Initial commit - Low Level Alerts

2025-12-06 17:22:49 +01:00 · 2020-07-02 12:16:56 -04:00
parent 07d13b7ad0
commit 69ace6fbfa
5 changed files with 102 additions and 55 deletions
--- a/salt/elastalert/files/rules/so/nids2hive.yaml
+++ b/salt/elastalert/files/rules/so/nids2hive.yaml
@@ -1,52 +0,0 @@
-{% set es = salt['pillar.get']('static:masterip', '') %}
-{% set hivehost = salt['pillar.get']('static:masterip', '') %}
-{% set hivekey = salt['pillar.get']('static:hivekey', '') %}
-{% set MASTER = salt['pillar.get']('master:url_base', '') %}
-
-# hive.yaml
-# Elastalert rule to forward IDS alerts from Security Onion to a specified TheHive instance.
-#
-es_host: {{es}}
-es_port: 9200
-name: NIDS-Alert
-type: frequency
-index: "so-ids-*"
-num_events: 1
-timeframe:
-    minutes: 10
-buffer_time:
-    minutes: 10
-allow_buffer_time_overlap: true
-query_key: ["rule.uuid"]
-realert:
-    days: 1
-filter:
- query:
-   query_string:
-      query: "event.module: suricata"
-
-alert: hivealerter
-
-hive_connection:
-  hive_host: http://{{hivehost}}
-  hive_port: 9000/thehive
-  hive_apikey: {{hivekey}}
-  
-hive_proxies:
-  http: ''
-  https: ''
-
-hive_alert_config:
-  title: '{match[rule][name]}'
-  type: 'NIDS'
-  source: 'SecurityOnion'
-  description: "`Hunting Pivot:` \n\n <https://{{MASTER}}/#/hunt?q=event.module%3A%20suricata%20AND%20rule.uuid%3A{match[rule][uuid]}%20%7C%20groupby%20source.ip%20destination.ip%20rule.name>  \n\n `Kibana Dashboard - Signature Drilldown:` \n\n <https://{{MASTER}}/kibana/app/kibana#/dashboard/ed6f7e20-e060-11e9-8f0c-2ddbf5ed9290?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'sid:')),sort:!('@timestamp',desc))> \n\n `Kibana Dashboard - Community_ID:` \n\n <https://{{MASTER}}/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'*:so-*',key:network.community_id,negate:!f,params:(query:'{match[network][community_id]}'),type:phrase),query:(match_phrase:(network.community_id:'{match[network][community_id]}')))),refreshInterval:(pause:!t,value:0),time:(from:now-7d,to:now))>  \n\n `IPs: `{match[source][ip]}:{match[source][port]} --> {match[destination][ip]}:{match[destination][port]} \n\n `Signature:`{match[rule][rule]}"
-  severity: 2
-  tags: ['{match[rule][uuid]}','{match[source][ip]}','{match[destination][ip]}']
-  tlp: 3
-  status: 'New'
-  follow: True
-
-hive_observable_data_mapping:
-  - ip: '{match[source][ip]}'
-  - ip: '{match[destination][ip]}'
--- a/salt/elastalert/files/rules/so/suricata_thehive.yaml
+++ b/salt/elastalert/files/rules/so/suricata_thehive.yaml
@@ -0,0 +1,51 @@
+{% set es = salt['pillar.get']('static:masterip', '') %}
+{% set hivehost = salt['pillar.get']('static:masterip', '') %}
+{% set hivekey = salt['pillar.get']('static:hivekey', '') %}
+{% set MASTER = salt['pillar.get']('master:url_base', '') %}
+
+# Elastalert rule to forward Suricata alerts from Security Onion to a specified TheHive instance.
+#
+es_host: {{es}}
+es_port: 9200
+name: Suricata-Alert
+type: frequency
+index: "so-ids-*"
+num_events: 1
+timeframe:
+    minutes: 10
+buffer_time:
+    minutes: 10
+allow_buffer_time_overlap: true
+query_key: ["rule.uuid","source.ip","destination.ip"]
+realert:
+    days: 1
+filter:
+- query:
+   query_string:
+      query: "event.module: suricata AND rule.severity:(1 OR 2)"
+
+alert: hivealerter
+
+hive_connection:
+  hive_host: http://{{hivehost}}
+  hive_port: 9000/thehive
+  hive_apikey: {{hivekey}}
+  
+hive_proxies:
+  http: ''
+  https: ''
+
+hive_alert_config:
+  title: '{match[rule][name]}'
+  type: 'NIDS'
+  source: 'SecurityOnion'
+  description: "`SOC Hunt Pivot:` \n\n <https://{{MASTER}}/#/hunt?q=network.community_id%3A%20%20%22{match[network][community_id]}%22%20%7C%20groupby%20source.ip%20destination.ip,event.module,%20event.dataset>  \n\n `Kibana Dashboard Pivot:` \n\n <https://{{MASTER}}/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'*:so-*',key:network.community_id,negate:!f,params:(query:'{match[network][community_id]}'),type:phrase),query:(match_phrase:(network.community_id:'{match[network][community_id]}')))),refreshInterval:(pause:!t,value:0),time:(from:now-7d,to:now))>  \n\n `IPs: `{match[source][ip]}:{match[source][port]} --> {match[destination][ip]}:{match[destination][port]} \n\n `Signature:`{match[rule][rule]}"
+  severity: 2
+  tags: ['{match[rule][uuid]}','{match[source][ip]}','{match[destination][ip]}']
+  tlp: 3
+  status: 'New'
+  follow: True
+
+hive_observable_data_mapping:
+  - ip: '{match[source][ip]}'
+  - ip: '{match[destination][ip]}'
--- a/salt/elastalert/files/rules/so/wazuh_thehive.yaml
+++ b/salt/elastalert/files/rules/so/wazuh_thehive.yaml
@@ -0,0 +1,49 @@
+{% set es = salt['pillar.get']('static:masterip', '') %}
+{% set hivehost = salt['pillar.get']('static:masterip', '') %}
+{% set hivekey = salt['pillar.get']('static:hivekey', '') %}
+{% set MASTER = salt['pillar.get']('master:url_base', '') %}
+
+# Elastalert rule to forward high level Wazuh alerts from Security Onion to a specified TheHive instance.
+#
+es_host: {{es}}
+es_port: 9200
+name: Wazuh-Alert
+type: frequency
+index: "so-ossec-*"
+num_events: 1
+timeframe:
+    minutes: 10
+buffer_time:
+    minutes: 10
+allow_buffer_time_overlap: true
+realert:
+    days: 1
+filter:
+- query:
+   query_string:
+      query: "event.module: ossec AND rule.level>=8"
+
+alert: hivealerter
+
+hive_connection:
+  hive_host: http://{{hivehost}}
+  hive_port: 9000/thehive
+  hive_apikey: {{hivekey}}
+  
+hive_proxies:
+  http: ''
+  https: ''
+
+hive_alert_config:
+  title: '{match[rule][name]}'
+  type: 'wazuh'
+  source: 'SecurityOnion'
+  description: "`SOC Hunt Pivot:` \n\n <https://{{MASTER}}/#/hunt?q=event.module%3A%20ossec%20AND%20rule.id%3A{match[rule][id]}%20%7C%20groupby%20host.name%20rule.name>  \n\n `Kibana Dashboard Pivot:` \n\n <https://{{MASTER}}/kibana/app/kibana#/dashboard/ed6f7e20-e060-11e9-8f0c-2ddbf5ed9290?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'sid:')),sort:!('@timestamp',desc))>"
+  severity: 2
+  tags: ['{match[rule][id]}','{match[host][name]}']
+  tlp: 3
+  status: 'New'
+  follow: True
+
+hive_observable_data_mapping:
+  - other: '{match[host][name]}'
--- a/salt/soctopus/files/SOCtopus.conf
+++ b/salt/soctopus/files/SOCtopus.conf
@@ -60,7 +60,7 @@ slack_url = YOURSLACKWORKSPACE
 slack_webhook = YOURSLACKWEBHOOK

 [playbook]
-playbook_url = https://{{MASTER}}/playbook
+playbook_url = http://{{MASTER}}:3200/playbook
 playbook_key = de6639318502476f2fa5aa06f43f51fb389a3d7f
 playbook_verifycert = no
 playbook_unit_test_index = playbook-testing
--- a/salt/soctopus/init.sls
+++ b/salt/soctopus/init.sls
@@ -10,7 +10,7 @@ soctopusdir:
    - group: 939
    - makedirs: True

-soctopussync:
+soctopus-sync:
  file.recurse:
    - name: /opt/so/conf/soctopus/templates
    - source: salt://soctopus/files/templates
@@ -24,7 +24,6 @@ soctopusconf:
    - source: salt://soctopus/files/SOCtopus.conf
    - user: 939
    - group: 939
-    - replace: False
    - mode: 600
    - template: jinja