CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-07 01:32:47 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #13800 from Security-Onion-Solutions/cogburn/detection-status-hunt

Browse Source 
Cogburn/detection status hunt
This commit is contained in:
coreyogburn
2024-10-24 16:31:59 -06:00
committed by GitHub
parent ba699b8d06 6ce52bf9ab
commit a76a2d8e9f
2 changed files with 19 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
salt/soc/defaults.yaml
View File

@@ -2244,7 +2244,7 @@ soc:
description: Show all custom detections description: Show all custom detections
- name: "All Detections - Enabled" - name: "All Detections - Enabled"
query: "so_detection.isEnabled:true | groupby so_detection.language | groupby so_detection.ruleset so_detection.severity" query: "so_detection.isEnabled:true | groupby so_detection.language | groupby so_detection.ruleset so_detection.severity"
description: Show all enalbed Detections description: Show all enabled Detections
- name: "All Detections - Disabled" - name: "All Detections - Disabled"
query: "so_detection.isEnabled:false | groupby so_detection.language | groupby so_detection.ruleset so_detection.severity" query: "so_detection.isEnabled:false | groupby so_detection.language | groupby so_detection.ruleset so_detection.severity"
description: Show all disabled Detections description: Show all disabled Detections
@@ -2263,6 +2263,16 @@ soc:
- name: "Detections with Overrides" - name: "Detections with Overrides"
query: "_exists_:so_detection.overrides | groupby so_detection.language | groupby so_detection.ruleset so_detection.isEnabled" query: "_exists_:so_detection.overrides | groupby so_detection.language | groupby so_detection.ruleset so_detection.isEnabled"
description: Show Detections that have Overrides description: Show Detections that have Overrides
detectionEngineStatusQueries: |
suricata:
default: 'tags:so-soc AND suricata | groupby log.level | groupby event.action | groupby soc.fields.error'
IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"suricata" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId'
elastalert:
default: 'tags:so-soc AND elastalert | groupby log.level | groupby event.action | groupby soc.fields.error'
IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"elastalert" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId'
strelka:
default: 'tags:so-soc AND strelka | groupby log.level | groupby event.action | groupby soc.fields.error'
IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"strelka" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId'
detection: detection:
showUnreviewedAiSummaries: false showUnreviewedAiSummaries: false
presets: presets:

9
salt/soc/soc_soc.yaml
View File

@@ -461,7 +461,14 @@ soc:
alerts: *appSettings alerts: *appSettings
cases: *appSettings cases: *appSettings
dashboards: *appSettings dashboards: *appSettings
detections: *appSettings detections:
<<: *appSettings
detectionEngineStatusQueries:
description: Queries mapped to the detection engine statuses. Acceptable statuses are "Migrating", "Importing", "MigrationFailure", "IntegrityFailure", "SyncFailure", "ImportPending", "Syncing", and "Healthy" and will fallback to a "default" entry if specified.
global: True
syntax: yaml
multiline: True
forcedType: "string"
detection: detection:
showUnreviewedAiSummaries: showUnreviewedAiSummaries:
description: Show AI summaries in detections even if they have not yet been reviewed by a human. description: Show AI summaries in detections even if they have not yet been reviewed by a human.