcedType: "[]string" multiline: True + helpLink: versionlock.html diff --git a/setup/so-functions b/setup/so-functions index 5ebf76c17..8e83f822d 100755 --- a/setup/so-functions +++ b/setup/so-functions 
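Review bot: The added comment `{# initiate VERSIONLOCKMERGED.UNHOLD #}` should read `{# initialize VERSIONLOCKMERGED.UNHOLD #}`. Collapsing the three-line `if` into a single ~150-character line makes the condition harder to read for no visible benefit; Jinja accepts the multi-line form, so if it was merged to work around a rendering problem, a comment saying so would stop the next reader from splitting it again.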
@@ -1404,7 +1404,7 @@ make_some_dirs() { mkdir -p $local_salt_dir/salt/firewall/portgroups mkdir -p $local_salt_dir/salt/firewall/ports - for THEDIR in bpf pcap elasticsearch ntp firewall redis backup influxdb strelka sensoroni soc docker zeek suricata nginx telegraf logstash soc manager kratos idstools idh elastalert stig global kafka;do + for THEDIR in bpf pcap elasticsearch ntp firewall redis backup influxdb strelka sensoroni soc docker zeek suricata nginx telegraf logstash soc manager kratos idstools idh elastalert stig global kafka versionlock; do mkdir -p $local_salt_dir/pillar/$THEDIR touch $local_salt_dir/pillar/$THEDIR/adv_$THEDIR.sls touch $local_salt_dir/pillar/$THEDIR/soc_$THEDIR.sls From 76ff0c56cd2570fd97194990fa7d5d02d041100b Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 17 Oct 2024 10:06:40 -0400 Subject: [PATCH 05/48] create versionlock pillar dir/files during soup to 120 --- salt/manager/tools/sbin/soup | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index c592dffe4..3569029ac 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -404,6 +404,7 @@ preupgrade_changes() { [[ "$INSTALLEDVERSION" == 2.4.80 ]] && up_to_2.4.90 [[ "$INSTALLEDVERSION" == 2.4.90 ]] && up_to_2.4.100 [[ "$INSTALLEDVERSION" == 2.4.100 ]] && up_to_2.4.110 + [[ "$INSTALLEDVERSION" == 2.4.110 ]] && up_to_2.4.120 true } @@ -425,6 +426,7 @@ postupgrade_changes() { [[ "$POSTVERSION" == 2.4.80 ]] && post_to_2.4.90 [[ "$POSTVERSION" == 2.4.90 ]] && post_to_2.4.100 [[ "$POSTVERSION" == 2.4.100 ]] && post_to_2.4.110 + [[ "$POSTVERSION" == 2.4.110 ]] && post_to_2.4.120 true } @@ -517,6 +519,11 @@ post_to_2.4.110() { POSTVERSION=2.4.110 } +post_to_2.4.120() { + echo "Nothing to apply" + POSTVERSION=2.4.120 +} + repo_sync() { echo "Sync the local repo." su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync." 
@@ -694,17 +701,27 @@ up_to_2.4.90() { INSTALLEDVERSION=2.4.90 } + up_to_2.4.100() { # Elastic Update for this release, so download Elastic Agent files determine_elastic_agent_upgrade INSTALLEDVERSION=2.4.100 } + up_to_2.4.110() { echo "Nothing to do for 2.4.110" INSTALLEDVERSION=2.4.110 } +up_to_2.4.120() { + # this is needed for the new versionlock state + mkdir /opt/so/saltstack/local/pillar/versionlock + touch /opt/so/saltstack/local/pillar/versionlock/adv_versionlock.sls /opt/so/saltstack/local/pillar/versionlock/soc_versionlock.sls + + INSTALLEDVERSION=2.4.120 +} + add_detection_test_pillars() { if [[ -n "$SOUP_INTERNAL_TESTING" ]]; then echo "Adding detection pillar values for automated testing" From 39230159aecccc4613dea7695758dcfd93e98694 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 17 Oct 2024 12:10:49 -0400 Subject: [PATCH 06/48] update description --- salt/versionlock/soc_versionlock.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/versionlock/soc_versionlock.yaml b/salt/versionlock/soc_versionlock.yaml index 24b8676a9..f1e864d7d 100644 --- a/salt/versionlock/soc_versionlock.yaml +++ b/salt/versionlock/soc_versionlock.yaml @@ -1,6 +1,6 @@ versionlock: hold: - description: List of packages to hold. To reduce the frequency of required reboots, add 'kernel' to this list. + description: List of packages to prevent from upgrading. To reduce the frequency of required reboots, add 'kernel' to this list. global: True forcedType: "[]string" multiline: True From 8b11019712cf07e032eebccb1d7355d2146ac0c1 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Fri, 18 Oct 2024 11:56:47 -0400 Subject: [PATCH 07/48] Add support for cybereason integration 
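Review bot: `mkdir /opt/so/saltstack/local/pillar/versionlock` in `up_to_2.4.120` has no `-p`, so it fails when the directory already exists (a soup re-run after a partial upgrade, or a manager where `make_some_dirs` in so-functions, which patch 04/48 extends with `versionlock`, already created it); whether that aborts the upgrade depends on the script's error handling, which is outside this hunk. Use `mkdir -p /opt/so/saltstack/local/pillar/versionlock` to match how the other pillar directories are created. The two files are created with the invoking user's umask and ownership; if the sibling pillar files are expected to carry specific ownership or mode, set it here as well (not visible in this hunk).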
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/elasticfleet/defaults.yaml | 1 + salt/elasticsearch/defaults.yaml | 264 ++++++++++++++++++ salt/elasticsearch/soc_elasticsearch.yaml | 6 + .../logs-cybereason.logon_session@custom.json | 36 +++ ...gs-cybereason.malop_connection@custom.json | 36 +++ .../logs-cybereason.malop_process@custom.json | 36 +++ .../logs-cybereason.malware@custom.json | 36 +++ .../logs-cybereason.poll_malop@custom.json | 36 +++ ...-cybereason.suspicions_process@custom.json | 36 +++ 9 files changed, 487 insertions(+) create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.logon_session@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malop_connection@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malop_process@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malware@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.poll_malop@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.suspicions_process@custom.json diff --git a/salt/elasticfleet/defaults.yaml b/salt/elasticfleet/defaults.yaml index e586100da..6e4ce206b 100644 --- a/salt/elasticfleet/defaults.yaml +++ b/salt/elasticfleet/defaults.yaml @@ -53,6 +53,7 @@ elasticfleet: - citrix_waf - cloudflare - crowdstrike + - cybereason - darktrace - elastic_agent - elasticsearch diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index f0178728e..0a6463f06 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml 
@@ -3562,6 +3562,270 @@ elasticsearch: set_priority: priority: 50 min_age: 30d + so-logs-cybereason_x_logon_session: + index_sorting: False + index_template: + index_patterns: + - "logs-cybereason.logon_session-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-cybereason.logon_session@package" + - "logs-cybereason.logon_session@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + ignore_missing_component_templates: + - logs-cybereason.logon_session@custom + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-cybereason_x_malop_connection: + index_sorting: False + index_template: + index_patterns: + - "logs-cybereason.malop_connection-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-cybereason.malop_connection@package" + - "logs-cybereason.malop_connection@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + ignore_missing_component_templates: + - logs-cybereason.malop_connection@custom + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-cybereason_x_malop_process: + index_sorting: False + index_template: + index_patterns: + - "logs-cybereason.malop_process-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - 
"logs-cybereason.malop_process@package" + - "logs-cybereason.malop_process@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + ignore_missing_component_templates: + - logs-cybereason.malop_process@custom + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-cybereason_x_malware: + index_sorting: False + index_template: + index_patterns: + - "logs-cybereason.malware-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-cybereason.malware@package" + - "logs-cybereason.malware@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + ignore_missing_component_templates: + - logs-cybereason.malware@custom + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-cybereason_x_poll_malop: + index_sorting: False + index_template: + index_patterns: + - "logs-cybereason.poll_malop-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-cybereason.poll_malop@package" + - "logs-cybereason.poll_malop@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + ignore_missing_component_templates: + - logs-cybereason.poll_malop@custom + policy: + phases: + cold: + actions: + set_priority: + priority: 0 
+ min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-cybereason_x_suspicions_process: + index_sorting: False + index_template: + index_patterns: + - "logs-cybereason.suspicions_process-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-cybereason.suspicions_process@package" + - "logs-cybereason.suspicions_process@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + ignore_missing_component_templates: + - logs-cybereason.suspicions_process@custom + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d so-logs-darktrace_x_ai_analyst_alert: index_sorting: false index_template: diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 266372708..284e4acc2 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml 
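Review bot: The six new `so-logs-cybereason_x_*` entries list the `ignore_missing_component_templates` value unquoted (`- logs-cybereason.logon_session@custom`) while the same name a few lines above in `composed_of` is quoted, and the trend_micro entries added in patch 02/48 quote both. `@` is only a reserved indicator at the start of a plain scalar, so this parses as a string, but quoting it — `- "logs-cybereason.logon_session@custom"` — keeps the four lists in each entry consistent and avoids relying on that rule.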
@@ -398,6 +398,12 @@ elasticsearch: so-logs-cloudflare_x_logpull: *indexSettings so-logs-crowdstrike_x_falcon: *indexSettings so-logs-crowdstrike_x_fdr: *indexSettings + so-logs-cybereason_x_logon_session: *indexSettings + so-logs-cybereason_x_malop_connection: *indexSettings + so-logs-cybereason_x_malop_process: *indexSettings + so-logs-cybereason_x_malware: *indexSettings + so-logs-cybereason_x_poll_malop: *indexSettings + so-logs-cybereason_x_suspicions_process: *indexSettings so-logs-darktrace_x_ai_analyst_alert: *indexSettings so-logs-darktrace_x_model_breach_alert: *indexSettings so-logs-darktrace_x_system_status_alert: *indexSettings diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.logon_session@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.logon_session@custom.json new file mode 100644 index 000000000..17319ab9f --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.logon_session@custom.json @@ -0,0 +1,36 @@ +{ + "template": { + "mappings": { + "properties": { + "host": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "related": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "destination": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "source": { + "properties":{ + "ip": { + "type": "ip" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malop_connection@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malop_connection@custom.json new file mode 100644 index 000000000..17319ab9f --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malop_connection@custom.json 
@@ -0,0 +1,36 @@ +{ + "template": { + "mappings": { + "properties": { + "host": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "related": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "destination": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "source": { + "properties":{ + "ip": { + "type": "ip" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malop_process@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malop_process@custom.json new file mode 100644 index 000000000..17319ab9f --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malop_process@custom.json @@ -0,0 +1,36 @@ +{ + "template": { + "mappings": { + "properties": { + "host": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "related": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "destination": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "source": { + "properties":{ + "ip": { + "type": "ip" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malware@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malware@custom.json new file mode 100644 index 000000000..17319ab9f --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malware@custom.json @@ -0,0 +1,36 @@ +{ + "template": { + "mappings": { + "properties": { + "host": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "related": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "destination": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "source": { + "properties":{ + "ip": { + "type": "ip" + } + } + } + } + } + } +} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.poll_malop@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.poll_malop@custom.json new file mode 100644 index 000000000..17319ab9f --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.poll_malop@custom.json @@ -0,0 +1,36 @@ +{ + "template": { + "mappings": { + "properties": { + "host": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "related": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "destination": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "source": { + "properties":{ + "ip": { + "type": "ip" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.suspicions_process@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.suspicions_process@custom.json new file mode 100644 index 000000000..17319ab9f --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.suspicions_process@custom.json @@ -0,0 +1,36 @@ +{ + "template": { + "mappings": { + "properties": { + "host": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "related": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "destination": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "source": { + "properties":{ + "ip": { + "type": "ip" + } + } + } + } + } + } +} From 4d093735ecd37e16e2e56249114ce20b30fd48f0 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 18 Oct 2024 14:41:23 -0400 Subject: [PATCH 08/48] prevent state from failing if versionlock plugin not installed --- salt/versionlock/init.sls | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/salt/versionlock/init.sls b/salt/versionlock/init.sls index 278809aee..a310356b4 100644 --- a/salt/versionlock/init.sls +++ b/salt/versionlock/init.sls 
@@ -3,16 +3,17 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{% from 'versionlock/map.jinja' import VERSIONLOCKMERGED %}
-
-{% for pkg in VERSIONLOCKMERGED.hold %}
+{% if grains.os_family == 'Debian' or (grains.os_family == 'RedHat' and salt['pkg.version']('python3-dnf-plugin-versionlock') != "") %}
+{% from 'versionlock/map.jinja' import VERSIONLOCKMERGED %}
+{% for pkg in VERSIONLOCKMERGED.hold %}
 {{pkg}}_held:
 pkg.held:
 - name: {{pkg}}
-{% endfor %}
+{% endfor %}
-{% for pkg in VERSIONLOCKMERGED.UNHOLD %}
+{% for pkg in VERSIONLOCKMERGED.UNHOLD %}
 {{pkg}}_unheld:
 pkg.unheld:
 - name: {{pkg}}
-{% endfor %}
+{% endfor %}
+{% endif %}
From cf95af66c66c1623190eff042965aa9f340a8ea8 Mon Sep 17 00:00:00 2001
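Review bot: On RedHat the new top-level `{% if %}` silently renders an empty state file when `python3-dnf-plugin-versionlock` is absent, so every `pkg.held`/`pkg.unheld` is skipped and an operator who pinned `kernel` or `salt-minion` gets no indication that the pin is not being enforced on that minion. A version pin that quietly stops applying is worse than a failing state, so the skip path should at least produce a visible result; an `{% else %}` branch with a `test.show_notification` (or `test.fail_without_changes` if it should show red in highstate) does that in a few lines. A one-line comment explaining why Debian needs no check (`apt-mark hold` needs no plugin) would also stop the asymmetry from reading as an oversight.
```yaml
# … unchanged: hold / unhold loops …
{% else %}
versionlock_plugin_missing:
  test.show_notification:
    - text: 'python3-dnf-plugin-versionlock is not installed; versionlock holds are not being enforced on this minion'
{% endif %}
```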
From: Jorge Reyes <94730068+reyesj2@users.noreply.github.com> Date: Mon, 21 Oct 2024 15:23:05 -0400 Subject: [PATCH 09/48] Revert "Add support for cybereason integration" --- salt/elasticfleet/defaults.yaml | 1 - salt/elasticsearch/defaults.yaml | 264 ------------------ salt/elasticsearch/soc_elasticsearch.yaml | 6 - .../logs-cybereason.logon_session@custom.json | 36 --- ...gs-cybereason.malop_connection@custom.json | 36 --- .../logs-cybereason.malop_process@custom.json | 36 --- .../logs-cybereason.malware@custom.json | 36 --- .../logs-cybereason.poll_malop@custom.json | 36 --- ...-cybereason.suspicions_process@custom.json | 36 --- 9 files changed, 487 deletions(-) delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.logon_session@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malop_connection@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malop_process@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malware@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.poll_malop@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.suspicions_process@custom.json diff --git a/salt/elasticfleet/defaults.yaml b/salt/elasticfleet/defaults.yaml index 6e4ce206b..e586100da 100644 --- a/salt/elasticfleet/defaults.yaml +++ b/salt/elasticfleet/defaults.yaml @@ -53,7 +53,6 @@ elasticfleet: - citrix_waf - cloudflare - crowdstrike - - cybereason - darktrace - elastic_agent - elasticsearch diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 0a6463f06..f0178728e 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml 
@@ -3562,270 +3562,6 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-logs-cybereason_x_logon_session: - index_sorting: False - index_template: - index_patterns: - - "logs-cybereason.logon_session-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-cybereason.logon_session@package" - - "logs-cybereason.logon_session@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-cybereason.logon_session@custom - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cybereason_x_malop_connection: - index_sorting: False - index_template: - index_patterns: - - "logs-cybereason.malop_connection-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-cybereason.malop_connection@package" - - "logs-cybereason.malop_connection@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-cybereason.malop_connection@custom - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cybereason_x_malop_process: - index_sorting: False - index_template: - index_patterns: - - "logs-cybereason.malop_process-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - 
"logs-cybereason.malop_process@package" - - "logs-cybereason.malop_process@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-cybereason.malop_process@custom - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cybereason_x_malware: - index_sorting: False - index_template: - index_patterns: - - "logs-cybereason.malware-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-cybereason.malware@package" - - "logs-cybereason.malware@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-cybereason.malware@custom - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cybereason_x_poll_malop: - index_sorting: False - index_template: - index_patterns: - - "logs-cybereason.poll_malop-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-cybereason.poll_malop@package" - - "logs-cybereason.poll_malop@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-cybereason.poll_malop@custom - policy: - phases: - cold: - actions: - set_priority: - priority: 0 
- min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cybereason_x_suspicions_process: - index_sorting: False - index_template: - index_patterns: - - "logs-cybereason.suspicions_process-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-cybereason.suspicions_process@package" - - "logs-cybereason.suspicions_process@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-cybereason.suspicions_process@custom - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d so-logs-darktrace_x_ai_analyst_alert: index_sorting: false index_template: diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 284e4acc2..266372708 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml 
@@ -398,12 +398,6 @@ elasticsearch: so-logs-cloudflare_x_logpull: *indexSettings so-logs-crowdstrike_x_falcon: *indexSettings so-logs-crowdstrike_x_fdr: *indexSettings - so-logs-cybereason_x_logon_session: *indexSettings - so-logs-cybereason_x_malop_connection: *indexSettings - so-logs-cybereason_x_malop_process: *indexSettings - so-logs-cybereason_x_malware: *indexSettings - so-logs-cybereason_x_poll_malop: *indexSettings - so-logs-cybereason_x_suspicions_process: *indexSettings so-logs-darktrace_x_ai_analyst_alert: *indexSettings so-logs-darktrace_x_model_breach_alert: *indexSettings so-logs-darktrace_x_system_status_alert: *indexSettings diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.logon_session@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.logon_session@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.logon_session@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malop_connection@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malop_connection@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malop_connection@custom.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malop_process@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malop_process@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malop_process@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malware@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malware@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malware@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.poll_malop@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.poll_malop@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.poll_malop@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.suspicions_process@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.suspicions_process@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.suspicions_process@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} From 21f359456c01084c07ab52764fd3aef3082bfdec Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 22 Oct 2024 11:35:08 -0400 Subject: [PATCH 10/48] install createrepo for airgap --- setup/so-functions | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 5ebf76c17..ad10752ea 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -1825,10 +1825,9 @@ repo_sync_local() {
 if [[ ! $is_airgap ]]; then
 curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install
 retry 5 60 "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" >> "$setup_log" 2>&1 || fail_setup
- # After the download is complete run createrepo
- create_repo
 fi
-
+ # After the download is complete run createrepo
+ create_repo
 else
 # Add the proper repos for unsupported stuff
 echo "Adding Repos"
From 8d2ae23ae65751cec3d855c4463b8b93767fc27a Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 22 Oct 2024 13:56:38 -0400
Subject: [PATCH 11/48] install createrepo on airgap and non airgap
---
salt/manager/init.sls | 6 ++++++
setup/so-functions | 6 +++---
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/salt/manager/init.sls b/salt/manager/init.sls
index 2feda45ae..31af523cc 100644
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -45,6 +45,12 @@ yara_log_dir:
 - user
 - group
+{% if GLOBALS.os_family == 'RedHat' %}
+install_createrepo:
+ pkg.installed:
+ - name: createrepo
+{% endif %}
+
 repo_conf_dir:
 file.directory:
 - name: /opt/so/conf/reposync
diff --git a/setup/so-functions b/setup/so-functions
index ad10752ea..f4262152f 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -803,7 +803,6 @@ create_manager_pillars() {
 create_repo() {
 title "Create the repo directory"
- logCmd "dnf -y install yum-utils createrepo"
 logCmd "createrepo /nsm/repo"
 }
@@ -1821,13 +1820,14 @@ repo_sync_local() {
 echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf
 logCmd "dnf repolist"
+ logCmd "dnf -y install yum-utils createrepo"
 if [[ ! $is_airgap ]]; then
 curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install
 retry 5 60 "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" >> "$setup_log" 2>&1 || fail_setup
+ # After the download is complete run createrepo
+ create_repo
 fi
- # After the download is complete run createrepo
- create_repo
 else
 # Add the proper repos for unsupported stuff
 echo "Adding Repos"
From 7a0f6d5e9326c733248ad079eb274dc1086b5477 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 22 Oct 2024 16:42:01 -0400
Subject: [PATCH 12/48] fix pkg name
---
salt/manager/init.sls | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/manager/init.sls b/salt/manager/init.sls
index 31af523cc..96055df24 100644
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -48,7 +48,7 @@ yara_log_dir:
 {% if GLOBALS.os_family == 'RedHat' %}
 install_createrepo:
 pkg.installed:
- - name: createrepo
+ - name: createrepo_c
 {% endif %}
 repo_conf_dir:
From 1df104967ebb426a52d5dbb0f109005c115b1a36 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 22 Oct 2024 16:50:23 -0400
Subject: [PATCH 13/48] fix pkg name
---
salt/manager/tools/sbin/soup | 2 +-
setup/so-functions | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index c592dffe4..1845918c1 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -914,7 +914,7 @@ update_airgap_repo() {
 echo "Syncing new updates to /nsm/repo"
 rsync -av $AGREPO/* /nsm/repo/
 echo "Creating repo"
- dnf -y install yum-utils createrepo
+ dnf -y install yum-utils createrepo_c
 createrepo /nsm/repo
 }
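Review bot: In `update_airgap_repo` the exit status of `dnf -y install yum-utils createrepo_c` and of `createrepo /nsm/repo` is never checked, so when metadata generation fails the freshly rsync'd RPMs sit under stale `repodata` and the following upgrade resolves against the old package set without any error. Both commands should be fatal, e.g. `createrepo /nsm/repo || { echo "createrepo failed for /nsm/repo"; exit 1; }`, or whatever failure helper soup already uses. The `rsync -av $AGREPO/* /nsm/repo/` above is unquoted and lacks `--delete`, so superseded RPMs accumulate; `"$AGREPO"/*` is the minimal hardening. The package rename to `createrepo_c` is right for EL9, but the command still invoked is `createrepo`; presumably that resolves through the compat link the package ships — confirm on the target OS, since `createrepo_c` is the canonical binary name. The opening of `update_airgap_repo` is outside the hunk.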
diff --git a/setup/so-functions b/setup/so-functions
index f4262152f..8e1297812 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1820,7 +1820,7 @@ repo_sync_local() {
 echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf
 logCmd "dnf repolist"
- logCmd "dnf -y install yum-utils createrepo"
+ logCmd "dnf -y install yum-utils createrepo_c"
 if [[ ! $is_airgap ]]; then
 curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install
From 8cc530dd4c1437d6f697f2da6c40c8582bc1b7ca Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 23 Oct 2024 09:36:17 -0400
Subject: [PATCH 14/48] fix HELD for debian families
---
salt/versionlock/map.jinja | 7 ++++++-
salt/versionlock/soc_versionlock.yaml | 2 +-
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/salt/versionlock/map.jinja b/salt/versionlock/map.jinja
index e078ff22d..1477657bc 100644
--- a/salt/versionlock/map.jinja
+++ b/salt/versionlock/map.jinja
@@ -5,7 +5,12 @@
 {% import_yaml 'versionlock/defaults.yaml' as VERSIONLOCKDEFAULTS %}
 {% set VERSIONLOCKMERGED = salt['pillar.get']('versionlock', VERSIONLOCKDEFAULTS.versionlock, merge=True) %}
-{% set HELD = salt['pkg.list_holds']() %}
+
+{% if grains.os_family == 'RedHat' %}
+{% set HELD = salt['pkg.list_holds']() %}
+{% else %}
+{% set HELD = salt['pkg.get_selections'](state='hold')['hold'] %}
+{% endif %}
 {# these are packages held / versionlock in other states #}
 {% set PACKAGES_HELD_IN_OTHER_STATES = [
diff --git a/salt/versionlock/soc_versionlock.yaml b/salt/versionlock/soc_versionlock.yaml
index f1e864d7d..92fd69875 100644
--- a/salt/versionlock/soc_versionlock.yaml
+++ b/salt/versionlock/soc_versionlock.yaml
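Review bot: `salt['pkg.get_selections'](state='hold')['hold']` indexes the result unconditionally, and a fresh Debian minion with nothing on hold is exactly the case where that key may be absent; if the apt module returns an empty mapping there, the render raises KeyError and the whole versionlock state fails before any hold is applied. Use `{% set HELD = salt['pkg.get_selections'](state='hold').get('hold', []) %}` so the empty case degrades to an empty list, the same shape the RedHat branch produces. I cannot confirm from here which Salt release is in use or whether its `aptpkg.get_selections` always populates the requested state key, so treat this as a check against the installed version. A comment above the branch noting that both paths must yield a flat list of package names would save the next reader a trip to the Salt docs.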
@@ -1,6 +1,6 @@
 versionlock:
 hold:
- description: List of packages to prevent from upgrading. To reduce the frequency of required reboots, add 'kernel' to this list.
+ description: List of packages to prevent from upgrading. To reduce the frequency of required reboots, add 'kernel' to this list for RedHat based OS families. For Debian, please see the documentation.
 global: True
 forcedType: "[]string"
 multiline: True
From 17ba048b50da30a9933573ddae9c875c9880f461 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 23 Oct 2024 10:40:26 -0400
Subject: [PATCH 15/48] use manager state to install createrepo_c for airgap
---
setup/so-functions | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-functions b/setup/so-functions
index 8e1297812..51ddabadf 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -803,6 +803,7 @@ create_manager_pillars() {
 create_repo() {
 title "Create the repo directory"
+ logCmd "dnf -y install yum-utils createrepo_c"
 logCmd "createrepo /nsm/repo"
 }
@@ -1820,7 +1821,6 @@ repo_sync_local() {
 echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf
 logCmd "dnf repolist"
- logCmd "dnf -y install yum-utils createrepo_c"
 if [[ ! $is_airgap ]]; then
 curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install
From 4d902da931f20278c42e324a2f68e70bb14f46b0 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 23 Oct 2024 15:58:11 -0400
Subject: [PATCH 16/48] call airgap_rules if airgap. log rsync and git commands
---
setup/so-functions | 10 +++++-----
setup/so-setup | 6 ++++--
2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/setup/so-functions b/setup/so-functions
index 5ebf76c17..caeda5d6a 100755
--- a/setup/so-functions
+++ b/setup/so-functions
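Review bot: `create_repo` now runs `dnf -y install yum-utils createrepo_c` through `logCmd` with no failure handling, while the reposync call in the second hunk is guarded with `|| fail_setup`; if the install fails, `createrepo /nsm/repo` fails too and the manager ends up with a package tree that has no `repodata`, which only surfaces later when minions cannot resolve packages. Whether `logCmd` itself aborts setup on a non-zero exit is not visible in this hunk; if it does not, `logCmd "dnf -y install yum-utils createrepo_c" || fail_setup` and the same on the `createrepo` line match the existing pattern. Since the commit message says airgap managers get createrepo_c from the manager state instead, a comment above the install line such as `# non-airgap only; airgap managers get createrepo_c from the manager salt state` would record why the install lives here and not in repo_sync_local.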
@@ -44,17 +44,17 @@ logCmd() {
 airgap_rules() {
 # Copy the rules for detections if using Airgap
 mkdir -p /nsm/rules
- rsync -av /root/SecurityOnion/agrules/ /nsm/rules/
+ logCmd "rsync -av /root/SecurityOnion/agrules/ /nsm/rules/"
 # Copy over the securityonion-resources repo
- rsync -av /root/SecurityOnion/agrules/securityonion-resources /nsm/
+ logCmd "rsync -av /root/SecurityOnion/agrules/securityonion-resources /nsm/"
 }
 airgap_detection_summaries() {
 # Copy summaries over to SOC and checkout the correct branch
- rsync -av --chown=socore:socore /nsm/securityonion-resources /opt/so/conf/soc/ai_summary_repos
- git config --global --add safe.directory /opt/so/conf/soc/ai_summary_repos/securityonion-resources
- git -C /opt/so/conf/soc/ai_summary_repos/securityonion-resources checkout generated-summaries-published
+ logCmd "rsync -av --chown=socore:socore /nsm/securityonion-resources /opt/so/conf/soc/ai_summary_repos"
+ logCmd "git config --global --add safe.directory /opt/so/conf/soc/ai_summary_repos/securityonion-resources"
+ logCmd "git -C /opt/so/conf/soc/ai_summary_repos/securityonion-resources checkout generated-summaries-published"
 }
 add_admin_user() {
diff --git a/setup/so-setup b/setup/so-setup
index 85b26fa40..b7723da37 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -692,8 +692,10 @@ if ! [[ -f $install_opt_file ]]; then
 logCmd "so-minion -o=setup"
 title "Creating Global SLS"
- # Airgap Rules
- airgap_rules
+ if [[ $is_airgap ]]; then
+ # Airgap Rules
+ airgap_rules
+ fi
 manager_pillar
From ca793966a8a9767981e945615e406609aa870eb1 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 24 Oct 2024 10:32:42 -0400
Subject: [PATCH 17/48] set retry and interval to remove state warning
---
salt/elasticfleet/enabled.sls | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/salt/elasticfleet/enabled.sls b/salt/elasticfleet/enabled.sls
index 51d2d1430..f91074b39 100644
--- a/salt/elasticfleet/enabled.sls
+++ b/salt/elasticfleet/enabled.sls
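Review bot: `git config --global --add safe.directory ...` in `airgap_detection_summaries` appends another identical entry to root's global gitconfig on every run, so re-running setup grows the file without bound; replace it with a check-then-add, `git config --global --get-all safe.directory | grep -qxF /opt/so/conf/soc/ai_summary_repos/securityonion-resources || git config --global --add safe.directory /opt/so/conf/soc/ai_summary_repos/securityonion-resources`, keeping the `logCmd` wrapper. The so-setup hunk now gates `airgap_rules` on `$is_airgap`, but the call site of `airgap_detection_summaries` is not in view, so it is worth confirming it is gated the same way. The rsync above it chowns the checkout to `socore` while git runs as root, which is why the safe.directory entry is needed; a comment saying so (`# tree is owned by socore, root needs safe.directory to run git in it`) would explain the otherwise surprising global config write.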
@@ -143,7 +143,9 @@ so-elastic-fleet-integrations:
 so-elastic-agent-grid-upgrade:
 cmd.run:
 - name: /usr/sbin/so-elastic-agent-grid-upgrade
- - retry: True
+ - retry:
+ attempts: 12
+ interval: 5
 so-elastic-fleet-integration-upgrade:
 cmd.run:
From a0558ace16e3bcb5b94cb7c6b60a35d7051a04a1 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 24 Oct 2024 10:33:16 -0400
Subject: [PATCH 18/48] replace: False to remove state warning
---
salt/common/init.sls | 1 +
salt/strelka/filestream/config.sls | 2 ++
2 files changed, 3 insertions(+)
diff --git a/salt/common/init.sls b/salt/common/init.sls
index 8dd727f72..f385bd96d 100644
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -182,6 +182,7 @@ sostatus_log:
 file.managed:
 - name: /opt/so/log/sostatus/status.log
 - mode: 644
+ - replace: False
 # Install sostatus check cron. This is used to populate Grid.
 so-status_check_cron:
diff --git a/salt/strelka/filestream/config.sls b/salt/strelka/filestream/config.sls
index 0f9f38914..2809bd8b1 100644
--- a/salt/strelka/filestream/config.sls
+++ b/salt/strelka/filestream/config.sls
@@ -99,12 +99,14 @@ filecheck.log:
 - name: /opt/so/log/strelka/filecheck.log
 - user: {{ filecheck_runas }}
 - group: {{ filecheck_runas }}
+ - replace: False
 filecheck_stdout.log:
 file.managed:
 - name: /opt/so/log/strelka/filecheck_stdout.log
 - user: {{ filecheck_runas }}
 - group: {{ filecheck_runas }}
+ - replace: False
 {% if GLOBALS.md_engine == 'ZEEK' %}
From cbb4d6846f98e4664fa704c980691db06f7f1ac8 Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Tue, 8 Oct 2024 14:52:49 -0600
Subject: [PATCH 19/48] Detection Engine Status Queries
A few for testing
---
salt/soc/defaults.yaml | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 00c45e5c5..bcdccf9ca 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
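Review bot: `replace: False` on the three log-file `file.managed` states removes the warning, but nothing in the hunks says why it is there, and a later cleanup that drops it would have Salt truncate a live log on every highstate; add `# replace: False: create the file if missing but never overwrite a live log` above each. `status.log` pins `mode: 644` with no owner while the Strelka files set `user`/`group` but no `mode`, so those two inherit the minion's umask; if the intent is that only the `filecheck_runas` account reads them, an explicit `- mode: 640` makes that deliberate. In the elasticfleet hunk `attempts: 12` with `interval: 5` is a 60-second budget, which is worth stating in a comment (`# 12 x 5s: retry for ~60s before failing the state`) so the two numbers are not tuned independently.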
@@ -1447,6 +1447,13 @@ soc:
 casesEnabled: true
 detectionsEnabled: true
 inactiveTools: ['toolUnused']
+ detectionEngineStatusQueries:
+ - suricata:
+ IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"suricata"'
+ - elastalert:
+ IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"elastalert"'
+ - strelka:
+ IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"strelka"'
 tools:
 - name: toolKibana
 description: toolKibanaHelp
From 04ebe4efeacc8535add8b8cb0c8a49b49a6c49c3 Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Tue, 8 Oct 2024 14:59:15 -0600
Subject: [PATCH 20/48] Array to Dictionary
---
salt/soc/defaults.yaml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index bcdccf9ca..e0a5206bc 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1448,11 +1448,11 @@ soc:
 detectionsEnabled: true
 inactiveTools: ['toolUnused']
 detectionEngineStatusQueries:
- - suricata:
+ suricata:
 IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"suricata"'
- - elastalert:
+ elastalert:
 IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"elastalert"'
- - strelka:
+ strelka:
 IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"strelka"'
 tools:
 - name: toolKibana
From c77b0afd8e4c2c524461b778a64b6c9919709613 Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Wed, 9 Oct 2024 08:40:54 -0600
Subject: [PATCH 21/48] Move to Client/Detections
Added a basic annotation.
---
salt/soc/defaults.yaml | 14 +++++++-------
salt/soc/soc_soc.yaml | 7 ++++++-
2 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index e0a5206bc..d96e41a70 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1447,13 +1447,6 @@ soc:
 casesEnabled: true
 detectionsEnabled: true
 inactiveTools: ['toolUnused']
- detectionEngineStatusQueries:
- suricata:
- IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"suricata"'
- elastalert:
- IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"elastalert"'
- strelka:
- IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"strelka"'
 tools:
 - name: toolKibana
 description: toolKibanaHelp
@@ -2270,6 +2263,13 @@ soc:
 - name: "Detections with Overrides"
 query: "_exists_:so_detection.overrides | groupby so_detection.language | groupby so_detection.ruleset so_detection.isEnabled"
 description: Show Detections that have Overrides
+ detectionEngineStatusQueries:
+ suricata:
+ IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"suricata"'
+ elastalert:
+ IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"elastalert"'
+ strelka:
+ IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"strelka"'
 detection:
 showUnreviewedAiSummaries: false
 presets:
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index af4668fc2..06f562a6a 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -461,7 +461,12 @@ soc:
 alerts: *appSettings
 cases: *appSettings
 dashboards: *appSettings
- detections: *appSettings
+ detections:
+ <<: *appSettings
+ detectionEngineStatusQueries:
+ description: Queries mapped to the detection engine status.
+ global: True
+ forcedType: "{}"
 detection:
 showUnreviewedAiSummaries:
 description: Show AI summaries in detections even if they have not yet been reviewed by a human.
From ad0b0a5e95e06ae4a74f95db81ce3ab98782ec6c Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Wed, 9 Oct 2024 12:54:55 -0600
Subject: [PATCH 22/48] Refactor to String
To accomodate the config screen, the annotation now specifies it as a multiline string with a yaml syntax. The user can edit the yaml to add or remove queries. The UI will parse the YAML before use. Also updated the IntegrityFailure queries to specify table columns more relevant to a sync failure than the default ones.
---
salt/soc/defaults.yaml | 9 +++++----
salt/soc/soc_soc.yaml | 6 ++++--
2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index d96e41a70..fe131ca58 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -2263,13 +2263,14 @@ soc: - name: "Detections with Overrides" query: "_exists_:so_detection.overrides | groupby so_detection.language | groupby so_detection.ruleset so_detection.isEnabled" description: Show Detections that have Overrides - detectionEngineStatusQueries: + detectionEngineStatusQueries: | suricata: - IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"suricata"' + default: + IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"suricata" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId' elastalert: - IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"elastalert"' + IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"elastalert" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId' strelka: - IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"strelka"' + IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"strelka" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId' detection: showUnreviewedAiSummaries: false presets: diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 06f562a6a..14296dade 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
@@ -464,9 +464,11 @@ soc: detections: <<: *appSettings detectionEngineStatusQueries: - description: Queries mapped to the detection engine status. + description: Queries mapped to the detection engine statuses. Acceptable statuses are "Migrating", "Importing", "MigrationFailure", "IntegrityFailure", "SyncFailure", "ImportPending", "Syncing", and "Healthy" and will fallback to a "default" entry if specified. global: True - forcedType: "{}" + syntax: yaml + multiline: True + forcedType: "string" detection: showUnreviewedAiSummaries: description: Show AI summaries in detections even if they have not yet been reviewed by a human. From b7c392a2443538484bce8afb5d7ab862385a7a2c Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Wed, 9 Oct 2024 14:26:03 -0600 Subject: [PATCH 23/48] Corrected a misspelling --- salt/soc/defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index fe131ca58..a9ab09e47 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -2244,7 +2244,7 @@ soc: description: Show all custom detections - name: "All Detections - Enabled" query: "so_detection.isEnabled:true | groupby so_detection.language | groupby so_detection.ruleset so_detection.severity" - description: Show all enalbed Detections + description: Show all enabled Detections - name: "All Detections - Disabled" query: "so_detection.isEnabled:false | groupby so_detection.language | groupby so_detection.ruleset so_detection.severity" description: Show all disabled Detections From f67fcecc6e2f539fddbbddedc5b090cd75ce2168 Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Mon, 21 Oct 2024 09:47:58 -0600 Subject: [PATCH 24/48] Clean up StatusQueries String --- salt/soc/defaults.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index a9ab09e47..00468e7a0 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml 
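Review bot: The new `description:` line names the acceptable statuses but not the structure the value must have, and now that operators edit it as free-form YAML (`syntax: yaml`, `multiline: True`, `forcedType: "string"`) a mis-nested entry presumably never matches a status rather than failing validation. Suggest ending the description with `Format: one top-level key per engine (suricata, elastalert, strelka), each mapping a status name or "default" to a query string.` The commit message says the UI parses this YAML before use; the hunk does not show what happens on a parse error, so a sentence on that would also help the person editing the field.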
@@ -2265,7 +2265,6 @@ soc: description: Show Detections that have Overrides detectionEngineStatusQueries: | suricata: - default: IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"suricata" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId' elastalert: IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"elastalert" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId' From 6ce52bf9aba7946f5022640100b44397fa5cfa23 Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Thu, 24 Oct 2024 13:11:49 -0600 Subject: [PATCH 25/48] Specify Defaults for detectionEngineStatusQueries Specify the defaults as an example to the user. --- salt/soc/defaults.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 00468e7a0..6a9a1bfc6 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml 
@@ -2265,10 +2265,13 @@ soc: description: Show Detections that have Overrides detectionEngineStatusQueries: | suricata: + default: 'tags:so-soc AND suricata | groupby log.level | groupby event.action | groupby soc.fields.error' IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"suricata" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId' elastalert: + default: 'tags:so-soc AND elastalert | groupby log.level | groupby event.action | groupby soc.fields.error' IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"elastalert" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId' strelka: + default: 'tags:so-soc AND strelka | groupby log.level | groupby event.action | groupby soc.fields.error' IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"strelka" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId' detection: showUnreviewedAiSummaries: false From e11c562022978513ac96afbe5d1577160402e41e Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Fri, 4 Oct 2024 14:22:27 -0600 Subject: [PATCH 26/48] Added Note to ES Mappings --- .../templates/component/so/detection-mappings.json | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/elasticsearch/templates/component/so/detection-mappings.json b/salt/elasticsearch/templates/component/so/detection-mappings.json index 5e51b872b..51e13c829 100644 --- a/salt/elasticsearch/templates/component/so/detection-mappings.json +++ b/salt/elasticsearch/templates/component/so/detection-mappings.json @@ -142,6 +142,9 @@ "userId": { "ignore_above": 1024, "type": "keyword" + }, + "note": { + "type": "text" } } } From 1aa9d87c5db266bb89d79e2256d621047195e7d9 Mon Sep 17 00:00:00 2001 
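Review bot: The three new `default:` queries filter on a bare term (`tags:so-soc AND suricata`) whereas the sibling `IntegrityFailure` queries on the next lines filter on `soc.fields.detectionEngine:"suricata"`; a bare term is a free-text match across fields, so the default view can pick up any so-soc log that merely mentions the engine name, for example a log from another engine that references suricata. Using the same field filter keeps the pair consistent: `default: 'tags:so-soc AND soc.fields.detectionEngine:"suricata" | groupby log.level | groupby event.action | groupby soc.fields.error'`, and likewise for the elastalert and strelka entries. That the default query is meant to be engine-specific is inferred from the key it sits under.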
From: Corey Ogburn Date: Tue, 8 Oct 2024 09:57:52 -0600 Subject: [PATCH 27/48] Corrected Put the note on the right model this time. --- .../templates/component/so/detection-mappings.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/elasticsearch/templates/component/so/detection-mappings.json b/salt/elasticsearch/templates/component/so/detection-mappings.json index 51e13c829..9f992f971 100644 --- a/salt/elasticsearch/templates/component/so/detection-mappings.json +++ b/salt/elasticsearch/templates/component/so/detection-mappings.json @@ -97,6 +97,9 @@ "updatedAt": { "type": "date" }, + "note": { + "type": "text" + }, "regex": { "type": "text" }, @@ -143,9 +146,6 @@ "ignore_above": 1024, "type": "keyword" }, - "note": { - "type": "text" - } } } } From 640f53d0857dfffb66db0e8d243e014347c32c4b Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Tue, 8 Oct 2024 10:15:29 -0600 Subject: [PATCH 28/48] Cleanup Fix indentation and trailing comma. --- .../templates/component/so/detection-mappings.json | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/salt/elasticsearch/templates/component/so/detection-mappings.json b/salt/elasticsearch/templates/component/so/detection-mappings.json index 9f992f971..2e405912d 100644 --- a/salt/elasticsearch/templates/component/so/detection-mappings.json +++ b/salt/elasticsearch/templates/component/so/detection-mappings.json @@ -21,10 +21,10 @@ "properties": { "publicId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword" }, "title": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" }, "severity": { @@ -38,15 +38,15 @@ "description": { "type": "text" }, - "category": { + "category": { "ignore_above": 1024, "type": "keyword" }, - "product": { + "product": { "ignore_above": 1024, "type": "keyword" }, - "service": { + "service": { "ignore_above": 1024, "type": "keyword" }, 
@@ -64,7 +64,7 @@ }, "tags": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword" }, "ruleset": { "ignore_above": 1024, @@ -145,7 +145,7 @@ "userId": { "ignore_above": 1024, "type": "keyword" - }, + } } } } From f3ca5b1c4248f29422a87e00adbcd781b447bc29 Mon Sep 17 00:00:00 2001 From: defensivedepth Date: Mon, 28 Oct 2024 09:19:51 -0400 Subject: [PATCH 29/48] Remove OS-specific mappings --- salt/soc/files/soc/sigma_so_pipeline.yaml | 58 +++-------------------- 1 file changed, 6 insertions(+), 52 deletions(-) diff --git a/salt/soc/files/soc/sigma_so_pipeline.yaml b/salt/soc/files/soc/sigma_so_pipeline.yaml index 121bc06a6..df8b2709a 100644 --- a/salt/soc/files/soc/sigma_so_pipeline.yaml +++ b/salt/soc/files/soc/sigma_so_pipeline.yaml 
@@ -106,69 +106,23 @@ transformations: - type: include_fields fields: - event.code - # Maps Windows + process_creation rules to endpoint process creation logs + # Maps process_creation rules to endpoint process creation logs + # This is an OS-agnostic mapping, to account for logs that don't specify source OS - id: endpoint_process_create_windows_add-fields type: add_condition conditions: event.category: 'process' event.type: 'start' - host.os.type: 'windows' rule_conditions: - type: logsource category: process_creation - product: windows - # Maps Linux + file_event rules to endpoint file creation logs - - id: endpoint_process_create_linux_add-fields - type: add_condition - conditions: - event.category: 'process' - event.type: 'start' - host.os.type: 'linux' - rule_conditions: - - type: logsource - category: process_creation - product: linux - # Maps macOS + file_event rules to endpoint file creation logs - - id: endpoint_process_create_macos_add-fields - type: add_condition - conditions: - event.category: 'process' - event.type: 'start' - host.os.type: 'macos' - rule_conditions: - - type: logsource - category: process_creation - product: macos - # Maps Windows + file_event rules to endpoint file creation logs - - id: endpoint_file_create_windows_add-fields + # Maps file_event rules to endpoint file creation logs + # This is an OS-agnostic mapping, to account for logs that don't specify source OS + - id: endpoint_file_create_add-fields type: add_condition conditions: event.category: 'file' event.type: 'creation' - host.os.type: 'windows' rule_conditions: - type: logsource - category: file_event - product: windows - # Maps Linux + file_event rules to endpoint file creation logs - - id: endpoint_file_create_linux_add-fields - type: add_condition - conditions: - event.category: 'file' - event.type: 'creation' - host.os.type: 'linux' - rule_conditions: - - type: logsource - category: file_event - product: linux - # Maps macOS + file_event rules to endpoint file creation 
logs - - id: endpoint_file_create_macos_add-fields - type: add_condition - conditions: - event.category: 'file' - event.type: 'creation' - host.os.type: 'macos' - rule_conditions: - - type: logsource - category: file_event - product: macos \ No newline at end of file + category: file_event \ No newline at end of file From 4c5099d42980b26465ea231f5ab8ad2c549bfbc0 Mon Sep 17 00:00:00 2001 From: defensivedepth Date: Tue, 29 Oct 2024 10:27:54 -0400 Subject: [PATCH 30/48] Initial support for local lookup --- salt/elasticfleet/config.sls | 8 +++ .../grid-nodes_general/so-ip-mappings.json | 35 ++++++++++ .../so/9805_output_elastic_agent.conf.jinja | 67 ++++++++++++------- 3 files changed, 84 insertions(+), 26 deletions(-) create mode 100644 salt/elasticfleet/files/integrations/grid-nodes_general/so-ip-mappings.json diff --git a/salt/elasticfleet/config.sls b/salt/elasticfleet/config.sls index 71bc369c6..1dcc45896 100644 --- a/salt/elasticfleet/config.sls +++ b/salt/elasticfleet/config.sls @@ -63,6 +63,14 @@ eastatedir: - group: 939 - makedirs: True +custommappingsdir: + file.directory: + - name: /nsm/custom-mappings + - user: 947 + - group: 939 + - makedirs: True + + eapackageupgrade: file.managed: - name: /usr/sbin/so-elastic-fleet-package-upgrade diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/so-ip-mappings.json b/salt/elasticfleet/files/integrations/grid-nodes_general/so-ip-mappings.json new file mode 100644 index 000000000..fdcd36815 --- /dev/null +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/so-ip-mappings.json 
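Review bot: The process_creation mapping keeps the id `endpoint_process_create_windows_add-fields` even though the hunk drops its `host.os.type: 'windows'` condition and the new comment calls it OS-agnostic, while the file_event mapping is renamed to `endpoint_file_create_add-fields` for the same reason; suggest `- id: endpoint_process_create_add-fields` so the id stops implying a Windows-only match. Because the remaining `rule_conditions` list only `category: process_creation`, a rule written for `product: windows` will, if the logsource condition matches on the attributes given alone, now be evaluated against Linux and macOS process-start events too; a comment above the mapping stating that trade-off (`# Rules with a product-specific logsource are matched against process events from every OS`) would save the next reader from re-deriving it. The file still ends without a trailing newline.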
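Review bot: `custommappingsdir` creates `/nsm/custom-mappings` with `user: 947` and `group: 939` but no `dir_mode`, so the directory's permissions fall back to Salt's default; since the CSV placed here (`/nsm/custom-mappings/ip-descriptions.csv`) is ingested by the `so-ip-mappings` integration added in the same commit and becomes documents keyed by IP, who may write to this directory should be an explicit decision, e.g. `- dir_mode: 770` (constructed value; match whatever the neighbouring `eastatedir` state uses, which is only partly visible here). The hunk also leaves two blank lines before `eapackageupgrade`, one more than the spacing elsewhere in the hunk.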
@@ -0,0 +1,35 @@ +{ + "package": { + "name": "log", + "version": "" + }, + "name": "so-ip-mappings", + "namespace": "so", + "description": "IP Description mappings", + "policy_id": "so-grid-nodes_general", + "vars": {}, + "inputs": { + "logs-logfile": { + "enabled": true, + "streams": { + "log.logs": { + "enabled": true, + "vars": { + "paths": [ + "/nsm/custom-mappings/ip-descriptions.csv" + ], + "data_stream.dataset": "hostnamemappings", + "tags": [ + "so-ip-mappings" + ], + "processors": "- decode_csv_fields:\n fields:\n message: decoded.csv\n separator: \",\"\n ignore_missing: false\n overwrite_keys: true\n trim_leading_space: true\n fail_on_error: true\n\n- extract_array:\n field: decoded.csv\n mappings:\n so.ip_address: '0'\n so.description: '1'\n\n- script:\n lang: javascript\n source: >\n function process(event) {\n var ip = event.Get('so.ip_address');\n var validIpRegex = /^((25[0-5]|2[0-4]\\d|1\\d{2}|[1-9]?\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d{2}|[1-9]?\\d)$/\n if (!validIpRegex.test(ip)) {\n event.Cancel();\n }\n }\n- fingerprint:\n fields: [\"so.ip_address\"]\n target_field: \"@metadata._id\"\n", + "custom": "" + } + } + } + } + }, + "force": true +} + + diff --git a/salt/logstash/pipelines/config/so/9805_output_elastic_agent.conf.jinja b/salt/logstash/pipelines/config/so/9805_output_elastic_agent.conf.jinja index 3a86cd8be..be7ec6898 100644 --- a/salt/logstash/pipelines/config/so/9805_output_elastic_agent.conf.jinja +++ b/salt/logstash/pipelines/config/so/9805_output_elastic_agent.conf.jinja 
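Review bot: The `script` processor in `processors` cancels any row whose `so.ip_address` fails an IPv4-only regex, so IPv6 entries in `ip-descriptions.csv` are dropped silently even though the component template for this index maps `so.ip_address` as type `ip`, which accepts IPv6; either state in `description` that the lookup is IPv4-only (`"description": "IP (IPv4 only) description mappings"`) or extend the check. Cancelled rows leave no trace in the output, so a sentence in the description that invalid rows are discarded would help an operator whose CSV yields fewer documents than expected. `"data_stream.dataset": "hostnamemappings"` also does not describe this integration (IP descriptions); a dataset name matching `so-ip-mappings` would presumably be clearer, unless the name is relied on elsewhere.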
@@ -1,18 +1,45 @@ output { - if "elastic-agent" in [tags] { - if [metadata][pipeline] { - if [metadata][_id] { - elasticsearch { - hosts => "{{ GLOBALS.hostname }}" - ecs_compatibility => v8 - data_stream => true - user => "{{ ES_USER }}" - password => "{{ ES_PASS }}" - document_id => "%{[metadata][_id]}" - pipeline => "%{[metadata][pipeline]}" - silence_errors_in_log => ["version_conflict_engine_exception"] - ssl => true - ssl_certificate_verification => false + if "elastic-agent" in [tags] and "so-ip-mappings" in [tags] { + elasticsearch { + hosts => "{{ GLOBALS.hostname }}" + data_stream => false + user => "{{ ES_USER }}" + password => "{{ ES_PASS }}" + document_id => "%{[metadata][_id]}" + index => "so-ip-mappings" + silence_errors_in_log => ["version_conflict_engine_exception"] + ssl => true + ssl_certificate_verification => false + } + } + else { + if "elastic-agent" in [tags] { + if [metadata][pipeline] { + if [metadata][_id] { + elasticsearch { + hosts => "{{ GLOBALS.hostname }}" + ecs_compatibility => v8 + data_stream => true + user => "{{ ES_USER }}" + password => "{{ ES_PASS }}" + document_id => "%{[metadata][_id]}" + pipeline => "%{[metadata][pipeline]}" + silence_errors_in_log => ["version_conflict_engine_exception"] + ssl => true + ssl_certificate_verification => false + } + } + else { + elasticsearch { + hosts => "{{ GLOBALS.hostname }}" + ecs_compatibility => v8 + data_stream => true + user => "{{ ES_USER }}" + password => "{{ ES_PASS }}" + pipeline => "%{[metadata][pipeline]}" + ssl => true + ssl_certificate_verification => false + } } } else { 
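Review bot: The new `so-ip-mappings` branch sets `document_id => "%{[metadata][_id]}"` unconditionally, whereas the existing elastic-agent branch only does so inside `if [metadata][_id]`; if an event reaches this output without that field (the integration's `fingerprint` processor is what populates it), Logstash leaves the sprintf string unexpanded and every such event is written to the same literal document id, silently overwriting one another. Suggest wrapping the `elasticsearch { ... }` block in `if [metadata][_id] { ... }` with an else branch that omits `document_id`, mirroring the structure below. `ssl_certificate_verification => false` is carried over from the existing output rather than introduced here, but the duplication now means any later tightening has to be applied in two places.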
@@ -22,22 +49,10 @@ output { data_stream => true user => "{{ ES_USER }}" password => "{{ ES_PASS }}" - pipeline => "%{[metadata][pipeline]}" ssl => true ssl_certificate_verification => false } } } - else { - elasticsearch { - hosts => "{{ GLOBALS.hostname }}" - ecs_compatibility => v8 - data_stream => true - user => "{{ ES_USER }}" - password => "{{ ES_PASS }}" - ssl => true - ssl_certificate_verification => false - } - } } } From 5406a263d57c90e10d4d6ee4f07b788ce20b64bd Mon Sep 17 00:00:00 2001 From: defensivedepth Date: Tue, 29 Oct 2024 19:42:06 -0400 Subject: [PATCH 31/48] Add local custom template --- salt/elasticfleet/config.sls | 9 +--- salt/manager/init.sls | 9 ++++ salt/soc/config.sls | 32 +++++++++++++ salt/soc/defaults.yaml | 12 +++++ ...tections_custom_repo_template_readme.jinja | 46 +++++++++++++++++++ 5 files changed, 100 insertions(+), 8 deletions(-) create mode 100644 salt/soc/files/soc/detections_custom_repo_template_readme.jinja diff --git a/salt/elasticfleet/config.sls b/salt/elasticfleet/config.sls index 1dcc45896..208fa2306 100644 --- a/salt/elasticfleet/config.sls +++ b/salt/elasticfleet/config.sls @@ -81,14 +81,7 @@ eapackageupgrade: - template: jinja {% if GLOBALS.role != "so-fleet" %} - -soresourcesrepoconfig: - git.config_set: - - name: safe.directory - - value: /nsm/securityonion-resources - - global: True - - user: socore - + {% if not GLOBALS.airgap %} soresourcesrepoclone: git.latest: diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 96055df24..ca1296383 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -141,6 +141,15 @@ rules_dir: - group: socore - makedirs: True +git_config_set_safe_dirs: + git.config_set: + - name: safe.directory + - multivar: + - /nsm/rules/custom-local-repos/local-sigma + - /nsm/rules/custom-local-repos/local-yara + - /nsm/securityonion-resources + - /opt/so/conf/soc/ai_summary_repos/securityonion-resources + - global: True {% else %} {{sls}}_state_not_allowed: 
diff --git a/salt/soc/config.sls b/salt/soc/config.sls index 7607da5ff..52281db74 100644 --- a/salt/soc/config.sls +++ b/salt/soc/config.sls @@ -198,6 +198,38 @@ socsensoronirepos: - mode: 775 - makedirs: True +create_custom_local_yara_repo_template: + git.present: + - name: /nsm/rules/custom-local-repos/local-yara + - bare: False + - force: True + +add_readme_custom_local_yara_repo_template: + file.managed: + - name: /nsm/rules/custom-local-repos/local-yara/README + - source: salt://soc/files/soc/detections_custom_repo_template_readme.jinja + - user: 939 + - group: 939 + - template: jinja + - context: + repo_type: "yara" + +create_custom_local_sigma_repo_template: + git.present: + - name: /nsm/rules/custom-local-repos/local-sigma + - bare: False + - force: True + +add_readme_custom_local_sigma_repo_template: + file.managed: + - name: /nsm/rules/custom-local-repos/local-sigma/README + - source: salt://soc/files/soc/detections_custom_repo_template_readme.jinja + - user: 939 + - group: 939 + - template: jinja + - context: + repo_type: "sigma" + {% else %} {{sls}}_state_not_allowed: diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 6a9a1bfc6..fe4edb12b 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1342,11 +1342,17 @@ soc: license: Elastic-2.0 folder: sigma/stable community: true + - repo: file:///nsm/rules/custom-local-repos/local-sigma + license: Elastic-2.0 + community: false airgap: - repo: file:///nsm/rules/detect-sigma/repos/securityonion-resources license: Elastic-2.0 folder: sigma/stable community: true + - repo: file:///nsm/rules/custom-local-repos/local-sigma + license: Elastic-2.0 + community: false sigmaRulePackages: - core - emerging_threats_addon 
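Review bot: `create_custom_local_yara_repo_template` and `create_custom_local_sigma_repo_template` call `git.present` with `force: True` and no `user`, so the repositories are initialised as root while the READMEs dropped into them are owned by `939`; if `force` behaves as I recall for `git.present` (re-initialising the target when it exists but is not a repository), a directory an operator had already populated at that path would be affected, which deserves a comment above each state, e.g. `# force: True re-initialises the path if it exists and is not already a git repo`. Since the grid imports whatever rules are committed here into the detection engines, the ownership and mode of these directories decide who can add detections; consider `- user: socore` on the `git.present` states and an explicit `mode` on the two `file.managed` states, which currently leave it unset.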
@@ -1412,10 +1418,16 @@ soc: - repo: https://github.com/Security-Onion-Solutions/securityonion-yara license: DRL community: true + - repo: file:///nsm/rules/custom-local-repos/local-yara + license: Elastic-2.0 + community: false airgap: - repo: file:///nsm/rules/detect-yara/repos/securityonion-yara license: DRL community: true + - repo: file:///nsm/rules/custom-local-repos/local-yara + license: Elastic-2.0 + community: false yaraRulesFolder: /opt/sensoroni/yara/rules stateFilePath: /opt/sensoroni/fingerprints/strelkaengine.state integrityCheckFrequencySeconds: 1200 diff --git a/salt/soc/files/soc/detections_custom_repo_template_readme.jinja b/salt/soc/files/soc/detections_custom_repo_template_readme.jinja new file mode 100644 index 000000000..1d391fec0 --- /dev/null +++ b/salt/soc/files/soc/detections_custom_repo_template_readme.jinja 
@@ -0,0 +1,46 @@ +{% if repo_type == 'yara' %} +# YARA Local Custom Rules Repository + +This folder has already been initialized as a git repo +and your Security Onion grid is configured to import any YARA rule files found here. + +Just add your rule file and commit it. + +For example: + +First, create the rule file; make sure to create the file with a .yar extension +`sudo vi my_custom_rule.yar` + +Next, use git to stage the new rule to be commited: +`sudo git add my_custom_rule.yar` + +Finally, commit it. +If this is your first time making changes to this repo, you will be asked to set some configuration. +`sudo git commit -m "Initial commit of my_custom_rule.yar"` + +The next time the Strelka / YARA engine syncs, the new rule should be imported +If there are errors, review the sync log to troubleshoot further. + +{% elif repo_type == 'sigma' %} +# Sigma Local Custom Rules Repository + +This folder has already been initialized as a git repo +and your Security Onion grid is configured to import any Sigma rule files found here. + +Just add your rule file and commit it. + +For example: + +First, create the rule file; make sure to create the file with a .yaml|.yml extension +`sudo vi my_custom_rule.yml` + +Next, use git to stage the new rule to be commited: +`sudo git add my_custom_rule.yml` + +Finally, commit it. +If this is your first time making changes to this repo, you will be asked to set some configuration. +`sudo git commit -m "Initial commit of my_custom_rule.yml"` + +The next time the Elastalert / Sigma engine syncs, the new rule should be imported +If there are errors, review the sync log to troubleshoot further. +{% endif %} \ No newline at end of file From 36fc3bbd6dd0df4d9ba4110f6269e3605ec8e347 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 30 Oct 2024 10:24:11 -0400 Subject: [PATCH 32/48] add so-ip-mappings index 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/elasticsearch/defaults.yaml | 29 +++++++++++++++++++ .../component/so/so-ip-mappings.json | 22 ++++++++++++++ 2 files changed, 51 insertions(+) create mode 100644 salt/elasticsearch/templates/component/so/so-ip-mappings.json diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index f0178728e..c8684e775 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -599,6 +599,35 @@ elasticsearch: set_priority: priority: 50 min_age: 30d + so-ip-mappings: + index_sorting: false + index_template: + composed_of: + - so-ip-mappings + ignore_missing_component_templates: [] + index_patterns: + - so-ip* + priority: 500 + template: + mappings: + date_detection: false + dynamic_templates: + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: string + settings: + index: + mapping: + total_fields: + limit: 1500 + number_of_replicas: 0 + number_of_shards: 1 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc so-items: index_sorting: false index_template: diff --git a/salt/elasticsearch/templates/component/so/so-ip-mappings.json b/salt/elasticsearch/templates/component/so/so-ip-mappings.json new file mode 100644 index 000000000..ab80e365c --- /dev/null +++ b/salt/elasticsearch/templates/component/so/so-ip-mappings.json @@ -0,0 +1,22 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "so": { + "properties": { + "ip_address": { + "type": "ip" + }, + "description": { + "type": "text" + } + } + } + } + } + } +} \ No newline at end of file From c509dab5f18d0c2c807197b88f7d7ca0dbdc822c Mon Sep 17 00:00:00 2001 
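Review bot: The new `so-ip-mappings` entry uses `index_patterns: - so-ip*`, which is broader than the `so-ip-mappings` index the Logstash output writes to and will claim any future `so-ip…` index at `priority: 500`; `- so-ip-mappings*` matches the specificity of the other entries. If the `sort: field: '@timestamp'` setting is rendered despite `index_sorting: false`, it requires `@timestamp` to be mapped, which the `so-ip-mappings.json` component template added in this same commit does not define, so index creation may fail until that field exists (a later commit in this series adds it). Unlike the neighbouring entries there is no `policy:`, presumably intentional for a lookup table, but worth a one-line comment such as `# lookup data, no ILM policy`.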
From: defensivedepth Date: Wed, 30 Oct 2024 11:03:14 -0400 Subject: [PATCH 33/48] Use socore user --- salt/manager/init.sls | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/manager/init.sls b/salt/manager/init.sls index ca1296383..a3fb44e97 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -144,12 +144,13 @@ rules_dir: git_config_set_safe_dirs: git.config_set: - name: safe.directory + - global: True + - user: socore - multivar: - /nsm/rules/custom-local-repos/local-sigma - /nsm/rules/custom-local-repos/local-yara - /nsm/securityonion-resources - /opt/so/conf/soc/ai_summary_repos/securityonion-resources - - global: True {% else %} {{sls}}_state_not_allowed: From 6b468eaed3ec886442ed1cfcf496ff7c2dc4e489 Mon Sep 17 00:00:00 2001 From: defensivedepth Date: Wed, 30 Oct 2024 16:52:44 -0400 Subject: [PATCH 34/48] rm eaintegration state file --- salt/manager/tools/sbin/soup | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 3fda54fb9..bd2db98d7 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -719,6 +719,9 @@ up_to_2.4.120() { mkdir /opt/so/saltstack/local/pillar/versionlock touch /opt/so/saltstack/local/pillar/versionlock/adv_versionlock.sls /opt/so/saltstack/local/pillar/versionlock/soc_versionlock.sls + # New Grid Integration added this release + rm -f /opt/so/state/eaintegrations.txt + INSTALLEDVERSION=2.4.120 } From 7896f951f3f7f267b7db65febf83b255280f8635 Mon Sep 17 00:00:00 2001 From: defensivedepth Date: Thu, 31 Oct 2024 10:24:58 -0400 Subject: [PATCH 35/48] timestamp fix --- salt/elasticsearch/templates/component/so/so-ip-mappings.json | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/elasticsearch/templates/component/so/so-ip-mappings.json b/salt/elasticsearch/templates/component/so/so-ip-mappings.json index ab80e365c..a61eae5fd 100644 --- a/salt/elasticsearch/templates/component/so/so-ip-mappings.json 
+++ b/salt/elasticsearch/templates/component/so/so-ip-mappings.json @@ -6,6 +6,9 @@ "template": { "mappings": { "properties": { + "@timestamp": { + "type": "date" + }, "so": { "properties": { "ip_address": { From 083c678400f1905cb0abe25dee0ea22551f75e83 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 4 Nov 2024 09:46:26 -0500 Subject: [PATCH 36/48] new salt repo --- setup/so-functions | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index e3c8a5615..cc55ec21d 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1843,9 +1843,9 @@ repo_sync_local() { fi dnf install -y yum-utils device-mapper-persistent-data lvm2 curl -fsSL https://repo.securityonion.net/file/so-repo/prod/2.4/so/so.repo | tee /etc/yum.repos.d/so.repo - rpm --import https://repo.saltproject.io/salt/py3/redhat/9/x86_64/SALT-PROJECT-GPG-PUBKEY-2023.pub + rpm --import https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo - curl -fsSL "https://repo.saltproject.io/salt/py3/redhat/9/x86_64/minor/$SALTVERSION.repo" | tee /etc/yum.repos.d/salt.repo + curl -fsSL "https://github.com/saltstack/salt-install-guide/releases/latest/download/salt.repo" | tee /etc/yum.repos.d/salt.repo dnf repolist curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install else 
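Review bot: The replacement `curl -fsSL "https://github.com/saltstack/salt-install-guide/releases/latest/download/salt.repo"` drops the `$SALTVERSION`-specific minor repository the previous URL selected, so the repo definition now tracks whatever the upstream `latest` release points at and `$SALTVERSION` no longer controls which Salt packages `dnf` can see from this function; unless the versionlock pillar referenced elsewhere in this series pins `salt-*`, the installed version is effectively chosen upstream. The same loss of pinning occurs in the `saltify` apt path in the next hunk (`stable main` replacing the `$SALTVERSION` minor repo). If versionlock is the intended control, a comment such as `# Salt repo is no longer version-specific; package versions are pinned via versionlock` above these two lines would record that, and fetching the signing key and the repo file from the same host (they now come from packages.broadcom.com and github.com respectively) would shrink the set of parties who can influence what gets installed.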
@@ -1878,24 +1878,19 @@ saltify() { logCmd "mkdir -vp /etc/apt/keyrings" logCmd "wget -q --inet4-only -O /etc/apt/keyrings/docker.pub https://download.docker.com/linux/ubuntu/gpg" + # Download public key + logCmd "curl -fsSL -o /etc/apt/keyrings/salt-archive-keyring-2023.pgp https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public" + # Create apt repo target configuration + echo "deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.pgp arch=amd64] https://packages.broadcom.com/artifactory/saltproject-deb/ stable main" | sudo tee /etc/apt/sources.list.d/salt.list + if [[ $is_ubuntu ]]; then - - # Add Salt Repo - logCmd "curl -fsSL -o /etc/apt/keyrings/salt-archive-keyring-2023.gpg https://repo.saltproject.io/salt/py3/ubuntu/$UBVER/amd64/minor/$SALTVERSION/SALT-PROJECT-GPG-PUBKEY-2023.gpg" - echo "deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.gpg] https://repo.saltproject.io/salt/py3/ubuntu/$UBVER/amd64/minor/$SALTVERSION/ $OSVER main" | sudo tee /etc/apt/sources.list.d/salt.list - # Add Docker Repo add-apt-repository -y "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" else - # Add Salt Repo *NOTE* You have to use debian 11 since it isn't out for 12 - logCmd "curl -fsSL -o /etc/apt/keyrings/salt-archive-keyring-2023.gpg https://repo.saltproject.io/salt/py3/debian/11/amd64/minor/$SALTVERSION/SALT-PROJECT-GPG-PUBKEY-2023.gpg" - echo "deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.gpg] https://repo.saltproject.io/salt/py3/debian/11/amd64/minor/$SALTVERSION/ bullseye main" | sudo tee /etc/apt/sources.list.d/salt.list - # Add Docker Repo curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $OSVER stable" > /etc/apt/sources.list.d/docker.list - fi logCmd "apt-key add 
/etc/apt/keyrings/salt-archive-keyring-2023.gpg" From 6e14f7b6267d7419c9ac3807a1817dcde1280918 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 4 Nov 2024 11:14:00 -0500 Subject: [PATCH 37/48] fix pub key name --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index cc55ec21d..c6aadef3d 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1893,7 +1893,7 @@ saltify() { echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $OSVER stable" > /etc/apt/sources.list.d/docker.list fi - logCmd "apt-key add /etc/apt/keyrings/salt-archive-keyring-2023.gpg" + logCmd "apt-key add /etc/apt/keyrings/salt-archive-keyring-2023.pgp" #logCmd "apt-key add /opt/so/gpg/SALTSTACK-GPG-KEY.pub" logCmd "apt-key add /etc/apt/keyrings/docker.pub" From 69dd35c30a49587f08261c40f2b56458a7dbc96b Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Mon, 4 Nov 2024 14:31:53 -0700 Subject: [PATCH 38/48] Add Option for Ignoring Ranges of SIDs in Suricata Integrity Check --- salt/soc/defaults.yaml | 2 ++ salt/soc/soc_soc.yaml | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 6a9a1bfc6..068a9c9b7 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1435,6 +1435,8 @@ soc: rulesFingerprintFile: /opt/sensoroni/fingerprints/emerging-all.fingerprint stateFilePath: /opt/sensoroni/fingerprints/suricataengine.state integrityCheckFrequencySeconds: 1200 + ignoredSidRanges: + - '1100000-1199999' client: enableReverseLookup: false docsUrl: /docs/ diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 14296dade..fd3295daf 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
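Review bot: `apt-key add /etc/apt/keyrings/salt-archive-keyring-2023.pgp` now references the right file, but `apt-key add` places the key in the global trusted keyring, so the Salt key becomes valid for every configured apt repository, which undoes the `signed-by=` scoping the `salt.list` entry written a few lines above already applies; `apt-key` is also deprecated on current Ubuntu and Debian releases. Suggest removing this `logCmd` line and relying on the keyring path in `signed-by=` alone (the Docker `apt-key add` on the following line is a separate case, since the Ubuntu branch adds that repo without `signed-by=`). The enclosing `saltify` function starts outside the hunk.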
@@ -390,6 +390,11 @@ soc: advanced: True forcedType: "[]{}" helpLink: suricata.html + ignoredSidRanges: + description: 'List of Suricata SID ranges to ignore during the Integrity Check. This is useful for ignoring specific rules not governed by the UI.' + global: True + advanced: True + forcedType: "[]string" client: enableReverseLookup: description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI. From 5e48ccafce5ab3b4a04d6e059b311b8efac975b4 Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Tue, 5 Nov 2024 11:11:34 -0700 Subject: [PATCH 39/48] Update Default Value --- salt/soc/defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 068a9c9b7..73446abd7 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1436,7 +1436,7 @@ soc: stateFilePath: /opt/sensoroni/fingerprints/suricataengine.state integrityCheckFrequencySeconds: 1200 ignoredSidRanges: - - '1100000-1199999' + - '1100000-1101000' client: enableReverseLookup: false docsUrl: /docs/ From 25d55feeefd8f6955271daac729b94be1d2e4d4a Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Tue, 5 Nov 2024 11:41:14 -0700 Subject: [PATCH 40/48] More Detailed Description --- salt/soc/soc_soc.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index fd3295daf..3bd1774bc 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
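Review bot: The description for `ignoredSidRanges` says the ranges are skipped during the Integrity Check but not what that hides: rules whose SIDs fall in an ignored range will not contribute to the `deployedButNotEnabledCount` / `enabledButNotDeployedCount` discrepancies the IntegrityFailure status query surfaces, so drift in those ranges (a rule disabled in the UI but still deployed, or the reverse) goes unreported. Suggest appending `Rules in these ranges are not checked for drift between the UI state and the deployed ruleset, so keep the ranges as narrow as possible.` to the description. `forcedType: "[]string"` does not validate the entries, so a malformed range presumably fails only at check time; that is inferred from the annotation alone.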
@@ -391,7 +391,7 @@ soc: forcedType: "[]{}" helpLink: suricata.html ignoredSidRanges: - description: 'List of Suricata SID ranges to ignore during the Integrity Check. This is useful for ignoring specific rules not governed by the UI.' + description: 'List of Suricata SID ranges to ignore during the Integrity Check. This is useful for ignoring specific rules not governed by the UI. Each line should contain 1 range in the format "1100000-1200000". The ranges are treated as inclusive.' global: True advanced: True forcedType: "[]string" From 52a144c0521a3a4f5b7e476f60251b66f2c0a332 Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Tue, 5 Nov 2024 12:11:17 -0700 Subject: [PATCH 41/48] Added Help Link to Annotation for IgnoredSidRanges --- salt/soc/soc_soc.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 3bd1774bc..c27228ab6 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -395,6 +395,7 @@ soc: global: True advanced: True forcedType: "[]string" + helpLink: detections.html#rule-engine-status client: enableReverseLookup: description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI. From 039d5c22ac8212c01bdd68a5e5afbcccb4b532a9 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 6 Nov 2024 14:35:41 -0600 Subject: [PATCH 42/48] fix: crowdstrike integration Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/elasticsearch/defaults.yaml | 120 +++++++++++++++--- salt/elasticsearch/soc_elasticsearch.yaml | 2 + .../logs-crowdstrike.alert@custom.json | 36 ++++++ .../logs-crowdstrike.host@custom.json | 36 ++++++ 4 files changed, 176 insertions(+), 18 deletions(-) create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.alert@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.host@custom.json 
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index c8684e775..e3259ecd5 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -3499,28 +3499,70 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-logs-crowdstrike_x_falcon: - index_sorting: false + so-logs-crowdstrike_x_alert: + index_sorting: False index_template: + index_patterns: + - logs-crowdstrike.alert-* + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - logs-crowdstrike.alert@package + - logs-crowdstrike.alert@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + ignore_missing_component_templates: + - logs-crowdstrike.alert@custom + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-crowdstrike_x_falcon: + index_sorting: False + index_template: + index_patterns: + - logs-crowdstrike.falcon-* + template: + settings: + index: + number_of_replicas: 0 composed_of: - logs-crowdstrike.falcon@package - logs-crowdstrike.falcon@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 + priority: 501 data_stream: - allow_custom_routing: false hidden: false + allow_custom_routing: false ignore_missing_component_templates: - logs-crowdstrike.falcon@custom - index_patterns: - - logs-crowdstrike.falcon-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-crowdstrike.falcon-logs - number_of_replicas: 0 policy: phases: cold: 
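Review bot: The rewritten `so-logs-crowdstrike_x_falcon` stanza drops the `lifecycle: name: so-logs-crowdstrike.falcon-logs` setting from `index_template.template.settings.index`, and the `so-logs-crowdstrike_x_fdr` hunk that follows does the same; unless the Salt templating attaches the ILM policy to these data streams by stanza key (the new `_x_alert` and `_x_host` entries also omit it, which suggests it might), the `policy:` blocks here are no longer bound to any index. The stanzas also mix `index_sorting: False` with `hidden: false` and `allow_custom_routing: false`; yamllint's truthy rule flags the capitalised form, and one casing should be used throughout the block, e.g. `index_sorting: false`. Each stanza's `policy:` section continues outside the hunk.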
@@ -3546,27 +3588,69 @@ elasticsearch: priority: 50 min_age: 30d so-logs-crowdstrike_x_fdr: - index_sorting: false + index_sorting: False index_template: + index_patterns: + - logs-crowdstrike.fdr-* + template: + settings: + index: + number_of_replicas: composed_of: - logs-crowdstrike.fdr@package - logs-crowdstrike.fdr@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 + priority: 501 data_stream: - allow_custom_routing: false hidden: false + allow_custom_routing: false ignore_missing_component_templates: - logs-crowdstrike.fdr@custom + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-crowdstrike_x_host: + index_sorting: False + index_template: index_patterns: - - logs-crowdstrike.fdr-* - priority: 501 + - logs-crowdstrike.host-* template: settings: index: - lifecycle: - name: so-logs-crowdstrike.fdr-logs number_of_replicas: 0 + composed_of: + - logs-crowdstrike.host@package + - logs-crowdstrike.host@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + ignore_missing_component_templates: + - logs-crowdstrike.host@custom policy: phases: cold: diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 266372708..e26d1d705 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml 
@@ -396,8 +396,10 @@ elasticsearch: so-logs-citrix_waf_x_log: *indexSettings so-logs-cloudflare_x_audit: *indexSettings so-logs-cloudflare_x_logpull: *indexSettings + so-logs-crowdstrike_x_alert: *indexSettings so-logs-crowdstrike_x_falcon: *indexSettings so-logs-crowdstrike_x_fdr: *indexSettings + so-logs-crowdstrike_x_host: *indexSettings so-logs-darktrace_x_ai_analyst_alert: *indexSettings so-logs-darktrace_x_model_breach_alert: *indexSettings so-logs-darktrace_x_system_status_alert: *indexSettings diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.alert@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.alert@custom.json new file mode 100644 index 000000000..17319ab9f --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.alert@custom.json @@ -0,0 +1,36 @@ +{ + "template": { + "mappings": { + "properties": { + "host": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "related": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "destination": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "source": { + "properties":{ + "ip": { + "type": "ip" + } + } + } + } + } + } +} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.host@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.host@custom.json new file mode 100644 index 000000000..17319ab9f --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.host@custom.json @@ -0,0 +1,36 @@ +{ + "template": { + "mappings": { + "properties": { + "host": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "related": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "destination": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "source": { + "properties":{ + "ip": { + "type": "ip" + } + } + } + } + } + } +} From 80b82b0bd62b61739b0c689aa2e75967f35fc4af Mon Sep 17 00:00:00 2001 
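Review bot: `logs-crowdstrike.alert@custom.json` forces `host.ip`, `related.ip`, `destination.ip` and `source.ip` to the `ip` type with no `ignore_malformed`, so a single document carrying a hostname or an empty string in one of those fields is rejected at index time rather than stored with the field skipped; the byte-identical `logs-crowdstrike.host@custom.json` (same blob 17319ab9f) has the same exposure. If the integration is known to emit only literal addresses this is fine; otherwise `"type": "ip", "ignore_malformed": true` on each of the four mappings keeps the documents. Since the two files are identical, one shared component template referenced from both stanzas' `composed_of` lists would avoid maintaining the mapping twice, and `"properties":{` is missing the space the other keys use.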
From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 6 Nov 2024 15:24:13 -0600 Subject: [PATCH 43/48] missing replica 0 Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/elasticsearch/defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index e3259ecd5..133c333e1 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -3595,7 +3595,7 @@ elasticsearch: template: settings: index: - number_of_replicas: + number_of_replicas: 0 composed_of: - logs-crowdstrike.fdr@package - logs-crowdstrike.fdr@custom From f5bd8ab58556c0f9bafa26717d83de33f6dd2862 Mon Sep 17 00:00:00 2001 From: defensivedepth Date: Thu, 7 Nov 2024 15:33:47 -0500 Subject: [PATCH 44/48] Rewrite docs --- ...tections_custom_repo_template_readme.jinja | 76 +++++++++++++++---- 1 file changed, 62 insertions(+), 14 deletions(-) diff --git a/salt/soc/files/soc/detections_custom_repo_template_readme.jinja b/salt/soc/files/soc/detections_custom_repo_template_readme.jinja index 1d391fec0..228a467bf 100644 --- a/salt/soc/files/soc/detections_custom_repo_template_readme.jinja +++ b/salt/soc/files/soc/detections_custom_repo_template_readme.jinja 
@@ -8,15 +8,39 @@ Just add your rule file and commit it. For example: -First, create the rule file; make sure to create the file with a .yar extension -`sudo vi my_custom_rule.yar` +** Note: If this is your first time making changes to this repo, you may run into the following error: -Next, use git to stage the new rule to be commited: -`sudo git add my_custom_rule.yar` +fatal: detected dubious ownership in repository at '/nsm/rules/custom-local-repos/local-yara' +To add an exception for this directory, call: + git config --global --add safe.directory /nsm/rules/custom-local-repos/local-yara -Finally, commit it. -If this is your first time making changes to this repo, you will be asked to set some configuration. -`sudo git commit -m "Initial commit of my_custom_rule.yar"` +This means that the user you are running commands as does not match the user that is used for this git repo (socore). +You will need to make sure your rule files are accessible to the socore user, so either su to socore +or add the exception and then chown the rule files later. + +Also, you will be asked to set some configuration: +``` +Author identity unknown +*** Please tell me who you are. +Run + git config --global user.email "you@example.com" + git config --global user.name "Your Name" +to set your account's default identity. +Omit --global to set the identity only in this repository. +``` + +Run these commands, ommitting the `--global`. + +With that out of the way: + +First, create the rule file with a .yar extension: +`vi my_custom_rule.yar` + +Next, use git to stage the new rule to be committed: +`git add my_custom_rule.yar` + +Finally, commit it: +`git commit -m "Initial commit of my_custom_rule.yar"` The next time the Strelka / YARA engine syncs, the new rule should be imported If there are errors, review the sync log to troubleshoot further. 
@@ -31,15 +55,39 @@ Just add your rule file and commit it. For example: -First, create the rule file; make sure to create the file with a .yaml|.yml extension -`sudo vi my_custom_rule.yml` +** Note: If this is your first time making changes to this repo, you may run into the following error: -Next, use git to stage the new rule to be commited: -`sudo git add my_custom_rule.yml` +fatal: detected dubious ownership in repository at '/nsm/rules/custom-local-repos/local-sigma' +To add an exception for this directory, call: + git config --global --add safe.directory /nsm/rules/custom-local-repos/local-sigma -Finally, commit it. -If this is your first time making changes to this repo, you will be asked to set some configuration. -`sudo git commit -m "Initial commit of my_custom_rule.yml"` +This means that the user you are running commands as does not match the user that is used for this git repo (socore). +You will need to make sure your rule files are accessible to the socore user, so either su to socore +or add the exception and then chown the rule files later. + +Also, you will be asked to set some configuration: +``` +Author identity unknown +*** Please tell me who you are. +Run + git config --global user.email "you@example.com" + git config --global user.name "Your Name" +to set your account's default identity. +Omit --global to set the identity only in this repository. +``` + +Run these commands, ommitting the `--global`. + +With that out of the way: + +First, create the rule file with a .yml or .yaml extension: +`vi my_custom_rule.yml` + +Next, use git to stage the new rule to be committed: +`git add my_custom_rule.yml` + +Finally, commit it: +`git commit -m "Initial commit of my_custom_rule.yml"` The next time the Elastalert / Sigma engine syncs, the new rule should be imported If there are errors, review the sync log to troubleshoot further. From 8334fd9c46d80ef12cc127b9a8d5c14eba04e0ac Mon Sep 17 00:00:00 2001 
From: Corey Ogburn Date: Wed, 6 Nov 2024 10:52:34 -0700 Subject: [PATCH 45/48] Source Dates --- .../templates/component/so/detection-mappings.json | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/salt/elasticsearch/templates/component/so/detection-mappings.json b/salt/elasticsearch/templates/component/so/detection-mappings.json index 2e405912d..4dd5b45e7 100644 --- a/salt/elasticsearch/templates/component/so/detection-mappings.json +++ b/salt/elasticsearch/templates/component/so/detection-mappings.json @@ -64,7 +64,7 @@ }, "tags": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword" }, "ruleset": { "ignore_above": 1024, @@ -82,6 +82,12 @@ "ignore_above": 1024, "type": "keyword" }, + "sourceCreated": { + "type": "date" + }, + "sourceUpdated": { + "type": "date" + }, "overrides": { "properties": { "type": { From 8b70aa9f0eedc3e05372362eae5bce1301628495 Mon Sep 17 00:00:00 2001 From: defensivedepth Date: Fri, 8 Nov 2024 09:19:41 -0500 Subject: [PATCH 46/48] Fix socore permissions --- salt/soc/config.sls | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/salt/soc/config.sls b/salt/soc/config.sls index 52281db74..c153ad7a6 100644 --- a/salt/soc/config.sls +++ b/salt/soc/config.sls @@ -198,11 +198,22 @@ socsensoronirepos: - mode: 775 - makedirs: True +make-repo-dir-yara: + file.directory: + - name: /nsm/rules/custom-local-repos/local-yara + - user: socore + - group: socore + - makedirs: True + - recurse: + - user + - group + create_custom_local_yara_repo_template: git.present: - name: /nsm/rules/custom-local-repos/local-yara - bare: False - force: True + - user: socore add_readme_custom_local_yara_repo_template: file.managed: 
@@ -214,11 +225,22 @@ add_readme_custom_local_yara_repo_template: - context: repo_type: "yara" +make-repo-dir-sigma: + file.directory: + - name: /nsm/rules/custom-local-repos/local-sigma + - user: socore + - group: socore + - makedirs: True + - recurse: + - user + - group + create_custom_local_sigma_repo_template: git.present: - name: /nsm/rules/custom-local-repos/local-sigma - bare: False - force: True + - user: socore add_readme_custom_local_sigma_repo_template: file.managed: From dcbb0e48d4684fc676d72a27e1744a84737d16ae Mon Sep 17 00:00:00 2001 From: defensivedepth Date: Fri, 8 Nov 2024 14:34:29 -0500 Subject: [PATCH 47/48] make sure its owned by socore --- salt/soc/config.sls | 29 +++++++++-------------------- 1 file changed, 9 insertions(+), 20 deletions(-) diff --git a/salt/soc/config.sls b/salt/soc/config.sls index c153ad7a6..89627d659 100644 --- a/salt/soc/config.sls +++ b/salt/soc/config.sls @@ -198,22 +198,12 @@ socsensoronirepos: - mode: 775 - makedirs: True -make-repo-dir-yara: - file.directory: - - name: /nsm/rules/custom-local-repos/local-yara - - user: socore - - group: socore - - makedirs: True - - recurse: - - user - - group create_custom_local_yara_repo_template: git.present: - name: /nsm/rules/custom-local-repos/local-yara - bare: False - force: True - - user: socore add_readme_custom_local_yara_repo_template: file.managed: @@ -225,22 +215,12 @@ add_readme_custom_local_yara_repo_template: - context: repo_type: "yara" -make-repo-dir-sigma: - file.directory: - - name: /nsm/rules/custom-local-repos/local-sigma - - user: socore - - group: socore - - makedirs: True - - recurse: - - user - - group create_custom_local_sigma_repo_template: git.present: - name: /nsm/rules/custom-local-repos/local-sigma - bare: False - force: True - - user: socore add_readme_custom_local_sigma_repo_template: file.managed: 
@@ -251,6 +231,15 @@ add_readme_custom_local_sigma_repo_template: - template: jinja - context: repo_type: "sigma" + +socore_own_custom_repos: + file.directory: + - name: /nsm/rules/custom-local-repos/ + - user: socore + - group: socore + - recurse: + - user + - group {% else %} From ee4405e75ea27035e43304932ca3d5c2d3cb38b0 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 8 Nov 2024 16:13:44 -0500 Subject: [PATCH 48/48] only enable repo sync cron if OEL --- salt/manager/init.sls | 5 +---- salt/manager/map.jinja | 6 +++++- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 96055df24..07c39b371 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -6,10 +6,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'strelka/map.jinja' import STRELKAMERGED %} -{% import_yaml 'manager/defaults.yaml' as MANAGERDEFAULTS %} -{% set MANAGERMERGED = salt['pillar.get']('manager', MANAGERDEFAULTS.manager, merge=true) %} -{% from 'strelka/map.jinja' import STRELKAMERGED %} +{% from 'manager/map.jinja' import MANAGERMERGED %} include: - salt.minion diff --git a/salt/manager/map.jinja b/salt/manager/map.jinja index 1ab9c12c3..4ea04a1cf 100644 --- a/salt/manager/map.jinja +++ b/salt/manager/map.jinja @@ -4,4 +4,8 @@ Elastic License 2.0. #} {% import_yaml 'manager/defaults.yaml' as MANAGERDEFAULTS %} -{% set MANAGERMERGED = salt['pillar.get']('manager', MANAGERDEFAULTS.manager, merge=True) %} \ No newline at end of file +{% set MANAGERMERGED = salt['pillar.get']('manager', MANAGERDEFAULTS.manager, merge=True) %} + +{% if grains.os != 'OEL' %} +{% do MANAGERMERGED.reposync.update({'enabled': False}) %} +{% endif %}
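Review bot: `socore_own_custom_repos` recursively re-owns everything under `/nsm/rules/custom-local-repos/` but declares no requisite on the two `git.present` states that create the repositories, so it is ordered after them only by position in the file; an explicit `- require:` with `- git: create_custom_local_yara_repo_template` and `- git: create_custom_local_sigma_repo_template` makes the ownership fix robust to later reordering. A short comment on the state, e.g. `# git.present presumably creates the repos as the minion user; hand the whole tree (including .git) to socore so it matches the user the engine commits as`, would record why the recursive chown exists, which the README in this series ties to the `dubious ownership` error. The enclosing `{% if %}` block starts outside the hunk.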
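Review bot: Both `{% from 'strelka/map.jinja' import STRELKAMERGED %}` lines are removed together with the inline MANAGERMERGED construction; if STRELKAMERGED is still referenced further down init.sls (outside this hunk) the render will fail on an undefined name, so that should be confirmed before merging. Replacing the duplicated construction with `{% from 'manager/map.jinja' import MANAGERMERGED %}` is otherwise the right consolidation, since map.jinja already builds the same merged dict.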
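Review bot: The new guard mutates MANAGERMERGED in place and overrides any pillar value for `reposync.enabled` on non-OEL hosts without saying why; a comment such as `{# per the commit: repo sync is only enabled on OEL managers; this overrides pillar elsewhere #}` above the `{% if %}` would make the override discoverable to someone who sets the pillar and sees no effect. `.reposync.update(...)` also assumes `manager/defaults.yaml` (not shown) always defines a `reposync` mapping; if it can be absent, `{% if grains.os != 'OEL' and MANAGERMERGED.reposync is defined %}` avoids an undefined-attribute render error.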