Merge pull request #12956 from Security-Onion-Solutions/jertel/testcy

test regexes for detections
2025-12-06 09:12:45 +01:00 · 2024-05-07 08:45:38 -07:00
parent bc24227732 4ebe070cd8
commit b4817fa062
3 changed files with 17 additions and 0 deletions
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -132,6 +132,7 @@ soc:
            description: Duration (in milliseconds) to wait for a response from the Elasticsearch host before giving up and showing an error on the SOC UI.
            global: True
            advanced: True
+            forcedType: int
          casesEnabled:
            description: Set to true if the SOC case management module, natively integrated with Elasticsearch, should be enabled.
            global: True
@@ -176,10 +177,12 @@ soc:
            description: Duration (in milliseconds) to wait for a response from the Salt API when executing tasks known for being long running before giving up and showing an error on the SOC UI.
            global: True
            advanced: True
+            forcedType: int
          relayTimeoutMs:
            description: Duration (in milliseconds) to wait for a response from the Salt API when executing common grid management tasks before giving up and showing an error on the SOC UI.
            global: True
            advanced: True
+            forcedType: int
        strelkaengine:
          allowRegex:
            description: 'Regex used to filter imported YARA rules. Deny regex takes precedence over the Allow regex setting.'
@@ -233,17 +236,21 @@ soc:
          description: Duration (in milliseconds) to wait for a response from the SOC server API before giving up and showing an error on the SOC UI.
          global: True
          advanced: True
+          forcedType: int
        webSocketTimeoutMs:
          description: Duration (in milliseconds) to wait for a response from the SOC server websocket before giving up and reconnecting.
          global: True
          advanced: True
+          forcedType: int
        tipTimeoutMs:
          description: Duration (in milliseconds) to show the popup tips, which typically indicate a successful operation.
          global: True
+          forcedType: int
        cacheExpirationMs:
          description: Duration (in milliseconds) of cached data within the browser, including users and settings.
          global: True
          advanced: True
+          forcedType: int
        casesEnabled:
          description: Set to true to enable case management in SOC.
          global: True
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1257,6 +1257,13 @@ soc_pillar() {
 		"  config:"\
 		"    server:"\
 		"      srvKey: '$SOCSRVKEY'"\
+		"      modules:"\
+		"        elastalertengine:"\
+		"          allowRegex: '$ELASTALERT_ALLOW_REGEX'"\
+		"        strelkaengine:"\
+		"          allowRegex: '$STRELKA_ALLOW_REGEX'"\
+		"        suricataengine:"\
+		"          allowRegex: '$SURICATA_ALLOW_REGEX'"\
 		"" > "$soc_pillar_file"

 	if [[ $telemetry -ne 0 ]]; then
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -245,6 +245,9 @@ if [ -n "$test_profile" ]; then
 	WEBUSER=onionuser@somewhere.invalid
 	WEBPASSWD1=0n10nus3r
 	WEBPASSWD2=0n10nus3r
+	STRELKA_ALLOW_REGEX="EquationGroup_Toolset_Apr17__ELV_.*"
+	ELASTALERT_ALLOW_REGEX="Security Onion"
+	SURICATA_ALLOW_REGEX="200033\\d"

 	update_sudoers_for_testing
 fi