From a9b7b9ee9222260845b8f220d7cadcce531e6f24 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 8 Dec 2021 17:41:48 -0500 Subject: [PATCH] Jinjafy case params --- salt/soc/files/soc/cases.eventfields.json | 3 ++ salt/soc/files/soc/cases.queries.json | 5 +++ salt/soc/files/soc/presets.category.json | 7 ++++ salt/soc/files/soc/presets.pap.json | 9 ++++++ salt/soc/files/soc/presets.severity.json | 9 ++++++ salt/soc/files/soc/presets.tag.json | 8 +++++ salt/soc/files/soc/presets.tlp.json | 9 ++++++ salt/soc/files/soc/soc.json | 39 +++++++++++++++++++++-- 8 files changed, 87 insertions(+), 2 deletions(-) create mode 100644 salt/soc/files/soc/cases.eventfields.json create mode 100644 salt/soc/files/soc/cases.queries.json create mode 100644 salt/soc/files/soc/presets.category.json create mode 100644 salt/soc/files/soc/presets.pap.json create mode 100644 salt/soc/files/soc/presets.severity.json create mode 100644 salt/soc/files/soc/presets.tag.json create mode 100644 salt/soc/files/soc/presets.tlp.json
diff --git a/salt/soc/files/soc/cases.eventfields.json b/salt/soc/files/soc/cases.eventfields.json
new file mode 100644
index 000000000..901c34345
--- /dev/null
+++ b/salt/soc/files/soc/cases.eventfields.json
@@ -0,0 +1,3 @@
+{
+ "default": ["soc_timestamp", "case.title", "case.status", "case.severity", "case.createTime"]
+}
\ No newline at end of file
diff --git a/salt/soc/files/soc/cases.queries.json b/salt/soc/files/soc/cases.queries.json
new file mode 100644
index 000000000..f407d3ebe
--- /dev/null
+++ b/salt/soc/files/soc/cases.queries.json
@@ -0,0 +1,5 @@
+[
+ { "name": "New Cases", "query": "!case.status:closed" },
+ { "name": "Closed Cases", "query": "case.status:closed" },
+ { "name": "Templates", "query": "case.category:template" }
+]
\ No newline at end of file
diff --git a/salt/soc/files/soc/presets.category.json b/salt/soc/files/soc/presets.category.json
new file mode 100644
index 000000000..0f48a8e82
--- /dev/null
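Review bot: The new file is committed without a trailing newline (`\ No newline at end of file`), and the same applies to the other six files added in this patch (cases.queries.json and the five presets.*.json files). The files parse fine without it, but a missing EOF newline produces noisy diffs on the next edit and trips common editor and linter settings; terminating each file with a newline before merge is the usual convention.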
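Review bot: The "Templates" query filters on `case.category:template` in lowercase, while presets.category.json later in this patch offers the label `Template`; whether those two agree depends on how `case.category` is mapped in the so-case index, and if it is a keyword field the saved query would return nothing for cases created from that preset. Using one spelling in both the preset label and the query value removes that dependency. Separately, "New Cases" (`!case.status:closed`) presumably also lists template cases unless templates are stored as closed; `"query": "!case.status:closed AND !case.category:template"` would keep the two views disjoint.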
+++ b/salt/soc/files/soc/presets.category.json
@@ -0,0 +1,7 @@
+{
+ "labels": [
+ "General",
+ "Template"
+ ],
+ "customEnabled": true
+}
\ No newline at end of file
diff --git a/salt/soc/files/soc/presets.pap.json b/salt/soc/files/soc/presets.pap.json
new file mode 100644
index 000000000..f1e8570dd
--- /dev/null
+++ b/salt/soc/files/soc/presets.pap.json
@@ -0,0 +1,9 @@
+{
+ "labels": [
+ "White",
+ "Green",
+ "Amber",
+ "Red"
+ ],
+ "customEnabled": false
+}
\ No newline at end of file
diff --git a/salt/soc/files/soc/presets.severity.json b/salt/soc/files/soc/presets.severity.json
new file mode 100644
index 000000000..f04574787
--- /dev/null
+++ b/salt/soc/files/soc/presets.severity.json
@@ -0,0 +1,9 @@
+{
+ "labels": [
+ "Low",
+ "Medium",
+ "High",
+ "Critical"
+ ],
+ "customEnabled": false
+}
\ No newline at end of file
diff --git a/salt/soc/files/soc/presets.tag.json b/salt/soc/files/soc/presets.tag.json
new file mode 100644
index 000000000..545b513f8
--- /dev/null
+++ b/salt/soc/files/soc/presets.tag.json
@@ -0,0 +1,8 @@
+{
+ "labels": [
+ "false-positive",
+ "confirmed",
+ "pending"
+ ],
+ "customEnabled": true
+}
\ No newline at end of file
diff --git a/salt/soc/files/soc/presets.tlp.json b/salt/soc/files/soc/presets.tlp.json
new file mode 100644
index 000000000..f1e8570dd
--- /dev/null
+++ b/salt/soc/files/soc/presets.tlp.json
@@ -0,0 +1,9 @@
+{
+ "labels": [
+ "White",
+ "Green",
+ "Amber",
+ "Red"
+ ],
+ "customEnabled": false
+}
\ No newline at end of file
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index dbe8218c3..92cb75329 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -18,6 +18,11 @@
 {%- import_json "soc/files/soc/hunt.eventfields.json" as hunt_eventfields %}
 {%- import_json "soc/files/soc/menu.actions.json" as menu_actions %}
 {%- import_json "soc/files/soc/tools.json" as tools %}
+{%- import_json "soc/files/soc/presets.category.json" as presets_category %}
+{%- import_json "soc/files/soc/presets.pap.json" as presets_pap %}
+{%- import_json "soc/files/soc/presets.severity.json" as presets_severity %}
+{%- import_json "soc/files/soc/presets.tag.json" as presets_tag %}
+{%- import_json "soc/files/soc/presets.tlp.json" as presets_tlp %}
 {%- set DNET = salt['pillar.get']('global:dockernet', '172.17.0.0') %}
 {%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
@@ -182,8 +187,38 @@
 { "name": "escalated", "filter": "event.escalated:true", "enabled": false, "exclusive": true, "enablesToggles":["acknowledged"] }
 ],
 "queries": {{ alerts_queries | json }},
- "actions": {{ menu_actions | json }}
- }
+ "actions": {{ menu_actions | json }}
+ },
+ "cases": {
+ "advanced": false,
+ "groupItemsPerPage": 50,
+ "groupFetchLimit": 100,
+ "eventItemsPerPage": 50,
+ "eventFetchLimit": 500,
+ "relativeTimeValue": 12,
+ "relativeTimeUnit": 60,
+ "mostRecentlyUsedLimit": 5,
+ "ackEnabled": false,
+ "escalateEnabled": false,
+ "escalateRelatedEventsEnabled": false,
+ "viewEnabled": true,
+ "eventFields": {{ cases_eventfields | json }},
+ "queryBaseFilter": "_index:so-case AND kind:case",
+ "queryToggleFilters": [
+ ],
+ "queries": {{ cases_queries | json }},
+ "actions": {{ menu_actions | json }}
+ },
+ "case": {
+ "mostRecentlyUsedLimit": 5,
+ "presets": {
+ "category": {{ presets_category | json }},
+ "pap": {{ presets_pap | json }},
+ "severity": {{ presets_severity | json }},
+ "tag": {{ presets_tag | json }},
+ "tlp": {{ presets_tlp | json }}
+ }
+ }
 }
 }
 }
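Review bot: The second hunk of this file renders `{{ cases_eventfields | json }}` and `{{ cases_queries | json }}`, but no `import_json` for the two new cases.* files is added in this hunk or anywhere else in the patch (the diffstat's 87 insertions are fully accounted for by the visible hunks, so it is not hidden in an omitted one). Depending on how Salt's renderer treats undefined Jinja variables, the template will either fail to render or emit `null` for those two keys, and the cases view then has no columns and no saved queries. Add `{%- import_json "soc/files/soc/cases.eventfields.json" as cases_eventfields %}` and `{%- import_json "soc/files/soc/cases.queries.json" as cases_queries %}` next to the preset imports.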
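Review bot: The new `cases` block reuses `{{ menu_actions | json }}` for its `actions`, the same menu the alerts view gets, whereas every other cases-specific setting in this patch got its own cases.* file. If those menu actions are written around event records (their filters and pivot targets are not visible here), they will also appear on case records where they may not apply; a dedicated `cases.actions.json` import would keep the case view's menu independently configurable. As a minor style point, the empty `"queryToggleFilters": [` / `],` pair can be written on one line as `"queryToggleFilters": [],`.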