From 55c5ea5c4cf75f8c73e2762ce6382f0adbe9d120 Mon Sep 17 00:00:00 2001 From: Wes Date: Thu, 30 May 2024 16:58:56 +0000 Subject: [PATCH 1/5] Add template for Suricata alerts --- salt/elasticsearch/defaults.yaml | 111 +++++++++++++++++++++++++++++++ 1 file changed, 111 insertions(+) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index e54d58c3b..6ecdc96a1 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -11088,6 +11088,117 @@ elasticsearch: set_priority: priority: 50 min_age: 30d + so-suricata_x_alerts: + index_sorting: false + index_template: + composed_of: + - agent-mappings + - dtc-agent-mappings + - base-mappings + - dtc-base-mappings + - client-mappings + - dtc-client-mappings + - cloud-mappings + - container-mappings + - data_stream-mappings + - destination-mappings + - dtc-destination-mappings + - pb-override-destination-mappings + - dll-mappings + - dns-mappings + - dtc-dns-mappings + - ecs-mappings + - dtc-ecs-mappings + - error-mappings + - event-mappings + - dtc-event-mappings + - file-mappings + - dtc-file-mappings + - group-mappings + - host-mappings + - dtc-host-mappings + - http-mappings + - dtc-http-mappings + - log-mappings + - network-mappings + - dtc-network-mappings + - observer-mappings + - dtc-observer-mappings + - orchestrator-mappings + - organization-mappings + - package-mappings + - process-mappings + - dtc-process-mappings + - registry-mappings + - related-mappings + - rule-mappings + - dtc-rule-mappings + - server-mappings + - service-mappings + - dtc-service-mappings + - source-mappings + - dtc-source-mappings + - pb-override-source-mappings + - suricata-mappings + - threat-mappings + - tls-mappings + - tracing-mappings + - url-mappings + - user_agent-mappings + - dtc-user_agent-mappings + - vulnerability-mappings + - common-settings + - common-dynamic-mappings + data_stream: {} + index_patterns: + - logs-suricata.alerts-* + priority: 500 + template: + mappings: + date_detection: false + dynamic_templates: + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: string + settings: + index: + lifecycle: + name: so-suricata.alerts-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + number_of_shards: 1 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 1d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d so-syslog: index_sorting: false index_template: From e83135440198e8ed2bb0f79e420e6abd7d73e7be Mon Sep 17 00:00:00 2001 From: Wes Date: Thu, 30 May 2024 17:00:11 +0000 Subject: [PATCH 2/5] Add Suricata alerts setting for configuration --- salt/elasticsearch/soc_elasticsearch.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 000fd60b7..f56ed313e 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -521,6 +521,7 @@ elasticsearch: so-endgame: *indexSettings so-idh: *indexSettings so-suricata: *indexSettings + so-suricata_x_alerts: *indexSettings so-import: *indexSettings so-kratos: *indexSettings so-kismet: *indexSettings From 2c635bce6201859256af9891c4ae76411e8d38de Mon Sep 17 00:00:00 2001 From: Wes Date: Thu, 30 May 2024 17:02:31 +0000 Subject: [PATCH 3/5] Set index for Suricata alerts --- salt/elasticsearch/files/ingest/suricata.alert | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/elasticsearch/files/ingest/suricata.alert b/salt/elasticsearch/files/ingest/suricata.alert index 87d5144ed..68e0a5cb3 100644 --- a/salt/elasticsearch/files/ingest/suricata.alert +++ b/salt/elasticsearch/files/ingest/suricata.alert @@ -1,6 +1,7 @@ { "description" : "suricata.alert", "processors" : [ + { "set": { "field": "_index", "value": "logs-suricata.alerts-so" } }, { "set": { "field": "tags","value": "alert" }}, { "rename":{ "field": "message2.alert", "target_field": "rule", "ignore_failure": true } }, { "rename":{ "field": "rule.signature", "target_field": "rule.name", "ignore_failure": true } }, From 7702f05756cf83830013e41217a756aa87c5876d Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 30 May 2024 15:00:32 -0400 Subject: [PATCH 4/5] upgrade salt 3006.8. soup for 2.4.80 --- salt/manager/tools/sbin/soup | 12 ++++++++++++ salt/salt/master.defaults.yaml | 2 +- salt/salt/minion.defaults.yaml | 2 +- 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 525fce3f6..30f40ee5a 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -358,6 +358,7 @@ preupgrade_changes() { [[ "$INSTALLEDVERSION" == 2.4.40 ]] && up_to_2.4.50 [[ "$INSTALLEDVERSION" == 2.4.50 ]] && up_to_2.4.60 [[ "$INSTALLEDVERSION" == 2.4.60 ]] && up_to_2.4.70 + [[ "$INSTALLEDVERSION" == 2.4.70 ]] && up_to_2.4.80 true } @@ -375,6 +376,7 @@ postupgrade_changes() { [[ "$POSTVERSION" == 2.4.40 ]] && post_to_2.4.50 [[ "$POSTVERSION" == 2.4.50 ]] && post_to_2.4.60 [[ "$POSTVERSION" == 2.4.60 ]] && post_to_2.4.70 + [[ "$POSTVERSION" == 2.4.70 ]] && post_to_2.4.80 true } @@ -448,6 +450,11 @@ post_to_2.4.70() { POSTVERSION=2.4.70 } +post_to_2.4.80() { + echo "Nothing to apply" + POSTVERSION=2.4.80 +} + repo_sync() { echo "Sync the local repo." su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync." @@ -595,6 +602,11 @@ up_to_2.4.70() { INSTALLEDVERSION=2.4.70 } +up_to_2.4.80() { + echo "Nothing to do for 2.4.80" + INSTALLEDVERSION=2.4.80 +} + add_detection_test_pillars() { if [[ -n "$SOUP_INTERNAL_TESTING" ]]; then echo "Adding detection pillar values for automated testing" diff --git a/salt/salt/master.defaults.yaml b/salt/salt/master.defaults.yaml index 19677f70b..24ba29d98 100644 --- a/salt/salt/master.defaults.yaml +++ b/salt/salt/master.defaults.yaml @@ -1,4 +1,4 @@ # version cannot be used elsewhere in this pillar as soup is grepping for it to determine if Salt needs to be patched salt: master: - version: 3006.6 + version: 3006.8 diff --git a/salt/salt/minion.defaults.yaml b/salt/salt/minion.defaults.yaml index 2e4ebc93e..dddd6683b 100644 --- a/salt/salt/minion.defaults.yaml +++ b/salt/salt/minion.defaults.yaml @@ -1,6 +1,6 @@ # version cannot be used elsewhere in this pillar as soup is grepping for it to determine if Salt needs to be patched salt: minion: - version: 3006.6 + version: 3006.8 check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default service_start_delay: 30 # in seconds. From 85c269e69758402cc1976187ca346016b29eac2e Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Thu, 30 May 2024 15:59:03 -0600 Subject: [PATCH 5/5] Added TemplateDetections To Detection ClientParams The UI can now insert templates when you select a Detection language. These are those templates, annotated. --- salt/soc/defaults.yaml | 33 +++++++++++++++++++++++++++++++++ salt/soc/soc_soc.yaml | 13 ++++++++++++- 2 files changed, 45 insertions(+), 1 deletion(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 9f5faf50b..f5628f3c3 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -2253,3 +2253,36 @@ soc: severityTranslations: minor: low major: high + templateDetections: + suricata: | + alert tcp any any <> any any (msg:""; sid:[publicId];) + strelka: | + rule { + meta: + description = ""; + strings: + $x = \"string\"; + condition: + all of them; + } + elastalert: | + title: + id: [publicId] + status: + description: + references: + - + author: + date: + tags: + - + logsource: + product: + category: + detection: + selection: + condition: selection + falsepositives: + - + level: + diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 1f64eb0bc..47d051e4e 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -119,7 +119,7 @@ soc: advanced: True rulesRepos: default: &eerulesRepos - description: "Custom Git repositories to pull Sigma rules from. 'license' field is required, 'folder' is optional. 'community' disables some management options for the imported rules - they can't be deleted or edited, just tuned, duplicated and Enabled | Disabled. The new settings will be applied within 15 minutes. At that point, you will need to wait for the scheduled rule update to take place (by default, every 24 hours), or you can force the update by nagivating to Detections --> Options dropdown menu --> Elastalert --> Full Update." + description: "Custom Git repositories to pull Sigma rules from. 'license' field is required, 'folder' is optional. 'community' disables some management options for the imported rules - they can't be deleted or edited, just tuned, duplicated and Enabled | Disabled. The new settings will be applied within 15 minutes. At that point, you will need to wait for the scheduled rule update to take place (by default, every 24 hours), or you can force the update by nagivating to Detections --> Options dropdown menu --> Elastalert --> Full Update." global: True advanced: True forcedType: "[]{}" @@ -319,6 +319,17 @@ soc: cases: *appSettings dashboards: *appSettings detections: *appSettings + detection: + templateDetections: + suricata: + description: The template used when creating a new Suricata detection. [publicId] will be replaced with an unused Public Id. + multiline: True + strelka: + description: The template used when creating a new Strelka detection. + multiline: True + elastalert: + description: The template used when creating a new ElastAlert detection. [publicId] will be replaced with an unused Public Id. + multiline: True grid: maxUploadSize: description: The maximum number of bytes for an uploaded PCAP import file.