CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Update default queries

Browse Source
This commit is contained in:
DefensiveDepth
2024-04-19 16:33:35 -04:00
parent 6c6647629c
commit a237ef5d96
2 changed files with 3 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
salt/soc/defaults.yaml
View File

@@ -2128,14 +2128,11 @@ soc:
query: "so_detection.isEnabled:false | groupby so_detection.language | groupby so_detection.ruleset so_detection.severity" query: "so_detection.isEnabled:false | groupby so_detection.language | groupby so_detection.ruleset so_detection.severity"
description: Show all disabled Detections description: Show all disabled Detections
- name: "Detection Type - Suricata (NIDS)" - name: "Detection Type - Suricata (NIDS)"
query: "so_detection.language:suricata | groupby so_detection.ruleset so_detection.isEnabled" query: "so_detection.language:suricata | groupby so_detection.ruleset so_detection.isEnabled | groupby so_detection.category"
description: Show all NIDS Detections, which are run with Suricata description: Show all NIDS Detections, which are run with Suricata
- name: "Detection Type - Sigma (Elastalert) - All" - name: "Detection Type - Sigma (Elastalert) - All"
query: "so_detection.language:sigma | groupby so_detection.ruleset so_detection.isEnabled" query: "so_detection.language:sigma | groupby so_detection.ruleset so_detection.isEnabled | groupby so_detection.category | groupby so_detection.product"
description: Show all Sigma Detections, which are run with Elastalert description: Show all Sigma Detections, which are run with Elastalert
- name: "Detection Type - Sigma (Elastalert) - Windows"
query: 'so_detection.language:sigma AND so_detection.content: "*product: windows*" | groupby so_detection.ruleset so_detection.isEnabled'
description: Show all Sigma Detections with a logsource of Windows
- name: "Detection Type - YARA (Strelka)" - name: "Detection Type - YARA (Strelka)"
query: "so_detection.language:yara | groupby so_detection.ruleset so_detection.isEnabled" query: "so_detection.language:yara | groupby so_detection.ruleset so_detection.isEnabled"
description: Show all YARA detections, which are used by Strelka description: Show all YARA detections, which are used by Strelka

1
salt/strelka/compile_yara/compile_yara.py
View File

@@ -43,6 +43,7 @@ def compile_yara_rules(rules_dir):
"event.dataset": "soc.detections", "event.dataset": "soc.detections",
"log.level": "error", "log.level": "error",
"error.message": error_message, "error.message": error_message,
"error.analysis": "syntax error",
"detection_type": "yara", "detection_type": "yara",
"rule.uuid": rule_id, "rule.uuid": rule_id,
"error.type": "runtime_status" "error.type": "runtime_status"