From 766f4dd661f9483e6a5508252e6a145c58082660 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Mon, 22 May 2023 16:02:08 -0400
Subject: [PATCH] Add Elastic Defend Integration

---
 .../elastic-defend-endpoints.json | 28 +++++++++++++++++++
 .../soctopus/files/templates/generic.template | 10 +++++++
 2 files changed, 38 insertions(+)
 create mode 100644 salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json

diff --git a/salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json b/salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json
new file mode 100644
index 000000000..7d7f5bb35
--- /dev/null
+++ b/salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json
@@ -0,0 +1,28 @@
+{
+ "name": "elastic-defend-endpoints",
+ "namespace": "default",
+ "description": "",
+ "package": {
+ "name": "endpoint",
+ "title": "Elastic Defend",
+ "version": ""
+ },
+ "enabled": true,
+ "policy_id": "endpoints-initial",
+ "vars": {},
+ "inputs": [{
+ "type": "endpoint",
+ "enabled": true,
+ "streams": [],
+ "config": {
+ "integration_config": {
+ "value": {
+ "type": "endpoint",
+ "endpointConfig": {
+ "preset": "DataCollection"
+ }
+ }
+ }
+ }
+ }]
+}
\ No newline at end of file
diff --git a/salt/soctopus/files/templates/generic.template b/salt/soctopus/files/templates/generic.template
index 035d38b24..74b40bef9 100644
--- a/salt/soctopus/files/templates/generic.template
+++ b/salt/soctopus/files/templates/generic.template
@@ -12,3 +12,13 @@ play_url: "https://{{ GLOBALS.url_base }}/playbook/issues/6000"
 kibana_pivot: "https://{{ GLOBALS.url_base }}/kibana/app/kibana#/discover?_g=()&_a=(columns:!(_source),interval:auto,query:(language:lucene,query:'_id:{[_id]}'),sort:!('@timestamp',desc))"
 soc_pivot: "https://{{ GLOBALS.url_base }}/#/hunt"
 sigma_level: ""
+
+index: '.ds-logs-*'
+name: EQL
+priority: 3
+realert:
+ minutes: 0
+type: any
+filter:
+- query:
+ query_string:
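Review bot: `"preset": "DataCollection"` inside `endpointConfig` selects the Elastic Defend policy preset that collects endpoint telemetry without turning on the preventive protections; that may well be the intended baseline for the `endpoints-initial` policy, but nothing in the commit records the choice, and JSON leaves no room for an inline comment, so the commit message or the integrations README should state it and whether a stricter preset is expected to be applied later. `"version": ""` and `"description": ""` are empty strings rather than omitted keys; if the deploying Salt state fills the package version at install time that is fine, but if Fleet consumes this file as-is an empty version would presumably not resolve to a package, which is worth confirming. The new file also ends without a trailing newline (`\ No newline at end of file`), which is worth adding so later diffs stay clean.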
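Review bot: `realert:` with `minutes: 0` disables ElastAlert's re-alert suppression, so every event matching a rule built from this template produces its own alert; together with the `index: '.ds-logs-*'` wildcard over all data-stream backing indices, a broad `query_string` can flood whatever destination the alert is routed to. If that is deliberate for this template, a comment such as `# realert 0: every match alerts; keep the generated query narrow` would record it. The hunk ends with `query_string:` carrying no value, which YAML loads as null; presumably SOCtopus appends the query text when it renders the template, but that should be stated next to it, e.g. `# query_string is filled in by SOCtopus at render time`, so nobody loads the template verbatim and gets a rule with an empty filter.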