diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index fe190ea69..d756489e1 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1415,17 +1415,21 @@ soc: license: Elastic-2.0 folder: sigma/stable community: true + rulesetName: securityonion-resources - repo: file:///nsm/rules/custom-local-repos/local-sigma license: Elastic-2.0 community: false + rulesetName: local-sigma airgap: - repo: file:///nsm/rules/detect-sigma/repos/securityonion-resources license: Elastic-2.0 folder: sigma/stable community: true + rulesetName: securityonion-resources - repo: file:///nsm/rules/custom-local-repos/local-sigma license: Elastic-2.0 community: false + rulesetName: local-sigma sigmaRulePackages: - core - emerging_threats_addon @@ -1500,16 +1504,20 @@ soc: - repo: https://github.com/Security-Onion-Solutions/securityonion-yara license: DRL community: true + rulesetName: securityonion-yara - repo: file:///nsm/rules/custom-local-repos/local-yara license: Elastic-2.0 community: false + rulesetName: local-yara airgap: - repo: file:///nsm/rules/detect-yara/repos/securityonion-yara license: DRL community: true + rulesetName: securityonion-yara - repo: file:///nsm/rules/custom-local-repos/local-yara license: Elastic-2.0 community: false + rulesetName: local-yara yaraRulesFolder: /opt/sensoroni/yara/rules stateFilePath: /opt/sensoroni/fingerprints/strelkaengine.state integrityCheckFrequencySeconds: 1200 diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 91ab6e3c1..58560e89e 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -344,6 +344,23 @@ soc: advanced: True forcedType: "[]{}" helpLink: sigma.html + syntax: json + uiElements: + - field: rulesetName + label: Ruleset Name + - field: repo + label: Repo URL + required: True + - field: branch + label: Branch + - field: license + label: License + required: True + - field: folder + label: Folder + - field: community + label: Community + forcedType: bool airgap: *eerulesRepos sigmaRulePackages: description: 'Defines the Sigma Community Ruleset you want to run. One of these (core | core+ | core++ | all ) as well as an optional Add-on (emerging_threats_addon). Once you have changed the ruleset here, the new settings will be applied within 15 minutes. At that point, you will need to wait for the scheduled rule update to take place (by default, every 24 hours), or you can force the update by nagivating to Detections --> Options dropdown menu --> Elastalert --> Full Update. WARNING! Changing the ruleset will remove all existing non-overlapping Sigma rules of the previous ruleset and their associated overrides. This removal cannot be undone.' @@ -459,6 +476,23 @@ soc: advanced: True forcedType: "[]{}" helpLink: yara.html + syntax: json + uiElements: + - field: rulesetName + label: Ruleset Name + - field: repo + label: Repo URL + required: True + - field: branch + label: Branch + - field: license + label: License + required: True + - field: folder + label: Folder + - field: community + label: Community + forcedType: bool airgap: *serulesRepos suricataengine: aiRepoUrl: @@ -592,7 +626,7 @@ soc: label: Query required: True - field: showSubtitle - label: Show Query in Dropdown. + label: Show Query in Dropdown. forcedType: bool queryToggleFilters: description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query.