Merge branch 'kilo' into cogburn/detection_playbooks

2025-12-06 01:02:46 +01:00 · 2024-02-13 14:08:44 -07:00
parent f321e734eb c933627a71
commit a5db9f87dd
10 changed files with 169 additions and 6 deletions
--- a/2
+++ b/2
@@ -1 +1 @@
-2.4.50
+2.4.0-kilo
--- a/salt/elasticsearch/templates/component/so/detection-mappings.json
+++ b/salt/elasticsearch/templates/component/so/detection-mappings.json
@@ -47,13 +47,25 @@
            "isCommunity": {
              "type": "boolean"
            },
-            "note": {
+            "tags": {
              "type": "text"
            },
+            "ruleset": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
            "engine": {
              "ignore_above": 1024,
              "type": "keyword"
            },
+            "language": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "license": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
            "overrides": {
              "properties": {
                "type": {
@@ -98,6 +110,24 @@
              }
            }
          }
+        },
+        "so_detectioncomment": {
+          "properties": {
+            "createTime": {
+              "type": "date"
+            },
+            "detectionId": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
+            "value": {
+              "type": "text"
+            },
+            "userId": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            }
+          }
        }
      }
    }
--- a/salt/idstools/soc_idstools.yaml
+++ b/salt/idstools/soc_idstools.yaml
@@ -8,7 +8,7 @@ idstools:
      global: True
      helpLink: rules.html
    ruleset:
-      description: Defines the ruleset you want to run. Options are ETOPEN or ETPRO.
+      description: Defines the ruleset you want to run. Options are ETOPEN or ETPRO.  -- WARNING -- Changing the ruleset will remove all existing Suricata rules of the previous ruleset and their associated overrides.'
      global: True
      regex:  ETPRO\b|ETOPEN\b
      helpLink: rules.html
--- a/salt/soc/config.sls
+++ b/salt/soc/config.sls
@@ -9,9 +9,16 @@
 include:
  - manager.sync_es_users

+socdirtest:
+  file.directory:
+    - name: /opt/so/rules/elastalert/rules
+    - user: 939
+    - group: 939
+    - makedirs: True
+
 socdir:
  file.directory:
-    - name: /opt/so/conf/soc
+    - name: /opt/so/conf/soc/fingerprints
    - user: 939
    - group: 939
    - makedirs: True
@@ -57,6 +64,22 @@ socmotd:
    - mode: 600
    - template: jinja

+socsigmafinalpipeline:
+  file.managed:
+    - name: /opt/so/conf/soc/sigma_final_pipeline.yaml
+    - source: salt://soc/files/soc/sigma_final_pipeline.yaml
+    - user: 939
+    - group: 939
+    - mode: 600
+
+socsigmasopipeline:
+  file.managed:
+    - name: /opt/so/conf/soc/sigma_so_pipeline.yaml
+    - source: salt://soc/files/soc/sigma_so_pipeline.yaml
+    - user: 939
+    - group: 939
+    - mode: 600
+
 socbanner:
  file.managed:
    - name: /opt/so/conf/soc/banner.md
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1008,6 +1008,11 @@ soc:
          jobDir: jobs
        kratos:
          hostUrl:
+        elastalertengine:
+          communityRulesImportFrequencySeconds: 180
+          elastAlertRulesFolder: /opt/sensoroni/elastalert
+          rulesFingerprintFile: /opt/sensoroni/fingerprints/sigma.fingerprint
+          sigmaRulePackages: core
        elastic:
          hostUrl:
          remoteHostUrls: []
@@ -1049,6 +1054,15 @@ soc:
            - rbac/custom_roles
          userFiles:
            - rbac/users_roles
+        strelkaengine:
+          compileYaraPythonScriptPath: /opt/so/conf/strelka/compile_yara.py
+          reposFolder: /opt/sensoroni/yara/repos
+          rulesRepos:
+          - https://github.com/Security-Onion-Solutions/securityonion-yara
+          yaraRulesFolder: /opt/sensoroni/yara/rules
+        suricataengine:
+          communityRulesFile: /nsm/rules/suricata/emerging-all.rules
+          rulesFingerprintFile: /opt/sensoroni/fingerprints/emerging-all.fingerprint
      client:
        enableReverseLookup: false
        docsUrl: /docs/
@@ -1754,3 +1768,55 @@ soc:
                  - amber+strict
                  - red
              customEnabled: false
+        detections:
+          viewEnabled: true
+          createLink: /detection/create
+          eventFetchLimit: 500
+          eventItemsPerPage: 50
+          groupFetchLimit: 50
+          mostRecentlyUsedLimit: 5
+          safeStringMaxLength: 100
+          queryBaseFilter: '_index:"*:so-detection" AND so_kind:detection'
+          eventFields:
+            default:
+              - so_detection.title
+              - so_detection.isEnabled
+              - so_detection.language
+              - so_detection.severity
+          queries:
+            - name: "All Detections"
+              query: "_id:*"
+            - name: "Custom Detections"
+              query: "so_detection.isCommunity:false"
+            - name: "All Detections - Enabled"
+              query: "so_detection.isEnabled:true"
+            - name: "All Detections - Disabled"
+              query: "so_detection.isEnabled:false"
+            - name: "Detection Type - Suricata (NIDS)"
+              query: "so_detection.language:suricata"
+            - name: "Detection Type - Sigma - All"
+              query: "so_detection.language:sigma"
+            - name: "Detection Type - Sigma - Windows"
+              query: 'so_detection.language:sigma AND so_detection.content: "*product: windows*"'
+            - name: "Detection Type - Yara (Strelka)"
+              query: "so_detection.language:yara"
+        detection:
+          presets:
+            severity:
+                customEnabled: false
+                labels:
+                  - unknown
+                  - informational
+                  - low
+                  - medium
+                  - high
+                  - critical
+            language:
+                customEnabled: false
+                labels:
+                  - suricata
+                  - sigma
+                  - yara
+          severityTranslations:
+            minor: low
+            major: high
--- a/salt/soc/enabled.sls
+++ b/salt/soc/enabled.sls
@@ -22,12 +22,18 @@ so-soc:
      - sobridge:
        - ipv4_address: {{ DOCKER.containers['so-soc'].ip }}
    - binds:
+      - /nsm/rules:/nsm/rules:rw #Need to tighten this up?
+      - /opt/so/conf/strelka:/opt/sensoroni/yara:rw
+      - /opt/so/rules/elastalert/rules:/opt/sensoroni/elastalert:rw
+      - /opt/so/conf/soc/fingerprints:/opt/sensoroni/fingerprints:rw
      - /nsm/soc/jobs:/opt/sensoroni/jobs:rw
      - /nsm/soc/uploads:/nsm/soc/uploads:rw
      - /opt/so/log/soc/:/opt/sensoroni/logs/:rw
      - /opt/so/conf/soc/soc.json:/opt/sensoroni/sensoroni.json:ro
      - /opt/so/conf/soc/motd.md:/opt/sensoroni/html/motd.md:ro
      - /opt/so/conf/soc/banner.md:/opt/sensoroni/html/login/banner.md:ro
+      - /opt/so/conf/soc/sigma_so_pipeline.yaml:/opt/sensoroni/sigma_so_pipeline.yaml:ro
+      - /opt/so/conf/soc/sigma_final_pipeline.yaml:/opt/sensoroni/sigma_final_pipeline.yaml:rw
      - /opt/so/conf/soc/custom.js:/opt/sensoroni/html/js/custom.js:ro
      - /opt/so/conf/soc/custom_roles:/opt/sensoroni/rbac/custom_roles:ro
      - /opt/so/conf/soc/soc_users_roles:/opt/sensoroni/rbac/users_roles:rw
--- a/salt/soc/files/soc/sigma_final_pipeline.yaml
+++ b/salt/soc/files/soc/sigma_final_pipeline.yaml
@@ -0,0 +1,7 @@
+name: Security Onion - Final Pipeline
+priority: 95
+transformations:
+    - id: override_field_name_mapping
+      type: field_name_mapping
+      mapping:
+        FieldNameToOverride: NewFieldName
--- a/salt/soc/files/soc/sigma_so_pipeline.yaml
+++ b/salt/soc/files/soc/sigma_so_pipeline.yaml
@@ -0,0 +1,18 @@
+name: Security Onion Baseline Pipeline
+priority: 90
+transformations:
+    - id: baseline_field_name_mapping
+      type: field_name_mapping
+      mapping:
+        cs-method: http.method
+        c-uri: http.uri
+        c-useragent: http.useragent
+        cs-version: http.version
+        uid: user.uid
+        sid: rule.uuid
+        answer: answers
+        query: dns.query.name
+        src_ip: destination.ip.keyword
+        src_port: source.port
+        dst_ip: destination.ip.keyword
+        dst_port: destination.port
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -32,6 +32,14 @@ soc:
        global: True
        advanced: True
        helpLink: soc-customization.html
+      sigma_final_pipeline__yaml:
+        title: Final Sigma Pipeline
+        description: Final Processing Pipeline for Sigma Rules
+        syntax: yaml
+        file: True
+        global: True
+        advanced: True
+        helpLink: soc-customization.html
  config:
    licenseKey:
      title: License Key
@@ -62,6 +70,11 @@ soc:
        global: True
        advanced: True
      modules:
+        elastalertengine:
+          sigmaRulePackages:
+            description: 'Defines the Sigma Community Ruleset you want to run: core | core+ | core++ | all.  -- WARNING -- Changing the ruleset will remove all existing Sigma rules of the previous ruleset and their associated overrides.'
+            global: True
+            advanced: False
        elastic:
          index:
            description: Comma-separated list of indices or index patterns (wildcard "*" supported) that SOC will search for records.
--- a/salt/strelka/backend/enabled.sls
+++ b/salt/strelka/backend/enabled.sls
@@ -42,8 +42,8 @@ strelka_backend:
      {% endfor %}
    {% endif %}
    - restart_policy: on-failure
-    - watch:
-      - file: strelkarules
+    #- watch:
+    #  - file: strelkarules

 delete_so-strelka-backend_so-status.disabled:
  file.uncomment: