From 49fa800b2b44a4d6d515f047cd8a1185cf975b1a Mon Sep 17 00:00:00 2001 From: DefensiveDepth Date: Mon, 25 Mar 2024 14:45:50 -0400 Subject: [PATCH 1/4] Add bindings for sigma repos --- salt/soc/config.sls | 9 ++++++++- salt/soc/defaults.yaml | 3 ++- salt/soc/enabled.sls | 1 + 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/salt/soc/config.sls b/salt/soc/config.sls index e4dad8df2..ad0ab1c8d 100644 --- a/salt/soc/config.sls +++ b/salt/soc/config.sls @@ -9,7 +9,14 @@ include: - manager.sync_es_users -socdirtest: +sigmarepodir: + file.directory: + - name: /opt/so/conf/sigma/repos + - user: 939 + - group: 939 + - makedirs: True + +socdirelastaertrules: file.directory: - name: /opt/so/rules/elastalert/rules - user: 939 diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 8bb180567..5e7b423cd 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1185,10 +1185,11 @@ soc: communityRulesImportFrequencySeconds: 86400 denyRegex: '' elastAlertRulesFolder: /opt/sensoroni/elastalert + reposFolder: /opt/sensoroni/sigma/repos rulesFingerprintFile: /opt/sensoroni/fingerprints/sigma.fingerprint rulesRepos: - repo: https://github.com/Security-Onion-Solutions/securityonion-resources - license: DRL + license: Elastic-2.0 folder: sigma/stable sigmaRulePackages: - core diff --git a/salt/soc/enabled.sls b/salt/soc/enabled.sls index 93ca07ac8..bbe36e5b7 100644 --- a/salt/soc/enabled.sls +++ b/salt/soc/enabled.sls @@ -24,6 +24,7 @@ so-soc: - binds: - /nsm/rules:/nsm/rules:rw - /opt/so/conf/strelka:/opt/sensoroni/yara:rw + - /opt/so/conf/sigma:/opt/sensoroni/sigma:rw - /opt/so/rules/elastalert/rules:/opt/sensoroni/elastalert:rw - /opt/so/conf/soc/fingerprints:/opt/sensoroni/fingerprints:rw - /nsm/soc/jobs:/opt/sensoroni/jobs:rw From 7c4ea8a58e4ef2c6fef32cd32cba2386d9418fea Mon Sep 17 00:00:00 2001 
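Review bot: The renamed state ID `socdirelastaertrules` misspells "elastalert" (the directory it manages is /opt/so/rules/elastalert/rules); since other states may later `require` it by ID, fix it before anything depends on it: `socdirelastalertrules:`. The new `sigmarepodir` state sets owner and group 939 but no `dir_mode`, so a directory that will receive cloned rule repositories and is bind-mounted rw into the container gets whatever the minion's umask produces; if the neighbouring directory states pin a mode, mirror it here, e.g. `- dir_mode: 750`. The bare `939` is unexplained in this file — a one-line comment above the state (presumably the uid/gid the so-soc container runs as; confirm) would spare the next maintainer a search.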
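Review bot: The `rulesRepos` entry identifies the community repository by URL only — no branch, tag or commit — so each scheduled import (every `communityRulesImportFrequencySeconds`) pulls whatever the default branch holds at that moment, which makes detection content an unpinned dependency. If the importer accepts a ref, document it alongside `repo`/`license`/`folder` and pin the community repo to a tag; if it does not, the setting's description in soc_soc.yaml should at least state that repos are tracked at HEAD so operators can weigh that against `autoUpdateEnabled`. The `license` value changed here (`DRL` → `Elastic-2.0`) is a free-form string; a short comment on whether it is validated or merely recorded would avoid guesswork, but I cannot tell from this hunk.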
From: DefensiveDepth Date: Tue, 26 Mar 2024 07:39:39 -0400 Subject: [PATCH 2/4] Add Detections SOC Config --- salt/soc/soc_soc.yaml | 82 ++++++++++++++++++++++++++++++++++++++----- 1 file changed, 74 insertions(+), 8 deletions(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index cb939f758..f1969b487 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
@@ -78,14 +78,38 @@ soc: advanced: True modules: elastalertengine: - sigmaRulePackages: - description: 'Defines the Sigma Community Ruleset you want to run. One of these (core | core+ | core++ | all ) as well as an optional Add-on (emerging_threats_addon). WARNING! Changing the ruleset will remove all existing Sigma rules of the previous ruleset and their associated overrides. This removal cannot be undone. (future use, not yet complete)' - global: True - advanced: False - autoUpdateEnabled: - description: 'Set to true to enable automatic Internet-connected updates of the Sigma Community Ruleset. If this is an Airgap system, this setting will be overridden and set to false. (future use, not yet complete)' + allowRegex: + description: 'Regex used to filter imported Sigma rules. Deny regex takes precedence over the Allow regex setting.' global: True advanced: True + helpLink: sigma.html + denyRegex: + description: 'Regex used to filter imported Sigma rules. Deny regex takes precedence over the Allow regex setting.' + global: True + advanced: True + helpLink: sigma.html + communityRulesImportFrequencySeconds: + description: 'How often to check for new Sigma rules (in seconds). This applies to both Community Rule Packages and any configured Git repos.' + global: True + advanced: True + helpLink: sigma.html + rulesRepos: + description: 'Custom git repos to pull Sigma rules from. License field is required, folder is optional.' + global: True + advanced: True + multiline: True + forcedType: "[]string" + helpLink: sigma.html + sigmaRulePackages: + description: 'Defines the Sigma Community Ruleset you want to run. One of these (core | core+ | core++ | all ) as well as an optional Add-on (emerging_threats_addon). WARNING! Changing the ruleset will remove all existing Sigma rules of the previous ruleset and their associated overrides. This removal cannot be undone.' 
+ global: True + advanced: False + helpLink: sigma.html + autoUpdateEnabled: + description: 'Set to true to enable automatic Internet-connected updates of the Sigma Community Ruleset. If this is an Airgap system, this setting will be overridden and set to false.' + global: True + advanced: True + helpLink: sigma.html elastic: index: description: Comma-separated list of indices or index patterns (wildcard "*" supported) that SOC will search for records. 
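Review bot: The new `allowRegex` and `denyRegex` descriptions are identical and say neither what the pattern is matched against (rule title, file path, rule ID, or raw YAML) nor what an empty value means, yet defaults.yaml ships `denyRegex: ''` — an empty pattern matches every string in most engines, so from this file alone a reader cannot tell whether the default denies nothing or everything. Once the matched field is confirmed against the importer, spell it out, e.g. `Regex matched against the <field> of each imported Sigma rule; only matching rules are imported (allow) or skipped (deny). Leave empty to disable the filter. Deny regex takes precedence over the Allow regex setting.` These patterns are operator-supplied and evaluated against every rule on every import, so if the engine backtracks a pathological pattern is a self-inflicted DoS on the import job; a one-line caveat in the description is cheap. The `rulesRepos` `forcedType: "[]string"` here does not match the list-of-mappings shape in defaults.yaml, but the series corrects that in the final patch.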
@@ -148,10 +172,52 @@ soc: global: True advanced: True strelkaengine: - autoUpdateEnabled: - description: 'Set to true to enable automatic Internet-connected updates of the Yara rulesets. If this is an Airgap system, this setting will be overridden and set to false. (future use, not yet complete)' + allowRegex: + description: 'Regex used to filter imported Yara rules. Deny regex takes precedence over the Allow regex setting.' global: True advanced: True + helpLink: yara.html + autoUpdateEnabled: + description: 'Set to true to enable automatic Internet-connected updates of the Yara rulesets. If this is an Airgap system, this setting will be overridden and set to false.' + global: True + advanced: True + denyRegex: + description: 'Regex used to filter imported Yara rules. Deny regex takes precedence over the Allow regex setting.' + global: True + advanced: True + helpLink: yara.html + communityRulesImportFrequencySeconds: + description: 'How often to check for new Yara rules (in seconds). This applies to both Community Rules and any configured Git repos.' + global: True + advanced: True + helpLink: yara.html + rulesRepos: + description: 'Custom git repos to pull Sigma rules from. License field is required' + global: True + advanced: True + multiline: True + forcedType: "[]string" + helpLink: yara.html + suricataengine: + allowRegex: + description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.' + global: True + advanced: True + helpLink: suricata.html + autoUpdateEnabled: + description: 'Set to true to enable automatic Internet-connected updates of the Suricata rulesets. If this is an Airgap system, this setting will be overridden and set to false.' + global: True + advanced: True + denyRegex: + description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.' 
+ global: True + advanced: True + helpLink: suricata.html + communityRulesImportFrequencySeconds: + description: 'How often to check for new Suricata rules (in seconds).' + global: True + advanced: True + helpLink: suricata.html client: enableReverseLookup: description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI. From cc0f4847ba20d773c12bbed82530eb9c1f11d95a Mon Sep 17 00:00:00 2001 From: DefensiveDepth Date: Tue, 26 Mar 2024 08:10:57 -0400 Subject: [PATCH 3/4] Casing and validation --- salt/soc/soc_soc.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index f1969b487..1456c71bf 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -94,10 +94,11 @@ soc: advanced: True helpLink: sigma.html rulesRepos: - description: 'Custom git repos to pull Sigma rules from. License field is required, folder is optional.' + description: 'Custom Git repos to pull Sigma rules from. License field is required, folder is optional.' global: True advanced: True multiline: True + syntax: json forcedType: "[]string" helpLink: sigma.html sigmaRulePackages: @@ -192,11 +193,12 @@ soc: advanced: True helpLink: yara.html rulesRepos: - description: 'Custom git repos to pull Sigma rules from. License field is required' + description: 'Custom Git repos to pull Sigma rules from. License field is required' global: True advanced: True multiline: True forcedType: "[]string" + syntax: json helpLink: yara.html suricataengine: allowRegex: From bbcd3116f707a995a9c581f933ead92f98aa8cc1 Mon Sep 17 00:00:00 2001 From: DefensiveDepth Date: Tue, 26 Mar 2024 09:31:46 -0400 Subject: [PATCH 4/4] Fixes --- salt/soc/soc_soc.yaml | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 1456c71bf..eae52e31b 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
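Review bot: `autoUpdateEnabled` under both `strelkaengine` and `suricataengine` is the only setting in these new stanzas without a `helpLink`, while every sibling points at yara.html or suricata.html; add `helpLink: yara.html` and `helpLink: suricata.html` respectively so the UI help is consistent. The description says that on an airgap system the value "will be overridden and set to false" — if that override is applied elsewhere in the salt tree rather than by SOC itself, naming where in the description would help whoever later wonders why their change did not stick (cannot be determined from this hunk). The Yara `rulesRepos` text still says "Sigma rules" here, but the final patch in the series fixes it.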
@@ -97,9 +97,7 @@ soc: description: 'Custom Git repos to pull Sigma rules from. License field is required, folder is optional.' global: True advanced: True - multiline: True - syntax: json - forcedType: "[]string" + forcedType: "[]{}" helpLink: sigma.html sigmaRulePackages: description: 'Defines the Sigma Community Ruleset you want to run. One of these (core | core+ | core++ | all ) as well as an optional Add-on (emerging_threats_addon). WARNING! Changing the ruleset will remove all existing Sigma rules of the previous ruleset and their associated overrides. This removal cannot be undone.' @@ -193,12 +191,10 @@ soc: advanced: True helpLink: yara.html rulesRepos: - description: 'Custom Git repos to pull Sigma rules from. License field is required' + description: 'Custom Git repos to pull Yara rules from. License field is required' global: True advanced: True - multiline: True - forcedType: "[]string" - syntax: json + forcedType: "[]{}" helpLink: yara.html suricataengine: allowRegex:
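Review bot: With `forcedType: "[]{}"` the Sigma `rulesRepos` setting now accepts a list of arbitrary objects, so nothing in this file constrains an entry to the keys the description alludes to; a mistyped key such as `licence` would presumably be accepted at save time and only surface, if at all, when the importer runs. Since `multiline` and `syntax: json` were dropped in the same hunk, the description is the only guidance operators get — spell the shape out: `Custom Git repos to pull Sigma rules from. Each entry is an object with keys repo (required), license (required) and folder (optional path within the repo).` If the SOC config UI supports a typed object schema rather than the free-form `[]{}`, prefer it for this field.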
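Review bot: The Yara `rulesRepos` description (`Custom Git repos to pull Yara rules from. License field is required`) is still shorter than its Sigma counterpart, which also documents `folder is optional`; if the Yara importer honours `folder`, mirror that text, and if it does not, say so explicitly so an operator who copies a Sigma entry into this list is not surprised. Because `forcedType: "[]{}"` leaves the entry keys unconstrained, this description is the only place the expected keys are documented, so naming them (`repo`, `license`, and `folder` if supported) is worth the extra sentence.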