From f66cca96ce935cd6ff1e95a5516514527018c387 Mon Sep 17 00:00:00 2001
From: DefensiveDepth
Date: Wed, 3 Apr 2024 16:17:29 -0400
Subject: [PATCH 1/2] YARA casing

---
 salt/soc/defaults.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 1d0eb0e38..9bb302057 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -2053,7 +2053,7 @@ soc:
 query: "so_detection.language:sigma"
 - name: "Detection Type - Sigma - Windows"
 query: 'so_detection.language:sigma AND so_detection.content: "*product: windows*"'
- - name: "Detection Type - Yara (Strelka)"
+ - name: "Detection Type - YARA (Strelka)"
 query: "so_detection.language:yara"
 - name: "Security Onion - Grid Detections"
 query: "so_detection.ruleset:securityonion-resources"

From 49d5fa95a2953638eb75da5dc39e8ad460012041 Mon Sep 17 00:00:00 2001
From: DefensiveDepth
Date: Thu, 4 Apr 2024 11:26:44 -0400
Subject: [PATCH 2/2] Detections tweaks

---
 salt/soc/defaults.yaml | 4 ++--
 salt/soc/merged.map.jinja | 5 +++++
 salt/soc/soc_soc.yaml | 5 +++++
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 9bb302057..603fc5910 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -2049,9 +2049,9 @@ soc:
 query: "so_detection.isEnabled:false"
 - name: "Detection Type - Suricata (NIDS)"
 query: "so_detection.language:suricata"
- - name: "Detection Type - Sigma - All"
+ - name: "Detection Type - Sigma (Elastalert) - All"
 query: "so_detection.language:sigma"
- - name: "Detection Type - Sigma - Windows"
+ - name: "Detection Type - Sigma (Elastalert) - Windows"
 query: 'so_detection.language:sigma AND so_detection.content: "*product: windows*"'
 - name: "Detection Type - YARA (Strelka)"
 query: "so_detection.language:yara"
diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja
index b2362a20e..4cd08a218 100644
--- a/salt/soc/merged.map.jinja
+++ b/salt/soc/merged.map.jinja
@@ -30,6 +30,11 @@
 {# since cases is not a valid soc config item and only used for the map files, remove it from being placed in the config #}
 {% do SOCMERGED.config.server.modules.pop('cases') %}
 
+{# do not automatically enable Sigma rules if install is Eval or Import #}
+{% if grains['role'] in ['so-eval', 'so-import'] %}
+ {% do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': ""}) %}
+{% endif %}
+
 {# remove these modules if detections is disabled #}
 {% if not SOCMERGED.config.server.client.detectionsEnabled %}
 {% do SOCMERGED.config.server.modules.pop('elastalertengine') %}
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index eae52e31b..ec3f68f3f 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -83,6 +83,11 @@ soc:
 global: True
 advanced: True
 helpLink: sigma.html
+ autoEnabledSigmaRules:
+ description: 'Sigma rules to automatically enable on initial import. Format is $Ruleset+$Level - for example, for the core community ruleset and critical level rules: core+critical'
+ global: True
+ advanced: True
+ helpLink: sigma.html
 denyRegex:
 description: 'Regex used to filter imported Sigma rules. Deny regex takes precedence over the Allow regex setting.'
 global: True
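Review bot: The `{% do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': ""}) %}` line acts on the already-merged config, so for the so-eval and so-import roles it replaces whatever an operator set for this key in pillar, and the comment above the `{% if grains['role'] ... %}` block does not say so. I would extend that comment to `{# Eval/Import: force autoEnabledSigmaRules to "" so no Sigma rules are auto-enabled; this overrides any pillar value for these roles #}`. It is also worth confirming that the elastalert engine reads an empty string as "auto-enable nothing" rather than "no filter", since nothing in this patch states what an empty value means. The update also assumes the `elastalertengine` key is present in the merged modules at this point; the later `pop('elastalertengine')` when detections are disabled runs after it, so the order is fine as long as the key always exists in the defaults.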
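Review bot: The `description` added for `autoEnabledSigmaRules` gives the `$Ruleset+$Level` format and one example but leaves open what an empty value means and whether more than one ruleset+level pair can be given (and how they are separated); the merged.map.jinja hunk in this same patch sets the key to `""` for Eval/Import installs, which suggests empty means nothing is auto-enabled, but an operator reading the UI cannot tell. I would extend the description with `Leave empty to auto-enable no rules.` and a sentence on multiple entries once the accepted separator is confirmed against the engine. Because that jinja override appears to discard the configured value on Eval and Import installs, a short `Ignored on Eval and Import installs, where no rules are auto-enabled.` in the description would stop the setting from looking editable there while being silently replaced.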