securityonion/salt/soc/merged.map.jinja

{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
   https://securityonion.net/license; you may not use this file except in compliance with the
   Elastic License 2.0. #}

{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'soc/defaults.map.jinja' import SOCDEFAULTS with context %}
{% from 'logstash/map.jinja' import LOGSTASH_NODES %}
{% from 'manager/map.jinja' import MANAGERMERGED %}
{% set DOCKER_EXTRA_HOSTS = LOGSTASH_NODES %}
{% do DOCKER_EXTRA_HOSTS.append({GLOBALS.influxdb_host:pillar.node_data[GLOBALS.influxdb_host].ip}) %}

{% set SOCMERGED = salt['pillar.get']('soc', SOCDEFAULTS, merge=true) %}

{% do SOCMERGED.config.server.update({'proxy': MANAGERMERGED.proxy}) %}
{% do SOCMERGED.config.server.update({'additionalCA': MANAGERMERGED.additionalCA}) %}
{% do SOCMERGED.config.server.update({'insecureSkipVerify': MANAGERMERGED.insecureSkipVerify}) %}

{# if SOCMERGED.config.server.modules.cases == httpcase details come from the soc pillar #}
{% if SOCMERGED.config.server.modules.cases != 'soc' %}
{%   do SOCMERGED.config.server.modules.elastic.update({'casesEnabled': false}) %}
{%   do SOCMERGED.config.server.client.update({'casesEnabled': false}) %}
{%   do SOCMERGED.config.server.client.hunt.update({'escalateRelatedEventsEnabled': false}) %}
{%   do SOCMERGED.config.server.client.alerts.update({'escalateRelatedEventsEnabled': false}) %}
{%   if SOCMERGED.config.server.modules.cases == 'elasticcases' %}
{%     do SOCMERGED.config.server.modules.update({
         'elasticcases': {
           'hostUrl': 'https://' ~ GLOBALS.manager_ip ~ ':5601',
           'username': GLOBALS.elasticsearch.auth.users.so_elastic_user.user,
           'password': GLOBALS.elasticsearch.auth.users.so_elastic_user.pass,
         }
       }) %}
{%   endif %}
{% endif %}
{# since cases is not a valid soc config item and only used for the map files, remove it from being placed in the config #}
{% do SOCMERGED.config.server.modules.pop('cases') %}

{# set Sigma rules based on role if defined and default if not #}
{% if GLOBALS.role in SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules %}
{%   do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules[GLOBALS.role]}) %}
{% else %}
{%   do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules.default}) %}
{% endif %}

{# set elastalertengine.rulesRepos and strelkaengine.rulesRepos based on airgap or not #}
{% if GLOBALS.airgap %}
{%   do SOCMERGED.config.server.modules.elastalertengine.update({'rulesRepos': SOCMERGED.config.server.modules.elastalertengine.rulesRepos.airgap}) %}
{%   do SOCMERGED.config.server.modules.strelkaengine.update({'rulesRepos': SOCMERGED.config.server.modules.strelkaengine.rulesRepos.airgap}) %}
{%   do SOCMERGED.config.server.update({'airgapEnabled': true}) %}
{% else %}
{%   do SOCMERGED.config.server.modules.elastalertengine.update({'rulesRepos': SOCMERGED.config.server.modules.elastalertengine.rulesRepos.default}) %}
{%   do SOCMERGED.config.server.modules.strelkaengine.update({'rulesRepos': SOCMERGED.config.server.modules.strelkaengine.rulesRepos.default}) %}
{%   do SOCMERGED.config.server.update({'airgapEnabled': false}) %}
{% endif %}

{# remove these modules if detections is disabled #}
{% if not SOCMERGED.config.server.client.detectionsEnabled %}
{%   do SOCMERGED.config.server.modules.pop('elastalertengine') %}
{%   do SOCMERGED.config.server.modules.pop('strelkaengine') %}
{%   do SOCMERGED.config.server.modules.pop('suricataengine') %}
{% elif pillar.global.airgap %}
  {# if system is Airgap, don't autoupdate Yara & Sigma rules #}
  {%   do SOCMERGED.config.server.modules.elastalertengine.update({'autoUpdateEnabled': false}) %}
  {%   do SOCMERGED.config.server.modules.strelkaengine.update({'autoUpdateEnabled': false}) %}
{% endif %}

{% set standard_actions = SOCMERGED.config.pop('actions') %}

{% if pillar.global.endgamehost != '' %}
{# this is added to prevent endgame_dict from being added to standard_actions for each time this file is rendered #}
{# since this map file is rendered 3 times, it causes endgame_dict to appened 3 times if custom actions are defined in the pillar #}
{%   set endgame = namespace(add=true) %}
{%   for d in standard_actions %}
{%     if d.name is defined %}
{%       if d.name == 'Endgame' %}
{%         set endgame.add = false %}
{%       endif %}
{%     endif %}
{%   endfor %}
{%   set endgame_dict = {
       "name": "Endgame",
       "description": "Endgame Endpoint Investigation and Response",
       "icon": "fa-external-link-alt",
       "target": "_blank",
       "links": ["https://" ~ pillar.global.endgamehost ~ "/endpoints/{:agent.id}"]
     }
%}
{%   if endgame.add %}
{%     do standard_actions.append(endgame_dict) %}
{%   endif %}
{% endif %}

{%   do SOCMERGED.config.server.client.hunt.update({'actions': standard_actions}) %}
{%   do SOCMERGED.config.server.client.dashboards.update({'actions': standard_actions}) %}
{%   do SOCMERGED.config.server.client.update({'job': {'actions': standard_actions}}) %}
{%   do SOCMERGED.config.server.client.alerts.update({'actions': standard_actions}) %}
{%   do SOCMERGED.config.server.client.cases.update({'actions': standard_actions}) %}
{%   do SOCMERGED.config.server.client.detections.update({'actions': standard_actions}) %}

{# replace the _x_ with . for soc ui to config conversion #}
{% do SOCMERGED.config.eventFields.update({':endpoint:events.api': SOCMERGED.config.eventFields.pop(':endpoint:events_x_api') }) %}
{% do SOCMERGED.config.eventFields.update({':endpoint:events.file': SOCMERGED.config.eventFields.pop(':endpoint:events_x_file') }) %}
{% do SOCMERGED.config.eventFields.update({':endpoint:events.library': SOCMERGED.config.eventFields.pop(':endpoint:events_x_library') }) %}
{% do SOCMERGED.config.eventFields.update({':endpoint:events.network': SOCMERGED.config.eventFields.pop(':endpoint:events_x_network') }) %}
{% do SOCMERGED.config.eventFields.update({':endpoint:events.process': SOCMERGED.config.eventFields.pop(':endpoint:events_x_process') }) %}
{% do SOCMERGED.config.eventFields.update({':endpoint:events.registry': SOCMERGED.config.eventFields.pop(':endpoint:events_x_registry') }) %}
{% do SOCMERGED.config.eventFields.update({':endpoint:events.security': SOCMERGED.config.eventFields.pop(':endpoint:events_x_security') }) %}
{% set standard_eventFields = SOCMERGED.config.pop('eventFields') %}
{%   do SOCMERGED.config.server.client.hunt.update({'eventFields': standard_eventFields}) %}
{%   do SOCMERGED.config.server.client.dashboards.update({'eventFields': standard_eventFields}) %}