From e930d1dec62cd57a0615a8973b92e01ace0636d1 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 27 Feb 2025 11:28:06 -0500
Subject: [PATCH] roll back SOC changes
---
 salt/soc/soc_soc.yaml | 58 +++---------------------------------------
 1 file changed, 3 insertions(+), 55 deletions(-)
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index d8a00bbfd..fc336a2df 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -60,29 +60,16 @@ soc:
 - warn
 - error
 actions:
- description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. JavaScript Function or Links must be specified.
+ description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action.
 global: True
- syntax: json
 forcedType: "[]{}"
 uiElements:
- - field: name
- label: Name
- required: True
 - field: description
 label: Description
 - field: icon
 label: Icon
 - field: links
 label: Links
- multiline: True
- - field: jsCall
- label: JavaScript Function
- - field: target
- label: Target (_blank, _self, mynewtab)
- - field: categories
- label: Categories
- multiline: True
- forcedType: "[]string"
 eventFields:
 default: &eventFields
 description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left.
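Review bot: The rewritten `actions` description states that every object must contain a "name" key, yet the `uiElements` list that survives the rollback exposes only `description`, `icon` and `links`, so a user editing actions through the SOC UI form apparently has no field for the key the description calls mandatory. Either restore `- field: name` / `label: Name` / `required: True` ahead of `- field: description`, or reword the description to say where the name is set, whichever matches the consumer. The hunk keeps `forcedType: "[]{}"` while dropping `syntax: json`; if the forced type alone is what drives the editor that is fine, but it seems worth confirming rather than assuming. The `description` values here and in the `tools` and `queries` hunks below are single plain scalars well past 120 columns; a folded block (`description: >-`) keeps the same runtime string and makes future diffs readable.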
@@ -277,14 +264,6 @@ soc:
 global: True
 advanced: True
 forcedType: "[]{}"
- syntax: json
- uiElements:
- - field: community
- label: Community
- - field: license
- label: License
- - field: repo
- label: Repo
 helpLink: sigma.html
 airgap: *eerulesRepos
 sigmaRulePackages:
@@ -401,15 +380,6 @@ soc:
 advanced: True
 forcedType: "[]{}"
 helpLink: yara.html
- syntax: json
- uiElements:
- - field: community
- label: Community
- - field: license
- label: License
- - field: repo
- label: Repo
- helpLink: sigma.html
 airgap: *serulesRepos
 suricataengine:
 aiRepoUrl:
@@ -502,18 +472,10 @@ soc:
 description: List of external tools to remove from the SOC UI.
 global: True
 tools:
- description: List of available external tools visible in the SOC UI.
+ description: List of available external tools visible in the SOC UI. Each tool is defined in JSON object notation, and must include the "name" key and "link" key, where the link is the tool's URL.
 global: True
 advanced: True
 forcedType: "[]{}"
- syntax: json
- uiElements:
- - field: description
- label: Description
- - field: icon
- label: Icon
- - field: link
- label: Link
 hunt: &appSettings
 groupItemsPerPage:
 description: Default number of aggregations to show per page. Larger values consume more vertical area in the SOC UI.
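Review bot: The new `tools` description documents only the "name" and "link" keys, while the `uiElements` entries removed in the same hunk were the only place the `description` and `icon` keys were named, so on the new side those keys are undocumented. If the loader still reads them, extend the sentence, e.g. `... must include the "name" key and "link" key, where the link is the tool's URL; "description" and "icon" are optional.` — confirm against the SOC code that consumes this setting before wording it as fact. Since `link` is presented to analysts as a clickable URL, this description is also the natural place to state whether the UI restricts accepted URL schemes, if the consumer does so; verify before adding that.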
@@ -537,28 +499,14 @@ soc:
 description: Number of items to show in the most recently used queries list. Larger values cause default queries to be located further down the list.
 global: True
 queries:
- description: List of default queries to show in the query list. All entries must include the "name" key and "query" key.
+ description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key.
 global: True
 forcedType: "[]{}"
- syntax: json
- uiElements:
- - field: name
- label: Name
- - field: query
- label: Query
 queryToggleFilters:
 description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query.
 global: True
 advanced: True
 forcedType: "[]{}"
- syntax: json
- uiElements:
- - field: enabled
- label: Enabled
- - field: filter
- label: Filter
- - field: name
- label: Name
 alerts:
 <<: *appSettings
 maxBulkEscalateEvents:
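Review bot: After this rollback `queryToggleFilters` carries no statement of the keys each object must contain, unlike the neighbouring `queries` description which now spells out "name" and "query"; the removed `uiElements` (`enabled`, `filter`, `name`) were the only hint and are gone. If those remain the keys the loader reads, append to its description `Each filter is represented in JSON object notation and must include the "name", "filter" and "enabled" keys.` — verify against the consumer first. The `hunt: &appSettings` mapping opened in the previous hunk presumably encloses this one, and `alerts:` merges it through `<<: *appSettings`, so any wording chosen here would show under both views; the enclosing mapping starts outside this hunk.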