Merge pull request #132 from defensivedepth/playbook-tweaks

Playbook - Bulk import
2025-12-06 09:12:45 +01:00 · 2019-11-13 14:29:14 -05:00
parent 3f1b0bd916 0007af1e12
commit 8cdcfd0a51
3 changed files with 17 additions and 49 deletions
--- a/salt/playbook/files/redmine.db
+++ b/salt/playbook/files/redmine.db
--- a/salt/soctopus/files/templates/generic.template
+++ b/salt/soctopus/files/templates/generic.template
@@ -1,23 +1,6 @@
 {% set es = salt['pillar.get']('static:masterip', '') %}
 {% set hivehost = salt['pillar.get']('static:masterip', '') %}
 {% set hivekey = salt['pillar.get']('static:hivekey', '') %}
-es_host: {{es}}
-es_port: 9200
-name: Alert-Name
-type: frequency
-index: "*:logstash-*"
-num_events: 1
-timeframe:
-    minutes: 10
-buffer_time:
-    minutes: 10
-allow_buffer_time_overlap: true
-
-filter:
- query:
-   query_string:
-      query: 'select from test'
-
 alert: modules.so.thehive.TheHiveAlerter

 hive_connection:
@@ -30,11 +13,11 @@ hive_proxies:

 hive_alert_config:
  title: '{rule[name]}'
-  type: 'external'
+  type: 'playbook'
  source: 'SecurityOnion'
-  description: '`Data:` {match[message]}'
+  description: "`Play:` https://{{es}}/playbook/issues/6000 \n\n `View Event:` <https://{{es}}/kibana/app/kibana#/discover?_g=()&_a=(columns:!(_source),interval:auto,query:(language:lucene,query:'_id:{match[_id]}'),sort:!('@timestamp',desc))>  \n\n `Raw Data:` {match[message]}"
  severity: 2
-  tags: ['elastalert', 'SecurityOnion']
+  tags: ['playbook']
  tlp: 3
  status: 'New'
  follow: True
--- a/salt/soctopus/files/templates/osquery.template
+++ b/salt/soctopus/files/templates/osquery.template
@@ -1,23 +1,6 @@
 {% set es = salt['pillar.get']('static:masterip', '') %}
 {% set hivehost = salt['pillar.get']('static:masterip', '') %}
 {% set hivekey = salt['pillar.get']('static:hivekey', '') %}
-es_host: {{es}}
-es_port: 9200
-name: Alert-Name
-type: frequency
-index: "*:logstash-*"
-num_events: 1
-timeframe:
-    minutes: 10
-buffer_time:
-    minutes: 10
-allow_buffer_time_overlap: true
-
-filter:
- query:
-   query_string:
-      query: 'select from test'
-
 alert: modules.so.thehive.TheHiveAlerter

 hive_connection:
@@ -28,20 +11,22 @@ hive_proxies:
  http: ''
  https: ''

-hive_alert_config:
-  title: '{rule[name]} -- {match[osquery][hostname]} -- {match[osquery][name]}'
-  type: 'external'
-  source: 'SecurityOnion'
-  description: '`Hostname:` __{match[osquery][hostname]}__  `Live Query:`__[Pivot Link](https://{{es}}/fleet/queries/new?host_uuids={match[osquery][LiveQuery]})__ `Pack:`  __{match[osquery][name]}__ `Data:` {match[osquery][columns]}'
-  severity: 2
-  tags: ['elastalert', 'SecurityOnion']
-  tlp: 3
-  status: 'New'
-  follow: True
-  caseTemplate: '5000'
-
 hive_observable_data_mapping:
  - ip: '{match[osquery][EndpointIP1]}'
  - ip: '{match[osquery][EndpointIP2]}'
  - other: '{match[osquery][hostIdentifier]}'
  - other: '{match[osquery][hostname]}'
+
+hive_alert_config:
+  title: '{rule[name]} -- {match[osquery][hostname]} -- {match[osquery][name]}'
+  type: 'osquery'
+  source: 'SecurityOnion'
+  description: "`Play:` https://{{es}}/playbook/issues/6000 \n\n `View Event:` <https://{{es}}/kibana/app/kibana#/discover?_g=()&_a=(columns:!(_source),interval:auto,query:(language:lucene,query:'_id:{match[_id]}'),sort:!('@timestamp',desc))>  \n\n `Hostname:` __{match[osquery][hostname]}__  `Live Query:`__[Pivot Link](https://{{es}}/fleet/queries/new?host_uuids={match[osquery][LiveQuery]})__ `Pack:`  __{match[osquery][name]}__ `Data:` {match[osquery][columns]}"
+  severity: 2
+  tags: ['playbook','osquery']
+  tlp: 3
+  status: 'New'
+  follow: True
+  caseTemplate: '5000'
+  
+