diff --git a/salt/soc/config.sls b/salt/soc/config.sls
index e4dad8df2..ad0ab1c8d 100644
--- a/salt/soc/config.sls
+++ b/salt/soc/config.sls
@@ -9,7 +9,14 @@ include:
 - manager.sync_es_users
-socdirtest:
+sigmarepodir:
+ file.directory:
+ - name: /opt/so/conf/sigma/repos
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+socdirelastaertrules:
 file.directory:
 - name: /opt/so/rules/elastalert/rules
 - user: 939
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 5f21d480e..70db82fc6 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1195,10 +1195,11 @@ soc:
 communityRulesImportFrequencySeconds: 86400
 denyRegex: ''
 elastAlertRulesFolder: /opt/sensoroni/elastalert
+ reposFolder: /opt/sensoroni/sigma/repos
 rulesFingerprintFile: /opt/sensoroni/fingerprints/sigma.fingerprint
 rulesRepos:
 - repo: https://github.com/Security-Onion-Solutions/securityonion-resources
- license: DRL
+ license: Elastic-2.0
 folder: sigma/stable
 sigmaRulePackages:
 - core
diff --git a/salt/soc/enabled.sls b/salt/soc/enabled.sls
index 93ca07ac8..bbe36e5b7 100644
--- a/salt/soc/enabled.sls
+++ b/salt/soc/enabled.sls
@@ -24,6 +24,7 @@ so-soc:
 - binds:
 - /nsm/rules:/nsm/rules:rw
 - /opt/so/conf/strelka:/opt/sensoroni/yara:rw
+ - /opt/so/conf/sigma:/opt/sensoroni/sigma:rw
 - /opt/so/rules/elastalert/rules:/opt/sensoroni/elastalert:rw
 - /opt/so/conf/soc/fingerprints:/opt/sensoroni/fingerprints:rw
 - /nsm/soc/jobs:/opt/sensoroni/jobs:rw
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index cb939f758..eae52e31b 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
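Review bot: The renamed state id `socdirelastaertrules` carries a typo (elastaert for elastalert); if any other state `require`s it by id, rename it to `socdirelastalertrules` and the references together, since the old `socdirtest` id disappears in this hunk anyway. The new `sigmarepodir` state sets user and group 939 but no `mode`, so the directory that will receive content fetched from remote rule repositories inherits whatever umask the salt run has; an explicit `- mode: 750` (value to confirm against what the elastalert rules directory uses — its remaining options lie outside this hunk) keeps the tree from being broader than the service account needs. The `include:` block the hunk is anchored to starts above the visible lines.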
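Review bot: The default `rulesRepos` entry points at a bare `https://github.com/...` URL with no branch, tag or commit, so each import will take whatever the remote currently serves and nothing in these defaults records an expected ref or checksum. If the importer accepts a ref field, the default entry should set one and the matching `soc_soc.yaml` description should mention it; if it does not, a comment above `rulesRepos` stating that repository content is trusted as-is would help operators judging whether to add their own entries. The `license: Elastic-2.0` value is an SPDX identifier and is safe as a plain scalar, as is the new `reposFolder` path.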
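Review bot: The new bind mounts the whole of `/opt/so/conf/sigma` read-write, while the config.sls state in this commit manages only `/opt/so/conf/sigma/repos` and the defaults point the container at `/opt/sensoroni/sigma/repos`. If nothing else under the parent directory is meant to be writable from the container, mounting the narrower path, `- /opt/so/conf/sigma/repos:/opt/sensoroni/sigma/repos:rw`, limits the exposed surface to the directory that is actually populated, mirroring how the next line binds only `elastalert/rules`. If further files are expected under `/opt/so/conf/sigma` later, a one-line comment above the bind saying so would settle the question for the next reader.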
@@ -78,14 +78,37 @@ soc:
 advanced: True
 modules:
 elastalertengine:
- sigmaRulePackages:
- description: 'Defines the Sigma Community Ruleset you want to run. One of these (core | core+ | core++ | all ) as well as an optional Add-on (emerging_threats_addon). WARNING! Changing the ruleset will remove all existing Sigma rules of the previous ruleset and their associated overrides. This removal cannot be undone. (future use, not yet complete)'
- global: True
- advanced: False
- autoUpdateEnabled:
- description: 'Set to true to enable automatic Internet-connected updates of the Sigma Community Ruleset. If this is an Airgap system, this setting will be overridden and set to false. (future use, not yet complete)'
+ allowRegex:
+ description: 'Regex used to filter imported Sigma rules. Deny regex takes precedence over the Allow regex setting.'
 global: True
 advanced: True
+ helpLink: sigma.html
+ denyRegex:
+ description: 'Regex used to filter imported Sigma rules. Deny regex takes precedence over the Allow regex setting.'
+ global: True
+ advanced: True
+ helpLink: sigma.html
+ communityRulesImportFrequencySeconds:
+ description: 'How often to check for new Sigma rules (in seconds). This applies to both Community Rule Packages and any configured Git repos.'
+ global: True
+ advanced: True
+ helpLink: sigma.html
+ rulesRepos:
+ description: 'Custom Git repos to pull Sigma rules from. License field is required, folder is optional.'
+ global: True
+ advanced: True
+ forcedType: "[]{}"
+ helpLink: sigma.html
+ sigmaRulePackages:
+ description: 'Defines the Sigma Community Ruleset you want to run. One of these (core | core+ | core++ | all ) as well as an optional Add-on (emerging_threats_addon). WARNING! Changing the ruleset will remove all existing Sigma rules of the previous ruleset and their associated overrides. This removal cannot be undone.'
+ global: True
+ advanced: False
+ helpLink: sigma.html
+ autoUpdateEnabled:
+ description: 'Set to true to enable automatic Internet-connected updates of the Sigma Community Ruleset. If this is an Airgap system, this setting will be overridden and set to false.'
+ global: True
+ advanced: True
+ helpLink: sigma.html
 elastic:
 index:
 description: Comma-separated list of indices or index patterns (wildcard "*" supported) that SOC will search for records.
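Review bot: The `allowRegex` description is word-for-word the `denyRegex` one, so it never says what matching the allow pattern does to a rule; suggest `description: 'Regex that imported Sigma rules must match to be kept; non-matching rules are skipped. Deny regex takes precedence over the Allow regex setting.'`. The same duplicated wording is used for the Yara and Suricata `allowRegex` keys in the later strelkaengine/suricataengine hunk. The `rulesRepos` text says 'License field is required, folder is optional' but not that the repos are re-fetched on the same schedule as community packages, which the `communityRulesImportFrequencySeconds` description above it implies; adding 'Repos are re-fetched on each import interval.' ties the two settings together for the operator. The enclosing `soc.modules` mapping continues on both sides of this hunk.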
@@ -148,10 +171,51 @@ soc:
 global: True
 advanced: True
 strelkaengine:
- autoUpdateEnabled:
- description: 'Set to true to enable automatic Internet-connected updates of the Yara rulesets. If this is an Airgap system, this setting will be overridden and set to false. (future use, not yet complete)'
+ allowRegex:
+ description: 'Regex used to filter imported Yara rules. Deny regex takes precedence over the Allow regex setting.'
 global: True
 advanced: True
+ helpLink: yara.html
+ autoUpdateEnabled:
+ description: 'Set to true to enable automatic Internet-connected updates of the Yara rulesets. If this is an Airgap system, this setting will be overridden and set to false.'
+ global: True
+ advanced: True
+ denyRegex:
+ description: 'Regex used to filter imported Yara rules. Deny regex takes precedence over the Allow regex setting.'
+ global: True
+ advanced: True
+ helpLink: yara.html
+ communityRulesImportFrequencySeconds:
+ description: 'How often to check for new Yara rules (in seconds). This applies to both Community Rules and any configured Git repos.'
+ global: True
+ advanced: True
+ helpLink: yara.html
+ rulesRepos:
+ description: 'Custom Git repos to pull Yara rules from. License field is required'
+ global: True
+ advanced: True
+ forcedType: "[]{}"
+ helpLink: yara.html
+ suricataengine:
+ allowRegex:
+ description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.'
+ global: True
+ advanced: True
+ helpLink: suricata.html
+ autoUpdateEnabled:
+ description: 'Set to true to enable automatic Internet-connected updates of the Suricata rulesets. If this is an Airgap system, this setting will be overridden and set to false.'
+ global: True
+ advanced: True
+ denyRegex:
+ description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.'
+ global: True
+ advanced: True
+ helpLink: suricata.html
+ communityRulesImportFrequencySeconds:
+ description: 'How often to check for new Suricata rules (in seconds).'
+ global: True
+ advanced: True
+ helpLink: suricata.html
 client:
 enableReverseLookup:
 description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI.
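Review bot: `autoUpdateEnabled` under both `strelkaengine` and `suricataengine` is the only key in this hunk without a `helpLink`, whereas every sibling here and the Sigma counterpart in the earlier elastalertengine hunk carry one; add `helpLink: yara.html` and `helpLink: suricata.html` respectively so the UI help is reachable from the setting that turns on Internet-connected updates. The Yara `rulesRepos` description also lacks its terminal period and the 'folder is optional' clause its Sigma sibling has — if the Yara importer ignores `folder`, say so explicitly rather than leaving it out. `suricataengine` gets no `rulesRepos` key at all, which looks intentional but deserves a comment since the Suricata `communityRulesImportFrequencySeconds` text drops the 'configured Git repos' clause the other two engines have. The `soc.modules` mapping this hunk sits in begins before the visible lines.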