Merge pull request #13800 from Security-Onion-Solutions/cogburn/detection-status-hunt

Cogburn/detection status hunt
2025-12-06 17:22:49 +01:00 · 2024-10-24 16:31:59 -06:00
parent ba699b8d06 6ce52bf9ab
commit a76a2d8e9f
2 changed files with 19 additions and 2 deletions
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -2244,7 +2244,7 @@ soc:
              description: Show all custom detections
            - name: "All Detections - Enabled"
              query: "so_detection.isEnabled:true | groupby so_detection.language | groupby so_detection.ruleset so_detection.severity"
-              description: Show all enalbed Detections
+              description: Show all enabled Detections
            - name: "All Detections - Disabled"
              query: "so_detection.isEnabled:false | groupby so_detection.language | groupby so_detection.ruleset so_detection.severity"
              description: Show all disabled Detections
@@ -2263,6 +2263,16 @@ soc:
            - name: "Detections with Overrides"
              query: "_exists_:so_detection.overrides | groupby so_detection.language | groupby so_detection.ruleset so_detection.isEnabled"
              description: Show Detections that have Overrides
+          detectionEngineStatusQueries: |
+            suricata:
+              default: 'tags:so-soc AND suricata | groupby log.level | groupby event.action | groupby soc.fields.error'
+              IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"suricata" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId'
+            elastalert:
+              default: 'tags:so-soc AND elastalert | groupby log.level | groupby event.action | groupby soc.fields.error'
+              IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"elastalert" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId'
+            strelka:
+              default: 'tags:so-soc AND strelka | groupby log.level | groupby event.action | groupby soc.fields.error'
+              IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"strelka" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId'
        detection:
          showUnreviewedAiSummaries: false
          presets:
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -461,7 +461,14 @@ soc:
        alerts: *appSettings
        cases: *appSettings
        dashboards: *appSettings
-        detections: *appSettings
+        detections:
+          <<: *appSettings
+          detectionEngineStatusQueries:
+            description: Queries mapped to the detection engine statuses. Acceptable statuses are "Migrating", "Importing", "MigrationFailure", "IntegrityFailure", "SyncFailure", "ImportPending", "Syncing", and "Healthy" and will fallback to a "default" entry if specified.
+            global: True
+            syntax: yaml
+            multiline: True
+            forcedType: "string"
        detection:
          showUnreviewedAiSummaries:
            description: Show AI summaries in detections even if they have not yet been reviewed by a human.