Add local custom Playbooks

salt/manager/init.sls

@@ -206,6 +206,7 @@ git_config_set_safe_dirs:
     - multivar:
       - /nsm/rules/custom-local-repos/local-sigma
       - /nsm/rules/custom-local-repos/local-yara
+      - /nsm/rules/custom-local-repos/local-playbooks
       - /nsm/securityonion-resources
       - /opt/so/conf/soc/ai_summary_repos/securityonion-resources
       - /nsm/airgap-resources/playbooks

salt/soc/config.sls

@@ -249,6 +249,22 @@ add_readme_custom_local_sigma_repo_template:
     - context:
         repo_type: "sigma"
 
+create_custom_local_playbooks_repo_template:
+  git.present:
+    - name: /nsm/rules/custom-local-repos/local-playbooks
+    - bare: False
+    - force: True
+
+add_readme_custom_local_playbooks_repo_template:
+  file.managed:
+    - name: /nsm/rules/custom-local-repos/local-playbooks/README
+    - source: salt://soc/files/soc/detections_custom_repo_template_readme.jinja
+    - user: 939
+    - group: 939
+    - template: jinja
+    - context:
+        repo_type: "playbooks"
+
 socore_own_custom_repos:
   file.directory:
     - name: /nsm/rules/custom-local-repos/

salt/soc/defaults.yaml

@@ -1487,10 +1487,14 @@ soc:
               - repo: https://github.com/Security-Onion-Solutions/securityonion-resources-playbooks
                 branch: main
                 folder: securityonion-normalized
+              - repo: file:///nsm/rules/custom-local-repos/local-playbooks
+                branch: main
             airgap:
               - repo: file:///nsm/airgap-resources/playbooks/securityonion-resources-playbooks
                 branch: main
                 folder: securityonion-normalized
+              - repo: file:///nsm/rules/custom-local-repos/local-playbooks
+                branch: main
         assistant:
           apiUrl: https://onionai.securityonion.net
         salt:

salt/soc/files/soc/detections_custom_repo_template_readme.jinja

@@ -91,4 +91,51 @@ Finally, commit it:
 
 The next time the Elastalert / Sigma engine syncs, the new rule should be imported
 If there are errors, review the sync log to troubleshoot further.
+
+{% elif repo_type == 'playbooks' %}
+# Playbooks Local Custom Repository
+
+This folder has already been initialized as a git repo 
+and your Security Onion grid is configured to import any Playbook files found here. 
+
+Just add your playbook file and commit it.
+
+For example:
+
+** Note: If this is your first time making changes to this repo, you may run into the following error:
+
+fatal: detected dubious ownership in repository at '/nsm/rules/custom-local-repos/local-playbooks'
+To add an exception for this directory, call:
+	git config --global --add safe.directory /nsm/rules/custom-local-repos/local-playbooks
+
+This means that the user you are running commands as does not match the user that is used for this git repo (socore).
+You will need to make sure your playbook files are accessible to the socore user, so either su to socore 
+or add the exception and then chown the playbook files later.
+
+Also, you will be asked to set some configuration:
+```
+Author identity unknown
+*** Please tell me who you are.
+Run
+  git config --global user.email "you@example.com"
+  git config --global user.name "Your Name"
+to set your account's default identity.
+Omit --global to set the identity only in this repository.
+```
+
+Run these commands, ommitting the `--global`.
+
+With that out of the way:
+
+First, create the playbook file with a .yml or .yaml extension:
+`vi my_custom_playbook.yml`
+
+Next, use git to stage the new playbook to be committed:
+`git add my_custom_playbook.yml`
+
+Finally, commit it:
+`git commit -m "Initial commit of my_custom_playbook.yml"`
+
+The next time SOC restarts, the new playbook should be imported
+If there are errors, review the SOC log to troubleshoot further.
 {% endif %}