Merge pull request #14013 from Security-Onion-Solutions/2.4/navigator

Refactor Navigator for Detections

salt/nginx/config.sls

@@ -49,16 +49,6 @@ navigatorconfig:
     - makedirs: True
     - template: jinja
 
-navigatordefaultlayer:
-  file.managed:
-    - name: /opt/so/conf/navigator/layers/nav_layer_playbook.json
-    - source: salt://nginx/files/nav_layer_playbook.json
-    - user: 939
-    - group: 939
-    - makedirs: True
-    - replace: False
-    - template: jinja
-
 navigatorpreattack:
   file.managed:
     - name: /opt/so/conf/navigator/layers/pre-attack.json

salt/nginx/enabled.sls

@@ -164,7 +164,6 @@ so-nginx:
       - x509: managerssl_crt
 {%     endif%}
       - file: navigatorconfig
-      - file: navigatordefaultlayer
 {%   endif %}
 
 delete_so-nginx_so-status.disabled:

salt/nginx/files/nav_layer_playbook.json

@@ -1,65 +0,0 @@
-{
-	"name": "Playbook Coverage",
-	"versions": {
-		"attack": "14",
-		"navigator": "4.9.1",
-		"layer": "4.5"
-	},
-	"domain": "enterprise-attack",
-	"description": "",
-	"filters": {
-		"platforms": [
-			"Linux",
-			"macOS",
-			"Windows",
-			"Network",
-			"PRE",
-			"Containers",
-			"Office 365",
-			"SaaS",
-			"Google Workspace",
-			"IaaS",
-			"Azure AD"
-		]
-	},
-	"sorting": 0,
-	"layout": {
-		"layout": "side",
-		"aggregateFunction": "average",
-		"showID": false,
-		"showName": true,
-		"showAggregateScores": false,
-		"countUnscored": false,
-		"expandedSubtechniques": "none"
-	},
-	"hideDisabled": false,
-	"techniques": [
-		{
-			"techniqueID": "T1197",
-			"tactic": "defense-evasion",
-			"score": 100,
-			"color": "",
-			"comment": "",
-			"enabled": true,
-			"metadata": [],
-			"links": [],
-			"showSubtechniques": false
-		}
-	],
-	"gradient": {
-		"colors": [
-			"#ffffff00",
-			"#66b1ffff"
-		],
-		"minValue": 0,
-		"maxValue": 100
-	},
-	"legendItems": [],
-	"metadata": [],
-	"links": [],
-	"showTacticRowBackground": false,
-	"tacticRowBackground": "#dddddd",
-	"selectTechniquesAcrossTactics": true,
-	"selectSubtechniquesWithParent": false,
-	"selectVisibleTechniques": false
-}

salt/nginx/files/navigator_config.json

@@ -1,10 +1,12 @@
 {%- set URL_BASE = salt['pillar.get']('global:url_base', '') %}
 
 {
+    "collection_index_url": "https://raw.githubusercontent.com/mitre-attack/attack-stix-data/master/index.json",
+
     "versions": [
         {
-            "name": "ATT&CK v14",
-            "version": "14",
+            "name": "ATT&CK v16",
+            "version": "16",
             "domains": [
                 {   
                     "name": "Enterprise",
@@ -15,19 +17,34 @@
         }
     ],
 
-    "custom_context_menu_items": [ {"label": "view related plays","url": "  https://{{URL_BASE}}/playbook/projects/detection-playbooks/issues?utf8=%E2%9C%93&set_filter=1&sort=id%3Adesc&f%5B%5D=cf_15&op%5Bcf_15%5D=%3D&f%5B%5D=&c%5B%5D=status&c%5B%5D=cf_10&c%5B%5D=cf_13&c%5B%5D=cf_18&c%5B%5D=cf_19&c%5B%5D=cf_1&c%5B%5D=updated_on&v%5Bcf_15%5D%5B%5D=~Technique_ID~"}],
+    "custom_context_menu_items": [ 
+        {"label": "View related Detections","url": "  https://{{URL_BASE}}/#/detections?q=*{{ "{{technique_attackID}}" }}*+|+groupby+so_detection.language+|+groupby+so_detection.ruleset+so_detection.isEnabled+|+groupby+%22so_detection.category%22&z=America/New_York&el=500&gl=50&rt=0&rtu=hours"},
+        {"label": "View related Alerts","url": "  https://{{URL_BASE}}/#/alerts?q=*{{ "{{technique_attackID}}" }}*+|+groupby+rule.name+event.module*+event.severity_label+rule.uuid&z=America/New_York&el=500&gl=500&rt=15&rtu=days"}
+        ],
 
     "default_layers": {
         "enabled": true,
-        "urls": ["assets/so/nav_layer_playbook.json"]
+        "urls": ["assets/so/navigator_layer_all_detections.json","assets/so/navigator_layer_sigma.json","assets/so/navigator_layer_suricata.json","assets/so/navigator_layer_alerts.json"]
     },
 
     "comment_color": "yellow",
     "link_color": "blue",
     "banner": "",
+    "customize_features": [
+        {"name": "multiselect", "enabled": true, "description": "Disable to remove the multiselect panel from interface."},
+        {"name": "export_render", "enabled": true, "description": "Disable to remove the button to render the current layer."},
+        {"name": "export_excel", "enabled": true, "description": "Disable to remove the button to export the current layer to MS Excel (.xlsx) format."},
+        {"name": "legend", "enabled": true, "description": "Disable to remove the legend panel from the interface."},
+        {"name": "background_color", "enabled": true, "description": "Disable to remove the background color effect on manually assigned colors."},
+        {"name": "non_aggregate_score_color", "enabled": true, "description": "Disable to remove the color effect on non-aggregate scores."},
+        {"name": "aggregate_score_color", "enabled": true, "description": "Disable to remove the color effect on aggregate scores."},
+        {"name": "comment_underline", "enabled": true, "description": "Disable to remove the comment underline effect on techniques."},
+        {"name": "metadata_underline", "enabled": true, "description": "Disable to remove the metadata underline effect on techniques."},
+        {"name": "link_underline", "enabled": true, "description": "Disable to remove the hyperlink underline effect on techniques."}
+    ],
     "features": [
-        {"name": "leave_site_dialog", "enabled": true, "description": "Disable to remove the dialog prompt when leaving site."},
-        {"name": "tabs", "enabled": true, "description": "Disable to remove the ability to open new tabs."},
+        {"name": "leave_site_dialog", "enabled": false, "description": "Disable to remove the dialog prompt when leaving site."},
+        {"name": "tabs", "disabled": true, "description": "Disable to remove the ability to open new tabs."},
         {"name": "selecting_techniques", "enabled": true, "description": "Disable to remove the ability to select techniques."},
         {"name": "header", "enabled": true, "description": "Disable to remove the header containing banner."},
         {"name": "subtechniques", "enabled": true, "description": "Disable to remove all sub-technique features from the interface."},

salt/soc/defaults.yaml

@@ -1502,6 +1502,10 @@ soc:
           integrityCheckFrequencySeconds: 1200
           ignoredSidRanges:
             - '1100000-1101000'
+        navigator:
+          intervalMinutes: 30
+          outputPath: /opt/sensoroni/navigator
+          lookbackDays: 3
       client:
         enableReverseLookup: false
         docsUrl: /docs/

salt/soc/enabled.sls

@@ -34,6 +34,7 @@ so-soc:
       - /opt/so/log/soc/:/opt/sensoroni/logs/:rw
       - /opt/so/conf/soc/soc.json:/opt/sensoroni/sensoroni.json:ro
       - /opt/so/conf/soc/ai_summary_repos:/opt/sensoroni/ai_summary_repos:rw
+      - /opt/so/conf/navigator/layers/:/opt/sensoroni/navigator/:rw
 {% if SOCMERGED.telemetryEnabled and not GLOBALS.airgap %}
       - /opt/so/conf/soc/analytics.js:/opt/sensoroni/html/js/analytics.js:ro
 {% endif %}

salt/soc/soc_soc.yaml

@@ -419,6 +419,15 @@ soc:
             advanced: True
             forcedType: "[]string"
             helpLink: detections.html#rule-engine-status
+        navigator:
+          intervalMinutes:
+            description: How often to generate the Navigator Layers. (minutes)
+            global: True
+            helpLink: navigator.html
+          lookbackDays:
+            description: How far back to search for ATT&CK-tagged alerts. (days)
+            global: True
+            helpLink: navigator.html
       client:
         enableReverseLookup:
           description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI.