Merge pull request #12755 from Security-Onion-Solutions/2.4/detections-defaults

2.4/detections defaults
Josh Brower
2024-04-04 11:33:59 -04:00
committed by GitHub
3 changed files with 13 additions and 3 deletions


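--- a/FILE-1-PATH-NOT-ON-PAGE
+++ b/FILE-1-PATH-NOT-ON-PAGE
@@ -2122,11 +2122,11 @@ soc:
 query: "so_detection.isEnabled:false"
 - name: "Detection Type - Suricata (NIDS)"
 query: "so_detection.language:suricata"
-- name: "Detection Type - Sigma - All"
+- name: "Detection Type - Sigma (Elastalert) - All"
 query: "so_detection.language:sigma"
-- name: "Detection Type - Sigma - Windows"
+- name: "Detection Type - Sigma (Elastalert) - Windows"
 query: 'so_detection.language:sigma AND so_detection.content: "*product: windows*"'
-- name: "Detection Type - Yara (Strelka)"
+- name: "Detection Type - YARA (Strelka)"
 query: "so_detection.language:yara"
 - name: "Security Onion - Grid Detections"
 query: "so_detection.ruleset:securityonion-resources"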


@@ -30,6 +30,11 @@
{# since cases is not a valid soc config item and only used for the map files, remove it from being placed in the config #} {# since cases is not a valid soc config item and only used for the map files, remove it from being placed in the config #}
{% do SOCMERGED.config.server.modules.pop('cases') %} {% do SOCMERGED.config.server.modules.pop('cases') %}
{# do not automatically enable Sigma rules if install is Eval or Import #}
{% if grains['role'] in ['so-eval', 'so-import'] %}
{% do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': ""}) %}
{% endif %}
{# remove these modules if detections is disabled #} {# remove these modules if detections is disabled #}
{% if not SOCMERGED.config.server.client.detectionsEnabled %} {% if not SOCMERGED.config.server.client.detectionsEnabled %}
{% do SOCMERGED.config.server.modules.pop('elastalertengine') %} {% do SOCMERGED.config.server.modules.pop('elastalertengine') %}
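Review bot: The override on lines 31–32 replaces any operator-supplied autoEnabledSigmaRules with the empty string on so-eval and so-import nodes, but the comment on line 30 only says that auto-enabling is skipped; it does not say that "" is the sentinel meaning "none" nor that a pillar value for this key is discarded, so a reader of the rendered config cannot tell a deliberate override from a missing value. I would extend the comment to `{# do not automatically enable Sigma rules if install is Eval or Import: autoEnabledSigmaRules is forced to "" (empty = none), overriding any pillar value #}`. Whether the engine treats "" as "no rules" rather than as a malformed $Ruleset+$Level entry is not visible here and should be confirmed against the consumer before the sentinel is documented as such. The Jinja statements in this hunk are flat, so nothing in the new block is cut by the hunk boundary.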


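--- a/FILE-3-PATH-NOT-ON-PAGE
+++ b/FILE-3-PATH-NOT-ON-PAGE
@@ -88,6 +88,11 @@ soc:
 global: True
 advanced: True
 helpLink: sigma.html
+autoEnabledSigmaRules:
+description: 'Sigma rules to automatically enable on initial import. Format is $Ruleset+$Level - for example, for the core community ruleset and critical level rules: core+critical'
+global: True
+advanced: True
+helpLink: sigma.html
 denyRegex:
 description: 'Regex used to filter imported Sigma rules. Deny regex takes precedence over the Allow regex setting.'
 global: True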
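Review bot: The description on line 45 gives one `$Ruleset+$Level` example but does not say whether several entries may be listed and how they are separated, nor that an empty value disables auto-enabling (which is how the eval/import override in this same PR uses it), and those are the first things an operator editing this advanced setting will need to know. I would append `Leave empty to disable automatic enabling.` to the description and add one sentence on multiple entries once the separator is confirmed from the engine's parser, since the value determines which detections start firing after import. If the annotation schema supports an input-validation pattern, constraining the value to the documented shape would surface typos at configuration time rather than after rules have been imported. The enclosing `soc:` mapping starts above the hunk.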