Add Sigma pipelines

2025-12-28 03:43:31 +01:00 · 2024-02-07 15:02:52 -05:00
parent 378c99ae88
commit b7b501d289
3 changed files with 38 additions and 0 deletions
--- a/salt/soc/final_sigma_pipeline.yaml
+++ b/salt/soc/final_sigma_pipeline.yaml
@@ -0,0 +1,7 @@
+name: Security Onion - Final Pipeline
+priority: 95
+transformations:
+    - id: override_field_name_mapping
+      type: field_name_mapping
+      mapping:
+        FieldNameToOverride: NewFieldName
--- a/salt/soc/so_sigma_pipeline.yaml
+++ b/salt/soc/so_sigma_pipeline.yaml
@@ -0,0 +1,18 @@
+name: Security Onion Baseline Pipeline
+priority: 90
+transformations:
+    - id: baseline_field_name_mapping
+      type: field_name_mapping
+      mapping:
+        cs-method: http.method
+        c-uri: http.uri
+        c-useragent: http.useragent
+        cs-version: http.version
+        uid: user.uid
+        sid: rule.uuid
+        answer: answers
+        query: dns.query.name
+        src_ip: destination.ip.keyword
+        src_port: source.port
+        dst_ip: destination.ip.keyword
+        dst_port: destination.port
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -32,6 +32,14 @@ soc:
        global: True
        advanced: True
        helpLink: soc-customization.html
+      final_sigma_pipeline__yaml:
+        title: Final Sigma Pipeline
+        description: Final Processing Pipeline for Sigma Rules
+        syntax: yaml
+        file: True
+        global: True
+        advanced: True
+        helpLink: soc-customization.html
  config:
    licenseKey:
      title: License Key
@@ -62,6 +70,11 @@ soc:
        global: True
        advanced: True
      modules:
+        elastalertengine:
+          sigmaRulePackages:
+            description: 'One of the following: core | core+ | core++ | all'
+            global: True
+            advanced: False
        elastic:
          index:
            description: Comma-separated list of indices or index patterns (wildcard "*" supported) that SOC will search for records.