From 7122709bbf9dd99c70a555f3e0bae93ba6d252ba Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 1 May 2024 12:25:34 -0400
Subject: [PATCH 1/2] set Sigma rules based on role if defined and default if not
---
 salt/soc/defaults.yaml | 13 ++++++++++---
 salt/soc/merged.map.jinja | 8 +++++---
 2 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 9be17bcca..b66ae3bbe 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1257,9 +1257,16 @@ soc:
 allowRegex: ''
 autoUpdateEnabled: true
 autoEnabledSigmaRules:
- - core+critical
- - securityonion-resources+critical
- - securityonion-resources+high
+ default:
+ - core+critical
+ - securityonion-resources+critical
+ - securityonion-resources+high
+ so-eval:
+ - securityonion-resources+critical
+ - securityonion-resources+high
+ so-import:
+ - securityonion-resources+critical
+ - securityonion-resources+high
 communityRulesImportFrequencySeconds: 28800
 denyRegex: ''
 elastAlertRulesFolder: /opt/sensoroni/elastalert
diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja
index ae68dc01f..222566dba 100644
--- a/salt/soc/merged.map.jinja
+++ b/salt/soc/merged.map.jinja
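Review bot: The new `so-eval` and `so-import` entries enable `securityonion-resources+critical` and `securityonion-resources+high`, whereas the branch this series removes from merged.map.jinja set `autoEnabledSigmaRules` to `[]` for exactly those two roles, so Eval and Import installs go from auto-enabling nothing to auto-enabling two rulesets on first import. If that posture change is intended, the commit message and the file should say so; if the intent was only to keep `core+critical` off those roles, the lists are right but the change still deserves a note. A comment above `default:` would also help the next reader of this mapping: `# keyed by node role; a role with no entry below uses default`.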
@@ -30,9 +30,11 @@
 {# since cases is not a valid soc config item and only used for the map files, remove it from being placed in the config #}
 {% do SOCMERGED.config.server.modules.pop('cases') %}
-{# do not automatically enable Sigma rules if install is Eval or Import #}
-{% if grains['role'] in ['so-eval', 'so-import'] %}
- {% do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': []}) %}
+{# set Sigma rules based on role if defined and default if not #}
+{% if GLOBALS.role in SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules %}
+{% do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules[GLOBALS.role]}) %}
+{% else %}
+{% do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules.default}) %}
 {% endif %}
 {# remove these modules if detections is disabled #}
From 47ba4c0f57b7f8a0ea756cb680b883fbc8d05317 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 1 May 2024 12:55:29 -0400
Subject: [PATCH 2/2] add new annotation for soc autoEnabledSigmaRules
---
 salt/soc/soc_soc.yaml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 2001fb0c1..4b88a5f84 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
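Review bot: The added `if`/`else` assumes `autoEnabledSigmaRules` is a mapping that contains a `default` key, but nothing in the hunk checks either: a pillar override still written in the pre-change list form turns `GLOBALS.role in …` into a membership test against rule names and then takes `.default` on a list, which fails the render (or yields an undefined value, depending on how the renderer treats undefined attributes) instead of falling back sanely. A `is mapping` guard with `.get()` lookups keeps the role-based selection, leaves a legacy list untouched, and fails closed to `[]` when `default` is absent; binding the long `SOCMERGED.config.server.modules.elastalertengine` path to a local name also makes the two update lines readable. The removed branch keyed on `grains['role']` while the new one reads `GLOBALS.role`, which presumably resolves to the same value through the imports above this hunk — worth confirming.
```jinja
{# set Sigma rules based on role if defined and default if not #}
{% set elastalertengine = SOCMERGED.config.server.modules.elastalertengine %}
{% if elastalertengine.autoEnabledSigmaRules is mapping %}
{%   set roleSigmaRules = elastalertengine.autoEnabledSigmaRules.get(GLOBALS.role, elastalertengine.autoEnabledSigmaRules.get('default', [])) %}
{%   do elastalertengine.update({'autoEnabledSigmaRules': roleSigmaRules}) %}
{% endif %}
```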
@@ -89,10 +89,13 @@ soc:
 advanced: True
 helpLink: sigma.html
 autoEnabledSigmaRules:
- description: 'Sigma rules to automatically enable on initial import. Format is $Ruleset+$Level - for example, for the core community ruleset and critical level rules: core+critical'
- global: True
- advanced: True
- helpLink: sigma.html
+ default: &autoEnabledSigmaRules
+ description: 'Sigma rules to automatically enable on initial import. Format is $Ruleset+$Level - for example, for the core community ruleset and critical level rules: core+critical. These will be applied based on role if defined and default if not.'
+ global: True
+ advanced: True
+ helpLink: sigma.html
+ so-eval: *autoEnabledSigmaRules
+ so-import: *autoEnabledSigmaRules
 denyRegex:
 description: 'Regex used to filter imported Sigma rules. Deny regex takes precedence over the Allow regex setting.'
 global: True
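Review bot: The aliased `so-eval` and `so-import` annotations reuse the `default` description verbatim, so the settings UI will present three settings with identical help text and no indication of which install role each list governs or that a role-specific list replaces `default` rather than extending it. Give the two role entries their own short description stating that the list applies only when the node's role is so-eval or so-import and overrides `default`, keeping `global`, `advanced` and `helpLink` as they are; the `&autoEnabledSigmaRules` anchor is then unnecessary. Style: the new `default` description is a single very long single-quoted line; a `>-` folded scalar keeps the same value within the line-length limit.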