Merge pull request #12656 from Security-Onion-Solutions/2.4/detections-fixes

Add bindings for sigma repos
Josh Brower
2024-03-26 09:33:38 -04:00
committed by GitHub
4 changed files with 83 additions and 10 deletions


@@ -9,7 +9,14 @@
include: include:
- manager.sync_es_users - manager.sync_es_users
socdirtest: sigmarepodir:
file.directory:
- name: /opt/so/conf/sigma/repos
- user: 939
- group: 939
- makedirs: True
socdirelastaertrules:
file.directory: file.directory:
- name: /opt/so/rules/elastalert/rules - name: /opt/so/rules/elastalert/rules
- user: 939 - user: 939
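Review bot: The new `sigmarepodir` state sets owner and group 939 on /opt/so/conf/sigma/repos but no explicit mode, so the directory's permissions (and those of the parent /opt/so/conf/sigma that `makedirs: True` creates) are left to the minion's umask; since this tree is bind-mounted read-write into the SOC container elsewhere in the PR, an explicit `- mode: 750` (or whatever the sibling rules directories use) would make the intended access explicit. The renamed state id `socdirelastaertrules` looks like a typo for `socdirelastalertrules`; ids are only labels, but the misspelling is what will show up in highstate output. The hunk header counts 14 new lines against 12 visible, so the elastalert state continues past the last line shown here.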


@@ -1195,10 +1195,11 @@ soc:
communityRulesImportFrequencySeconds: 86400 communityRulesImportFrequencySeconds: 86400
denyRegex: '' denyRegex: ''
elastAlertRulesFolder: /opt/sensoroni/elastalert elastAlertRulesFolder: /opt/sensoroni/elastalert
reposFolder: /opt/sensoroni/sigma/repos
rulesFingerprintFile: /opt/sensoroni/fingerprints/sigma.fingerprint rulesFingerprintFile: /opt/sensoroni/fingerprints/sigma.fingerprint
rulesRepos: rulesRepos:
- repo: https://github.com/Security-Onion-Solutions/securityonion-resources - repo: https://github.com/Security-Onion-Solutions/securityonion-resources
license: DRL license: Elastic-2.0
folder: sigma/stable folder: sigma/stable
sigmaRulePackages: sigmaRulePackages:
- core - core
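Review bot: The `rulesRepos` entry names only a repo URL with no branch or commit pin, and per the `communityRulesImportFrequencySeconds` description configured Git repos are re-checked on every import cycle, so whatever the repo's default branch contains becomes detection content; if the importer accepts a ref per repo, pin one here, and if it does not, a comment above `rulesRepos` should state that assumption, e.g. `# Repos are pulled from their default branch on every import cycle; list only sources trusted to publish rules.` The same hunk changes `license` from `DRL` to `Elastic-2.0`; nothing in this diff shows which values the importer accepts for that field, so it is worth confirming the new string matches what the engine validates against.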


@@ -24,6 +24,7 @@ so-soc:
- binds: - binds:
- /nsm/rules:/nsm/rules:rw - /nsm/rules:/nsm/rules:rw
- /opt/so/conf/strelka:/opt/sensoroni/yara:rw - /opt/so/conf/strelka:/opt/sensoroni/yara:rw
- /opt/so/conf/sigma:/opt/sensoroni/sigma:rw
- /opt/so/rules/elastalert/rules:/opt/sensoroni/elastalert:rw - /opt/so/rules/elastalert/rules:/opt/sensoroni/elastalert:rw
- /opt/so/conf/soc/fingerprints:/opt/sensoroni/fingerprints:rw - /opt/so/conf/soc/fingerprints:/opt/sensoroni/fingerprints:rw
- /nsm/soc/jobs:/opt/sensoroni/jobs:rw - /nsm/soc/jobs:/opt/sensoroni/jobs:rw
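Review bot: The new bind mounts the whole host directory /opt/so/conf/sigma read-write, while the state added in the same PR only creates and chowns its `repos` subdirectory via `makedirs: True`, so the mount root itself has whatever ownership `makedirs` produced; if the engine ever writes under /opt/sensoroni/sigma outside `repos`, the container user (presumably uid 939, matching the state) may not own that parent. Either add a `file.directory` state for /opt/so/conf/sigma with the same user and group, or narrow the mount to the path the defaults actually reference, `- /opt/so/conf/sigma/repos:/opt/sensoroni/sigma/repos:rw`, which lines up with `reposFolder`.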


@@ -78,14 +78,37 @@ soc:
advanced: True advanced: True
modules: modules:
elastalertengine: elastalertengine:
sigmaRulePackages: allowRegex:
description: 'Defines the Sigma Community Ruleset you want to run. One of these (core | core+ | core++ | all ) as well as an optional Add-on (emerging_threats_addon). WARNING! Changing the ruleset will remove all existing Sigma rules of the previous ruleset and their associated overrides. This removal cannot be undone. (future use, not yet complete)' description: 'Regex used to filter imported Sigma rules. Deny regex takes precedence over the Allow regex setting.'
global: True
advanced: False
autoUpdateEnabled:
description: 'Set to true to enable automatic Internet-connected updates of the Sigma Community Ruleset. If this is an Airgap system, this setting will be overridden and set to false. (future use, not yet complete)'
global: True global: True
advanced: True advanced: True
helpLink: sigma.html
denyRegex:
description: 'Regex used to filter imported Sigma rules. Deny regex takes precedence over the Allow regex setting.'
global: True
advanced: True
helpLink: sigma.html
communityRulesImportFrequencySeconds:
description: 'How often to check for new Sigma rules (in seconds). This applies to both Community Rule Packages and any configured Git repos.'
global: True
advanced: True
helpLink: sigma.html
rulesRepos:
description: 'Custom Git repos to pull Sigma rules from. License field is required, folder is optional.'
global: True
advanced: True
forcedType: "[]{}"
helpLink: sigma.html
sigmaRulePackages:
description: 'Defines the Sigma Community Ruleset you want to run. One of these (core | core+ | core++ | all ) as well as an optional Add-on (emerging_threats_addon). WARNING! Changing the ruleset will remove all existing Sigma rules of the previous ruleset and their associated overrides. This removal cannot be undone.'
global: True
advanced: False
helpLink: sigma.html
autoUpdateEnabled:
description: 'Set to true to enable automatic Internet-connected updates of the Sigma Community Ruleset. If this is an Airgap system, this setting will be overridden and set to false.'
global: True
advanced: True
helpLink: sigma.html
elastic: elastic:
index: index:
description: Comma-separated list of indices or index patterns (wildcard "*" supported) that SOC will search for records. description: Comma-separated list of indices or index patterns (wildcard "*" supported) that SOC will search for records.
@@ -148,10 +171,51 @@ soc:
global: True global: True
advanced: True advanced: True
strelkaengine: strelkaengine:
autoUpdateEnabled: allowRegex:
description: 'Set to true to enable automatic Internet-connected updates of the Yara rulesets. If this is an Airgap system, this setting will be overridden and set to false. (future use, not yet complete)' description: 'Regex used to filter imported Yara rules. Deny regex takes precedence over the Allow regex setting.'
global: True global: True
advanced: True advanced: True
helpLink: yara.html
autoUpdateEnabled:
description: 'Set to true to enable automatic Internet-connected updates of the Yara rulesets. If this is an Airgap system, this setting will be overridden and set to false.'
global: True
advanced: True
denyRegex:
description: 'Regex used to filter imported Yara rules. Deny regex takes precedence over the Allow regex setting.'
global: True
advanced: True
helpLink: yara.html
communityRulesImportFrequencySeconds:
description: 'How often to check for new Yara rules (in seconds). This applies to both Community Rules and any configured Git repos.'
global: True
advanced: True
helpLink: yara.html
rulesRepos:
description: 'Custom Git repos to pull Yara rules from. License field is required'
global: True
advanced: True
forcedType: "[]{}"
helpLink: yara.html
suricataengine:
allowRegex:
description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.'
global: True
advanced: True
helpLink: suricata.html
autoUpdateEnabled:
description: 'Set to true to enable automatic Internet-connected updates of the Suricata rulesets. If this is an Airgap system, this setting will be overridden and set to false.'
global: True
advanced: True
denyRegex:
description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.'
global: True
advanced: True
helpLink: suricata.html
communityRulesImportFrequencySeconds:
description: 'How often to check for new Suricata rules (in seconds).'
global: True
advanced: True
helpLink: suricata.html
client: client:
enableReverseLookup: enableReverseLookup:
description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI. description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI.
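Review bot: `allowRegex` under `elastalertengine` is the only filter setting in these hunks without a `helpLink`, and it carries `advanced: False` while its `denyRegex` sibling and the strelka and suricata `allowRegex` entries are all `advanced: True`; it looks carried over from the old `sigmaRulePackages` block the first hunk replaced, so add `helpLink: sigma.html` and change it to `advanced: True` unless the asymmetry is intended. The same missing `helpLink` applies to `autoUpdateEnabled` under `strelkaengine` and `suricataengine` in the second hunk, where the sigma counterpart has `helpLink: sigma.html`. The strelka `rulesRepos` description, 'Custom Git repos to pull Yara rules from. License field is required', drops the trailing period and the note about `folder` that the sigma description carries; if `folder` is honoured for Yara repos too, align the wording.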