CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/2.4/dev' into vlb2

Browse Source
This commit is contained in:
Josh Patterson
2025-08-26 14:55:06 -04:00
parent e10d00d114 304985b61e
commit ac2c044a94
11 changed files with 485 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
salt/sensoroni/config.sls
View File

@@ -43,6 +43,22 @@ analyzerscripts:
- source: salt://sensoroni/files/analyzers - source: salt://sensoroni/files/analyzers
- show_changes: False - show_changes: False
templatesdir:
file.directory:
- name: /opt/so/conf/sensoroni/templates
- user: 939
- group: 939
- makedirs: True
sensoronitemplates:
file.recurse:
- name: /opt/so/conf/sensoroni/templates
- source: salt://sensoroni/files/templates
- user: 939
- group: 939
- file_mode: 664
- show_changes: False
sensoroni_sbin: sensoroni_sbin:
file.recurse: file.recurse:
- name: /usr/sbin - name: /usr/sbin

1
salt/sensoroni/enabled.sls
View File

@@ -22,6 +22,7 @@ so-sensoroni:
- /nsm/pcapout:/nsm/pcapout:rw - /nsm/pcapout:/nsm/pcapout:rw
- /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro - /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro
- /opt/so/conf/sensoroni/analyzers:/opt/sensoroni/analyzers:rw - /opt/so/conf/sensoroni/analyzers:/opt/sensoroni/analyzers:rw
- /opt/so/conf/sensoroni/templates:/opt/sensoroni/templates:ro
- /opt/so/log/sensoroni:/opt/sensoroni/logs:rw - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw
- /nsm/suripcap/:/nsm/suripcap:rw - /nsm/suripcap/:/nsm/suripcap:rw
{% if DOCKER.containers['so-sensoroni'].custom_bind_mounts %} {% if DOCKER.containers['so-sensoroni'].custom_bind_mounts %}

1
salt/sensoroni/files/sensoroni.json
View File

@@ -21,6 +21,7 @@
}, },
{%- endif %} {%- endif %}
"importer": {}, "importer": {},
"export": {},
"statickeyauth": { "statickeyauth": {
"apiKey": "{{ GLOBALS.sensoroni_key }}" "apiKey": "{{ GLOBALS.sensoroni_key }}"
{% if GLOBALS.is_sensor %} {% if GLOBALS.is_sensor %}

39
salt/sensoroni/files/templates/reports/custom/generic_report1.md Normal file
View File

@@ -0,0 +1,39 @@
{{- /* query.myDocEvents.Oql = metadata.type: _doc | groupby event.module, event.dataset | sortby @timestamp desc */ -}}
{{- /* query.myDocEvents.MetricLimit = 10 */ -}}
{{- /* query.myDocEvents.EventLimit = 100 */ -}}
Security Onion Custom Report
============================
{{ if .Error }}
**NOTE: This report encountered a problem extracting the relevant data and may not be complete.**
**Error:** {{.Error}}
{{ end }}
Records must have been created or updated during the following time frame in order to be reflected in this report.
**Report Start Date:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .BeginDate}}
**Report End Date:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .EndDate}}
## Sample Doc Events
**Total Events:** {{ formatNumber "%d" "en" .Results.myDocEvents.TotalEvents}}
### Event Counts By Module and Dataset
| Count | Proportion | Module | Dataset |
| ----- | ---------- | ------ | ------- |
{{ range sortMetrics "Value" "desc" .Results.myDocEvents.Metrics.groupby_0_event_module_event_dataset -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0}} | {{index .Keys 1}} |
{{end}}
### Individual Events (Limited to first {{.Results.myDocEvents.Criteria.EventLimit}})
| Event Time | Module | Dataset | Category |
| ---------- | ------ | ------- | -------- |
{{ range .Results.myDocEvents.Events -}}
| {{.Timestamp}} | {{.Payload.event_module}} | {{.Payload.event_dataset}} | {{.Payload.event_category}} |
{{end}}

133
salt/sensoroni/files/templates/reports/standard/case_report.md Normal file
View File

@@ -0,0 +1,133 @@
Security Onion Case Report
==========================
## Case Details
**Case ID:** {{.Case.Id}}
**Title:** {{.Case.Title}}
## Description
{{.Case.Description}}
## Details
**Created:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .Case.CreateTime}}
**Updated:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .Case.UpdateTime}}
**Author:** {{getUserDetail "email" .Case.UserId}}
**Status:** {{.Case.Status}}
**TLP:** {{.Case.Tlp}}
**PAP:** {{.Case.Pap}}
**Severity:** {{.Case.Severity}}
**Priority:** {{.Case.Priority}}
**Category:** {{.Case.Category}}
**Tags:** {{join .Case.Tags ", " }}
**Assignee:** {{getUserDetail "email" .Case.AssigneeId}}
**Hours Logged:** {{ formatNumber "%.2f" "en" .TotalHours}}
## Comments
{{ range sortComments "CreateTime" "asc" .Comments }}
**Created:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .CreateTime}}
**Updated:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .UpdateTime}}
**Author:** {{getUserDetail "email" .UserId}}
**Hours Logged:** {{ formatNumber "%.2f" "en" .Hours}}
{{.Description}}
---
{{end}}
## Detections
{{ range sortDetections "Title" "asc" .Detections }}
**Title:** {{.Title}}
**Description:** {{.Description}}
**Severity:** {{.Severity}}
**Rule Engine:** {{.Engine}}
**Rule Set:** {{.Ruleset}}
**Community Rule:** {{.IsCommunity}}
**Tags:** {{.Tags}}
{{.Content}}
---
{{end}}
## Attachments
{{ range sortArtifacts "CreateTime" "asc" .Attachments }}
**Added:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .CreateTime}}
**Updated:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .UpdateTime}}
**Added By:** {{getUserDetail "email" .UserId}}
**TLP:** {{.Tlp}}
**Filename:** {{.Value}}
**Size:** {{ formatNumber "%.0d" "en" .StreamLen}} bytes
**SHA256:** {{.Sha256}}
**SHA1:** {{.Sha1}}
**MD5:** {{.Md5}}
**Tags:** {{.Tags}}
**Protected (Zipped):** {{.Protected}}
{{.Description}}
---
{{end}}
## Observables
| Date Added | Tlp | Type | IOC | Value | Description |
| ---------- | --- | ---- | --- | ----- | ----------- |
{{ range sortArtifacts "CreateTime" "asc" .Observables -}}
| {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .CreateTime}} | {{.Tlp}} | {{.ArtifactType}} | {{.Ioc}} | {{.Value}} | {{.Description}} |
{{end}}
## Related Events
| Event Time | Log ID | Source IP | Destination IP |
| ---------- | ------ | --------- | -------------- |
{{ range sortRelatedEvents "fields:soc_timestamp" "asc" .RelatedEvents -}}
| {{.Fields.soc_timestamp}} | {{.Fields.log_id_uid}} | {{.Fields.source_ip}} | {{.Fields.destination_ip}} |
{{end}}
## Case History
| Date | User | Object | Operation |
| ---- | ---- | ------ | --------- |
{{ range sortHistory "CreateTime" "asc" .History -}}
| {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .CreateTime}} | {{getUserDetail "email" .UserId}} | {{.Kind}} | {{.Operation}} |
{{end}}

189
salt/sensoroni/files/templates/reports/standard/productivity_report.md Normal file
View File

@@ -0,0 +1,189 @@
Security Onion Productivity Report
==================================
{{ if .Error }}
**NOTE: This report encountered a problem extracting the relevant data and may not be complete.**
**Error:** {{.Error}}
{{ end }}
Records must have been created or updated during the following time frame in order to be reflected in this report.
**Report Start Date:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .BeginDate}}
**Report End Date:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .EndDate}}
## Ingested Events
**Total Events:** {{ formatNumber "%d" "en" .TotalEvents}}
### Events By Module
| Count | Proportion | Module |
| ----- | ---------- | ------ |
{{ range sortMetrics "Value" "desc" .TotalEventsByModule -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0}} |
{{end}}
### Events By Module and Severity Label
| Count | Proportion | Module | Severity |
| ----- | ---------- | ------ | -------- |
{{ range sortMetrics "Value" "desc" .TotalEventsByModuleDataset -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0}} | {{index .Keys 1}} |
{{end}}
## Alerts
**Total Alerts:** {{ formatNumber "%d" "en" .TotalAlerts}}
{{ range sortMetrics "Value" "desc" .TotalAlertsByAcknowledged -}}
{{ if index .Keys 0 | eq "true" }}
**Acknowledged Alerts:** {{ formatNumber "%.0f" "en" .Value}} ({{ formatNumber "%.1f" "en" .Percentage}}%)
{{ end }}
{{end}}
{{ range sortMetrics "Value" "desc" .TotalAlertsByEscalated -}}
{{ if index .Keys 0 | eq "true" }}
**Escalated Alerts:** {{ formatNumber "%.0f" "en" .Value}} ({{ formatNumber "%.1f" "en" .Percentage}}%)
{{ end }}
{{end}}
### Alerts By Severity
| Count | Proportion | Severity |
| ----- | ---------- | -------- |
{{ range sortMetrics "Value" "desc" .TotalAlertsBySeverityLabel -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0}} |
{{end}}
### Alerts By Module
| Count | Proportion | Module |
| ----- | ---------- | ------ |
{{ range sortMetrics "Value" "desc" .TotalAlertsByModule -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0}} |
{{end}}
### Alerts By Module and Severity Label
| Count | Proportion | Module | Severity |
| ----- | ---------- | ------ | -------- |
{{ range sortMetrics "Value" "desc" .TotalAlertsByModuleSeverityLabel -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0}} | {{index .Keys 1}} |
{{end}}
### Alerts By Ruleset
| Count | Proportion | Ruleset |
| ----- | ---------- | ------- |
{{ range sortMetrics "Value" "desc" .TotalAlertsByRuleset -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0}} |
{{end}}
### Alerts By Rule Category
| Count | Proportion | Category |
| ----- | ---------- | -------- |
{{ range sortMetrics "Value" "desc" .TotalAlertsByCategory -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0}} |
{{end}}
## Cases
**Total Cases:** {{ formatNumber "%d" "en" .TotalCases}}
**Average Elapsed Time To Complete:** {{ formatNumber "%.1f" "en" .AverageHoursToComplete }} hours
### Cases By Status
| Count | Proportion | Status |
| ----- | ---------- | ------ |
{{ range sortMetrics "Value" "desc" .TotalCasesByStatus -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0}} |
{{end}}
### Cases By Assignee
| Count | Proportion | Assignee |
| ----- | ---------- | -------- |
{{ range sortMetrics "Value" "desc" .TotalCasesByAssignee -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0 | getUserDetail "email"}} |
{{end}}
### Cases By Status and Assignee
| Count | Proportion | Status | Assignee |
| ----- | ---------- | ------ | -------- |
{{ range sortMetrics "Value" "desc" .TotalCasesByStatusAssignee -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0}} | {{index .Keys 1 | getUserDetail "email"}} |
{{end}}
### Cases By Severity
| Count | Proportion | Severity |
| ----- | ---------- | -------- |
{{ range sortMetrics "Value" "desc" .TotalCasesBySeverity -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0}} |
{{end}}
### Cases By Priority
| Count | Proportion | Priority |
| ----- | ---------- | -------- |
{{ range sortMetrics "Value" "desc" .TotalCasesByPriority -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0}} |
{{end}}
### Cases By Traffic Light Protocol (TLP)
| Count | Proportion | TLP |
| ----- | ---------- | ----|
{{ range sortMetrics "Value" "desc" .TotalCasesByTlp -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0}} |
{{end}}
### Cases By Permissible Actions Protocol (PAP)
| Count | Proportion | PAP |
| ----- | ---------- | --- |
{{ range sortMetrics "Value" "desc" .TotalCasesByPap -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0}} |
{{end}}
### Cases By Category
| Count | Proportion | Category |
| ----- | ---------- | -------- |
{{ range sortMetrics "Value" "desc" .TotalCasesByCategory -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0}} |
{{end}}
### Cases By Tags
| Count | Proportion | Tags |
| ----- | ---------- | ---- |
{{ range sortMetrics "Value" "desc" .TotalCasesByTags -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0}} |
{{end}}
### Comments By User
| Count | Proportion | User |
| ----- | ---------- | ---- |
{{ range sortMetrics "Value" "desc" .TotalCommentsByUserId -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0 | getUserDetail "email"}} |
{{end}}
## Time Tracking
**Total Hours:** {{ formatNumber "%.2f" "en" .TotalHours}}
### Hours By User
| Hours | Proportion | User |
| ----- | ---------- | ---- |
{{ range sortMetrics "Value" "desc" .TotalHoursByUserId -}}
| {{ formatNumber "%.2f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0 | getUserDetail "email"}} |
{{end}}

91
salt/sensoroni/soc_sensoroni.yaml
View File

@@ -306,3 +306,94 @@ sensoroni:
sensitive: False sensitive: False
advanced: True advanced: True
forcedType: string forcedType: string
files:
templates:
reports:
standard:
case_report__md:
title: Case report Template
description: The template used when generating a case report. Supports markdown format.
file: True
global: True
syntax: md
helpLink: reports.html
productivity_report__md:
title: Productivity Report Template
description: The template used when generating a comprehensive productivity report. Supports markdown format.
file: True
global: True
syntax: md
helpLink: reports.html
custom:
generic_report1__md:
title: Custom Report 1
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True
global: True
syntax: md
helpLink: reports.html
generic_report2__md:
title: Custom Report 2
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True
global: True
syntax: md
helpLink: reports.html
generic_report3__md:
title: Custom Report 3
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True
global: True
syntax: md
helpLink: reports.html
generic_report4__md:
title: Custom Report 4
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True
global: True
syntax: md
helpLink: reports.html
generic_report5__md:
title: Custom Report 5
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True
global: True
syntax: md
helpLink: reports.html
generic_report6__md:
title: Custom Report 6
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True
global: True
syntax: md
helpLink: reports.html
generic_report7__md:
title: Custom Report 7
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True
global: True
syntax: md
helpLink: reports.html
generic_report8__md:
title: Custom Report 8
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True
global: True
syntax: md
helpLink: reports.html
generic_report9__md:
title: Custom Report 9
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True
global: True
syntax: md
helpLink: reports.html
addl_generic_report__md:
title: Additional Custom Report
description: A duplicatable custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI. This is an unsupported feature due to the inability to edit duplicated reports via the SOC app.
advanced: True
file: True
global: True
syntax: md
duplicates: True
helpLink: reports.html

1
salt/soc/defaults.map.jinja
View File

@@ -35,5 +35,6 @@
{% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %} {% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %}
{% do SOCDEFAULTS.soc.config.server.client.case.update({'analyzerNodeId': GLOBALS.hostname}) %} {% do SOCDEFAULTS.soc.config.server.client.case.update({'analyzerNodeId': GLOBALS.hostname}) %}
{% do SOCDEFAULTS.soc.config.server.client.update({'exportNodeId': GLOBALS.hostname}) %}
{% set SOCDEFAULTS = SOCDEFAULTS.soc %} {% set SOCDEFAULTS = SOCDEFAULTS.soc %}

2
salt/soc/defaults.yaml
View File

@@ -1358,6 +1358,7 @@ soc:
htmlDir: html htmlDir: html
importUploadDir: /nsm/soc/uploads importUploadDir: /nsm/soc/uploads
forceUserOtp: false forceUserOtp: false
customReportsPath: /opt/sensoroni/templates/reports/custom
modules: modules:
cases: soc cases: soc
filedatastore: filedatastore:
@@ -1576,6 +1577,7 @@ soc:
casesEnabled: true casesEnabled: true
detectionsEnabled: true detectionsEnabled: true
inactiveTools: ['toolUnused'] inactiveTools: ['toolUnused']
exportNodeId:
tools: tools:
- name: toolKibana - name: toolKibana
description: toolKibanaHelp description: toolKibanaHelp

1
salt/soc/enabled.sls
View File

@@ -48,6 +48,7 @@ so-soc:
- /opt/so/conf/soc/custom_roles:/opt/sensoroni/rbac/custom_roles:ro - /opt/so/conf/soc/custom_roles:/opt/sensoroni/rbac/custom_roles:ro
- /opt/so/conf/soc/soc_users_roles:/opt/sensoroni/rbac/users_roles:rw - /opt/so/conf/soc/soc_users_roles:/opt/sensoroni/rbac/users_roles:rw
- /opt/so/conf/soc/soc_clients_roles:/opt/sensoroni/rbac/clients_roles:rw - /opt/so/conf/soc/soc_clients_roles:/opt/sensoroni/rbac/clients_roles:rw
- /opt/so/conf/sensoroni/templates:/opt/sensoroni/templates:ro
- /opt/so/conf/soc/queue:/opt/sensoroni/queue:rw - /opt/so/conf/soc/queue:/opt/sensoroni/queue:rw
- /opt/so/saltstack:/opt/so/saltstack:rw - /opt/so/saltstack:/opt/so/saltstack:rw
- /opt/so/conf/soc/migrations:/opt/so/conf/soc/migrations:rw - /opt/so/conf/soc/migrations:/opt/so/conf/soc/migrations:rw

11
salt/soc/soc_soc.yaml
View File

@@ -138,6 +138,11 @@ soc:
title: Require TOTP title: Require TOTP
description: Require all users to enable Time-based One Time Passwords (MFA) upon login to SOC. description: Require all users to enable Time-based One Time Passwords (MFA) upon login to SOC.
global: True global: True
customReportsPath:
title: Custom Reports Path
description: Path to custom markdown templates for PDF report generation. All markdown files in this directory will be available as custom reports in the SOC Reports interface.
global: True
advanced: True
subgrids: subgrids:
title: Subordinate Grids title: Subordinate Grids
description: | description: |
@@ -561,6 +566,8 @@ soc:
forcedType: "[]{}" forcedType: "[]{}"
syntax: json syntax: json
uiElements: uiElements:
- field: rulesetName
label: Playbook Source Name
- field: repo - field: repo
label: Repo URL label: Repo URL
required: True required: True
@@ -606,6 +613,10 @@ soc:
global: True global: True
advanced: True advanced: True
forcedType: "[]{}" forcedType: "[]{}"
exportNodeId:
description: The node ID on which export jobs will be executed.
global: True
advanced: True
hunt: &appSettings hunt: &appSettings
groupItemsPerPage: groupItemsPerPage:
description: Default number of aggregations to show per page. Larger values consume more vertical area in the SOC UI. description: Default number of aggregations to show per page. Larger values consume more vertical area in the SOC UI.