Merge pull request #132 from defensivedepth/playbook-tweaks

Playbook - Bulk import

salt/soctopus/files/templates/generic.template

@@ -1,23 +1,6 @@
 {% set es = salt['pillar.get']('static:masterip', '') %}
 {% set hivehost = salt['pillar.get']('static:masterip', '') %}
 {% set hivekey = salt['pillar.get']('static:hivekey', '') %}
-es_host: {{es}}
-es_port: 9200
-name: Alert-Name
-type: frequency
-index: "*:logstash-*"
-num_events: 1
-timeframe:
-    minutes: 10
-buffer_time:
-    minutes: 10
-allow_buffer_time_overlap: true
-
-filter:
-- query:
-   query_string:
-      query: 'select from test'
-
 alert: modules.so.thehive.TheHiveAlerter
 
 hive_connection:
@@ -30,11 +13,11 @@ hive_proxies:
 
 hive_alert_config:
   title: '{rule[name]}'
-  type: 'external'
+  type: 'playbook'
   source: 'SecurityOnion'
-  description: '`Data:` {match[message]}'
+  description: "`Play:` https://{{es}}/playbook/issues/6000 \n\n `View Event:` <https://{{es}}/kibana/app/kibana#/discover?_g=()&_a=(columns:!(_source),interval:auto,query:(language:lucene,query:'_id:{match[_id]}'),sort:!('@timestamp',desc))>  \n\n `Raw Data:` {match[message]}"
   severity: 2
-  tags: ['elastalert', 'SecurityOnion']
+  tags: ['playbook']
   tlp: 3
   status: 'New'
   follow: True

salt/soctopus/files/templates/osquery.template

@@ -1,23 +1,6 @@
 {% set es = salt['pillar.get']('static:masterip', '') %}
 {% set hivehost = salt['pillar.get']('static:masterip', '') %}
 {% set hivekey = salt['pillar.get']('static:hivekey', '') %}
-es_host: {{es}}
-es_port: 9200
-name: Alert-Name
-type: frequency
-index: "*:logstash-*"
-num_events: 1
-timeframe:
-    minutes: 10
-buffer_time:
-    minutes: 10
-allow_buffer_time_overlap: true
-
-filter:
-- query:
-   query_string:
-      query: 'select from test'
-
 alert: modules.so.thehive.TheHiveAlerter
 
 hive_connection:
@@ -28,20 +11,22 @@ hive_proxies:
   http: ''
   https: ''
 
-hive_alert_config:
-  title: '{rule[name]} -- {match[osquery][hostname]} -- {match[osquery][name]}'
-  type: 'external'
-  source: 'SecurityOnion'
-  description: '`Hostname:` __{match[osquery][hostname]}__  `Live Query:`__[Pivot Link](https://{{es}}/fleet/queries/new?host_uuids={match[osquery][LiveQuery]})__ `Pack:`  __{match[osquery][name]}__ `Data:` {match[osquery][columns]}'
-  severity: 2
-  tags: ['elastalert', 'SecurityOnion']
-  tlp: 3
-  status: 'New'
-  follow: True
-  caseTemplate: '5000'
-
 hive_observable_data_mapping:
   - ip: '{match[osquery][EndpointIP1]}'
   - ip: '{match[osquery][EndpointIP2]}'
   - other: '{match[osquery][hostIdentifier]}'
   - other: '{match[osquery][hostname]}'
+
+hive_alert_config:
+  title: '{rule[name]} -- {match[osquery][hostname]} -- {match[osquery][name]}'
+  type: 'osquery'
+  source: 'SecurityOnion'
+  description: "`Play:` https://{{es}}/playbook/issues/6000 \n\n `View Event:` <https://{{es}}/kibana/app/kibana#/discover?_g=()&_a=(columns:!(_source),interval:auto,query:(language:lucene,query:'_id:{match[_id]}'),sort:!('@timestamp',desc))>  \n\n `Hostname:` __{match[osquery][hostname]}__  `Live Query:`__[Pivot Link](https://{{es}}/fleet/queries/new?host_uuids={match[osquery][LiveQuery]})__ `Pack:`  __{match[osquery][name]}__ `Data:` {match[osquery][columns]}"
+  severity: 2
+  tags: ['playbook','osquery']
+  tlp: 3
+  status: 'New'
+  follow: True
+  caseTemplate: '5000'
+  
+