Add Detections SOC Config

2025-12-06 09:12:45 +01:00 · 2024-03-26 07:39:39 -04:00
parent 49fa800b2b
commit 7c4ea8a58e
1 changed files with 74 additions and 8 deletions
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -78,14 +78,38 @@ soc:
        advanced: True
      modules:
        elastalertengine:
-          sigmaRulePackages:
-            description: 'Defines the Sigma Community Ruleset you want to run. One of these (core | core+ | core++ | all ) as well as an optional Add-on (emerging_threats_addon). WARNING! Changing the ruleset will remove all existing Sigma rules of the previous ruleset and their associated overrides. This removal cannot be undone. (future use, not yet complete)'
-            global: True
-            advanced: False
-          autoUpdateEnabled:
-            description: 'Set to true to enable automatic Internet-connected updates of the Sigma Community Ruleset. If this is an Airgap system, this setting will be overridden and set to false. (future use, not yet complete)'
+          allowRegex:
+            description: 'Regex used to filter imported Sigma rules. Deny regex takes precedence over the Allow regex setting.'
            global: True
            advanced: True
+            helpLink: sigma.html
+          denyRegex:
+            description: 'Regex used to filter imported Sigma rules. Deny regex takes precedence over the Allow regex setting.'
+            global: True
+            advanced: True
+            helpLink: sigma.html
+          communityRulesImportFrequencySeconds:
+            description: 'How often to check for new Sigma rules (in seconds). This applies to both Community Rule Packages and any configured Git repos.'
+            global: True
+            advanced: True
+            helpLink: sigma.html
+          rulesRepos:
+            description: 'Custom git repos to pull Sigma rules from. License field is required, folder is optional.'
+            global: True
+            advanced: True
+            multiline: True
+            forcedType: "[]string"
+            helpLink: sigma.html
+          sigmaRulePackages:
+            description: 'Defines the Sigma Community Ruleset you want to run. One of these (core | core+ | core++ | all ) as well as an optional Add-on (emerging_threats_addon). WARNING! Changing the ruleset will remove all existing Sigma rules of the previous ruleset and their associated overrides. This removal cannot be undone.'
+            global: True
+            advanced: False
+            helpLink: sigma.html
+          autoUpdateEnabled:
+            description: 'Set to true to enable automatic Internet-connected updates of the Sigma Community Ruleset. If this is an Airgap system, this setting will be overridden and set to false.'
+            global: True
+            advanced: True
+            helpLink: sigma.html
        elastic:
          index:
            description: Comma-separated list of indices or index patterns (wildcard "*" supported) that SOC will search for records.
@@ -148,10 +172,52 @@ soc:
            global: True
            advanced: True
        strelkaengine:
-          autoUpdateEnabled:
-            description: 'Set to true to enable automatic Internet-connected updates of the Yara rulesets. If this is an Airgap system, this setting will be overridden and set to false. (future use, not yet complete)'
+          allowRegex:
+            description: 'Regex used to filter imported Yara rules. Deny regex takes precedence over the Allow regex setting.'
            global: True
            advanced: True
+            helpLink: yara.html
+          autoUpdateEnabled:
+            description: 'Set to true to enable automatic Internet-connected updates of the Yara rulesets. If this is an Airgap system, this setting will be overridden and set to false.'
+            global: True
+            advanced: True
+          denyRegex:
+            description: 'Regex used to filter imported Yara rules. Deny regex takes precedence over the Allow regex setting.'
+            global: True
+            advanced: True
+            helpLink: yara.html
+          communityRulesImportFrequencySeconds:
+            description: 'How often to check for new Yara rules (in seconds). This applies to both Community Rules and any configured Git repos.'
+            global: True
+            advanced: True
+            helpLink: yara.html
+          rulesRepos:
+            description: 'Custom git repos to pull Sigma rules from. License field is required'
+            global: True
+            advanced: True
+            multiline: True
+            forcedType: "[]string"
+            helpLink: yara.html
+        suricataengine:
+          allowRegex:
+            description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.'
+            global: True
+            advanced: True
+            helpLink: suricata.html
+          autoUpdateEnabled:
+            description: 'Set to true to enable automatic Internet-connected updates of the Suricata rulesets. If this is an Airgap system, this setting will be overridden and set to false.'
+            global: True
+            advanced: True
+          denyRegex:
+            description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.'
+            global: True
+            advanced: True
+            helpLink: suricata.html
+          communityRulesImportFrequencySeconds:
+            description: 'How often to check for new Suricata rules (in seconds).'
+            global: True
+            advanced: True
+            helpLink: suricata.html
      client:
        enableReverseLookup:
          description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI.