From cbb4d6846f98e4664fa704c980691db06f7f1ac8 Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Tue, 8 Oct 2024 14:52:49 -0600
Subject: [PATCH 1/7] Detection Engine Status Queries A few for testing
---
 salt/soc/defaults.yaml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 00c45e5c5..bcdccf9ca 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1447,6 +1447,13 @@ soc:
 casesEnabled: true
 detectionsEnabled: true
 inactiveTools: ['toolUnused']
+ detectionEngineStatusQueries:
+ - suricata: IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"suricata"'
+ - elastalert: IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"elastalert"'
+ - strelka: IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"strelka"'
 tools:
 - name: toolKibana
 description: toolKibanaHelp
From 04ebe4efeacc8535add8b8cb0c8a49b49a6c49c3 Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Tue, 8 Oct 2024 14:59:15 -0600
Subject: [PATCH 2/7] Array to Dictionary
---
 salt/soc/defaults.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index bcdccf9ca..e0a5206bc 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1448,11 +1448,11 @@ soc:
 detectionsEnabled: true
 inactiveTools: ['toolUnused']
 detectionEngineStatusQueries:
- - suricata:
+ suricata:
 IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"suricata"'
- - elastalert:
+ elastalert:
 IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"elastalert"'
- - strelka:
+ strelka:
 IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"strelka"'
 tools:
 - name: toolKibana
From c77b0afd8e4c2c524461b778a64b6c9919709613 Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Wed, 9 Oct 2024 08:40:54 -0600
Subject: [PATCH 3/7] Move to Client/Detections Added a basic annotation.
---
 salt/soc/defaults.yaml | 14 +++++++-------
 salt/soc/soc_soc.yaml | 7 ++++++-
 2 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index e0a5206bc..d96e41a70 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1447,13 +1447,6 @@ soc:
 casesEnabled: true
 detectionsEnabled: true
 inactiveTools: ['toolUnused']
- detectionEngineStatusQueries:
- suricata:
- IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"suricata"'
- elastalert:
- IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"elastalert"'
- strelka:
- IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"strelka"'
 tools:
 - name: toolKibana
 description: toolKibanaHelp
@@ -2270,6 +2263,13 @@ soc:
 - name: "Detections with Overrides"
 query: "_exists_:so_detection.overrides | groupby so_detection.language | groupby so_detection.ruleset so_detection.isEnabled"
 description: Show Detections that have Overrides
+ detectionEngineStatusQueries:
+ suricata:
+ IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"suricata"'
+ elastalert:
+ IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"elastalert"'
+ strelka:
+ IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"strelka"'
 detection:
 showUnreviewedAiSummaries: false
 presets:
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index af4668fc2..06f562a6a 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -461,7 +461,12 @@ soc:
 alerts: *appSettings
 cases: *appSettings
 dashboards: *appSettings
- detections: *appSettings
+ detections:
+ <<: *appSettings
+ detectionEngineStatusQueries:
+ description: Queries mapped to the detection engine status.
+ global: True
+ forcedType: "{}"
 detection:
 showUnreviewedAiSummaries:
 description: Show AI summaries in detections even if they have not yet been reviewed by a human.
From ad0b0a5e95e06ae4a74f95db81ce3ab98782ec6c Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Wed, 9 Oct 2024 12:54:55 -0600
Subject: [PATCH 4/7] Refactor to String To accomodate the config screen, the annotation now specifies it as a multiline string with a yaml syntax. The user can edit the yaml to add or remove queries. The UI will parse the YAML before use. Also updated the IntegrityFailure queries to specify table columns more relevant to a sync failure than the default ones.
---
 salt/soc/defaults.yaml | 9 +++++----
 salt/soc/soc_soc.yaml | 6 ++++--
 2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index d96e41a70..fe131ca58 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -2263,13 +2263,14 @@ soc:
 - name: "Detections with Overrides"
 query: "_exists_:so_detection.overrides | groupby so_detection.language | groupby so_detection.ruleset so_detection.isEnabled"
 description: Show Detections that have Overrides
- detectionEngineStatusQueries:
+ detectionEngineStatusQueries: |
 suricata:
- IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"suricata"'
+ default:
+ IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"suricata" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId'
 elastalert:
- IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"elastalert"'
+ IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"elastalert" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId'
 strelka:
- IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"strelka"'
+ IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"strelka" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId'
 detection:
 showUnreviewedAiSummaries: false
 presets:
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 06f562a6a..14296dade 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
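Review bot: Turning `detectionEngineStatusQueries` into a `|` block scalar means the engine/status/query structure is no longer checked when Salt loads defaults.yaml; it is only checked when the UI parses the string, so a mis-indented edit (the bare `default:` line added under `suricata` in this hunk, which patch 6 later removes, is exactly that shape) reaches the client before anything complains. The UI-side parser should treat a parse failure, or a value that is not a mapping of engine name to status name to query string, as a reported configuration error rather than silently falling back to no queries, and since the content is operator-edited it should be a plain YAML load with no custom tags. If the pillar is merged per key by Salt (not visible here), the string form also means an override has to restate the whole block rather than one engine's entry; a sentence saying so in the annotation's description would save operators that surprise.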
@@ -464,9 +464,11 @@ soc:
 detections:
 <<: *appSettings
 detectionEngineStatusQueries:
- description: Queries mapped to the detection engine status.
+ description: Queries mapped to the detection engine statuses. Acceptable statuses are "Migrating", "Importing", "MigrationFailure", "IntegrityFailure", "SyncFailure", "ImportPending", "Syncing", and "Healthy" and will fallback to a "default" entry if specified.
 global: True
- forcedType: "{}"
+ syntax: yaml
+ multiline: True
+ forcedType: "string"
 detection:
 showUnreviewedAiSummaries:
 description: Show AI summaries in detections even if they have not yet been reviewed by a human.
From b7c392a2443538484bce8afb5d7ab862385a7a2c Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Wed, 9 Oct 2024 14:26:03 -0600
Subject: [PATCH 5/7] Corrected a misspelling
---
 salt/soc/defaults.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index fe131ca58..a9ab09e47 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -2244,7 +2244,7 @@ soc:
 description: Show all custom detections
 - name: "All Detections - Enabled"
 query: "so_detection.isEnabled:true | groupby so_detection.language | groupby so_detection.ruleset so_detection.severity"
- description: Show all enalbed Detections
+ description: Show all enabled Detections
 - name: "All Detections - Disabled"
 query: "so_detection.isEnabled:false | groupby so_detection.language | groupby so_detection.ruleset so_detection.severity"
 description: Show all disabled Detections
From f67fcecc6e2f539fddbbddedc5b090cd75ce2168 Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Mon, 21 Oct 2024 09:47:58 -0600
Subject: [PATCH 6/7] Clean up StatusQueries String
---
 salt/soc/defaults.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index a9ab09e47..00468e7a0 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
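Review bot: The new `+ description:` line lists the accepted status names but not the shape the UI expects, which is what an operator editing free-form YAML in the config screen is most likely to get wrong; append something like `Value is YAML: a mapping of engine name (suricata, elastalert, strelka) to a mapping of status name to hunt query.` `global: True` and `multiline: True` use the capitalised Python-style boolean; if the other annotations in soc_soc.yaml already write `True`, keep it for consistency, otherwise prefer `true`. The `forcedType: "string"` plus `syntax: yaml` pair is presumably what makes the config screen present a YAML editor; worth confirming that the UI rejects a value that parses to anything other than a mapping instead of applying it.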
@@ -2265,7 +2265,6 @@ soc:
 description: Show Detections that have Overrides
 detectionEngineStatusQueries: |
 suricata:
- default:
 IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"suricata" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId'
 elastalert:
 IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"elastalert" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId'
From 6ce52bf9aba7946f5022640100b44397fa5cfa23 Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Thu, 24 Oct 2024 13:11:49 -0600
Subject: [PATCH 7/7] Specify Defaults for detectionEngineStatusQueries Specify the defaults as an example to the user.
---
 salt/soc/defaults.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 00468e7a0..6a9a1bfc6 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -2265,10 +2265,13 @@ soc:
 description: Show Detections that have Overrides
 detectionEngineStatusQueries: |
 suricata:
+ default: 'tags:so-soc AND suricata | groupby log.level | groupby event.action | groupby soc.fields.error'
 IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"suricata" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId'
 elastalert:
+ default: 'tags:so-soc AND elastalert | groupby log.level | groupby event.action | groupby soc.fields.error'
 IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"elastalert" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId'
 strelka:
+ default: 'tags:so-soc AND strelka | groupby log.level | groupby event.action | groupby soc.fields.error'
 IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"strelka" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId'
 detection:
 showUnreviewedAiSummaries: false
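Review bot: The three new `default:` queries filter on the bare terms `suricata`, `elastalert` and `strelka`, while the `IntegrityFailure` queries directly beneath them filter on `soc.fields.detectionEngine:"<engine>"`; a bare term matches any indexed field containing that token, so an event from one engine whose message happens to mention another can land in the wrong engine's default view. For consistency with the sibling queries use `default: 'tags:so-soc AND soc.fields.detectionEngine:"suricata" | groupby log.level | groupby event.action | groupby soc.fields.error'` (and likewise for elastalert and strelka), assuming `soc.fields.detectionEngine` is set on every so-soc engine event and not only on the integrity-check ones, which this hunk does not show. The single-quoted inner strings keep the `"` and `|` characters literal, which is right for a block scalar the UI re-parses.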