Add local custom Playbooks

DefensiveDepth
2025-09-18 12:07:21 -04:00
parent c1d85493df
commit 6cdd88808a
3 changed files with 64 additions and 0 deletions

View File

@@ -206,6 +206,7 @@ git_config_set_safe_dirs:
- multivar: - multivar:
- /nsm/rules/custom-local-repos/local-sigma - /nsm/rules/custom-local-repos/local-sigma
- /nsm/rules/custom-local-repos/local-yara - /nsm/rules/custom-local-repos/local-yara
- /nsm/rules/custom-local-repos/local-playbooks
- /nsm/securityonion-resources - /nsm/securityonion-resources
- /opt/so/conf/soc/ai_summary_repos/securityonion-resources - /opt/so/conf/soc/ai_summary_repos/securityonion-resources
- /nsm/airgap-resources/playbooks - /nsm/airgap-resources/playbooks
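Review bot: The new safe.directory entry covers only the user this git config state runs as, so the README added in the template hunk still tells operators to run `git config --global --add safe.directory /nsm/rules/custom-local-repos/local-playbooks` for their own account; the docs should say which user the grid already trusts (socore) so readers understand why the exception is needed at all. The entry itself is placed alongside the existing local-sigma and local-yara entries, which keeps the multivar list consistent.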

View File

@@ -249,6 +249,22 @@ add_readme_custom_local_sigma_repo_template:
- context: - context:
repo_type: "sigma" repo_type: "sigma"
create_custom_local_playbooks_repo_template:
git.present:
- name: /nsm/rules/custom-local-repos/local-playbooks
- bare: False
- force: True
add_readme_custom_local_playbooks_repo_template:
file.managed:
- name: /nsm/rules/custom-local-repos/local-playbooks/README
- source: salt://soc/files/soc/detections_custom_repo_template_readme.jinja
- user: 939
- group: 939
- template: jinja
- context:
repo_type: "playbooks"
socore_own_custom_repos: socore_own_custom_repos:
file.directory: file.directory:
- name: /nsm/rules/custom-local-repos/ - name: /nsm/rules/custom-local-repos/

View File

@@ -91,4 +91,51 @@ Finally, commit it:
The next time the Elastalert / Sigma engine syncs, the new rule should be imported The next time the Elastalert / Sigma engine syncs, the new rule should be imported
If there are errors, review the sync log to troubleshoot further. If there are errors, review the sync log to troubleshoot further.
{% elif repo_type == 'playbooks' %}
# Playbooks Local Custom Repository
This folder has already been initialized as a git repo
and your Security Onion grid is configured to import any Playbook files found here.
Just add your playbook file and commit it.
For example:
** Note: If this is your first time making changes to this repo, you may run into the following error:
fatal: detected dubious ownership in repository at '/nsm/rules/custom-local-repos/local-playbooks'
To add an exception for this directory, call:
git config --global --add safe.directory /nsm/rules/custom-local-repos/local-playbooks
This means that the user you are running commands as does not match the user that is used for this git repo (socore).
You will need to make sure your playbook files are accessible to the socore user, so either su to socore
or add the exception and then chown the playbook files later.
Also, you will be asked to set some configuration:
```
Author identity unknown
*** Please tell me who you are.
Run
git config --global user.email "you@example.com"
git config --global user.name "Your Name"
to set your account's default identity.
Omit --global to set the identity only in this repository.
```
Run these commands, ommitting the `--global`.
With that out of the way:
First, create the playbook file with a .yml or .yaml extension:
`vi my_custom_playbook.yml`
Next, use git to stage the new playbook to be committed:
`git add my_custom_playbook.yml`
Finally, commit it:
`git commit -m "Initial commit of my_custom_playbook.yml"`
The next time SOC restarts, the new playbook should be imported
If there are errors, review the SOC log to troubleshoot further.
{% endif %} {% endif %}
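Review bot: "Run these commands, ommitting the `--global`." has a typo (omitting), and "For example:" is immediately followed by the ownership note rather than the example, so the commands only appear after "With that out of the way:"; moving the note above "For example:" (or dropping that line) would read more naturally. The closing lines also mix instructions: the safe.directory fix is given with `--global` while the identity fix says to omit it, so it is worth stating that the safe.directory exception is global for the operator's user on purpose. Minor: "the new playbook should be imported" is missing its period, and the SOC-restart trigger differs from the sync-based wording in the Sigma branch, so confirm that SOC really re-imports only on restart.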