Adds sensoroni agent configuration for the new fileanalyze module that replaces the Strelka file analysis containers: - defaults.yaml: default config values (watchDirs, concurrency, dedup, etc.) - sensoroni.json: Jinja2 template to render module config when enabled - soc_sensoroni.yaml: SOC config schema with descriptions for all settings
# SOC configuration schema for the sensoroni (per-node SOC agent) settings.
# Each leaf key here carries UI metadata for a setting rather than its value
# (description, forcedType, advanced, helpLink, global, sensitive, node,
# multiline, file, syntax, duplicates); the values themselves are expected to
# come from the module's defaults.yaml, per the commit message for this file.
# Semantics of the metadata keys are presumed from their names only (e.g.
# "sensitive" → value masked in the UI, "global" → one grid-wide value,
# "node" → per-node value) — TODO confirm against the SOC schema loader.
#
# NOTE(review): the indentation below was reconstructed from a flattened
# listing. The placement of "analyzers" under "config" and of "files" under
# "sensoroni" is inferred from the layout of the sensoroni defaults — confirm
# against the repository file before relying on this nesting.
sensoroni:
  enabled:
    description: Enable or disable the per-node SOC agent process. This process is used for performing node-related jobs and reporting node metrics back to SOC. Disabling this process is unsupported and will result in an improperly functioning grid.
    forcedType: bool
    advanced: True
    helpLink: grid
  config:
    # Settings for the on-demand "analyze" job (observable enrichment via the
    # analyzers listed further down).
    analyze:
      enabled:
        description: Enable or disable the analyzer.
        forcedType: bool
        advanced: True
        helpLink: cases
      # Milliseconds, per the key name; the description itself does not state the unit.
      timeout_ms:
        description: Timeout period for the analyzer.
        advanced: True
        helpLink: cases
      parallel_limit:
        description: Parallel limit for the analyzer.
        advanced: True
        helpLink: cases
    # Settings for report export jobs.
    export:
      timeout_ms:
        description: Timeout period for the exporter to finish export-related tasks.
        advanced: True
        helpLink: reports
      cache_refresh_interval_ms:
        description: Refresh interval for cache updates. Longer intervals result in less compute usage but risks stale data included in reports.
        advanced: True
        helpLink: reports
      export_metric_limit:
        description: Maximum number of metric values to include in each metric aggregation group.
        advanced: True
        helpLink: reports
      export_event_limit:
        description: Maximum number of events to include per event list.
        advanced: True
        helpLink: reports
      # Not marked advanced: exposed to all users in the UI, unlike the other export settings.
      csv_separator:
        description: Separator character to use for CSV exports.
        advanced: False
        helpLink: reports
    node_checkin_interval_ms:
      description: Interval in ms to checkin to the soc_host.
      advanced: True
      helpLink: grid
    # "node: True" — a per-node value rather than a grid-wide one (presumed from the key name).
    node_description:
      description: Description of the specific node.
      helpLink: grid
      node: True
      forcedType: string
    # Shared secret every agent presents to SOC. Flagged sensitive (so the UI
    # should mask it) and global (one key for the whole grid). Because it is a
    # single shared key, rotating it implies updating every node — NOTE(review):
    # rotation handling is not visible in this schema; confirm.
    sensoronikey:
      description: Shared key for sensoroni authentication.
      helpLink: grid
      global: True
      sensitive: True
      advanced: True
    # The SOC endpoint agents check in to (see node_checkin_interval_ms above).
    soc_host:
      description: Host for sensoroni agents to connect to.
      helpLink: grid
      global: True
      advanced: True
    # Suricata-based PCAP retrieval job.
    suripcap:
      pcapMaxCount:
        description: The maximum number of PCAP packets to extract from eligible PCAP files, for PCAP jobs. If there are issues fetching excessively large packet streams consider lowering this value to reduce the number of collected packets returned to the user interface.
        helpLink: pcap
        advanced: True
    # File analysis module that replaces the Strelka containers (per the
    # "enabled" description). The files it scans are extracted from network
    # traffic by Zeek/Suricata (see watchDirs), i.e. they are attacker-controlled
    # input; the concurrency, maxDepth and scannerTimeout knobs below are the
    # visible bounds on how much work a hostile or deeply nested archive can
    # cause. NOTE(review): no per-file size cap is declared in this schema —
    # confirm whether one exists in the module defaults.
    fileanalyze:
      enabled:
        description: Enable or disable the file analysis module. When enabled, this replaces Strelka for file scanning on sensor nodes.
        forcedType: bool
        advanced: False
        helpLink: strelka
      # No forcedType declared, although the description implies a list of
      # directories — NOTE(review): compare localfile.file_path, which forces
      # "[]string"; confirm the UI coerces this value as intended.
      watchDirs:
        description: Directories to watch for new files to analyze. Typically the Zeek or Suricata extracted file directories.
        advanced: True
        helpLink: strelka
      processedDir:
        description: Directory to move files to after scanning is complete.
        advanced: True
        helpLink: strelka
      # Persists dedup state across restarts (see description); the in-memory
      # cache is governed by dedupMaxEntries / dedupTTLSeconds below.
      historyDir:
        description: Directory for on-disk deduplication history. Each scanned file hash is recorded here to survive restarts.
        advanced: True
        helpLink: strelka
      logFile:
        description: Path to the JSON log file where scan results are written. This file is picked up by the existing filebeat pipeline.
        advanced: True
        helpLink: strelka
      concurrency:
        description: Maximum number of files to scan concurrently.
        advanced: True
        helpLink: strelka
      # Bounds recursion into nested archives; lowering it limits the exposure
      # to nested-archive (zip-bomb style) inputs at the cost of visibility.
      maxDepth:
        description: Maximum recursive extraction depth for nested archives.
        advanced: True
        helpLink: strelka
      recycleSeconds:
        description: Interval in seconds to recycle the file watcher to pick up new subdirectories.
        advanced: True
        helpLink: strelka
      dedupMaxEntries:
        description: Maximum number of entries in the in-memory deduplication cache.
        advanced: True
        helpLink: strelka
      dedupTTLSeconds:
        description: Time-to-live in seconds for deduplication cache entries.
        advanced: True
        helpLink: strelka
      yaraRulesPath:
        description: Path to compiled YARA rules file.
        advanced: True
        helpLink: strelka
      # A path to a wordlist, not a secret itself, hence no "sensitive" flag.
      passwordsPath:
        description: Path to password dictionary for encrypted file cracking attempts.
        advanced: True
        helpLink: strelka
      scannerTimeout:
        description: Timeout in seconds for individual scanner execution.
        advanced: True
        helpLink: strelka
    # Per-analyzer credentials and endpoints used by the analyze job. All API
    # keys and passwords below are flagged "sensitive"; endpoints are not.
    # Every entry is "global: False", which presumably allows per-node
    # overrides — TODO confirm.
    analyzers:
      echotrail:
        api_key:
          description: API key for the Echotrail analyzer.
          helpLink: cases#configuring-analyzers
          global: False
          sensitive: True
          advanced: False
          forcedType: string
        base_url:
          description: Base URL for the Echotrail analyzer.
          helpLink: cases#configuring-analyzers
          global: False
          sensitive: False
          advanced: False
          forcedType: string
      elasticsearch:
        api_key:
          description: API key for the Elasticsearch analyzer.
          helpLink: cases#configuring-analyzers
          global: False
          sensitive: True
          advanced: True
          forcedType: string
        base_url:
          description: Connection URL for the Elasticsearch analyzer.
          helpLink: cases#configuring-analyzers
          global: False
          sensitive: False
          advanced: False
          forcedType: string
        auth_user:
          description: Username for the Elasticsearch analyzer.
          helpLink: cases#configuring-analyzers
          global: False
          sensitive: False
          advanced: False
          forcedType: string
        auth_pwd:
          description: User password for the Elasticsearch analyzer.
          helpLink: cases#configuring-analyzers
          global: False
          sensitive: True
          advanced: False
          forcedType: string
        # NOTE(review): forced to string although it is a count, while
        # time_delta_minutes below is forced to int — confirm which type the
        # analyzer actually expects.
        num_results:
          description: Number of documents to return for the Elasticsearch analyzer.
          helpLink: cases#configuring-analyzers
          global: False
          sensitive: False
          advanced: True
          forcedType: string
        index:
          description: Search index for the Elasticsearch analyzer.
          helpLink: cases#configuring-analyzers
          global: False
          sensitive: False
          advanced: False
          forcedType: string
        time_delta_minutes:
          description: Time (in minutes) to search back for the Elasticsearch analyzer.
          helpLink: cases#configuring-analyzers
          global: False
          sensitive: False
          advanced: True
          forcedType: int
        timestamp_field_name:
          description: Specified name for a documents' timestamp field for the Elasticsearch analyzer.
          helpLink: cases#configuring-analyzers
          global: False
          sensitive: False
          advanced: True
          forcedType: string
        map:
          description: Map between observable types and search field for the Elasticsearch analyzer.
          helpLink: cases#configuring-analyzers
          global: False
          sensitive: False
          advanced: False
          forcedType: string
        # NOTE(review): the description does not say whether this is the CA
        # bundle used to verify the Elasticsearch server or a client certificate
        # presented to it. Confirm and state it in the description so users do
        # not point it at the wrong file (a wrong CA path typically means TLS
        # verification fails or, worse, gets disabled to "fix" it).
        cert_path:
          description: Path to a TLS certificate for the Elasticsearch analyzer.
          helpLink: cases#configuring-analyzers
          global: False
          sensitive: False
          advanced: False
          forcedType: string
      emailrep:
        api_key:
          description: API key for the EmailRep analyzer.
          helpLink: cases
          global: False
          sensitive: True
          advanced: True
          forcedType: string
        base_url:
          description: Base URL for the EmailRep analyzer.
          helpLink: cases
          global: False
          sensitive: False
          advanced: True
          forcedType: string
      greynoise:
        api_key:
          description: API key for the GreyNoise analyzer.
          helpLink: cases
          global: False
          sensitive: True
          advanced: True
          forcedType: string
        api_version:
          description: API version for the GreyNoise analyzer.
          helpLink: cases
          global: False
          sensitive: False
          advanced: True
          forcedType: string
        base_url:
          description: Base URL for the GreyNoise analyzer.
          helpLink: cases
          global: False
          sensitive: False
          advanced: True
          forcedType: string
      localfile:
        # List-typed: the UI is told to coerce this to []string.
        file_path:
          description: File path for the LocalFile analyzer.
          helpLink: cases
          global: False
          sensitive: False
          advanced: True
          forcedType: "[]string"
      malwarebazaar:
        api_key:
          description: API key for the malwarebazaar analyzer.
          helpLink: cases#configuring-analyzers
          global: False
          sensitive: True
          advanced: False
          forcedType: string
      otx:
        api_key:
          description: API key for the OTX analyzer.
          helpLink: cases
          global: False
          sensitive: True
          advanced: True
          forcedType: string
        base_url:
          description: Base URL for the OTX analyzer.
          helpLink: cases
          global: False
          sensitive: False
          advanced: True
          forcedType: string
      pulsedive:
        api_key:
          description: API key for the Pulsedive analyzer.
          helpLink: cases
          global: False
          sensitive: True
          advanced: True
          forcedType: string
        base_url:
          description: Base URL for the Pulsedive analyzer.
          helpLink: cases
          global: False
          sensitive: False
          advanced: True
          forcedType: string
      spamhaus:
        lookup_host:
          description: Host to use for lookups.
          helpLink: cases
          global: False
          sensitive: False
          advanced: True
          forcedType: string
        # NOTE(review): "forcedTypes" (plural) differs from the "forcedType"
        # key used on every other entry in this file (including the other
        # []string entry, localfile.file_path). If the schema loader only
        # recognises "forcedType", this value will not be coerced to a list —
        # confirm and align the key if so.
        nameservers:
          description: Nameservers used for queries.
          helpLink: cases
          global: False
          sensitive: False
          multiline: True
          advanced: True
          forcedTypes: "[]string"
      sublime_platform:
        api_key:
          description: API key for the Sublime Platform analyzer.
          helpLink: cases
          global: False
          sensitive: True
          advanced: True
          forcedType: string
        base_url:
          description: Base URL for the Sublime Platform analyzer.
          helpLink: cases
          global: False
          sensitive: False
          advanced: True
          forcedType: string
        live_flow:
          description: Determines if live flow analysis is used.
          helpLink: cases
          global: False
          sensitive: False
          advanced: True
          forcedType: bool
        mailbox_email_address:
          description: Source mailbox address used for live flow analysis.
          helpLink: cases
          global: False
          sensitive: False
          advanced: True
          forcedType: string
        message_source_id:
          description: ID of the message source used for live flow analysis.
          helpLink: cases
          global: False
          sensitive: False
          advanced: True
          forcedType: string
      threatfox:
        api_key:
          description: API key for the threatfox analyzer.
          helpLink: cases#configuring-analyzers
          global: False
          sensitive: True
          advanced: False
          forcedType: string
      urlscan:
        api_key:
          description: API key for the Urlscan analyzer.
          helpLink: cases
          global: False
          sensitive: True
          advanced: True
          forcedType: string
        base_url:
          description: Base URL for the Urlscan analyzer.
          helpLink: cases
          global: False
          sensitive: False
          advanced: True
          forcedType: string
        # Only analyzer with its own enable flag in this schema.
        enabled:
          description: Analyzer enabled
          helpLink: cases
          global: False
          sensitive: False
          advanced: True
          forcedType: bool
        # Unit is not stated in the description or key name (compare
        # analyze.timeout_ms / scannerTimeout) — TODO confirm seconds vs ms.
        timeout:
          description: Timeout for the Urlscan analyzer.
          helpLink: cases
          global: False
          sensitive: False
          advanced: True
          forcedType: int
        # NOTE(review): "Type of visibility" is presumably the urlscan
        # submission visibility; if a public value is accepted, any URL
        # submitted from a case becomes visible to third parties. The
        # description should name the accepted values and that consequence —
        # confirm the values before changing it.
        visibility:
          description: Type of visibility.
          helpLink: cases
          global: False
          sensitive: False
          advanced: True
          forcedType: string
      urlhaus:
        api_key:
          description: API key for the urlhaus analyzer.
          helpLink: cases#configuring-analyzers
          global: False
          sensitive: True
          advanced: False
          forcedType: string
      virustotal:
        api_key:
          description: API key for the VirusTotal analyzer.
          helpLink: cases
          global: False
          sensitive: True
          advanced: True
          forcedType: string
        base_url:
          description: Base URL for the VirusTotal analyzer.
          helpLink: cases
          global: False
          sensitive: False
          advanced: True
          forcedType: string
  # Editable file contents ("file: True") rather than scalar settings: the
  # markdown report templates used by the export job. The trailing "__md" in
  # each key presumably maps to a ".md" filename — TODO confirm.
  files:
    templates:
      reports:
        standard:
          case_report__md:
            title: Case Report Template
            description: The template used when generating a case report. Supports markdown format.
            file: True
            global: True
            syntax: md
            helpLink: reports
          productivity_report__md:
            title: Productivity Report Template
            description: The template used when generating a comprehensive productivity report. Supports markdown format.
            file: True
            global: True
            syntax: md
            helpLink: reports
          assistant_session_report__md:
            title: Assistant Session Report Template
            description: The template used when generating an assistant session report. Supports markdown format.
            file: True
            global: True
            syntax: md
            helpLink: reports
        # Nine fixed user-defined slots plus one duplicatable (unsupported) slot.
        custom:
          generic_report1__md:
            title: Custom Report 1
            description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
            file: True
            global: True
            syntax: md
            helpLink: reports
          generic_report2__md:
            title: Custom Report 2
            description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
            file: True
            global: True
            syntax: md
            helpLink: reports
          generic_report3__md:
            title: Custom Report 3
            description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
            file: True
            global: True
            syntax: md
            helpLink: reports
          generic_report4__md:
            title: Custom Report 4
            description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
            file: True
            global: True
            syntax: md
            helpLink: reports
          generic_report5__md:
            title: Custom Report 5
            description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
            file: True
            global: True
            syntax: md
            helpLink: reports
          generic_report6__md:
            title: Custom Report 6
            description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
            file: True
            global: True
            syntax: md
            helpLink: reports
          generic_report7__md:
            title: Custom Report 7
            description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
            file: True
            global: True
            syntax: md
            helpLink: reports
          generic_report8__md:
            title: Custom Report 8
            description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
            file: True
            global: True
            syntax: md
            helpLink: reports
          generic_report9__md:
            title: Custom Report 9
            description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
            file: True
            global: True
            syntax: md
            helpLink: reports
          # "duplicates: True" lets the entry be copied; the description itself
          # records that duplicated reports cannot be edited from the SOC app,
          # which is why it is marked advanced and unsupported.
          addl_generic_report__md:
            title: Additional Custom Report
            description: A duplicatable custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI. This is an unsupported feature due to the inability to edit duplicated reports via the SOC app.
            advanced: True
            file: True
            global: True
            syntax: md
            duplicates: True
            helpLink: reports