From fc896049823685ad15a564a2832c353ab2dc6c29 Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Tue, 6 Aug 2024 11:23:00 -0600
Subject: [PATCH] New Config Values/Annotations for Ai Summaries

Each engine pulls the same repo into the same location and shows the summaries. Which repo and where to keep them is advanced, but turning AI summaries on or off is not.
---
 salt/soc/defaults.yaml | 9 +++++++++
 salt/soc/soc_soc.yaml | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+)

diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index b9cd3148d..2fac7dbb6 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1312,6 +1312,9 @@ soc:
 kratos:
 hostUrl:
 elastalertengine:
+ aiRepoUrl: https://github.com/Security-Onion-Solutions/securityonion-resources
+ aiRepoPath: /opt/sensoroni/repos
+ showAiSummaries: true
 autoUpdateEnabled: true
 autoEnabledSigmaRules:
 default:
@@ -1391,6 +1394,9 @@ soc:
 userFiles:
 - rbac/users_roles
 strelkaengine:
+ aiRepoUrl: https://github.com/Security-Onion-Solutions/securityonion-resources
+ aiRepoPath: /opt/sensoroni/repos
+ showAiSummaries: true
 autoEnabledYaraRules:
 - securityonion-yara
 autoUpdateEnabled: true
@@ -1412,6 +1418,9 @@ soc:
 stateFilePath: /opt/sensoroni/fingerprints/strelkaengine.state
 integrityCheckFrequencySeconds: 1200
 suricataengine:
+ aiRepoUrl: https://github.com/Security-Onion-Solutions/securityonion-resources
+ aiRepoPath: /opt/sensoroni/repos
+ showAiSummaries: true
 autoUpdateEnabled: true
 communityRulesImportFrequencySeconds: 86400
 communityRulesImportErrorSeconds: 300
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index da0f5de99..9ab329438 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
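Review bot: The new `aiRepoUrl` default points every engine at a remote GitHub repository while `showAiSummaries: true` enables the feature by default, so an install without outbound access will attempt the pull, and unlike the existing rule repositories (see the `airgap: *serulesRepos` context line in soc_soc.yaml) there is no airgap alternative for this repository. The same three keys are added identically under elastalertengine, strelkaengine and suricataengine in the -1312, -1391 and -1412 hunks, so any airgap handling needs to cover all three. I cannot see from these hunks how the pull is performed or what happens when the remote is unreachable, so that should be confirmed against the engine code; at minimum a comment above the first `aiRepoUrl` such as `# All three engines pull this repository; hosts without outbound HTTPS must set showAiSummaries: false or point aiRepoUrl at a local mirror` would make the operational dependency visible where the default is set.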
@@ -87,6 +87,17 @@ soc:
 global: True
 modules:
 elastalertengine:
+ aiRepoUrl:
+ description: URL to the AI repository. This is used to pull in AI models for use in ElastAlert rules.
+ global: True
+ advanced: True
+ aiRepoPath:
+ description: Path to the AI repository. This is used to pull in AI models for use in ElastAlert rules.
+ global: True
+ advanced: True
+ showAiSummaries:
+ description: Show AI summaries for ElastAlert rules.
+ global: True
 additionalAlerters:
 title: Additional Alerters
 description: Specify additional alerters to enable for all Sigma rules, one alerter name per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. Note that the configuration parameters for these alerters must be provided in the ElastAlert configuration section. Filter for 'Alerter' to find this related setting. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key.
@@ -193,6 +204,17 @@ soc:
 advanced: True
 forcedType: int
 strelkaengine:
+ aiRepoUrl:
+ description: URL to the AI repository. This is used to pull in AI models for use in ElastAlert rules.
+ global: True
+ advanced: True
+ aiRepoPath:
+ description: Path to the AI repository. This is used to pull in AI models for use in ElastAlert rules.
+ global: True
+ advanced: True
+ showAiSummaries:
+ description: Show AI summaries for ElastAlert rules.
+ global: True
 autoEnabledYaraRules:
 description: 'YARA rules to automatically enable on initial import. Format is $Ruleset - for example, for the default shipped ruleset: securityonion-yara'
 global: True
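Review bot: The `aiRepoUrl` and `aiRepoPath` descriptions in the -87 hunk say the repository is used to "pull in AI models", but the commit message and the `showAiSummaries` key describe it as the source of pre-generated summaries that are displayed, so the wording appears to misstate what is fetched; the same text recurs in the -193 and -216 hunks. The `showAiSummaries` description also does not tell the operator that enabling it causes a remote repository to be pulled, which is the fact they need when deciding whether to leave it on. Suggested wording: `description: Show AI-generated summaries for ElastAlert rules. When enabled, the repository configured in aiRepoUrl is pulled to aiRepoPath.`, with the URL and path descriptions changed from "AI models" to "AI summaries" if that is indeed the repository's content.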
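Review bot: The three descriptions added under strelkaengine in the -193 hunk still say "ElastAlert rules" — they were carried over from the elastalertengine block — so the Strelka settings will be presented in the UI as applying to the wrong engine. The Suricata block in the -216 hunk was adapted correctly, so these should follow it: `description: URL to the AI repository. This is used to pull in AI models for use in YARA rules.`, `description: Path to the AI repository. This is used to pull in AI models for use in YARA rules.` and `description: Show AI summaries for YARA rules.`.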
@@ -216,6 +238,17 @@ soc:
 helpLink: yara.html
 airgap: *serulesRepos
 suricataengine:
+ aiRepoUrl:
+ description: URL to the AI repository. This is used to pull in AI models for use in Suricata rules.
+ global: True
+ advanced: True
+ aiRepoPath:
+ description: Path to the AI repository. This is used to pull in AI models for use in Suricata rules.
+ global: True
+ advanced: True
+ showAiSummaries:
+ description: Show AI summaries for Suricata rules.
+ global: True
 communityRulesImportFrequencySeconds:
 description: 'How often to check for new Suricata rules (in seconds).'
 global: True