Playbook - initial commit

salt/common/nginx/nginx.conf.so-eval

@@ -113,6 +113,31 @@ http {
 
         }
 
+        location /playbook/ {
+          proxy_pass http://{{ masterip }}:3200/playbook/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+	
+	
+        location /navigator/ {
+          auth_basic            "Security Onion";
+          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
+          proxy_pass http://{{ masterip }}:4200/navigator/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
         location /api/ {
           proxy_pass https://{{ masterip }}:8080/api/;
           proxy_read_timeout    90;

salt/firewall/init.sls

@@ -228,6 +228,28 @@ enable_master_osquery_8080_{{ip}}:
     - position: 1
     - save: True
 
+enable_master_playbook_3200_{{ip}}:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - proto: tcp
+    - source: {{ ip }}
+    - dport: 3200
+    - position: 1
+    - save: True
+    
+enable_master_navigator_4200_{{ip}}:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - proto: tcp
+    - source: {{ ip }}
+    - dport: 4200
+    - position: 1
+    - save: True
+
 {% endfor %}
 
 # Make it so all the minions can talk to salt and update etc.

salt/soctopus/files/SOCtopus.conf

@@ -45,5 +45,9 @@ rtir_creator = root
 slack_url = YOURSLACKWORKSPACE
 slack_webhook = YOURSLACKWEBHOOK
 
+[playbook]
+playbook_url = http://{{ip}}:3200/playbook
+playbook_key = a4a34538782804adfcb8dfae96262514ad70c37c
+
 [log]
 logfile = /tmp/soctopus.log

salt/soctopus/files/templates/generic.template

@@ -0,0 +1,41 @@
+{% set es = salt['pillar.get']('static:masterip', '') %}
+{% set hivehost = salt['pillar.get']('static:masterip', '') %}
+{% set hivekey = salt['pillar.get']('static:hivekey', '') %}
+es_host: {{es}}
+es_port: 9200
+name: Alert-Name
+type: frequency
+index: "*:logstash-*"
+num_events: 1
+timeframe:
+    minutes: 10
+buffer_time:
+    minutes: 10
+allow_buffer_time_overlap: true
+
+filter:
+- query:
+   query_string:
+      query: 'select from test'
+
+alert: modules.so.thehive.TheHiveAlerter
+
+hive_connection:
+  hive_host: https://{{hivehost}}/thehive/
+  hive_apikey: {{hivekey}}
+
+hive_proxies:
+  http: ''
+  https: ''
+
+hive_alert_config:
+  title: '{rule[name]}'
+  type: 'external'
+  source: 'SecurityOnion'
+  description: '`Data:` {match[message]}'
+  severity: 2
+  tags: ['elastalert', 'SecurityOnion']
+  tlp: 3
+  status: 'New'
+  follow: True
+  caseTemplate: '5000'

salt/soctopus/files/templates/osquery.template

@@ -0,0 +1,48 @@
+{% set es = salt['pillar.get']('static:masterip', '') %}
+{% set hivehost = salt['pillar.get']('static:masterip', '') %}
+{% set hivekey = salt['pillar.get']('static:hivekey', '') %}
+es_host: {{es}}
+es_port: 9200
+name: Alert-Name
+type: frequency
+index: "*:logstash-*"
+num_events: 1
+timeframe:
+    minutes: 10
+buffer_time:
+    minutes: 10
+allow_buffer_time_overlap: true
+
+filter:
+- query:
+   query_string:
+      query: 'select from test'
+
+alert: modules.so.thehive.TheHiveAlerter
+
+hive_connection:
+  hive_host: https://{{hivehost}}/thehive/
+  hive_apikey: {{hivekey}}
+
+hive_proxies:
+  http: ''
+  https: ''
+
+hive_alert_config:
+  title: '{rule[name]} -- {match[osquery][hostname]} -- {match[osquery][name]}'
+  type: 'external'
+  source: 'SecurityOnion'
+  description: '`Hostname:` __{match[osquery][hostname]}__  `Live Query:`__[Pivot Link](https://{{es}}/fleet/queries/new?host_uuids={match[osquery][LiveQuery]})__ `Pack:`  __{match[osquery][name]}__ `Data:` {match[osquery][columns]}'
+  severity: 2
+  tags: ['elastalert', 'SecurityOnion']
+  tlp: 3
+  status: 'New'
+  follow: True
+  caseTemplate: '5000'
+
+hive_observable_data_mapping:
+  - ip: '{match[osquery][EndpointIP1]}'
+  - ip: '{match[osquery][EndpointIP2]}'
+  - other: '{match[osquery][hostIdentifier]}'
+  - other: '{match[osquery][hostname]}'
+  - ip: '{match[osquery][columns][address]}'

salt/soctopus/init.sls

@@ -13,6 +13,21 @@ soctopussync:
     - group: 939
     - template: jinja
 
+playbookrulesdir:
+  file.directory:
+    - name: /opt/so/rules/elastalert/playbook
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+playbookrulessync:
+  file.recurse:
+    - name: /opt/so/rules/elastalert/playbook
+    - source: salt://soctopus/files/templates
+    - user: 939
+    - group: 939
+    - template: jinja
+
 so-soctopusimage:
   cmd.run:
     - name: docker pull --disable-content-trust=false soshybridhunter/so-soctopus:HH1.1.0
@@ -26,5 +41,6 @@ so-soctopus:
     - name: so-soctopus
     - binds:
       - /opt/so/conf/soctopus/SOCtopus.conf:/SOCtopus/SOCtopus.conf:ro
+      - /opt/so/rules/elastalert/playbook:/etc/playbook-rules:rw
     - port_bindings:
       - 0.0.0.0:7000:7000