Merge branch '2.4/dev' into vertlybimp

Security-Onion-Solutions · Oct 29, 2024 · 0c4426a · 0c4426a
2 parents feb7003 + 6a3e541
commit 0c4426a
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 6 deletions.
diff --git a/salt/elasticsearch/templates/component/so/detection-mappings.json b/salt/elasticsearch/templates/component/so/detection-mappings.json
@@ -21,10 +21,10 @@
           "properties": {
             "publicId": {
               "ignore_above": 1024,
-	      "type": "keyword"
+              "type": "keyword"
             },
             "title": {
-	      "ignore_above": 1024,
+              "ignore_above": 1024,
               "type": "keyword"
             },
             "severity": {
@@ -38,15 +38,15 @@
             "description": {
               "type": "text"
             },
-	    "category": {
+            "category": {
               "ignore_above": 1024,
               "type": "keyword"
             },
-	    "product": {
+            "product": {
               "ignore_above": 1024,
               "type": "keyword"
             },
-	    "service": {
+            "service": {
               "ignore_above": 1024,
               "type": "keyword"
             },
@@ -64,7 +64,7 @@
             },
             "tags": {
               "ignore_above": 1024,
-	      "type": "keyword"
+        "type": "keyword"
             },
             "ruleset": {
               "ignore_above": 1024,
@@ -97,6 +97,9 @@
                 "updatedAt": {
                   "type": "date"
                 },
+                "note": {
+                  "type": "text"
+                },
                 "regex": {
                   "type": "text"
                 },

diff --git a/salt/soc/files/soc/sigma_so_pipeline.yaml b/salt/soc/files/soc/sigma_so_pipeline.yaml
@@ -106,3 +106,23 @@ transformations:
         - type: include_fields
           fields:
           - event.code
+    # Maps process_creation rules to endpoint process creation logs
+    # This is an OS-agnostic mapping, to account for logs that don't specify source OS
+    - id: endpoint_process_create_windows_add-fields
+      type: add_condition
+      conditions:
+        event.category: 'process'
+        event.type: 'start'
+      rule_conditions:
+      - type: logsource
+        category: process_creation
+    # Maps file_event rules to endpoint file creation logs
+    # This is an OS-agnostic mapping, to account for logs that don't specify source OS
+    - id: endpoint_file_create_add-fields
+      type: add_condition
+      conditions:
+        event.category: 'file'
+        event.type: 'creation'
+      rule_conditions:
+      - type: logsource
+        category: file_event