diff --git a/salt/bpf/soc_bpf.yaml b/salt/bpf/soc_bpf.yaml index 62395830f..86e4c0ee8 100644 --- a/salt/bpf/soc_bpf.yaml +++ b/salt/bpf/soc_bpf.yaml @@ -1,7 +1,10 @@ bpf: pcap: description: List of BPF filters to apply to PCAP. + helpLink: bpf.html suricata: description: List of BPF filters to apply to Suricata. + helpLink: bpf.html zeek: description: List of BPF filters to apply to Zeek. + helpLink: bpf.html diff --git a/salt/elastalert/soc_elastalert.yaml b/salt/elastalert/soc_elastalert.yaml index 5d9e386e8..0e1d15c5a 100644 --- a/salt/elastalert/soc_elastalert.yaml +++ b/salt/elastalert/soc_elastalert.yaml @@ -3,32 +3,41 @@ elastalert: disable_rules_on_error: description: Disable rules on failure. global: True + helpLink: elastalert.html run_every: minutes: description: Amount of time in minutes between searches. global: True + helpLink: elastalert.html buffer_time: minutes: description: Amount of time in minutes to look through. global: True + helpLink: elastalert.html old_query_limit: minutes: description: Amount of time in minutes between queries to start at the most recently run query. global: True + helpLink: elastalert.html es_conn_timeout: description: Timeout in seconds for connecting to and reading from Elasticsearch. global: True + helpLink: elastalert.html max_query_size: description: The maximum number of documents that will be downloaded from Elasticsearch in a single query. global: True + helpLink: elastalert.html alert_time_limit: days: description: The retry window for failed alerts. global: True + helpLink: elastalert.html index_settings: shards: description: The amount of shards to use for elastalert. global: True + helpLink: elastalert.html replicas: description: The amount of replicas for the Elastalert index. global: True + helpLink: elastalert.html diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 0e8faf4a2..d82c4adfa 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml 
+++ b/salt/elasticsearch/soc_elasticsearch.yaml 
@@ -5,43 +5,54 @@ elasticsearch: description: The name of the Security Onion Elasticsearch cluster, for identification purposes. readonly: True global: True + helpLink: elasticsearch.html routing: allocation: disk: threshold_enabled: description: Specifies whether the Elasticsearch node will monitor the available disk space for low disk space conditions and take action to protect the cluster. + helpLink: elasticsearch.html watermark: low: description: The lower percentage of used disk space representing a healthy node. + helpLink: elasticsearch.html high: description: The higher percentage of used disk space representing an unhealthy node. + helpLink: elasticsearch.html flood_stage: description: The max percentage of used disk space that will cause the node to take protective actions, such as blocking incoming events. + helpLink: elasticsearch.html script: max_compilations_rate: description: Max rate of script compilations permitted in the Elasticsearch cluster. Larger values will consume more resources. global: True + helpLink: elasticsearch.html indices: query: bool: max_clause_count: description: Max number of boolean clauses per query. global: True + helpLink: elasticsearch.html index_settings: so-aws: &indexSettings warm: description: Age (in days) of this index before it will move to warm storage, if warm nodes are present. Once moved, events on this index can take longer to fetch. global: True + helpLink: elasticsearch.html close: description: Age (in days) of this index before it will be closed. Once closed, events on this index cannot be retrieved without first re-opening the index. global: True + helpLink: elasticsearch.html delete: description: Age (in days) of this index before it will be deleted. Once deleted, events are permanently unrecoverable. global: True + helpLink: elasticsearch.html index_sorting: description: Sorts the index by event time, at the cost of additional processing resource consumption. 
global: True + helpLink: elasticsearch.html index_template: template: settings: @@ -51,15 +62,19 @@ elasticsearch: limit: description: Max number of fields that can exist on a single index. Larger values will consume more resources. global: True + helpLink: elasticsearch.html refresh_interval: description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation. global: True + helpLink: elasticsearch.html number_of_shards: description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs. global: True + helpLink: elasticsearch.html number_of_replicas: description: Number of replicas required for this index. Multiple replicas protects against data loss, while also increasing storage costs. global: True + helpLink: elasticsearch.html so-azure: *indexSettings so-barracuda: *indexSettings so-beats: *indexSettings diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml index 39e8b7354..e630736b3 100644 --- a/salt/firewall/soc_firewall.yaml +++ b/salt/firewall/soc_firewall.yaml 
@@ -5,54 +5,64 @@ firewall: file: True global: True title: Analyst Workstation + helpLink: firewall.html#host-groups analyst: description: List of IP Addresses or CIDR blocks to allow analyst connections. file: True global: True title: Analyst + helpLink: firewall.html#host-groups standalone: description: List of IP Addresses or CIDR blocks to allow standalone connections. file: True global: True title: Standalone advanced: True + helpLink: firewall.html#host-groups eval: description: List of IP Addresses or CIDR blocks to allow eval connections. file: True global: True title: Eval advanced: True + helpLink: firewall.html#host-groups idh: description: List of IP Addresses or CIDR blocks to allow idh connections. file: True global: True title: IDHNode + helpLink: firewall.html#host-groups manager: description: List of IP Addresses or CIDR blocks to allow manager connections. file: True global: True title: Manager advanced: True + helpLink: firewall.html#host-groups heavynodes: description: List of IP Addresses or CIDR blocks to allow heavynode connections. file: True global: True title: HeavyNode + helpLink: firewall.html#host-groups searchnodes: description: List of IP Addresses or CIDR blocks to allow searchnode connections. file: True global: True title: SearchNode + helpLink: firewall.html#host-groups sensors: description: List of IP Addresses or CIDR blocks to allow Sensor connections. file: True global: True title: Sensor + helpLink: firewall.html#host-groups receivers: description: List of IP Addresses or CIDR blocks to allow receiver connections. file: True global: True title: Receiver + helpLink: firewall.html#host-groups portgroups: portgroups__yaml: description: Port Groups @@ -61,6 +71,7 @@ firewall: advanced: True title: Port Groups syntax: yaml + helpLink: firewall.html#function ports: ports__yaml: description: Ports in YAML. 
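Review bot: The anchor on the new `helpLink: firewall.html#function` line under `portgroups__yaml` does not match the setting it annotates, while `ports__yaml` in the next hunk (`@@ -68,4 +79,5 @@`) receives `helpLink: firewall.html#port-groups`; the two anchors look swapped. If the docs page has a port-groups section, `portgroups__yaml` should presumably point at `firewall.html#port-groups` and `ports__yaml` at whichever anchor documents the ports list, but confirm the published anchor names before changing either line. The host-group settings in the first hunk consistently use `firewall.html#host-groups`, so the inconsistency appears limited to these two settings.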
@@ -68,4 +79,5 @@ firewall: global: True advanced: True title: Ports - syntax: yaml \ No newline at end of file + syntax: yaml + helpLink: firewall.html#port-groups diff --git a/salt/grafana/soc_grafana.yaml b/salt/grafana/soc_grafana.yaml index f9c291a74..5789f6c81 100644 --- a/salt/grafana/soc_grafana.yaml +++ b/salt/grafana/soc_grafana.yaml @@ -4,35 +4,46 @@ grafana: enabled: description: Enable the sending of emails from Grafana. global: True + helpLink: grafana.html host: description: Hostname of the SMTP server. global: True + helpLink: grafana.html user: description: User used to authenticate SMTP. global: True + helpLink: grafana.html password: description: Password used to authenticate SMTP. global: True sensitive: True + helpLink: grafana.html cert_file: description: Location of cert file for SMTP. global: True + helpLink: grafana.html key_file: description: Location of key file for SMTP. global: True + helpLink: grafana.html skip_verify: description: Verify SSL certificates. global: True + helpLink: grafana.html from_address: description: The email address you would like in the from field. global: True + helpLink: grafana.html from_name: description: The name displayed for the from email address. global: True + helpLink: grafana.html ehlo_identity: description: Used with servers with SMTP service extensions. global: True + helpLink: grafana.html enterprise: license_path: description: Path to enterprise license key. global: True + helpLink: grafana.html diff --git a/salt/idstools/soc_idstools.yaml b/salt/idstools/soc_idstools.yaml index 9f1867bb7..383f6b42d 100644 --- a/salt/idstools/soc_idstools.yaml +++ b/salt/idstools/soc_idstools.yaml 
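Review bot: The new `helpLink: grafana.html` under `skip_verify` sits beside a description, `Verify SSL certificates.`, that reads as the inverse of the key's name: Grafana's SMTP `skip_verify` option disables certificate verification when enabled, so the current text may lead an operator to set it the wrong way. Since this commit is the documentation pass over this block, suggest `description: Skip verification of the SMTP server's TLS certificate. Leave disabled unless the server uses a certificate the node does not trust.` The wording likely mirrors Grafana's own terse option comment, so confirm the semantics against Grafana's SMTP settings documentation before changing it.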
@@ -3,22 +3,28 @@ idstools: oinkcode: description: Enter your registration code for paid rulesets. global: True + helpLink: managing-alerts.html ruleset: description: Define the ruleset you want to run. Options are ETOPEN or ETPRO. global: True + helpLink: managing-alerts.html urls: description: This is a list of additional rule download locations. global: True + helpLink: managing-alerts.html sids: disabled: description: List of disables SIDS. global: True + helpLink: managing-alerts.html enabled: description: List of SIDS that are disabled by the rule source that you want to enable. global: True + helpLink: managing-alerts.html modify: description: List of SIDS that are modified. global: True + helpLink: managing-alerts.html rules: local__rules: description: This is where custom Suricata rules are entered. @@ -26,15 +32,18 @@ idstools: global: True advanced: True title: Local Rules + helpLink: managing-alerts.html filters__rules: description: You can set custom filters for Suricata when using it for meta data creation. file: True global: True advanced: True title: Filter Rules + helpLink: managing-alerts.html extraction__rules: description: This is a list of mime types for file extraction when Suricata is used for meta data creation. file: True global: True advanced: True - title: Extraction Rules \ No newline at end of file + title: Extraction Rules + helpLink: managing-alerts.html \ No newline at end of file diff --git a/salt/influxdb/soc_influxdb.yaml b/salt/influxdb/soc_influxdb.yaml index 8e52e9b02..8bcd4b97a 100644 --- a/salt/influxdb/soc_influxdb.yaml +++ b/salt/influxdb/soc_influxdb.yaml 
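Review bot: The `oinkcode` setting gains a `helpLink` in this hunk but carries no `sensitive: True`, although the grafana `password` setting annotated by this same commit sits in a block marked `sensitive: True`; a paid-ruleset registration code is a credential and presumably warrants the same flag, `sensitive: True`. The same applies to `ssl__key` in the `soc_nginx.yaml` hunk, where a pasted private key is marked only `advanced: True` and `global: True`. How `sensitive` is consumed is not visible in this diff, so confirm that it masks or redacts the stored value in the UI and in exports before relying on it for these two settings.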
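Review bot: The new `helpLink: managing-alerts.html` line becomes the last line of the file, yet the `\ No newline at end of file` marker remains on the new side, whereas the `soc_firewall.yaml` hunk in this same commit terminates its final line properly. The same pattern recurs in the `soc_influxdb.yaml`, `soc_nginx.yaml`, `soc_soc.yaml` and `soc_suricata.yaml` hunks. Adding the trailing newline consistently keeps future diffs to these files from re-touching the last line every time a key is appended.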
@@ -3,14 +3,24 @@ influxdb: so_short_term: duration: description: Amount of time to keep short term data. + global: True + helpLink: grafana.html#data shard_duration: description: Time range + global: True + helpLink: grafana.html#data so_long_term: duration: description: Amount of time to keep long term downsampled data. + global: True + helpLink: grafana.html#data shard_duration: description: Amount of the time range covered by the shard group. + global: True + helpLink: grafana.html#data downsample: so_long_term: resolution: - description: Amount of time to turn into a single data point. \ No newline at end of file + description: Amount of time to turn into a single data point. + global: True + helpLink: grafana.html#data \ No newline at end of file diff --git a/salt/kibana/soc_kibana.yaml b/salt/kibana/soc_kibana.yaml index dd0e87734..fe6c9525c 100644 --- a/salt/kibana/soc_kibana.yaml +++ b/salt/kibana/soc_kibana.yaml @@ -3,3 +3,5 @@ kibana: elasticsearch: requestTimeout: description: Request timeout length. + global: True + helpLink: kibana.html diff --git a/salt/nginx/soc_nginx.yaml b/salt/nginx/soc_nginx.yaml index d5811654e..54b57c22a 100644 --- a/salt/nginx/soc_nginx.yaml +++ b/salt/nginx/soc_nginx.yaml @@ -5,15 +5,18 @@ nginx: global: True advanced: True title: Replace Default Cert + helpLink: nginx.html ssl__key: description: Paste your .key file here file: True title: SSL Key File advanced: True global: True + helpLink: nginx.html ssl__crt: description: Paste your .crt file here file: True title: SSL Cert File advanced: True - global: True \ No newline at end of file + global: True + helpLink: nginx.html \ No newline at end of file diff --git a/salt/ntp/soc_ntp.yaml b/salt/ntp/soc_ntp.yaml index 01484d714..1b75099a1 100644 --- a/salt/ntp/soc_ntp.yaml +++ b/salt/ntp/soc_ntp.yaml @@ -3,3 +3,4 @@ ntp: servers: description: NTP Server List title: NTP Servers + helpLink: ntp.html 
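Review bot: Beyond the `helpLink` lines, this hunk adds `global: True` to all five retention and downsample settings, which changes how those settings are scoped rather than merely documenting them; what `global` controls is not visible in this diff, but it is a behavioural change bundled into what otherwise looks like a documentation commit. The `soc_kibana.yaml` hunk does the same for `requestTimeout`, and the `soc_pcap.yaml` hunk newly marks `pin_to_cpu` and `cpus_to_pin_to` as `advanced: True`. If these are intentional they deserve a mention in the commit message, which is not shown here, so a reader does not take this for a metadata-only change; if not, they belong in a separate commit. Separately, the `shard_duration` description under `so_short_term`, `Time range`, is far terser than its `so_long_term` counterpart; `description: Amount of the time range covered by the shard group.` would make the two consistent.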
diff --git a/salt/pcap/soc_pcap.yaml b/salt/pcap/soc_pcap.yaml index 321e93713..e25b1253b 100644 --- a/salt/pcap/soc_pcap.yaml +++ b/salt/pcap/soc_pcap.yaml @@ -1,24 +1,35 @@ pcap: enabled: description: Enable or Disable Stenographer on all sensors or a single sensor + helpLink: pcap.html config: maxdirectoryfiles: description: The maximum number of packet/index files to create before deleting old files. The default is about 8 days regardless of free space. + helpLink: pcap.html diskfreepercentage: description: The disk space percent to always keep free for pcap + helpLink: pcap.html blocks: description: The number of 1MB packet blocks used by AF_PACKET to store packets in memory, per thread. You shouldn't need to change this. advanced: True + helpLink: pcap.html preallocate_file_mb: description: File size to pre-allocate for individual pcap files. You shouldn't need to change this. advanced: True + helpLink: pcap.html aiops: description: The max number of async writes to allow at once. advanced: True + helpLink: pcap.html pin_to_cpu: description: Enable CPU pinning for PCAP. + advanced: True + helpLink: pcap.html cpus_to_pin_to: description: CPU to pin PCAP to. Currently only a single CPU is supported + advanced: True + helpLink: pcap.html disks: description: List of disks to use for PCAP. This is currently not used. advanced: True + helpLink: pcap.html diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index f16f5da87..848fa7091 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
@@ -7,21 +7,25 @@ soc: file: True global: True syntax: md + helpLink: soc.html motd__md: title: Overview Page description: Customize the overview page with specific markdown-formatted content. Images can be used but must be hosted from another host that is accessible by the users' browser. file: True global: True syntax: md + helpLink: soc.html custom__js: title: Custom Javascript description: Customize SOC UI behavior with custom Javascript code. Custom Javascript not provided by Security Onion Solutions is unsupported, and should be removed prior to requesting support and prior to performing upgrades. file: True global: True advanced: True + helpLink: soc.html custom_roles: title: Custom Roles description: Customize role and permission mappings. Changes to this setting requires a complete understanding of the SOC RBAC system. file: True global: True - advanced: True \ No newline at end of file + advanced: True + helpLink: soc.html \ No newline at end of file diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml index 251de8663..6eae3b37d 100644 --- a/salt/suricata/soc_suricata.yaml +++ b/salt/suricata/soc_suricata.yaml 
@@ -5,125 +5,179 @@ suricata: file: True syntax: yaml title: SIDS + helpLink: suricata.html config: vars: address-groups: HOME_NET: description: List of hosts or netowrks. + helpLink: suricata.html EXTERNAL_NET: description: List of hosts or netowrks. + helpLink: suricata.html HTTP_SERVERS: description: List of hosts or netowrks. + helpLink: suricata.html SMTP_SERVERS: description: List of hosts or netowrks. + helpLink: suricata.html SQL_SERVERS: description: List of hosts or netowrks. + helpLink: suricata.html DNS_SERVERS: description: List of hosts or netowrks. + helpLink: suricata.html TELNET_SERVERS: description: List of hosts or netowrks. + helpLink: suricata.html AIM_SERVERS: description: List of hosts or netowrks. + helpLink: suricata.html DC_SERVERS: description: List of hosts or netowrks. + helpLink: suricata.html DNP3_SERVER: description: List of hosts or netowrks. + helpLink: suricata.html DNP3_CLIENT: description: List of hosts or netowrks. + helpLink: suricata.html MODBUS_CLIENT: description: List of hosts or netowrks. + helpLink: suricata.html MODBUS_SERVER: description: List of hosts or netowrks. + helpLink: suricata.html ENIP_CLIENT: description: List of hosts or netowrks. + helpLink: suricata.html ENIP_SERVER: description: List of hosts or netowrks. + helpLink: suricata.html port-groups: HTTP_PORTS: description: List of HTTP ports to look for HTTP traffic on. + helpLink: suricata.html SHELLCODE_PORTS: description: List of SHELLCODE ports to look for SHELLCODE traffic on. + helpLink: suricata.html ORACLE_PORTS: description: List of ORACLE ports to look for ORACLE traffic on. + helpLink: suricata.html SSH_PORTS: description: List of SSH ports to look for SSH traffic on. + helpLink: suricata.html DNP3_PORTS: description: List of DNP3 ports to look for DNP3 traffic on. + helpLink: suricata.html MODBUS_PORTS: description: List of MODBUS ports to look for MODBUS traffic on. 
+ helpLink: suricata.html FILE_DATA_PORTS: description: List of FILE_DATA ports to look for FILE_DATA traffic on. + helpLink: suricata.html FTP_PORTS: description: List of FTP ports to look for FTP traffic on. + helpLink: suricata.html VXLAN_PORTS: description: List of VXLAN ports to look for VXLAN traffic on. + helpLink: suricata.html TEREDO_PORTS: description: List of TEREDO ports to look for TEREDO traffic on. + helpLink: suricata.html outputs: eve-log: xff: enabled: description: Enable X-Forward-For support. + helpLink: suricata.html mode: description: Operation mode. This should always be extra-data if you use PCAP. + helpLink: suricata.html deployment: description: forward would use the first IP address and reverse would use the last. + helpLink: suricata.html header: description: Header name where the actual IP address will be reported. + helpLink: suricata.html asn1-max-frames: description: Maximum nuber of asn1 frames to decode. + helpLink: suricata.html max-pending-packets: description: Number of packets preallocated per thread. + helpLink: suricata.html default-packet-size: description: Preallocated size for each packet. + helpLink: suricata.html pcre: match-limit: description: Match limit for PCRE. + helpLink: suricata.html match-limit-recursion: description: Recursion limit for PCRE. + helpLink: suricata.html defrag: memcap: description: Max memory to use for defrag. You should only change this if you know what you are doing. + helpLink: suricata.html hash-size: description: Hash size + helpLink: suricata.html trackers: description: Number of defragmented flows to follow. + helpLink: suricata.html max-frags: description: Max number of fragments to keep + helpLink: suricata.html prealloc: description: Preallocate memory. + helpLink: suricata.html timeout: description: Timeout value. + helpLink: suricata.html flow: memcap: description: Reserverd memory for flows. 
+ helpLink: suricata.html hash-size: description: Determines the size of the hash used to identify flows inside the engine. + helpLink: suricata.html prealloc: description: Number of preallocated flows. + helpLink: suricata.html stream: memcap: description: Can be specified in kb,mb,gb. + helpLink: suricata.html checksum-validation: description: Validate checksum of packets. + helpLink: suricata.html reassembly: memcap: description: Can be specified in kb,mb,gb. + helpLink: suricata.html host: hash-size: description: Hash size in bytes. + helpLink: suricata.html prealloc: description: How many streams to preallocate. + helpLink: suricata.html memcap: description: Memory settings for host. + helpLink: suricata.html decoder: teredo: enabled: description: Enable TEREDO capabilities + helpLink: suricata.html ports: description: Ports to listen for. This should be a variable. + helpLink: suricata.html vxlan: enabled: description: Enable VXLAN capabilities. + helpLink: suricata.html ports: - description: Ports to listen for. This should be a variable. \ No newline at end of file + description: Ports to listen for. This should be a variable. + helpLink: suricata.html \ No newline at end of file
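Review bot: Several descriptions that now sit directly above new `helpLink` lines carry spelling errors: `netowrks` in every `address-groups` entry, `nuber` under `asn1-max-frames`, and `Reserverd` under `flow.memcap`. Since this commit is the documentation pass over these settings, correcting them here, `List of hosts or networks.`, `Maximum number of asn1 frames to decode.`, `Reserved memory for flows.`, avoids touching the same lines again later. The fifteen address-group entries also share one identical description, so an operator reading the UI gets no hint of what distinguishes, for example, `HOME_NET` from `EXTERNAL_NET`; a short per-variable phrase would be more useful than the repeated generic text. The enclosing `suricata:` mapping begins before this hunk.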