Add and Update IDH Plays

salt/idh/plays/idh_git.yml

@@ -0,0 +1,21 @@
+title: SO IDH - Git Clone Request
+id: 7e48bfa0-8175-4c0f-8f5a-a8b9a005a4c3
+status: experimental
+description: Detects when the Git service on a SO IDH node has had a git clone request.
+author: Security Onion Solutions
+license: MIT
+references: 
+  - https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
+  - https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
+logsource:
+  product: opencanary
+detection:
+  selection:
+    logtype:
+    - 16001
+  condition: selection
+falsepositives:
+  - None
+fields:
+  - source.ip
+level: critical