From a5ae481ea4db1a9cf2e5ea22142bb5b5eb61b4a0 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 26 Feb 2025 13:10:57 -0500
Subject: [PATCH 01/30] globals

---
 salt/global/soc_global.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/salt/global/soc_global.yaml b/salt/global/soc_global.yaml
index 5a349a3c3..15cae92b3 100644
--- a/salt/global/soc_global.yaml
+++ b/salt/global/soc_global.yaml
@@ -12,11 +12,18 @@ global:
 mdengine:
 description: Which engine to use for meta data generation. Options are ZEEK and SURICATA.
 regex: ^(ZEEK|SURICATA)$
+ options:
+ - ZEEK
+ - SURICATA
 regexFailureMessage: You must enter either ZEEK or SURICATA.
 global: True
 pcapengine:
 description: Which engine to use for generating pcap. Options are STENO, SURICATA or TRANSITION.
 regex: ^(STENO|SURICATA|TRANSITION)$
+ options:
+ - STENO
+ - SURICATA
+ - TRANSITION
 regexFailureMessage: You must enter either STENO, SURICATA or TRANSITION.
 global: True
 ids:
@@ -38,6 +45,9 @@ global:
 pipeline:
 description: Sets which pipeline technology for events to use. Currently only Redis is fully supported. Kafka is experimental and requires a Security Onion Pro license.
 regex: ^(REDIS|KAFKA)$
+ options:
+ - REDIS
+ - KAFKA
 regexFailureMessage: You must enter either REDIS or KAFKA.
 global: True
 advanced: True
From ee1af39c556a7c31c4ef36b1555c3ff1bb4aa2ec Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 26 Feb 2025 13:17:08 -0500
Subject: [PATCH 02/30] elastalert

---
 salt/elastalert/soc_elastalert.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/salt/elastalert/soc_elastalert.yaml b/salt/elastalert/soc_elastalert.yaml
index 764ec87fc..2ce04307b 100644
--- a/salt/elastalert/soc_elastalert.yaml
+++ b/salt/elastalert/soc_elastalert.yaml
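Review bot: The new `options` lists restate the allowed set that `regex` already encodes for mdengine and pcapengine in the first hunk and for pipeline in the second, so the two can drift: a value added to one and not the other is either offered by the picker yet rejected by validation, or accepted by validation yet invisible in the picker. If the consumer derives one from the other this is harmless, but nothing on the page shows that, and the `regexFailureMessage` text spells the set out by hand a third time. A one-line comment above each new list, `# keep in sync with the regex and regexFailureMessage above`, would at least make the coupling visible to the next editor.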
@@ -1,5 +1,6 @@
 elastalert:
 enabled:
+ forcedType: bool
 description: Enables or disables the ElastAlert 2 process. This process is critical for ensuring alerts arrive in SOC, and for outbound notification delivery.
 helpLink: elastalert.html
 alerter_parameters:
From 6fec2170689683002a50d712d61b85118468b26f Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 26 Feb 2025 13:34:32 -0500
Subject: [PATCH 03/30] actions

---
 .../soc_elastic-fleet-package-registry.yaml | 1 +
 salt/elasticagent/soc_elasticagent.yaml | 1 +
 salt/elasticfleet/soc_elasticfleet.yaml | 1 +
 salt/soc/soc_soc.yaml | 7 +++++++
 4 files changed, 10 insertions(+)

diff --git a/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml b/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml
index 3d8a2112b..4a544fbc6 100644
--- a/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml
+++ b/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml
@@ -1,4 +1,5 @@
 elastic_fleet_package_registry:
 enabled:
+ forcedType: bool
 description: Enables or disables the Fleet package registry process. This process must remain enabled to allow Elastic Agent packages to be updated.
 advanced: True
diff --git a/salt/elasticagent/soc_elasticagent.yaml b/salt/elasticagent/soc_elasticagent.yaml
index a24ac1985..4632ae946 100644
--- a/salt/elasticagent/soc_elasticagent.yaml
+++ b/salt/elasticagent/soc_elasticagent.yaml
@@ -1,4 +1,5 @@
 elasticagent:
 enabled:
+ forcedType: bool
 description: Enables or disables the Elastic Agent process. This process must remain enabled to allow collection of node events.
 advanced: True
diff --git a/salt/elasticfleet/soc_elasticfleet.yaml b/salt/elasticfleet/soc_elasticfleet.yaml
index 7ca59401f..8ec558d37 100644
--- a/salt/elasticfleet/soc_elasticfleet.yaml
+++ b/salt/elasticfleet/soc_elasticfleet.yaml
@@ -3,6 +3,7 @@ elasticfleet:
 description: Enables or disables the Elastic Fleet process. This process is critical for managing Elastic Agents.
 advanced: True
 helpLink: elastic-fleet.html
+ forcedType: bool
 enable_manager_output:
 description: Setting this option to False should only be considered if there is at least one receiver node in the grid. If True, Elastic Agent will send events to the manager and receivers. If False, events will only be send to the receivers.
 advanced: True
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index d7fcd9644..332662c09 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -63,6 +63,13 @@ soc:
 description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action.
 global: True
 forcedType: "[]{}"
+ uiElements:
+ - field: description
+ label: Description
+ - field: icon
+ label: Icon
+ - field: links
+ label: Links
 eventFields:
 default: &eventFields
 description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left.
From 2bc2e86b01ec2589a5343e0457798cc30b2706fe Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 26 Feb 2025 13:36:16 -0500
Subject: [PATCH 04/30] actions

---
 salt/soc/soc_soc.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 332662c09..fc336a2df 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -64,12 +64,12 @@ soc:
 global: True
 forcedType: "[]{}"
 uiElements:
- - field: description
- label: Description
- - field: icon
- label: Icon
- - field: links
- label: Links
+ - field: description
+ label: Description
+ - field: icon
+ label: Icon
+ - field: links
+ label: Links
 eventFields:
 default: &eventFields
 description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left.
From 6d7e0a7a72df924e637ae7f18338b4a6723384bd Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 26 Feb 2025 13:39:18 -0500
Subject: [PATCH 05/30] sensoroni

---
 salt/sensoroni/soc_sensoroni.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/salt/sensoroni/soc_sensoroni.yaml b/salt/sensoroni/soc_sensoroni.yaml
index 71a2c779b..325abf326 100644
--- a/salt/sensoroni/soc_sensoroni.yaml
+++ b/salt/sensoroni/soc_sensoroni.yaml
@@ -1,5 +1,6 @@
 sensoroni:
 enabled:
+ forcedType: bool
 description: Enable or disable the per-node SOC agent process. This process is used for performing node-related jobs and reporting node metrics back to SOC. Disabling this process is unsupported and will result in an improperly functioning grid.
 advanced: True
 helpLink: grid.html
From c5e0b8a42e352f74ab319bfb23167e2ce9513c73 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 26 Feb 2025 13:40:24 -0500
Subject: [PATCH 06/30] sensoroni

---
 salt/soc/soc_soc.yaml | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index fc336a2df..d7fcd9644 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -63,13 +63,6 @@ soc:
 description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action.
 global: True
 forcedType: "[]{}"
- uiElements:
- - field: description
- label: Description
- - field: icon
- label: Icon
- - field: links
- label: Links
 eventFields:
 default: &eventFields
 description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left.
From 101f6e744a1abed43218146124633896c6e1df87 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 26 Feb 2025 13:44:35 -0500
Subject: [PATCH 07/30] sensoroni

---
 salt/soc/soc_soc.yaml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index d7fcd9644..fc336a2df 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -63,6 +63,13 @@ soc:
 description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action.
 global: True
 forcedType: "[]{}"
+ uiElements:
+ - field: description
+ label: Description
+ - field: icon
+ label: Icon
+ - field: links
+ label: Links
 eventFields:
 default: &eventFields
 description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left.
From 0c2797ecdc81235e2b4f2c8ed3b34cf195692ba4 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 26 Feb 2025 13:49:30 -0500
Subject: [PATCH 08/30] soc

---
 salt/soc/soc_soc.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index fc336a2df..338356c05 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -62,6 +62,7 @@ soc:
 actions:
 description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action.
 global: True
+ syntax: json
 forcedType: "[]{}"
 uiElements:
 - field: description
From 25217c3262e14f7feb85344f7719a8233f331fc8 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 26 Feb 2025 14:14:25 -0500
Subject: [PATCH 09/30] soc

---
 salt/soc/soc_soc.yaml | 43 +++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 41 insertions(+), 2 deletions(-)

diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 338356c05..ec6177b65 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -60,7 +60,7 @@ soc:
 - warn
 - error
 actions:
- description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action.
+ description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records.
 global: True
 syntax: json
 forcedType: "[]{}"
@@ -265,6 +265,14 @@ soc:
 global: True
 advanced: True
 forcedType: "[]{}"
+ syntax: json
+ uiElements:
+ - field: community
+ label: Community
+ - field: license
+ label: License
+ - field: repo
+ label: Repo
 helpLink: sigma.html
 airgap: *eerulesRepos
 sigmaRulePackages:
@@ -381,6 +389,15 @@ soc:
 advanced: True
 forcedType: "[]{}"
 helpLink: yara.html
+ syntax: json
+ uiElements:
+ - field: community
+ label: Community
+ - field: license
+ label: License
+ - field: repo
+ label: Repo
+ helpLink: sigma.html
 airgap: *serulesRepos
 suricataengine:
 aiRepoUrl:
@@ -473,10 +490,18 @@ soc:
 description: List of external tools to remove from the SOC UI.
 global: True
 tools:
- description: List of available external tools visible in the SOC UI. Each tool is defined in JSON object notation, and must include the "name" key and "link" key, where the link is the tool's URL.
+ description: List of available external tools visible in the SOC UI.
 global: True
 advanced: True
 forcedType: "[]{}"
+ syntax: json
+ uiElements:
+ - field: description
+ label: Description
+ - field: icon
+ label: Icon
+ - field: link
+ label: Link
 hunt: &appSettings
 groupItemsPerPage:
 description: Default number of aggregations to show per page. Larger values consume more vertical area in the SOC UI.
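Review bot: The `@@ -381` hunk adds `helpLink: sigma.html` to the yara repos entry that already carries `helpLink: yara.html` three lines above it, so the same mapping now holds the key twice; YAML 1.2 forbids duplicate keys and most loaders silently keep the last one, which would send the yara settings to the Sigma help page. The added line reads like a carry-over from the `@@ -265` hunk, where `helpLink: sigma.html` is the pre-existing context line; drop it here, since `helpLink: yara.html` already covers this entry. Indentation is not recoverable from this rendering, so whether the line was meant to sit under a uiElements item instead is inferred, but even there it would be a field-level key the rest of the file never uses. The settings entry this mapping belongs to starts above the hunk.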
@@ -503,11 +528,25 @@ soc:
 description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key.
 global: True
 forcedType: "[]{}"
+ syntax: json
+ uiElements:
+ - field: name
+ label: Name
+ - field: query
+ label: Query
 queryToggleFilters:
 description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query.
 global: True
 advanced: True
 forcedType: "[]{}"
+ syntax: json
+ uiElements:
+ - field: enabled
+ label: Enabled
+ - field: filter
+ label: Filter
+ - field: name
+ label: Name
 alerts:
 <<: *appSettings
 maxBulkEscalateEvents:
From 8bc500e4daa0e1c0cca94eca3e7e9b9929c033cb Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 26 Feb 2025 14:16:42 -0500
Subject: [PATCH 10/30] soc

---
 salt/soc/soc_soc.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index ec6177b65..103d13d6e 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -525,7 +525,7 @@ soc:
 description: Number of items to show in the most recently used queries list. Larger values cause default queries to be located further down the list.
 global: True
 queries:
- description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key.
+ description: List of default queries to show in the query list. All entries must include the "name" key and "query" key.
 global: True
 forcedType: "[]{}"
 syntax: json
From 6c00cdd726f7742f64eb22891570a22aeadeefd0 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 26 Feb 2025 16:15:00 -0500
Subject: [PATCH 11/30] Fix healthlink

---
 salt/soc/soc_soc.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 103d13d6e..6b00d512b 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -397,7 +397,7 @@ soc:
 label: License
 - field: repo
 label: Repo
- helpLink: sigma.html
+ helpLink: sigma.html
 airgap: *serulesRepos
 suricataengine:
 aiRepoUrl:
From 3ba82bd5a47d3a71ca188db2b8e135698f33455e Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 27 Feb 2025 11:04:47 -0500
Subject: [PATCH 12/30] Fix actions

---
 salt/soc/soc_soc.yaml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 6b00d512b..d061dd65e 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -65,12 +65,19 @@ soc:
 syntax: json
 forcedType: "[]{}"
 uiElements:
+ - field: name
+ label: Name
+ required: True
 - field: description
 label: Description
 - field: icon
 label: Icon
 - field: links
 label: Links
+ multiline: True
+ required: True
+ - field: target
+ label: Target (_blank, _self, mynewtab)
 eventFields:
 default: &eventFields
 description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left.
From d950e4ebb3136abfb5af3785741dcbc71c1ee0f8 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 27 Feb 2025 11:11:56 -0500
Subject: [PATCH 13/30] Add additional entries for actions

---
 salt/soc/soc_soc.yaml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index d061dd65e..73ed72f2a 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -60,7 +60,7 @@ soc:
 - warn
 - error
 actions:
- description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records.
+ description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. JavaScript Function or Links must be specified.
 global: True
 syntax: json
 forcedType: "[]{}"
@@ -75,9 +75,13 @@ soc:
 - field: links
 label: Links
 multiline: True
- required: True
+ - field: jsCall
+ label: JavaScript Function
 - field: target
- label: Target (_blank, _self, mynewtab)
+ label: Target (_blank, _self, mynewtab)
+ - field: categories
+ label: Categories
+ multiline: True
 eventFields:
 default: &eventFields
 description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left.
From 1d3bae4a7acbf10a90074c5a382a52d3fc0dfd78 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 27 Feb 2025 11:15:51 -0500
Subject: [PATCH 14/30] Add additional entries for actions

---
 salt/soc/soc_soc.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 73ed72f2a..d8a00bbfd 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
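Review bot: The new `jsCall` element in the `@@ -75` hunk takes free text for what its label calls a JavaScript Function and carries no `regex`, so whatever string an administrator saves is stored as the name of client-side code for the UI to invoke (how the UI resolves that name is not visible here). Constrain it at the settings layer, e.g. `regex: ^[A-Za-z_][A-Za-z0-9_.]*$` with a matching `regexFailureMessage`, the same per-element validation the series later gives `showSubtitle`, so a typo or a pasted expression is rejected at save time rather than surfacing at click time. Dropping `required: True` from `links` also leaves neither `links` nor `jsCall` mandatory; the first hunk's description now says one of them must be given, but nothing in the hunk enforces it, so that rule rests entirely on the consumer. The enclosing `actions` entry begins above the second hunk.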
@@ -81,7 +81,8 @@ soc:
 label: Target (_blank, _self, mynewtab)
 - field: categories
 label: Categories
- multiline: True
+ multiline: True
+ forcedType: "[]string"
 eventFields:
 default: &eventFields
 description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left.
From e930d1dec62cd57a0615a8973b92e01ace0636d1 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 27 Feb 2025 11:28:06 -0500
Subject: [PATCH 15/30] roll back SOC changes

---
 salt/soc/soc_soc.yaml | 58 +++----------------------------------------
 1 file changed, 3 insertions(+), 55 deletions(-)

diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index d8a00bbfd..fc336a2df 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -60,29 +60,16 @@ soc:
 - warn
 - error
 actions:
- description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. JavaScript Function or Links must be specified.
+ description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action.
 global: True
- syntax: json
 forcedType: "[]{}"
 uiElements:
- - field: name
- label: Name
- required: True
 - field: description
 label: Description
 - field: icon
 label: Icon
 - field: links
 label: Links
- multiline: True
- - field: jsCall
- label: JavaScript Function
- - field: target
- label: Target (_blank, _self, mynewtab)
- - field: categories
- label: Categories
- multiline: True
- forcedType: "[]string"
 eventFields:
 default: &eventFields
 description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left.
@@ -277,14 +264,6 @@ soc:
 global: True
 advanced: True
 forcedType: "[]{}"
- syntax: json
- uiElements:
- - field: community
- label: Community
- - field: license
- label: License
- - field: repo
- label: Repo
 helpLink: sigma.html
 airgap: *eerulesRepos
 sigmaRulePackages:
@@ -401,15 +380,6 @@ soc:
 advanced: True
 forcedType: "[]{}"
 helpLink: yara.html
- syntax: json
- uiElements:
- - field: community
- label: Community
- - field: license
- label: License
- - field: repo
- label: Repo
- helpLink: sigma.html
 airgap: *serulesRepos
 suricataengine:
 aiRepoUrl:
@@ -502,18 +472,10 @@ soc:
 description: List of external tools to remove from the SOC UI.
 global: True
 tools:
- description: List of available external tools visible in the SOC UI.
+ description: List of available external tools visible in the SOC UI. Each tool is defined in JSON object notation, and must include the "name" key and "link" key, where the link is the tool's URL.
 global: True
 advanced: True
 forcedType: "[]{}"
- syntax: json
- uiElements:
- - field: description
- label: Description
- - field: icon
- label: Icon
- - field: link
- label: Link
 hunt: &appSettings
 groupItemsPerPage:
 description: Default number of aggregations to show per page. Larger values consume more vertical area in the SOC UI.
@@ -537,28 +499,14 @@ soc:
 description: Number of items to show in the most recently used queries list. Larger values cause default queries to be located further down the list.
 global: True
 queries:
- description: List of default queries to show in the query list. All entries must include the "name" key and "query" key.
+ description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key.
 global: True
 forcedType: "[]{}"
- syntax: json
- uiElements:
- - field: name
- label: Name
- - field: query
- label: Query
 queryToggleFilters:
 description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query.
 global: True
 advanced: True
 forcedType: "[]{}"
- syntax: json
- uiElements:
- - field: enabled
- label: Enabled
- - field: filter
- label: Filter
- - field: name
- label: Name
 alerts:
 <<: *appSettings
 maxBulkEscalateEvents:
From 9d31050907a03efbc535cd3ba84c7d916c47f611 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 27 Feb 2025 11:32:59 -0500
Subject: [PATCH 16/30] roll back SOC changes

---
 salt/soc/soc_soc.yaml | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index fc336a2df..d7fcd9644 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -63,13 +63,6 @@ soc:
 description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action.
 global: True
 forcedType: "[]{}"
- uiElements:
- - field: description
- label: Description
- - field: icon
- label: Icon
- - field: links
- label: Links
 eventFields:
 default: &eventFields
 description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left.
From 4b5048bd804addddcaf017ee1cb16bf3afb45f84 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 27 Feb 2025 11:57:57 -0500
Subject: [PATCH 17/30] Add hunt queries

---
 salt/soc/soc_soc.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index d7fcd9644..ff2a0a4ad 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -495,6 +495,18 @@ soc:
 description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key.
 global: True
 forcedType: "[]{}"
+ uiElements:
+ - field: name
+ label: Name
+ required: True
+ - field: description
+ label: Description
+ - field: query
+ label: Query
+ required: True
+ - field: showSubtitle
+ label: Show Query in Dropdown. Must be true or false
+ regex: ^(true|false)$
 queryToggleFilters:
 description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query.
 global: True
From 40303c2d7816801062b2158799a07c4824a1d31d Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 27 Feb 2025 12:10:59 -0500
Subject: [PATCH 18/30] Add hunt queries

---
 salt/soc/soc_soc.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index ff2a0a4ad..87d3c0ab5 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -506,7 +506,6 @@ soc:
 required: True
 - field: showSubtitle
 label: Show Query in Dropdown. Must be true or false
- regex: ^(true|false)$
 queryToggleFilters:
 description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query.
 global: True
From 1fdbe987b8371a040067a2a565fa30cae4354ff0 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 27 Feb 2025 12:15:37 -0500
Subject: [PATCH 19/30] Add hunt queries

---
 salt/soc/soc_soc.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 87d3c0ab5..7566d99af 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -494,7 +494,7 @@ soc:
 queries:
 description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key.
 global: True
- forcedType: "[]{}"
+ forcedType: json
 uiElements:
 - field: name
 label: Name
@@ -506,6 +506,7 @@ soc:
 required: True
 - field: showSubtitle
 label: Show Query in Dropdown. Must be true or false
+ regex: ^(true|false)$
 queryToggleFilters:
 description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query.
 global: True
From a0944f83593f2738d4a05b286c71fce8eb326239 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 27 Feb 2025 12:17:57 -0500
Subject: [PATCH 20/30] Add hunt queries

---
 salt/soc/soc_soc.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 7566d99af..b4f724b38 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -494,7 +494,8 @@ soc:
 queries:
 description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key.
 global: True
- forcedType: json
+ forcedType: "[]{}"
+ syntax: json
 uiElements:
 - field: name
 label: Name
From 4696152f7860212f358a7e3fa95dea100ae0836a Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 27 Feb 2025 12:31:51 -0500
Subject: [PATCH 21/30] Add hunt queries

---
 salt/soc/soc_soc.yaml | 13 -------------
 1 file changed, 13 deletions(-)

diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index b4f724b38..d7fcd9644 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -495,19 +495,6 @@ soc:
 description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key.
 global: True
 forcedType: "[]{}"
- syntax: json
- uiElements:
- - field: name
- label: Name
- required: True
- - field: description
- label: Description
- - field: query
- label: Query
- required: True
- - field: showSubtitle
- label: Show Query in Dropdown. Must be true or false
- regex: ^(true|false)$
 queryToggleFilters:
 description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query.
 global: True
From 2ffaf2f6019f1cd88e363353d95c8ac6e489e385 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 27 Feb 2025 12:42:03 -0500
Subject: [PATCH 22/30] Add hunt queries

---
 salt/soc/soc_soc.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index d7fcd9644..fef5ce382 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -495,6 +495,16 @@ soc:
 description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key.
 global: True
 forcedType: "[]{}"
+ syntax: json
+ uiElements:
+ - field: name
+ label: Name
+ required: True
+ - field: description
+ label: Description
+ - field: query
+ label: Query
+ required: True
 queryToggleFilters:
 description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query.
 global: True
From cf536469e68de10fbe6627873f3944a6615a58b4 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 5 Mar 2025 14:51:56 -0500
Subject: [PATCH 23/30] Some things I thought were bools are not bools

---
 salt/elastalert/soc_elastalert.yaml | 1 -
 .../soc_elastic-fleet-package-registry.yaml | 2 --
 salt/elasticagent/soc_elasticagent.yaml | 1 -
 salt/sensoroni/soc_sensoroni.yaml | 1 -
 4 files changed, 5 deletions(-)

diff --git a/salt/elastalert/soc_elastalert.yaml b/salt/elastalert/soc_elastalert.yaml
index 2ce04307b..764ec87fc 100644
--- a/salt/elastalert/soc_elastalert.yaml
+++ b/salt/elastalert/soc_elastalert.yaml
@@ -1,6 +1,5 @@
 elastalert:
 enabled:
- forcedType: bool
 description: Enables or disables the ElastAlert 2 process. This process is critical for ensuring alerts arrive in SOC, and for outbound notification delivery.
 helpLink: elastalert.html
 alerter_parameters:
diff --git a/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml b/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml
index 4a544fbc6..18645490d 100644
--- a/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml
+++ b/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml
@@ -1,5 +1,3 @@
 elastic_fleet_package_registry:
- enabled:
- forcedType: bool
 description: Enables or disables the Fleet package registry process. This process must remain enabled to allow Elastic Agent packages to be updated.
 advanced: True
diff --git a/salt/elasticagent/soc_elasticagent.yaml b/salt/elasticagent/soc_elasticagent.yaml
index 4632ae946..a24ac1985 100644
--- a/salt/elasticagent/soc_elasticagent.yaml
+++ b/salt/elasticagent/soc_elasticagent.yaml
@@ -1,5 +1,4 @@
 elasticagent:
 enabled:
- forcedType: bool
 description: Enables or disables the Elastic Agent process. This process must remain enabled to allow collection of node events.
 advanced: True
diff --git a/salt/sensoroni/soc_sensoroni.yaml b/salt/sensoroni/soc_sensoroni.yaml
index 325abf326..71a2c779b 100644
--- a/salt/sensoroni/soc_sensoroni.yaml
+++ b/salt/sensoroni/soc_sensoroni.yaml
@@ -1,6 +1,5 @@
 sensoroni:
 enabled:
- forcedType: bool
 description: Enable or disable the per-node SOC agent process. This process is used for performing node-related jobs and reporting node metrics back to SOC. Disabling this process is unsupported and will result in an improperly functioning grid.
 advanced: True
 helpLink: grid.html
From 72ffef94335c7a61ee92bfc0a0e9e64491144957 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 5 Mar 2025 14:52:54 -0500
Subject: [PATCH 24/30] Some things I thought were bools are not bools

---
 .../soc_elastic-fleet-package-registry.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml b/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml
index 18645490d..0624918b9 100644
--- a/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml
+++ b/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml
@@ -1,3 +1,4 @@
 elastic_fleet_package_registry:
+ - enabled:
 description: Enables or disables the Fleet package registry process. This process must remain enabled to allow Elastic Agent packages to be updated.
 advanced: True
From 67f9cd39db4f9e4ac58a95b813ba1b048b9a4d72 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 5 Mar 2025 14:53:29 -0500
Subject: [PATCH 25/30] Some things I thought were bools are not bools

---
 .../soc_elastic-fleet-package-registry.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml b/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml
index 0624918b9..3d8a2112b 100644
--- a/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml
+++ b/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml
@@ -1,4 +1,4 @@
 elastic_fleet_package_registry:
-  - enabled:
+  enabled:
     description: Enables or disables the Fleet package registry process. This process must remain enabled to allow Elastic Agent packages to be updated.
     advanced: True
From 945a467ec8c32c905a74ba3c809296887c3706a6 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 5 Mar 2025 14:54:17 -0500
Subject: [PATCH 26/30] Some things I thought were bools are not bools
---
 salt/elasticfleet/soc_elasticfleet.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/salt/elasticfleet/soc_elasticfleet.yaml b/salt/elasticfleet/soc_elasticfleet.yaml
index 8ec558d37..7ca59401f 100644
--- a/salt/elasticfleet/soc_elasticfleet.yaml
+++ b/salt/elasticfleet/soc_elasticfleet.yaml
@@ -3,7 +3,6 @@ elasticfleet:
     description: Enables or disables the Elastic Fleet process. This process is critical for managing Elastic Agents.
     advanced: True
     helpLink: elastic-fleet.html
-    forcedType: bool
   enable_manager_output:
     description: Setting this option to False should only be considered if there is at least one receiver node in the grid. If True, Elastic Agent will send events to the manager and receivers. If False, events will only be send to the receivers.
     advanced: True
From b01fb733a960944a7af005fa8344880ea0f5b6ff Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 5 Mar 2025 14:56:26 -0500
Subject: [PATCH 27/30] Some things I thought were bools are not bools
---
 salt/soc/soc_soc.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index fef5ce382..b4f724b38 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -505,6 +505,9 @@ soc:
             - field: query
               label: Query
               required: True
+            - field: showSubtitle
+              label: Show Query in Dropdown. Must be true or false
+              regex: ^(true|false)$
         queryToggleFilters:
           description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query.
           global: True
From b51aa56e86b68d9ca9e4cef8429eb9aa847092f6 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 5 Mar 2025 15:15:26 -0500
Subject: [PATCH 28/30] Some things I thought were bools are not bools
---
 salt/soc/soc_soc.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index b4f724b38..42c56ab52 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -506,8 +506,8 @@ soc:
               label: Query
               required: True
             - field: showSubtitle
-              label: Show Query in Dropdown. Must be true or false
-              regex: ^(true|false)$
+              label: Show Query in Dropdown.
+              forcedType: bool
         queryToggleFilters:
           description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query.
           global: True
From 3021ed5d36f7fce48560042d7111b100d1aa1dd8 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 5 Mar 2025 15:56:26 -0500
Subject: [PATCH 29/30] Add Actions
---
 salt/soc/soc_soc.yaml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 42c56ab52..480f8c5e7 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
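Review bot: In the PATCH 28 hunk, `label: Show Query in Dropdown.` keeps a trailing period that no other label in this uiElements list carries (`Query` directly above it), so the UI will render one field caption punctuated differently from its neighbours; write it as `label: Show Query in Dropdown`. Replacing `regex: ^(true|false)$` with `forcedType: bool` also drops the "Must be true or false" hint from the label, which is reasonable only if `forcedType: bool` renders a boolean control rather than a free-text box — the page does not show how the SOC UI treats it, so worth confirming once. The enclosing `queries` mapping and its `uiElements` list begin before this hunk.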
@@ -63,6 +63,31 @@ soc:
           description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action.
           global: True
           forcedType: "[]{}"
+          syntax: json
+          uiElements:
+            - field: description
+              label: Description
+            - field: icon
+              label: Icon
+            - field: links
+              label: Links
+              required: True
+              forcedType: "[]string"
+              multiline: True
+            - field: name
+              label: Name
+              required: True
+            - field: target
+              label: Target
+            - field: jscall
+              label: JavaScript Call
+            - field: category
+              label: Category
+              options:
+                - hunt
+                - alerts
+                - dashboards
+              forcedType: "[]string"
         eventFields:
           default: &eventFields
             description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left.
From 03ebc2d86e882d7a1ca28c0a7278b9d3e68cec45 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 5 Mar 2025 15:58:10 -0500
Subject: [PATCH 30/30] Add Actions
---
 salt/soc/soc_soc.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 480f8c5e7..8e6ba42a8 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -65,6 +65,9 @@ soc:
           forcedType: "[]{}"
           syntax: json
           uiElements:
+            - field: name
+              label: Name
+              required: True
             - field: description
               label: Description
             - field: icon
@@ -74,9 +77,6 @@ soc:
               required: True
               forcedType: "[]string"
               multiline: True
-            - field: name
-              label: Name
-              required: True
             - field: target
               label: Target
             - field: jscall
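Review bot: In the PATCH 29 hunk the `links`, `target` and `jscall` elements are added with a bare `label` and no `description`, `options` or `regex`, while `category` in the same list gets an `options` list; given that the parent `description` states `links` is a list of URLs the browser follows when a user clicks the action, and `jscall` is labelled "JavaScript Call", these are the two values an administrator most needs guidance on before saving them into a grid-wide (`global: True`) setting. At minimum give each a `description`, e.g. `description: URL templates opened when the action is clicked; one entry per line` for `links` and, for `jscall`, a sentence noting that the value is presumably executed client-side in the browser of whoever triggers the action (inferred from the label — confirm against the SOC UI code). If the UI honours only a fixed set of `target` values, an `options` list like the one on `category` would prevent typos there too. The enclosing `actions` mapping starts before this hunk.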