Update rule templates

DefensiveDepth
2024-06-14 15:47:57 -04:00
parent af11879545
commit 7556587e35


@@ -2256,34 +2256,58 @@ soc:
major: high
templateDetections:
suricata: |
alert tcp any any <> any any (msg:""; sid:[publicId];)
# This is a Suricata rule template. Replace all template values with your own values.
# The rule identifier (sid) is pregenerated and known to be unique for this Security Onion installation.
# Docs: https://docs.suricata.io/en/latest/rules/intro.html
# Delete these comments before attempting to "Create" the rule
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Example Rule Title - 'example' String Detected"; content:"example"; sid:[publicId]; rev:1;)
strelka: |
rule {
/*
This is a YARA rule template. Replace all template values with your own values.
The YARA rule name is the unique identifier for the rule.
Docs: https://yara.readthedocs.io/en/stable/writingrules.html#writing-yara-rules
*/
rule Example // This identifier _must_ be unique
{
meta:
description = "";
description="Generic YARA Rule"
author = "@SecurityOnion"
date = "YYYY-MM-DD"
reference = "https://local.invalid"
strings:
$x = "string";
$my_text_string = "text here"
$my_hex_string = { E2 34 A1 C8 23 FB }
condition:
all of them;
filesize < 3MB and ($my_text_string or $my_hex_string)
}
elastalert: |
title:
# This is a Sigma rule template, which uses YAML. Replace all template values with your own values.
# The id (UUIDv4) is pregenerated and can safely be used.
# Click "Convert" to convert the Sigma rule to use Security Onion field mappings within an EQL query
#
# Rule Creation Guide: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide
# Logsources: https://sigmahq.io/docs/basics/log-sources.html
title: 'A Short Capitalised Title With Less Than 50 Characters'
id: [publicId]
status:
description:
status: 'experimental'
description: |
This should be a detailed description of what this Detection focuses on: what we are trying to find and why we are trying to find it.
references:
-
author:
date:
- 'https://local.invalid'
author: '@SecurityOnion'
date: 'YYYY/MM/DD'
tags:
-
- detection.threat_hunting
- attack.technique_id
logsource:
product:
category:
category: process_creation
product: windows
detection:
selection:
Image: 'whoami.exe'
User: 'backup'
condition: selection
falsepositives:
-
level:
level: 'high' # info | low | medium | high | critical