From ad0b0a5e95e06ae4a74f95db81ce3ab98782ec6c Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Wed, 9 Oct 2024 12:54:55 -0600
Subject: [PATCH] Refactor to String

To accomodate the config screen, the annotation now specifies it as a multiline string with a yaml syntax. The user can edit the yaml to add or remove queries. The UI will parse the YAML before use. Also updated the IntegrityFailure queries to specify table columns more relevant to a sync failure than the default ones.
---
 salt/soc/defaults.yaml | 9 +++++----
 salt/soc/soc_soc.yaml | 6 ++++--
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index d96e41a70..fe131ca58 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -2263,13 +2263,14 @@ soc:
 - name: "Detections with Overrides"
 query: "_exists_:so_detection.overrides | groupby so_detection.language | groupby so_detection.ruleset so_detection.isEnabled"
 description: Show Detections that have Overrides
- detectionEngineStatusQueries:
+ detectionEngineStatusQueries: |
 suricata:
- IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"suricata"'
+ default:
+ IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"suricata" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId'
 elastalert:
- IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"elastalert"'
+ IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"elastalert" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId'
 strelka:
- IntegrityFailure: 'tags:so-soc AND soc.fields.error: "integrity check failed; discrepancies found" AND soc.fields.detectionEngine:"strelka"'
+ IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"strelka" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId'
 detection:
 showUnreviewedAiSummaries: false
 presets:
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 06f562a6a..14296dade 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
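Review bot: The added `default:` line under `suricata:` carries no value, so unless the `IntegrityFailure` entry that follows is indented beneath it (indentation is not recoverable from this collapsed hunk) it parses as `default: null`, and a status that falls back to it would resolve to a null query rather than a string; either give it a query or leave the key out until one exists. Because `detectionEngineStatusQueries` is now a `|` block scalar, the loader that reads defaults.yaml no longer checks the nested structure at all, and a malformed edit made in the config screen only surfaces when the UI parses the text. The UI-side parser should therefore validate the shape (engine name → status or `default` → query string) and surface a visible error instead of silently dropping entries. A comment above the key in defaults.yaml stating that shape, e.g. `# YAML text parsed by the UI: <engine>: { <status> | default: <query> }`, would help anyone editing it; it must sit above the key, since a `#` line inside the block scalar becomes part of the value.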
@@ -464,9 +464,11 @@ soc:
 detections:
 <<: *appSettings
 detectionEngineStatusQueries:
- description: Queries mapped to the detection engine status.
+ description: Queries mapped to the detection engine statuses. Acceptable statuses are "Migrating", "Importing", "MigrationFailure", "IntegrityFailure", "SyncFailure", "ImportPending", "Syncing", and "Healthy" and will fallback to a "default" entry if specified.
 global: True
- forcedType: "{}"
+ syntax: yaml
+ multiline: True
+ forcedType: "string"
 detection:
 showUnreviewedAiSummaries:
 description: Show AI summaries in detections even if they have not yet been reviewed by a human.
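Review bot: The new description lists the accepted statuses but not the shape of the text the user is expected to type, which matters more now that `forcedType: "string"` replaces the `"{}"` hint that previously signalled a mapping; it should say that the top-level keys are engine names (`suricata`, `elastalert`, `strelka`), each mapping a status, or `default`, to a single query string, and that an unparseable edit disables the lookup. The phrase "will fallback to" should read "will fall back to". As a point of style, the description is now one very long plain scalar; writing it as a `>-` folded block keeps each line within the usual length limit without changing the value.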