securityonion/salt/soctopus/files/templates/osquery.template

{% set es = salt['pillar.get']('global:managerip', '') %}
{% set hivehost = salt['pillar.get']('global:managerip', '') %}
{% set hivekey = salt['pillar.get']('global:hivekey', '') %}
alert: hivealerter

hive_connection:
  hive_host: http://{{hivehost}}
  hive_port: 9000/thehive
  hive_apikey: {{hivekey}}
  
hive_proxies:
  http: ''
  https: ''

hive_observable_data_mapping:
  - ip: '{match[osquery][EndpointIP1]}'
  - ip: '{match[osquery][EndpointIP2]}'
  - other: '{match[osquery][hostIdentifier]}'
  - other: '{match[osquery][hostname]}'

hive_alert_config:
  title: '{rule[name]} -- {match[osquery][hostname]} -- {match[osquery][name]}'
  type: 'osquery'
  source: 'SecurityOnion'
  description: "`Play:` https://{{es}}/playbook/issues/6000 \n\n `View Event:` <https://{{es}}/kibana/app/kibana#/discover?_g=()&_a=(columns:!(_source),interval:auto,query:(language:lucene,query:'_id:{match[_id]}'),sort:!('@timestamp',desc))>  \n\n `Hostname:` __{match[osquery][hostname]}__  `Live Query:`__[Pivot Link](https://{{es}}/fleet/queries/new?host_uuids={match[osquery][LiveQuery]})__ `Pack:`  __{match[osquery][name]}__ `Data:` {match[osquery][columns]}"
  severity: 2
  tags: ['playbook','osquery']
  tlp: 3
  status: 'New'
  follow: True
  caseTemplate: '5000'
  
 
alert: modules.so.playbook-es.PlaybookESAlerter
elasticsearch_host: "{{ es }}:9200"
play_title: ""
event.module: "playbook"
event.dataset: "alert"
event.severity:
rule.category: 
play_url: "https://{{ es }}/playbook/issues/6000"
kibana_pivot: "https://{{es}}/kibana/app/kibana#/discover?_g=()&_a=(columns:!(_source),interval:auto,query:(language:lucene,query:'_id:{[_id]}'),sort:!('@timestamp',desc))"
soc_pivot: "https://{{es}}/#/hunt"
sigma_level: ""