From 9d9d3aac53c350c6cad3fb196bc0cae8a7355d20 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 1 Oct 2020 17:37:57 -0400
Subject: [PATCH] Switch to JSON from yaml
---
 ...fault.yaml => alerts.actions.default.json} | 4 +---
 .../soc/files/soc/alerts.queries.default.json | 9 +++++++++
 .../soc/files/soc/alerts.queries.default.yaml | 11 -----------
 ...default.yaml => hunt.actions.default.json} | 4 +---
 ...ult.yaml => hunt.eventfields.default.json} | 7 +++----
 ...default.yaml => hunt.queries.default.json} | 4 +---
 salt/soc/files/soc/soc.json | 19 ++++++++++---------
 7 files changed, 25 insertions(+), 33 deletions(-)
 rename salt/soc/files/soc/{hunt.actions.default.yaml => alerts.actions.default.json} (94%)
 create mode 100644 salt/soc/files/soc/alerts.queries.default.json
 delete mode 100644 salt/soc/files/soc/alerts.queries.default.yaml
 rename salt/soc/files/soc/{alerts.actions.default.yaml => hunt.actions.default.json} (94%)
 rename salt/soc/files/soc/{hunt.eventfields.default.yaml => hunt.eventfields.default.json} (99%)
 rename salt/soc/files/soc/{hunt.queries.default.yaml => hunt.queries.default.json} (99%)
diff --git a/salt/soc/files/soc/hunt.actions.default.yaml b/salt/soc/files/soc/alerts.actions.default.json
similarity index 94%
rename from salt/soc/files/soc/hunt.actions.default.yaml
rename to salt/soc/files/soc/alerts.actions.default.json
index 7d650e025..2c3bdaf31 100644
--- a/salt/soc/files/soc/hunt.actions.default.yaml
+++ b/salt/soc/files/soc/alerts.actions.default.json
@@ -1,6 +1,4 @@
-soc:
- hunt:
- actions: [
+[
 { "name": "", "description": "actionHuntHelp", "icon": "fa-search", "link": "/#/hunt?q=\"{value}\" | groupby event.module event.dataset", "target": "" },
 { "name": "", "description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}", "target": "" },
 { "name": "", "description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}", "target": "_blank" }, 
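Review bot: The `actionGoogleHelp` entry, `"link": "https://www.google.com/search?q={value}", "target": "_blank"`, is a default alert action that sends whatever field the analyst clicks — on the alerts page typically an internal IP, hostname, username or file hash — to a third party, and nothing in the file or the commit marks it as off-box data sharing. Document that in the `actionGoogleHelp` i18n string or the accompanying docs, or ship the entry disabled by default so operators opt in. Whether `{value}` is URL-encoded before substitution is not visible here; the `actionHuntHelp` link embeds it inside an escaped quoted term (`q=\"{value}\"`), so a field value containing `"` would alter the generated query unless the UI escapes it — worth confirming on the rendering side. The rest of the array continues past this hunk.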
diff --git a/salt/soc/files/soc/alerts.queries.default.json b/salt/soc/files/soc/alerts.queries.default.json
new file mode 100644
index 000000000..dcbd97787
--- /dev/null
+++ b/salt/soc/files/soc/alerts.queries.default.json
@@ -0,0 +1,9 @@
+[
+ { "name": "Group By Name, Module", "query": "* | groupby rule.name rule.uuid event.module event.severity_label" },
+ { "name": "Group By Sensor, Source IP/Port, Destination IP/Port, Name", "query": "* | groupby observer.name source.ip source.port destination.ip destination.port rule.name rule.uuid network.community_id event.severity_label" },
+ { "name": "Group By Source IP, Name", "query": "* | groupby source.ip rule.name rule.uuid event.severity_label" },
+ { "name": "Group By Source Port, Name", "query": "* | groupby source.port rule.name rule.uuid event.severity_label" },
+ { "name": "Group By Destination IP, Name", "query": "* | groupby destination.ip rule.name rule.uuid event.severity_label" },
+ { "name": "Group By Destination Port, Name", "query": "* | groupby destination.port rule.name rule.uuid event.severity_label" },
+ { "name": "Ungroup", "query": "*" }
+]
\ No newline at end of file
diff --git a/salt/soc/files/soc/alerts.queries.default.yaml b/salt/soc/files/soc/alerts.queries.default.yaml
deleted file mode 100644
index 69514fe94..000000000
--- a/salt/soc/files/soc/alerts.queries.default.yaml
+++ /dev/null
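Review bot: The new alerts.queries.default.json ends without a trailing newline (`\ No newline at end of file` after `+]`), as do the other JSON files this commit creates or renames; add one so later edits do not produce a noisy last-line diff and POSIX tools treat the final line as a line. Content-wise the array is strict JSON — no trailing comma after the `Ungroup` entry — which is what `import_json` in soc.json requires, so that property has to be preserved by future edits since JSON offers no comment to say so.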
@@ -1,11 +0,0 @@
-soc:
- alerts:
- queries: [
- { "name": "Group By Name, Module", "query": "* | groupby rule.name rule.uuid event.module event.severity_label" },
- { "name": "Group By Sensor, Source IP/Port, Destination IP/Port, Name", "query": "* | groupby observer.name source.ip source.port destination.ip destination.port rule.name rule.uuid network.community_id event.severity_label" },
- { "name": "Group By Source IP, Name", "query": "* | groupby source.ip rule.name rule.uuid event.severity_label" },
- { "name": "Group By Source Port, Name", "query": "* | groupby source.port rule.name rule.uuid event.severity_label" },
- { "name": "Group By Destination IP, Name", "query": "* | groupby destination.ip rule.name rule.uuid event.severity_label" },
- { "name": "Group By Destination Port, Name", "query": "* | groupby destination.port rule.name rule.uuid event.severity_label" },
- { "name": "Ungroup", "query": "*" }
- ]
\ No newline at end of file
diff --git a/salt/soc/files/soc/alerts.actions.default.yaml b/salt/soc/files/soc/hunt.actions.default.json
similarity index 94%
rename from salt/soc/files/soc/alerts.actions.default.yaml
rename to salt/soc/files/soc/hunt.actions.default.json
index e30fe64c9..2c3bdaf31 100644
--- a/salt/soc/files/soc/alerts.actions.default.yaml
+++ b/salt/soc/files/soc/hunt.actions.default.json
@@ -1,6 +1,4 @@
-soc:
- alerts:
- actions: [
+[
 { "name": "", "description": "actionHuntHelp", "icon": "fa-search", "link": "/#/hunt?q=\"{value}\" | groupby event.module event.dataset", "target": "" },
 { "name": "", "description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}", "target": "" },
 { "name": "", "description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}", "target": "_blank" }, 
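Review bot: After this change hunt.actions.default.json and alerts.actions.default.json are byte-identical — both renames resolve to the same new blob `2c3bdaf31`, which is why git paired them crosswise (hunt.actions.default.yaml → alerts.actions.default.json, alerts.actions.default.yaml → hunt.actions.default.json). If identical defaults are intended, a single file imported twice in soc.json would stop the two copies drifting apart; if they are meant to diverge later, a short note in the repo docs saying so would help the next editor understand why two copies exist. The crossed rename itself is cosmetic and does not change the resulting tree. The action array continues past this hunk.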
diff --git a/salt/soc/files/soc/hunt.eventfields.default.yaml b/salt/soc/files/soc/hunt.eventfields.default.json
similarity index 99%
rename from salt/soc/files/soc/hunt.eventfields.default.yaml
rename to salt/soc/files/soc/hunt.eventfields.default.json
index 9ed0e3203..21416483a 100644
--- a/salt/soc/files/soc/hunt.eventfields.default.yaml
+++ b/salt/soc/files/soc/hunt.eventfields.default.json
@@ -1,6 +1,4 @@
-soc:
- hunt:
- eventfields:
+{
 "default": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid", "network.community_id", "event.dataset" ],
 "::conn": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.transport", "network.protocol", "log.id.uid", "network.community_id" ],
 "::dce_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "dce_rpc.endpoint", "dce_rpc.named_pipe", "dce_rpc.operation", "log.id.uid" ],
@@ -42,4 +40,5 @@ soc:
 ":strelka:file": ["soc_timestamp", "scan.exiftool.OriginalFileName", "file.size", "hash.md5", "scan.exiftool.CompanyName", "scan.exiftool.Description", "scan.exiftool.Directory", "scan.exiftool.FileType", "scan.exiftool.FileOS", "log.id.fuid" ],
 ":suricata:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rule.name", "rule.category", "event.severity_label", "log.id.uid", "network.community_id" ],
 ":sysmon:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "source.hostname", "event.dataset", "process.executable", "user.name" ],
- ":windows_eventlog:": ["soc_timestamp", "user.name" ]
\ No newline at end of file
+ ":windows_eventlog:": ["soc_timestamp", "user.name" ]
+ }
\ No newline at end of file
diff --git a/salt/soc/files/soc/hunt.queries.default.yaml b/salt/soc/files/soc/hunt.queries.default.json
similarity index 99%
rename from salt/soc/files/soc/hunt.queries.default.yaml
rename to salt/soc/files/soc/hunt.queries.default.json
index f881c5c95..aa8b148ce 100644
--- a/salt/soc/files/soc/hunt.queries.default.yaml
+++ b/salt/soc/files/soc/hunt.queries.default.json
@@ -1,6 +1,4 @@
-soc:
- hunt:
- queries: [
+[
 { "name": "Default Query", "description": "Show all events grouped by the origin host", "query": "* | groupby observer.name"},
 { "name": "Log Type", "description": "Show all events grouped by module and dataset", "query": "* | groupby event.module event.dataset"},
 { "name": "Elastalerts", "description": "", "query": "_type:elastalert | groupby rule.name"},
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index 5a705eebf..1f35dfbab 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -2,11 +2,11 @@
 {%- set SENSORONIKEY = salt['pillar.get']('global:sensoronikey', '') %}
 {%- set THEHIVEKEY = salt['pillar.get']('global:hivekey', '') %}
 {%- set FEATURES = salt['pillar.get']('elastic:features', False) %}
-{%- import_yaml "soc/files/soc/alerts.queries.default.yaml" as alerts_queries %}
-{%- import_yaml "soc/files/soc/alerts.actions.default.yaml" as alerts_actions %}
-{%- import_yaml "soc/files/soc/hunt.queries.default.yaml" as hunt_queries %}
-{%- import_yaml "soc/files/soc/hunt.actions.default.yaml" as hunt_actions %}
-{%- import_yaml "soc/files/soc/hunt.eventfields.default.yaml" as hunt_eventfields %}
+{%- import_json "soc/files/soc/alerts.queries.default.json" as alerts_queries %}
+{%- import_json "soc/files/soc/alerts.actions.default.json" as alerts_actions %}
+{%- import_json "soc/files/soc/hunt.queries.default.json" as hunt_queries %}
+{%- import_json "soc/files/soc/hunt.actions.default.json" as hunt_actions %}
+{%- import_json "soc/files/soc/hunt.eventfields.default.json" as hunt_eventfields %}
 {
 "logFilename": "/opt/sensoroni/logs/sensoroni-server.log",
 "server": {
@@ -47,10 +47,11 @@
 "relativeTimeValue": 24,
 "relativeTimeUnit": 30,
 "mostRecentlyUsedLimit": 5,
+ "eventFields": {{ hunt_eventfields }},
 "queryBaseFilter": "",
 "queryToggleFilters": [],
- "queries": {{ hunt_queries.soc.hunt.queries | json }} ,
- "actions": {{ hunt_actions.soc.hunt.actions | json }} ,
+ "queries": {{ hunt_queries }} ,
+ "actions": {{ hunt_actions }} ,
 },
 "alerts": {
 "advanced": false,
@@ -70,8 +71,8 @@
 { "name": "acknowledged", "filter": "event.acknowledged:true", "enabled": false, "exclusive": true },
 { "name": "escalated", "filter": "event.escalated:true", "enabled": false, "exclusive": true }
 ],
- "queries": {{ alerts_queries.soc.alerts.queries | json }},
- "actions": {{ alerts_actions.soc.alerts.actions | json }}
+ "queries": {{ alerts_queries }},
+ "actions": {{ alerts_actions }}
 }
 }
 }
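Review bot: `"queries": {{ hunt_queries }} ,` drops the `| json` filter the removed line applied, and the same happens on the new `actions`, `eventFields` and alerts-block lines. `import_json` hands Jinja the parsed Python object, so rendering it bare emits `str()` output — single-quoted strings and `True`/`False`/`None` — rather than JSON, which a strict consumer of soc.json would reject; I cannot verify Salt's renderer from here, so a render test of soc.json on a minion is the quickest check. Restore the filter on each line, e.g. `"eventFields": {{ hunt_eventfields | json }},` and `"queries": {{ hunt_queries | json }} ,`. The comma after `"actions": {{ hunt_actions }} ,` immediately before `},` is also not strict JSON; it predates this change, but if the SOC server's parser does not depend on leniency it is worth tidying while these lines are being touched.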