diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja index 7fbf4ff14..109e244d7 100644 --- a/salt/allowed_states.map.jinja +++ b/salt/allowed_states.map.jinja @@ -65,6 +65,7 @@ 'registry', 'manager', 'nginx', + 'strelka.manager', 'soc', 'kratos', 'influxdb', @@ -91,6 +92,7 @@ 'nginx', 'telegraf', 'influxdb', + 'strelka.manager', 'soc', 'kratos', 'elasticfleet', @@ -111,6 +113,7 @@ 'nginx', 'telegraf', 'influxdb', + 'strelka.manager', 'soc', 'kratos', 'elastic-fleet-package-registry', diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index ad154e9d1..d76a0a0e4 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -81,22 +81,23 @@ soc: eventFields: default: - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip - destination.port - log.id.uid - network.community_id - - event.dataset ':kratos:': - soc_timestamp + - event.dataset - http_request.headers.x-real-ip - identity_id - http_request.headers.user-agent - - event.dataset - msg '::conn': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -105,9 +106,9 @@ soc: - network.protocol - log.id.uid - network.community_id - - event.dataset '::dce_rpc': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -116,27 +117,27 @@ soc: - dce_rpc.named_pipe - dce_rpc.operation - log.id.uid - - event.dataset '::dhcp': - soc_timestamp + - event.dataset - client.address - server.address - host.domain - host.hostname - dhcp.message_types - log.id.uid - - event.dataset '::dnp3': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip - destination.port - dnp3.fc_reply - log.id.uid - - event.dataset '::dnp3_control': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -144,9 +145,9 @@ soc: - dnp3.function_code - dnp3.block_type - log.id.uid - - event.dataset '::dnp3_objects': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip 
@@ -154,9 +155,9 @@ soc: - dnp3.function_code - dnp3.object_type - log.id.uid - - event.dataset '::dns': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -167,9 +168,9 @@ soc: - dns.response.code_name - log.id.uid - network.community_id - - event.dataset '::dpd': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -178,9 +179,9 @@ soc: - observer.analyser - error.reason - log.id.uid - - event.dataset '::file': - soc_timestamp + - event.dataset - source.ip - destination.ip - file.name @@ -189,9 +190,9 @@ soc: - file.bytes.total - log.id.fuid - log.id.uid - - event.dataset '::ftp': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -202,9 +203,9 @@ soc: - ftp.reply_code - file.size - log.id.uid - - event.dataset '::http': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -217,9 +218,9 @@ soc: - http.response.body.length - log.id.uid - network.community_id - - event.dataset '::intel': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -228,9 +229,9 @@ soc: - intel.indicator_type - intel.seen_where - log.id.uid - - event.dataset '::irc': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -241,9 +242,9 @@ soc: - irc.command.value - irc.command.info - log.id.uid - - event.dataset '::kerberos': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -252,18 +253,18 @@ soc: - kerberos.service - kerberos.request_type - log.id.uid - - event.dataset '::modbus': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip - destination.port - modbus.function - log.id.uid - - event.dataset '::mysql': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -273,9 +274,9 @@ soc: - mysql.success - mysql.response - log.id.uid - - event.dataset '::notice': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip 
@@ -285,9 +286,9 @@ soc: - log.id.fuid - log.id.uid - network.community_id - - event.dataset '::ntlm': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -298,18 +299,18 @@ soc: - ntlm.server.nb.name - ntlm.server.tree.name - log.id.uid - - event.dataset '::pe': - soc_timestamp + - event.dataset - file.is_64bit - file.is_exe - file.machine - file.os - file.subsystem - log.id.fuid - - event.dataset '::radius': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -319,9 +320,9 @@ soc: - radius.framed_address - radius.reply_message - radius.result - - event.dataset '::rdp': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -335,9 +336,9 @@ soc: - rdp.result - rdp.security_protocol - log.id.uid - - event.dataset '::rfb': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -347,9 +348,9 @@ soc: - rfb.share_flag - rfb.desktop.name - log.id.uid - - event.dataset '::signatures': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -361,9 +362,9 @@ soc: - signature_count - host.count - log.id.uid - - event.dataset '::sip': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -379,9 +380,9 @@ soc: - sip.user_agent - sip.status_code - log.id.uid - - event.dataset '::smb_files': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -393,9 +394,9 @@ soc: - file.size - file.prev_name - log.id.uid - - event.dataset '::smb_mapping': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -404,9 +405,9 @@ soc: - smb.service - smb.share_type - log.id.uid - - event.dataset '::smtp': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -417,9 +418,9 @@ soc: - smtp.useragent - log.id.uid - network.community_id - - event.dataset '::snmp': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip 
@@ -427,9 +428,9 @@ soc: - snmp.community - snmp.version - log.id.uid - - event.dataset '::socks': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -439,15 +440,15 @@ soc: - socks.request.port - socks.status - log.id.uid - - event.dataset '::software': - soc_timestamp + - event.dataset - source.ip - software.name - software.type - - event.dataset '::ssh': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -458,9 +459,9 @@ soc: - ssh.client - ssh.server - log.id.uid - - event.dataset ':suricata:ssl': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -469,9 +470,9 @@ soc: - ssl.certificate.subject - ssl.version - log.id.uid - - event.dataset ':zeek:ssl': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -480,9 +481,9 @@ soc: - ssl.validation_status - ssl.version - log.id.uid - - event.dataset '::ssl': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -490,9 +491,20 @@ soc: - ssl.server_name - ssl.version - log.id.uid + '::stun': + - soc_timestamp - event.dataset + - source.ip + - source.port + - destination.ip + - destination.port + - stun.class + - stun.method + - stun.attribute.types + - log.id.uid ':zeek:syslog': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip 
@@ -501,36 +513,35 @@ soc: - network.protocol - syslog.severity - log.id.uid - - event.dataset - '::tunnels': + '::tunnel': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip - destination.port - - tunnel_type - - action - - log.id.uid - - event.dataset + - event.action + - tunnel.type '::weird': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip - destination.port - weird.name - log.id.uid - - event.dataset '::x509': - soc_timestamp + - event.dataset - x509.certificate.subject - x509.certificate.key.type - x509.certificate.key.length - x509.certificate.issuer - log.id.fuid - - event.dataset '::firewall': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -540,9 +551,9 @@ soc: - observer.ingress.interface.name - event.action - network.community_id - - event.dataset ':pfsense:': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -552,9 +563,9 @@ soc: - observer.ingress.interface.name - event.action - network.community_id - - event.dataset ':osquery:': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -562,27 +573,27 @@ soc: - source.hostname - process.executable - user.name - - event.dataset ':strelka:': - soc_timestamp + - event.dataset - file.name - file.size - hash.md5 - file.source - file.mime_type - log.id.fuid - - event.dataset ':strelka:file': - soc_timestamp + - event.dataset - file.name - file.size - hash.md5 - file.source - file.mime_type - log.id.fuid - - event.dataset ':suricata:': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip 
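Review bot: The renamed `'::tunnel'` entry drops `log.id.uid` together with the old `tunnel_type`/`action` fields, so unlike every other Zeek protocol entry in this hunk it no longer exposes the uid that pivots a tunnel record to its conn record. If the tunnel dataset still carries a uid (Zeek's tunnel.log does, as far as I recall — confirm against a live record), keep `- log.id.uid` after `- tunnel.type`. A short comment at the key noting that it changed from `'::tunnels'` to `'::tunnel'` would also help, since a local pillar override of the old key will now be silently ignored rather than merged. The enclosing `eventFields` mapping continues outside the hunk.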
@@ -592,35 +603,35 @@ soc: - event.severity_label - log.id.uid - network.community_id - - event.dataset ':windows_eventlog:': - soc_timestamp - - user.name - event.dataset + - user.name ':elasticsearch:': - soc_timestamp + - event.dataset - agent.name - message - log.level - metadata.version - metadata.pipeline - - event.dataset ':kibana:': - soc_timestamp + - event.dataset - host.name - message - kibana.log.meta.req.headers.x-real-ip - - event.dataset ':syslog:syslog': - soc_timestamp + - event.dataset - host.name - metadata.ip_address - real_message - syslog.priority - syslog.application - - event.dataset ':aws:': - soc_timestamp + - event.dataset - aws.cloudtrail.event_category - aws.cloudtrail.event_type - event.provider @@ -630,25 +641,25 @@ soc: - user.name - source.ip - source.geo.region_iso_code - - event.dataset ':squid:': - soc_timestamp + - event.dataset - url.original - destination.ip - destination.geo.country_iso_code - user.name - source.ip - - event.dataset '::sysmon_operational': - soc_timestamp + - event.dataset - event.action - winlog.computer_name - user.name - process.executable - process.pid - - event.dataset '::network_connection': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip 
@@ -656,59 +667,59 @@ soc: - source.hostname - process.executable - user.name - - event.dataset '::process_terminated': - soc_timestamp + - event.dataset - process.executable - process.pid - winlog.computer_name - - event.dataset '::file_create': - soc_timestamp + - event.dataset - file.target - process.executable - process.pid - winlog.computer_name - - event.dataset '::registry_value_set': - soc_timestamp + - event.dataset - winlog.event_data.TargetObject - process.executable - process.pid - winlog.computer_name - - event.dataset '::process_creation': - soc_timestamp + - event.dataset - process.command_line - process.pid - process.parent.executable - process.working_directory - - event.dataset '::registry_create_delete': - soc_timestamp + - event.dataset - winlog.event_data.TargetObject - process.executable - process.pid - winlog.computer_name - - event.dataset '::dns_query': - soc_timestamp + - event.dataset - dns.query.name - dns.answers.name - process.executable - winlog.computer_name - - event.dataset '::file_create_stream_hash': - soc_timestamp + - event.dataset - file.target - hash.md5 - hash.sha256 - process.executable - process.pid - winlog.computer_name - - event.dataset '::bacnet': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -716,9 +727,9 @@ soc: - bacnet.bclv.function - bacnet.result.code - log.id.uid - - event.dataset '::bacnet_discovery': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -726,9 +737,9 @@ soc: - bacnet.vendor - bacnet.pdu.service - log.id.uid - - event.dataset '::bacnet_property': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -736,9 +747,9 @@ soc: - bacnet.property - bacnet.pdu.service - log.id.uid - - event.dataset '::bsap_ip_header': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip 
@@ -746,16 +757,16 @@ soc: - bsap.message.type - bsap.number.messages - log.id.uid - - event.dataset '::bsap_ip_rdb': - soc_timestamp + - event.dataset - bsap.application.function - bsap.application.sub.function - bsap.vector.variables - log.id.uid - - event.dataset '::bsap_serial_header': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -764,15 +775,15 @@ soc: - bsap.destination.function - bsap.message.type - log.id.uid - - event.dataset '::bsap_serial_rdb': - soc_timestamp + - event.dataset - bsap.rdb.function - bsap.vector.variables - log.id.uid - - event.dataset '::cip': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -780,9 +791,9 @@ soc: - cip.service - cip.status_code - log.id.uid - - event.dataset '::cip_identity': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -790,9 +801,9 @@ soc: - cip.device.type.name - cip.vendor.name - log.id.uid - - event.dataset '::cip_io': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip 
@@ -800,63 +811,63 @@ soc: - cip.connection.id - cip.io.data - log.id.uid - - event.dataset '::cotp': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip - destination.port - cotp.pdu.name - log.id.uid - - event.dataset '::ecat_arp_info': - soc_timestamp + - event.dataset - source.ip - destination.ip - source.mac - destination.mac - ecat.arp.type - - event.dataset '::ecat_aoe_info': - soc_timestamp + - event.dataset - source.mac - source.port - destination.mac - destination.port - ecat.command - - event.dataset '::ecat_coe_info': - soc_timestamp + - event.dataset - ecat.message.number - ecat.message.type - ecat.request.response.type - ecat.index - ecat.sub.index - - event.dataset '::ecat_dev_info': - soc_timestamp + - event.dataset - ecat.device.type - ecat.features - ecat.ram.size - ecat.revision - ecat.slave.address - - event.dataset '::ecat_log_address': - soc_timestamp + - event.dataset - source.mac - destination.mac - ecat.command - - event.dataset '::ecat_registers': - soc_timestamp + - event.dataset - source.mac - destination.mac - ecat.command - ecat.register.type - - event.dataset '::enip': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -864,18 +875,18 @@ soc: - enip.command - enip.status_code - log.id.uid - - event.dataset '::modbus_detailed': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip - destination.port - modbus.function - log.id.uid - - event.dataset '::opcua_binary': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -883,9 +894,9 @@ soc: - opcua.identifier_string - opcua.message_type - log.id.uid - - event.dataset '::opcua_binary_activate_session': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip 
@@ -894,9 +905,9 @@ soc: - opcua.identifier_string - opcua.user_name - log.id.uid - - event.dataset '::opcua_binary_activate_session_diagnostic_info': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -904,9 +915,9 @@ soc: - opcua.activate_session_diag_info_link_id - opcua.diag_info_link_id - log.id.uid - - event.dataset '::opcua_binary_activate_session_locale_id': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -914,9 +925,9 @@ soc: - opcua.local_id - opcua.locale_link_id - log.id.uid - - event.dataset '::opcua_binary_browse': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -924,17 +935,17 @@ soc: - opcua.link_id - opcua.service_type - log.id.uid - - event.dataset '::opcua_binary_browse_description': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip - destination.port - log.id.uid - - event.dataset '::opcua_binary_browse_response_references': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -942,27 +953,27 @@ soc: - opcua.node_class - opcua.display_name_text - log.id.uid - - event.dataset '::opcua_binary_browse_result': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip - destination.port - opcua.response_link_id - log.id.uid - - event.dataset '::opcua_binary_create_session': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip - destination.port - opcua.link_id - log.id.uid - - event.dataset '::opcua_binary_create_session_endpoints': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip 
@@ -970,27 +981,27 @@ soc: - opcua.endpoint_link_id - opcua.endpoint_url - log.id.uid - - event.dataset '::opcua_binary_create_session_user_token': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip - destination.port - opcua.user_token_link_id - log.id.uid - - event.dataset '::opcua_binary_create_subscription': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip - destination.port - opcua.link_id - log.id.uid - - event.dataset '::opcua_binary_get_endpoints': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -998,9 +1009,9 @@ soc: - opcua.endpoint_url - opcua.link_id - log.id.uid - - event.dataset '::opcua_binary_get_endpoints_description': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -1008,9 +1019,9 @@ soc: - opcua.endpoint_description_link_id - opcua.endpoint_uri - log.id.uid - - event.dataset '::opcua_binary_get_endpoints_user_token': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -1018,9 +1029,9 @@ soc: - opcua.user_token_link_id - opcua.user_token_type - log.id.uid - - event.dataset '::opcua_binary_read': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -1028,9 +1039,9 @@ soc: - opcua.link_id - opcua.read_results_link_id - log.id.uid - - event.dataset '::opcua_binary_status_code_detail': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -1038,9 +1049,9 @@ soc: - opcua.info_type_string - opcua.source_string - log.id.uid - - event.dataset '::profinet': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip 
@@ -1048,18 +1059,18 @@ soc: - profinet.index - profinet.operation_type - log.id.uid - - event.dataset '::profinet_dce_rpc': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip - destination.port - profinet.operation - log.id.uid - - event.dataset '::s7comm': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -1067,9 +1078,9 @@ soc: - s7.ros.control.name - s7.function.name - log.id.uid - - event.dataset '::s7comm_plus': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -1077,9 +1088,9 @@ soc: - s7.opcode.name - s7.version - log.id.uid - - event.dataset '::s7comm_read_szl': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -1087,9 +1098,9 @@ soc: - s7.szl_id_name - s7.return_code_name - log.id.uid - - event.dataset '::s7comm_upload_download': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip @@ -1097,52 +1108,52 @@ soc: - s7.ros.control.name - s7.function_code - log.id.uid - - event.dataset '::tds': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip - destination.port - tds.command - log.id.uid - - event.dataset '::tds_rpc': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip - destination.port - tds.procedure_name - log.id.uid - - event.dataset '::tds_sql_batch': - soc_timestamp + - event.dataset - source.ip - source.port - destination.ip - destination.port - tds.header_type - log.id.uid - - event.dataset ':endpoint:events_x_api': - soc_timestamp + - event.dataset - host.name - user.name - process.name - process.Ext.api.name - process.thread.Ext.call_stack_final_user_module.path - - event.dataset ':endpoint:events_x_file': - soc_timestamp + - event.dataset - host.name - user.name - process.name - event.action - file.path - - event.dataset ':endpoint:events_x_library': - soc_timestamp + - event.dataset - host.name - user.name - process.name 
@@ -1150,9 +1161,9 @@ soc: - dll.path - dll.code_signature.status - dll.code_signature.subject_name - - event.dataset ':endpoint:events_x_network': - soc_timestamp + - event.dataset - host.name - user.name - process.name @@ -1162,43 +1173,43 @@ soc: - destination.ip - destination.port - network.community_id - - event.dataset ':endpoint:events_x_process': - soc_timestamp + - event.dataset - host.name - user.name - process.parent.name - process.name - event.action - process.working_directory - - event.dataset ':endpoint:events_x_registry': - soc_timestamp + - event.dataset - host.name - user.name - process.name - event.action - registry.path - - event.dataset ':endpoint:events_x_security': - soc_timestamp + - event.dataset - host.name - user.name - process.executable - event.action - event.outcome - - event.dataset ':system:': - soc_timestamp + - event.dataset - process.name - process.pid - user.effective.name - user.name - system.auth.sudo.command - - event.dataset - message ':opencanary:': - soc_timestamp + - event.dataset - source.ip - source.port - logdata.HOSTNAME @@ -1206,20 +1217,20 @@ soc: - logdata.PATH - logdata.USERNAME - logdata.USERAGENT - - event.dataset ':elastic_agent:': - soc_timestamp - event.dataset - message ':kismet:': - soc_timestamp + - event.dataset - device.manufacturer - client.mac - network.wireless.ssid - network.wireless.bssid - - event.dataset ':playbook:': - soc_timestamp + - event.dataset - rule.name - event.severity_label - event_data.event.dataset @@ -1231,6 +1242,7 @@ soc: - event_data.process.pid ':sigma:': - soc_timestamp + - event.dataset - rule.name - event.severity_label - event_data.event.dataset @@ -1246,7 +1258,6 @@ soc: maxPacketCount: 5000 htmlDir: html importUploadDir: /nsm/soc/uploads - airgapEnabled: false modules: cases: soc filedatastore: 
@@ -1274,10 +1285,16 @@ soc: rulesFingerprintFile: /opt/sensoroni/fingerprints/sigma.fingerprint stateFilePath: /opt/sensoroni/fingerprints/elastalertengine.state rulesRepos: - - repo: https://github.com/Security-Onion-Solutions/securityonion-resources - license: Elastic-2.0 - folder: sigma/stable - community: true + default: + - repo: https://github.com/Security-Onion-Solutions/securityonion-resources + license: Elastic-2.0 + folder: sigma/stable + community: true + airgap: + - repo: file:///nsm/rules/detect-sigma/repos/securityonion-resources + license: Elastic-2.0 + folder: sigma/stable + community: true sigmaRulePackages: - core - emerging_threats_addon @@ -1333,9 +1350,14 @@ soc: denyRegex: '' reposFolder: /opt/sensoroni/yara/repos rulesRepos: - - repo: https://github.com/Security-Onion-Solutions/securityonion-yara - license: DRL - community: true + default: + - repo: https://github.com/Security-Onion-Solutions/securityonion-yara + license: DRL + community: true + airgap: + - repo: file:///nsm/rules/detect-yara/repos/securityonion-yara + license: DRL + community: true yaraRulesFolder: /opt/sensoroni/yara/rules stateFilePath: /opt/sensoroni/fingerprints/strelkaengine.state suricataengine: 
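Review bot: The new `airgap` entries point at `file:///nsm/rules/detect-sigma/repos/securityonion-resources` and `file:///nsm/rules/detect-yara/repos/securityonion-yara`, but nothing here says which step stages those clones or what the engine does when the path is absent on an airgap install; a one-line comment above each `airgap:` key naming the staging step (ISO build, so-verify, manual copy) would save the next reader a search. Both `default` lists also pull the live default branch of the GitHub repos with no ref or commit pin, so the detection logic a deployment runs can change underneath it on every import cycle — if the repo schema supports a `branch`/`ref` field, pin it here, and if not, document that these are unpinned. The enclosing `elastalertengine` and `strelkaengine` mappings continue outside the hunk.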
@@ -1842,7 +1864,7 @@ soc: query: 'event.dataset:zeek.ssl | groupby ssl.version | groupby ssl.validation_status | groupby -sankey ssl.validation_status ssl.server_name | groupby ssl.server_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: STUN description: STUN (Session Traversal Utilities for NAT) network metadata - query: 'tags:stun* | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby destination.geo.country_name | groupby event.dataset' + query: 'tags:stun* | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby destination.geo.country_name | groupby stun.class | groupby -sankey stun.class stun.method | groupby stun.method | groupby stun.attribute.types' - name: Syslog description: Syslog logs query: 'tags:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby event.dataset' @@ -1944,6 +1966,7 @@ soc: eventFields: default: - soc_timestamp + - event.dataset - rule.name - event.severity_label - source.ip @@ -1956,6 +1979,7 @@ soc: - rule.rev ':playbook:': - soc_timestamp + - event.dataset - rule.name - event.severity_label - event_data.event.dataset @@ -1967,6 +1991,7 @@ soc: - event_data.process.pid ':sigma:': - soc_timestamp + - event.dataset - rule.name - event.severity_label - event_data.event.dataset @@ -1979,13 +2004,13 @@ soc: - event_data.process.pid ':strelka:': - soc_timestamp + - event.dataset - file.name - file.size - hash.md5 - file.source - file.mime_type - log.id.fuid - - event.dataset queryBaseFilter: tags:alert queryToggleFilters: - name: acknowledged diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja index 222566dba..f23d9c115 100644 
--- a/salt/soc/merged.map.jinja +++ b/salt/soc/merged.map.jinja @@ -37,6 +37,17 @@ {% do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules.default}) %} {% endif %} +{# set elastalertengine.rulesRepos and strelkaengine.rulesRepos based on airgap or not #} +{% if GLOBALS.airgap %} +{% do SOCMERGED.config.server.modules.elastalertengine.update({'rulesRepos': SOCMERGED.config.server.modules.elastalertengine.rulesRepos.airgap}) %} +{% do SOCMERGED.config.server.modules.strelkaengine.update({'rulesRepos': SOCMERGED.config.server.modules.strelkaengine.rulesRepos.airgap}) %} +{% do SOCMERGED.config.server.update({'airgapEnabled': true}) %} +{% else %} +{% do SOCMERGED.config.server.modules.elastalertengine.update({'rulesRepos': SOCMERGED.config.server.modules.elastalertengine.rulesRepos.default}) %} +{% do SOCMERGED.config.server.modules.strelkaengine.update({'rulesRepos': SOCMERGED.config.server.modules.strelkaengine.rulesRepos.default}) %} +{% do SOCMERGED.config.server.update({'airgapEnabled': false}) %} +{% endif %} + {# remove these modules if detections is disabled #} {% if not SOCMERGED.config.server.client.detectionsEnabled %} {% do SOCMERGED.config.server.modules.pop('elastalertengine') %} diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 4b88a5f84..2b1e83ec4 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
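Review bot: The new block reads `rulesRepos.airgap` / `rulesRepos.default` unconditionally, so an existing local pillar that still overrides `rulesRepos` in the pre-change shape (a flat list of repo mappings, which is what the removed `soc_soc.yaml` annotation described) has no such key and the engine's repo list becomes the renderer's undefined value instead of the operator's override. A guard such as `{% if SOCMERGED.config.server.modules.elastalertengine.rulesRepos is mapping %}` around each update, leaving a list-shaped value untouched, or a comment stating that list-shaped overrides are unsupported after this change, would make the migration explicit. Whether Salt's Jinja raises on the missing attribute or renders it as empty depends on the renderer's undefined policy, so this is worth testing against an upgraded pillar rather than assuming.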
@@ -107,21 +107,18 @@ soc: advanced: True helpLink: sigma.html rulesRepos: - description: 'Custom Git repos to pull Sigma rules from. License field is required, folder is optional.' - global: True - advanced: True - forcedType: "[]{}" - helpLink: sigma.html + default: &eerulesRepos + description: "Custom Git repos to pull Sigma rules from. 'license' field is required, 'folder' is optional. 'community' disables some management options for the imported rules - they can't be deleted or edited, just tuned, duplicated and Enabled | Disabled." + global: True + advanced: True + forcedType: "[]{}" + helpLink: sigma.html + airgap: *eerulesRepos sigmaRulePackages: description: 'Defines the Sigma Community Ruleset you want to run. One of these (core | core+ | core++ | all ) as well as an optional Add-on (emerging_threats_addon). Once you have changed the ruleset here, you will need to wait for the rule update to take place (every 8 hours), or you can force the update by nagivating to Detections --> Options dropdown menu --> Elastalert --> Full Update. WARNING! Changing the ruleset will remove all existing Sigma rules of the previous ruleset and their associated overrides. This removal cannot be undone.' global: True advanced: False helpLink: sigma.html - autoUpdateEnabled: - description: 'Set to true to enable automatic Internet-connected updates of the Sigma Community Ruleset. If this is an Airgap system, this setting will be overridden and set to false.' - global: True - advanced: True - helpLink: sigma.html elastic: index: description: Comma-separated list of indices or index patterns (wildcard "*" supported) that SOC will search for records. 
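Review bot: The `airgap: *eerulesRepos` alias gives the airgap entry a description that tells the operator to supply "Custom Git repos to pull Sigma rules from", while the value actually used on an airgap system (see `defaults.yaml` in this same diff) is a `file://` path to a pre-staged local clone. Give the airgap key its own description, e.g. `description: "Local (file://) clones of the Sigma rule repos used when the system is airgapped; same fields as the default list."`, and keep the alias only for `global`/`advanced`/`forcedType`/`helpLink`. The enclosing `elastalertengine` mapping continues outside the hunk.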
@@ -185,45 +182,39 @@ soc: advanced: True strelkaengine: allowRegex: - description: 'Regex used to filter imported Yara rules. Deny regex takes precedence over the Allow regex setting.' + description: 'Regex used to filter imported YARA rules. Deny regex takes precedence over the Allow regex setting.' global: True advanced: True helpLink: yara.html - autoEnabledYaraRules: - description: 'Yara rules to automatically enable on initial import. Format is $Ruleset - for example, for the default shipped ruleset: securityonion-yara' + autoEnabledYARARules: + description: 'YARA rules to automatically enable on initial import. Format is $Ruleset - for example, for the default shipped ruleset: securityonion-yara' global: True advanced: True helpLink: sigma.html - autoUpdateEnabled: - description: 'Set to true to enable automatic Internet-connected updates of the Yara rulesets. If this is an Airgap system, this setting will be overridden and set to false.' - global: True - advanced: True denyRegex: - description: 'Regex used to filter imported Yara rules. Deny regex takes precedence over the Allow regex setting.' + description: 'Regex used to filter imported YARA rules. Deny regex takes precedence over the Allow regex setting.' global: True advanced: True helpLink: yara.html communityRulesImportFrequencySeconds: - description: 'How often to check for new Yara rules (in seconds). This applies to both Community Rules and any configured Git repos.' + description: 'How often to check for new YARA rules (in seconds). This applies to both Community Rules and any configured Git repos.' global: True advanced: True helpLink: yara.html rulesRepos: - description: 'Custom Git repos to pull Yara rules from. License field is required' - global: True - advanced: True - forcedType: "[]{}" - helpLink: yara.html + default: &serulesRepos + description: "Custom Git repos to pull YARA rules from. 'license' field is required, 'folder' is optional. 
'community' disables some management options for the imported rules - they can't be deleted or edited, just tuned, duplicated and Enabled | Disabled." + global: True + advanced: True + forcedType: "[]{}" + helpLink: yara.html + airgap: *serulesRepos suricataengine: allowRegex: description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.' global: True advanced: True helpLink: suricata.html - autoUpdateEnabled: - description: 'Set to true to enable automatic Internet-connected updates of the Suricata rulesets. If this is an Airgap system, this setting will be overridden and set to false.' - global: True - advanced: True denyRegex: description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.' global: True diff --git a/salt/strelka/backend/enabled.sls b/salt/strelka/backend/enabled.sls index a626924b1..1de22f404 100644 --- a/salt/strelka/backend/enabled.sls +++ b/salt/strelka/backend/enabled.sls @@ -42,8 +42,6 @@ strelka_backend: {% endfor %} {% endif %} - restart_policy: on-failure - #- watch: - #- file: strelkarules delete_so-strelka-backend_so-status.disabled: file.uncomment: diff --git a/salt/strelka/compile_yara/compile_yara.py b/salt/strelka/compile_yara/compile_yara.py index ece3c6a9e..dc77980d2 100644 --- a/salt/strelka/compile_yara/compile_yara.py +++ b/salt/strelka/compile_yara/compile_yara.py @@ -20,7 +20,7 @@ def check_syntax(rule_file): def compile_yara_rules(rules_dir): compiled_dir = os.path.join(rules_dir, "compiled") - compiled_rules_path = os.path.join(compiled_dir, "rules.compiled") + compiled_rules_path = [ os.path.join(compiled_dir, "rules.compiled"), "/opt/so/saltstack/default/salt/strelka/rules/compiled/rules.compiled" ] rule_files = glob.glob(os.path.join(rules_dir, '**/*.yar'), recursive=True) files_to_compile = {} removed_count = 0 
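Review bot: `autoEnabledYaraRules` is renamed to `autoEnabledYARARules` in this annotation file, but the diff shows no matching rename of the config key in `defaults.yaml`, so unless that was done outside the diff the description/advanced/helpLink metadata will no longer attach to the real setting in the SOC config UI. That same entry also keeps `helpLink: sigma.html` while every other `strelkaengine` setting in the hunk links `yara.html`; change it to `helpLink: yara.html`. As with the Sigma block, `airgap: *serulesRepos` inherits a description about Git repos although the airgap value is a local `file://` clone. The enclosing `strelkaengine` mapping and the `suricataengine` mapping both continue outside the hunk.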
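Review bot: Dropping `restart_policy: on-failure` from the `strelka_backend` container means a backend that exits non-zero (for example on a malformed compiled rules file) now stays down until the next highstate, and file scanning stops silently in the meantime. If that is intentional — say because so-status or the salt run is meant to be the supervisor — a one-line comment at that spot such as `# no restart_policy: the highstate re-creates the container on failure` would stop the policy from being re-added; otherwise keep it. The `strelka_backend` state definition begins outside the hunk.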
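Review bot: `compiled_rules_path` now holds a list of two destinations but keeps its singular name, and the second destination is a hard-coded absolute path into the `default` Salt file root, `/opt/so/saltstack/default/salt/strelka/rules/compiled/rules.compiled`. Rename it `compiled_rules_paths` and add a comment explaining why the script writes into the Salt tree at all, e.g. `# second copy lands in the salt file root so sensors can fetch it via salt://strelka/rules/compiled/rules.compiled`, since that tree is otherwise treated as read-only managed content (the `DO.NOT.TOUCH` marker added in this diff suggests as much). Whether the account that runs this script can write there is not visible here and should be confirmed. The rest of `compile_yara_rules` continues outside the hunk.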
@@ -57,10 +57,11 @@ def compile_yara_rules(rules_dir): # Compile all remaining valid rules into a single file if files_to_compile: compiled_rules = yara.compile(filepaths=files_to_compile) - compiled_rules.save(compiled_rules_path) - print(f"All remaining rules compiled and saved into {compiled_rules_path}") + for path in compiled_rules_path: + compiled_rules.save(path) + print(f"All remaining rules compiled and saved into {path}") # Print summary of compilation results print(f"Summary: {success_count} rules compiled successfully, {removed_count} rules removed due to errors.") -compile_yara_rules("/opt/sensoroni/yara/rules/") \ No newline at end of file +compile_yara_rules("/opt/sensoroni/yara/rules/") diff --git a/salt/strelka/config.sls b/salt/strelka/config.sls index 90bba58a7..c65f9c2cb 100644 --- a/salt/strelka/config.sls +++ b/salt/strelka/config.sls @@ -29,6 +29,15 @@ strelkarulesdir: - group: 939 - makedirs: True +{%- if grains.role in ['so-sensor', 'so-heavynode'] %} +strelkasensorrules: + file.managed: + - name: /opt/so/conf/strelka/rules/compiled/rules.compiled + - source: salt://strelka/rules/compiled/rules.compiled + - user: 939 + - group: 939 +{%- endif %} + strelkareposdir: file.directory: - name: /opt/so/conf/strelka/repos diff --git a/salt/strelka/manager.sls b/salt/strelka/manager.sls new file mode 100644 index 000000000..1c56a18fd --- /dev/null +++ b/salt/strelka/manager.sls 
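Review bot: `strelkasensorrules` manages `/opt/so/conf/strelka/rules/compiled/rules.compiled` without `makedirs: True`, so on a sensor where the `compiled` directory does not exist yet the state fails; the preceding `strelkarulesdir` state only shows its `makedirs: True` inside the hunk and its target path is outside it, and no state for the `compiled` subdirectory is visible in this file. Adding `- makedirs: True` and an explicit `- mode: 644` would make the state self-contained rather than dependent on ordering. If the rules file is expected to change whenever the manager recompiles, it is worth checking that the backend container picks up the new file; the `enabled.sls` hunk on this page removes the commented-out watch rather than adding one.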
@@ -0,0 +1,45 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} + +# Strelka config +strelkaconfdir: + file.directory: + - name: /opt/so/conf/strelka/rules/compiled/ + - user: 939 + - group: 939 + - makedirs: True + +strelkacompileyara: + file.managed: + - name: /opt/so/conf/strelka/compile_yara.py + - source: salt://strelka/compile_yara/compile_yara.py + - user: 939 + - group: 939 + - makedirs: True + +strelkarulesdir: + file.directory: + - name: /opt/so/conf/strelka/rules + - user: 939 + - group: 939 + - makedirs: True + +strelkareposdir: + file.directory: + - name: /opt/so/conf/strelka/repos + - user: 939 + - group: 939 + - makedirs: True + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} diff --git a/salt/strelka/rules/compiled/DO.NOT.TOUCH b/salt/strelka/rules/compiled/DO.NOT.TOUCH new file mode 100644 index 000000000..e69de29bb diff --git a/salt/top.sls b/salt/top.sls index 2510356c4..370914d91 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -87,6 +87,7 @@ base: - registry - nginx - influxdb + - strelka.manager - soc - kratos - firewall @@ -161,6 +162,7 @@ base: - registry - nginx - influxdb + - strelka.manager - soc - kratos - firewall @@ -210,6 +212,7 @@ base: - manager - nginx - influxdb + - strelka.manager - soc - kratos - sensoroni diff --git a/setup/so-verify b/setup/so-verify index b4c79a88c..d22b80fc2 100755 --- a/setup/so-verify +++ b/setup/so-verify 
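Review bot: The state IDs `strelkarulesdir` and `strelkareposdir` in the new `strelka.manager` state are the same IDs that `salt/strelka/config.sls` declares (its `strelkareposdir` block and `strelkarulesdir` context are visible in the `config.sls` hunk on this page), so if a manager-class minion ever has both `strelka` and `strelka.manager` in its top file the highstate aborts with conflicting IDs instead of applying either; give these distinct IDs or move the shared directories into one included state. `strelkaconfdir` actually creates `/opt/so/conf/strelka/rules/compiled/`, so a name such as `strelkacompiledrulesdir` would read correctly. `compile_yara.py` is installed here without a `mode` and nothing in this state runs it, so presumably another state or the SOC process invokes it; a comment naming that caller, e.g. `# Executed by <caller> after rule import; writes rules.compiled into the Salt file root`, would help the next reader.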
@@ -67,6 +67,7 @@ log_has_errors() { grep -vE "Reading first line of patchfile" | \ grep -vE "Command failed with exit code" | \ grep -vE "Running scope as unit" | \ + grep -vE "securityonion-resources/sigma/stable" | \ grep -vE "log-.*-pipeline_failed_attempts" &> "$error_log" if [[ $? -eq 0 ]]; then diff --git a/setup/so-whiptail b/setup/so-whiptail index 90bbaf397..06d62a027 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -14,7 +14,7 @@ whiptail_airgap() { [[ $is_manager || $is_import ]] && node_str='manager' INTERWEBS=$(whiptail --title "$whiptail_title" --menu \ - "How should this $node_str be installed?" 10 70 2 \ + "How should this $node_str be installed?\n\nFor more information, please see:\n$DOC_BASE_URL/airgap.html" 13 70 2 \ "Standard " "This $node_str has access to the Internet" \ "Airgap " "This $node_str does not have access to the Internet" 3>&1 1>&2 2>&3 ) @@ -592,8 +592,8 @@ whiptail_install_type() { "IMPORT" "Import PCAP or log files " \ "EVAL" "Evaluation mode (not for production) " \ "STANDALONE" "Standalone production install " \ - "DISTRIBUTED" "Distributed install submenu " \ - "DESKTOP" "Install Security Onion Desktop" \ + "DISTRIBUTED" "Distributed deployment " \ + "DESKTOP" "Security Onion Desktop" \ 3>&1 1>&2 2>&3 ) elif [[ "$OSVER" == "focal" ]]; then
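Review bot: The added `grep -vE "securityonion-resources/sigma/stable"` drops every log line that mentions that path, including a genuinely failed clone or checkout of that repository, so a setup that could not fetch the Sigma rules would now pass verification. Anchor the exclusion on the specific benign message the filter is meant to hide rather than on the path alone, e.g. `grep -vE "<exact benign message text>.*securityonion-resources/sigma/stable" | \`. `log_has_errors` starts and ends outside the hunk.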
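Review bot: `$DOC_BASE_URL` is now interpolated into the airgap prompt, and nothing in the hunk shows it being set before `whiptail_airgap` runs; if it is unset the menu prints a bare `/airgap.html`. Either make sure the variable is defined before the function is called or fail loudly with `${DOC_BASE_URL:?DOC_BASE_URL is not set}` in the string so a missing definition surfaces during setup rather than as a broken link. The rest of `whiptail_airgap` lies outside the hunk.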