Merge pull request #12906 from Security-Onion-Solutions/det_easr

Apply autoEnabledSigmaRules based on role if defined and default if not
2025-12-06 17:22:49 +01:00 · 2024-05-01 13:05:36 -04:00
parent 854799fabb 47ba4c0f57
commit 72b2503b49
3 changed files with 22 additions and 10 deletions
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1257,9 +1257,16 @@ soc:
          allowRegex: ''
          autoUpdateEnabled: true
          autoEnabledSigmaRules:
+            default:
              - core+critical
              - securityonion-resources+critical
              - securityonion-resources+high
+            so-eval:
+              - securityonion-resources+critical
+              - securityonion-resources+high
+            so-import:
+              - securityonion-resources+critical
+              - securityonion-resources+high
          communityRulesImportFrequencySeconds: 28800
          denyRegex: ''
          elastAlertRulesFolder: /opt/sensoroni/elastalert
--- a/salt/soc/merged.map.jinja
+++ b/salt/soc/merged.map.jinja
@@ -30,9 +30,11 @@
 {# since cases is not a valid soc config item and only used for the map files, remove it from being placed in the config #}
 {% do SOCMERGED.config.server.modules.pop('cases') %}

-{# do not automatically enable Sigma rules if install is Eval or Import #}
-{% if grains['role'] in ['so-eval', 'so-import'] %}
-  {%   do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': []}) %}
+{# set Sigma rules based on role if defined and default if not #}
+{% if GLOBALS.role in SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules %}
+{%   do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules[GLOBALS.role]}) %}
+{% else %}
+{%   do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules.default}) %}
 {% endif %}

 {# remove these modules if detections is disabled #}
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -89,10 +89,13 @@ soc:
            advanced: True
            helpLink: sigma.html
          autoEnabledSigmaRules:
-            description: 'Sigma rules to automatically enable on initial import. Format is $Ruleset+$Level - for example, for the core community ruleset and critical level rules: core+critical'
+            default: &autoEnabledSigmaRules
+              description: 'Sigma rules to automatically enable on initial import. Format is $Ruleset+$Level - for example, for the core community ruleset and critical level rules: core+critical. These will be applied based on role if defined and default if not.'
              global: True
              advanced: True
              helpLink: sigma.html
+            so-eval: *autoEnabledSigmaRules
+            so-import: *autoEnabledSigmaRules
          denyRegex:
            description: 'Regex used to filter imported Sigma rules. Deny regex takes precedence over the Allow regex setting.'
            global: True