From 9babc445ce111d620049507101c8b1cd96e315d6 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 9 Sep 2020 12:07:18 -0400
Subject: [PATCH 1/5] Add Google search quick action to Hunt; Change VirusTotal quick action to be applicable to all field values

---
 salt/soc/files/soc/soc.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index 81efcb447..181ba7a0c 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -145,7 +145,8 @@
 "actions": [
 { "name": "", "description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}" },
 { "name": "", "description": "actionAlertHelp", "icon": "fa-bell", "link": "/soctopus/thehive/alert/{eventId}" },
- { "name": "", "description": "actionVirtusTotalHelp", "icon": "fa-globe", "link": "https://www.virustotal.com/gui/ip-address/{value}/detection", "fields": [ "source.ip", "destination.ip" ] }
+ { "name": "", "description": "actionGoogleHelp", "icon": "fa-google", "link": "https://www.google.com/search?q={value}" },
+ { "name": "", "description": "actionVirusTotalHelp", "icon": "", "link": "https://www.virustotal.com/gui/search/{value}" }
 ]
 }
 }

From fc4ad1d556200124b4e989bc825b8f6422f1d88d Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 9 Sep 2020 12:22:38 -0400
Subject: [PATCH 2/5] Add Google search quick action to Hunt; Change VirusTotal quick action to be applicable to all field values

---
 salt/soc/files/soc/soc.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index 181ba7a0c..f3c103dc4 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
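Review bot: The new VirusTotal entry drops the `"fields": [ "source.ip", "destination.ip" ]` restriction the removed line had, and the new Google entry has none either, so both external lookups are now offered for every field value — including values such as usernames, internal hostnames or log message text that an analyst may not intend to disclose to a third party in a URL. Whether the `{value}` placeholder is URL-encoded before substitution is not visible here; if it is not, values containing `&`, `#`, `/` or whitespace will yield truncated or malformed queries, and for the VirusTotal `/gui/search/{value}` path an unencoded `/` changes the route. Consider keeping an explicit `"fields"` allow-list on each entry whose link leaves the SOC (IPs, domains, hashes) and confirming the encoding behaviour in the expander. The same applies to the follow-up hunk in PATCH 2/5, which edits these two entries but keeps them unscoped.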
@@ -145,8 +145,8 @@
 "actions": [
 { "name": "", "description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}" },
 { "name": "", "description": "actionAlertHelp", "icon": "fa-bell", "link": "/soctopus/thehive/alert/{eventId}" },
- { "name": "", "description": "actionGoogleHelp", "icon": "fa-google", "link": "https://www.google.com/search?q={value}" },
- { "name": "", "description": "actionVirusTotalHelp", "icon": "", "link": "https://www.virustotal.com/gui/search/{value}" }
+ { "name": "", "description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}" },
+ { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "", "link": "https://www.virustotal.com/gui/search/{value}" }
 ]
 }
 }

From 90ba1be97891f28c1ece1fc5b02f6246bcc3d56e Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Wed, 9 Sep 2020 12:55:14 -0400
Subject: [PATCH 3/5] Improve formatting of NIDS selection screen

---
 setup/so-whiptail | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/setup/so-whiptail b/setup/so-whiptail
index d760373af..94459bb10 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -621,8 +621,7 @@ whiptail_nids() {
 [ -n "$TESTING" ] && return
 NIDS=$(whiptail --title "Security Onion Setup" --radiolist \
- "Choose which IDS to run. \n
- Snort 3.0 support will be added once it is out of beta:" 25 75 4 \
+ "Choose which IDS to run. \n\n(Snort 3.0 support will be added once it is out of beta)" 25 75 4 \
 "Suricata" "Suricata" ON \
 "Snort" "Placeholder for Snort 3.0 " OFF 3>&1 1>&2 2>&3 )

From 82b582540ef2b451680614d8347f8a005700fd7c Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Wed, 9 Sep 2020 12:56:19 -0400
Subject: [PATCH 4/5] Add period

---
 setup/so-whiptail | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup/so-whiptail b/setup/so-whiptail
index 94459bb10..ce8b22011 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
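Review bot: `"icon": ""` on the VirusTotal entry is an empty-string sentinel where every other entry in this list carries a Font Awesome class, and how the UI renders an empty icon is not visible from the hunk; either drop the key or restore the `"fa-globe"` class the original entry used. `"name": "actionVirusTotal"` is also the only non-empty `name` in the list and, like the `description` values, reads as a locale key rather than display text, so the entries for `actionGoogleHelp`, `actionVirusTotal` and `actionVirusTotalHelp` presumably need to exist on the locale side — nothing in this series adds them, and PATCH 1/5 renamed the existing key from `actionVirtusTotalHelp`, which would leave any old translation entry orphaned.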
@@ -621,7 +621,7 @@ whiptail_nids() {
 [ -n "$TESTING" ] && return
 NIDS=$(whiptail --title "Security Onion Setup" --radiolist \
- "Choose which IDS to run. \n\n(Snort 3.0 support will be added once it is out of beta)" 25 75 4 \
+ "Choose which IDS to run. \n\n(Snort 3.0 support will be added once it is out of beta.)" 25 75 4 \
 "Suricata" "Suricata" ON \
 "Snort" "Placeholder for Snort 3.0 " OFF 3>&1 1>&2 2>&3 )

From a5b87850df451306fc10194e0cf92ed87753c283 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 9 Sep 2020 14:07:36 -0400
Subject: [PATCH 5/5] Remove user sync between SOC and Cortex due to the unnecesary complexities involved with this style of integration

---
 salt/common/tools/sbin/so-user | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user
index 57f51fe9a..e354bcce4 100755
--- a/salt/common/tools/sbin/so-user
+++ b/salt/common/tools/sbin/so-user
@@ -202,7 +202,6 @@ case "${operation}" in
 createUser "$email"
 echo "Successfully added new user to SOC"
 check_container thehive && echo $password | so-thehive-user-add "$email"
- check_container cortex && echo $password | so-cortex-user-add "$email"
 check_container fleet && echo $password | so-fleet-user-add "$email"
 ;;

@@ -226,7 +225,6 @@ case "${operation}" in
 updateStatus "$email" 'active'
 echo "Successfully enabled user"
 check_container thehive && so-thehive-user-enable "$email" true
- check_container cortex && so-cortex-user-enable "$email" true
 check_container fleet && so-fleet-user-enable "$email" true
 ;;

@@ -237,7 +235,6 @@ case "${operation}" in
 updateStatus "$email" 'locked'
 echo "Successfully disabled user"
 check_container thehive && so-thehive-user-enable "$email" false
- check_container cortex && so-cortex-user-enable "$email" false
 check_container fleet && so-fleet-user-enable "$email" false
 ;;

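Review bot: Removing `check_container cortex && so-cortex-user-enable "$email" false` from the disable branch (hunk at -237) and the delete branch (hunk at -248) means locking or deleting a SOC user no longer deactivates a Cortex account that the line removed from the add branch (-202) would have provisioned on installs that ran the old script, so those accounts stay active until someone disables them in Cortex by hand. Dropping the add and enable calls matches the commit message, but the disable/delete side is a deprovisioning control rather than integration complexity; the commit should at least leave a pointer next to the thehive line, e.g. `# Cortex accounts are no longer managed here; disable them in Cortex directly`, or be paired with a one-time cleanup of previously synced Cortex users. The `case "${operation}" in` block begins and ends outside these hunks.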
@@ -248,7 +245,6 @@ case "${operation}" in
 deleteUser "$email"
 echo "Successfully deleted user"
 check_container thehive && so-thehive-user-enable "$email" false
- check_container cortex && so-cortex-user-enable "$email" false
 check_container fleet && so-fleet-user-enable "$email" false
 ;;