CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-07 01:32:47 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #12906 from Security-Onion-Solutions/det_easr

Browse Source 
Apply autoEnabledSigmaRules based on role if defined and default if not
This commit is contained in:
Josh Patterson
2024-05-01 13:05:36 -04:00
committed by GitHub
parent 854799fabb 47ba4c0f57
commit 72b2503b49
3 changed files with 22 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
salt/soc/defaults.yaml
View File

@@ -1257,9 +1257,16 @@ soc:
allowRegex: '' allowRegex: ''
autoUpdateEnabled: true autoUpdateEnabled: true
autoEnabledSigmaRules: autoEnabledSigmaRules:
- core+critical default:
- securityonion-resources+critical - core+critical
- securityonion-resources+high - securityonion-resources+critical
- securityonion-resources+high
so-eval:
- securityonion-resources+critical
- securityonion-resources+high
so-import:
- securityonion-resources+critical
- securityonion-resources+high
communityRulesImportFrequencySeconds: 28800 communityRulesImportFrequencySeconds: 28800
denyRegex: '' denyRegex: ''
elastAlertRulesFolder: /opt/sensoroni/elastalert elastAlertRulesFolder: /opt/sensoroni/elastalert

8
salt/soc/merged.map.jinja
View File

@@ -30,9 +30,11 @@
{# since cases is not a valid soc config item and only used for the map files, remove it from being placed in the config #} {# since cases is not a valid soc config item and only used for the map files, remove it from being placed in the config #}
{% do SOCMERGED.config.server.modules.pop('cases') %} {% do SOCMERGED.config.server.modules.pop('cases') %}
{# do not automatically enable Sigma rules if install is Eval or Import #} {# set Sigma rules based on role if defined and default if not #}
{% if grains['role'] in ['so-eval', 'so-import'] %} {% if GLOBALS.role in SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules %}
{% do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': []}) %} {% do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules[GLOBALS.role]}) %}
{% else %}
{% do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules.default}) %}
{% endif %} {% endif %}
{# remove these modules if detections is disabled #} {# remove these modules if detections is disabled #}

11
salt/soc/soc_soc.yaml
View File

@@ -89,10 +89,13 @@ soc:
advanced: True advanced: True
helpLink: sigma.html helpLink: sigma.html
autoEnabledSigmaRules: autoEnabledSigmaRules:
description: 'Sigma rules to automatically enable on initial import. Format is $Ruleset+$Level - for example, for the core community ruleset and critical level rules: core+critical' default: &autoEnabledSigmaRules
global: True description: 'Sigma rules to automatically enable on initial import. Format is $Ruleset+$Level - for example, for the core community ruleset and critical level rules: core+critical. These will be applied based on role if defined and default if not.'
advanced: True global: True
helpLink: sigma.html advanced: True
helpLink: sigma.html
so-eval: *autoEnabledSigmaRules
so-import: *autoEnabledSigmaRules
denyRegex: denyRegex:
description: 'Regex used to filter imported Sigma rules. Deny regex takes precedence over the Allow regex setting.' description: 'Regex used to filter imported Sigma rules. Deny regex takes precedence over the Allow regex setting.'
global: True global: True