From ff04bb507a8204963138dab32224d101842fb5f6 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 30 Sep 2020 15:06:54 -0400
Subject: [PATCH] Remove default Elastalert rules to stop automated alerts from being sent to thehive

---
.../files/rules/so/suricata_thehive.yaml | 47 -------------------
.../files/rules/so/wazuh_thehive.yaml | 45 ------------------
salt/soc/files/soc/soc.json | 10 ++--
3 files changed, 7 insertions(+), 95 deletions(-)
delete mode 100644 salt/elastalert/files/rules/so/suricata_thehive.yaml
delete mode 100644 salt/elastalert/files/rules/so/wazuh_thehive.yaml

diff --git a/salt/elastalert/files/rules/so/suricata_thehive.yaml b/salt/elastalert/files/rules/so/suricata_thehive.yaml
deleted file mode 100644
index 74f62b547..000000000
--- a/salt/elastalert/files/rules/so/suricata_thehive.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-{% set es = salt['pillar.get']('global:managerip', '') %}
-{% set hivehost = salt['pillar.get']('global:managerip', '') %}
-{% set hivekey = salt['pillar.get']('global:hivekey', '') %}
-{% set MANAGER = salt['pillar.get']('global:url_base', '') %}
-
-# Elastalert rule to forward Suricata alerts from Security Onion to a specified TheHive instance.
-#
-es_host: {{es}}
-es_port: 9200
-name: Suricata-Alert
-type: any
-index: "*:so-ids-*"
-buffer_time:
- minutes: 5
-query_key: ["rule.uuid","source.ip","destination.ip"]
-realert:
- days: 1
-filter:
-- query:
- query_string:
- query: "event.module: suricata AND rule.severity:(1 OR 2)"
-
-alert: hivealerter
-
-hive_connection:
- hive_host: http://{{hivehost}}
- hive_port: 9000/thehive
- hive_apikey: {{hivekey}}
-
-hive_proxies:
- http: ''
- https: ''
-
-hive_alert_config:
- title: '{match[rule][name]}'
- type: 'NIDS'
- source: 'SecurityOnion'
- description: "`SOC Hunt Pivot:` \n\n \n\n `Kibana Dashboard Pivot:` \n\n \n\n `IPs: `{match[source][ip]}:{match[source][port]} --> {match[destination][ip]}:{match[destination][port]} \n\n `Signature:`{match[rule][rule]}"
- severity: 2
- tags: ['{match[rule][uuid]}','{match[source][ip]}','{match[destination][ip]}']
- tlp: 3
- status: 'New'
- follow: True
-
-hive_observable_data_mapping:
- - ip: '{match[source][ip]}'
- - ip: '{match[destination][ip]}'
diff --git a/salt/elastalert/files/rules/so/wazuh_thehive.yaml b/salt/elastalert/files/rules/so/wazuh_thehive.yaml
deleted file mode 100644
index 7e5c6e7c0..000000000
--- a/salt/elastalert/files/rules/so/wazuh_thehive.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-{% set es = salt['pillar.get']('global:managerip', '') %}
-{% set hivehost = salt['pillar.get']('global:managerip', '') %}
-{% set hivekey = salt['pillar.get']('global:hivekey', '') %}
-{% set MANAGER = salt['pillar.get']('global:url_base', '') %}
-
-# Elastalert rule to forward high level Wazuh alerts from Security Onion to a specified TheHive instance.
-#
-es_host: {{es}}
-es_port: 9200
-name: Wazuh-Alert
-type: any
-index: "*:so-ossec-*"
-buffer_time:
- minutes: 5
-realert:
- days: 1
-filter:
-- query:
- query_string:
- query: "event.module: ossec AND rule.level>=8"
-
-alert: hivealerter
-
-hive_connection:
- hive_host: http://{{hivehost}}
- hive_port: 9000/thehive
- hive_apikey: {{hivekey}}
-
-hive_proxies:
- http: ''
- https: ''
-
-hive_alert_config:
- title: '{match[rule][name]}'
- type: 'wazuh'
- source: 'SecurityOnion'
- description: "`SOC Hunt Pivot:` \n\n \n\n `Kibana Dashboard Pivot:` \n\n "
- severity: 2
- tags: ['{match[rule][id]}','{match[host][name]}']
- tlp: 3
- status: 'New'
- follow: True
-
-hive_observable_data_mapping:
- - other: '{match[host][name]}'
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index e9dba7c54..f2cab04e7 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -1,5 +1,6 @@
 {%- set MANAGERIP = salt['pillar.get']('global:managerip', '') -%}
 {%- set SENSORONIKEY = salt['pillar.get']('global:sensoronikey', '') -%}
+{%- set THEHIVEKEY = salt['pillar.get']('global:hivekey', '') -%}
 {% set FEATURES = salt['pillar.get']('elastic:features', False) %}
 {
 "logFilename": "/opt/sensoroni/logs/sensoroni-server.log",
@@ -24,7 +25,12 @@
 "statickeyauth": {
 "anonymousCidr": "172.17.0.0/24",
 "apiKey": "{{ SENSORONIKEY }}"
- }
+},
+ "thehive": {
+ "hostUrl": "http://{{ MANAGERIP }}:9000/thehive",
+ "key": "{{ THEHIVEKEY }}",
+ "verifyCert": false
+ }
 },
 "client": {
 "hunt": {
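Review bot: `"verifyCert": false` in the new `thehive` block disables certificate checking for a client that carries a TheHive API key, and the `hostUrl` it is paired with is plain `http://{{ MANAGERIP }}:9000/thehive`, so the key is sent with no transport authentication either way; anyone who later points `hostUrl` at an https endpoint still gets no identity check. If a manager-local plaintext connection is the intended default, make that an explicit, documented choice; otherwise ship `"verifyCert": true` and let deployments that use a self-signed certificate override it. Separately, `THEHIVEKEY` falls back to `''` when `global:hivekey` is absent from the pillar, so a misconfigured host silently renders `"key": ""` and the problem only appears as authentication failures at runtime — consider failing the render, or at least documenting that the pillar key is required.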
@@ -150,7 +156,6 @@
 "actions": [
 { "name": "", "description": "actionHuntHelp", "icon": "fa-search", "link": "/#/hunt?q=\"{value}\" | groupby event.module event.dataset", "target": "" },
 { "name": "", "description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}", "target": "" },
- { "name": "", "description": "actionAlertHelp", "icon": "fa-bell", "link": "/soctopus/thehive/alert/{eventId}", "target": "_blank" },
 { "name": "", "description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}", "target": "_blank" },
 { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "", "link": "https://www.virustotal.com/gui/search/{value}", "target": "_blank" }
 ]
@@ -185,7 +190,6 @@
 "actions": [
 { "name": "", "description": "actionHuntHelp", "icon": "fa-crosshairs", "link": "/#/hunt?q=\"{value}\" | groupby event.module event.dataset", "target": "_blank" },
 { "name": "", "description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}", "target": "_blank" },
- { "name": "", "description": "actionAlertHelp", "icon": "fa-bell", "link": "/soctopus/thehive/alert/{eventId}", "target": "_blank" },
 { "name": "", "description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}", "target": "_blank" },
 { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "", "link": "https://www.virustotal.com/gui/search/{value}", "target": "_blank" }
 ]