Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cogburn/detection playbooks #12296

Merged
merged 3 commits into from
Jan 31, 2024
Merged

Cogburn/detection playbooks #12296

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
0fa4d92
socsigmarepo
coreyogburn Oct 19, 2023
858166b
WIP: Detections Changes
coreyogburn Jan 30, 2024
585147d
Added so-detection mapping in elasticsearch
coreyogburn Jan 31, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 30 additions & 1 deletion salt/elasticsearch/defaults.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -117,6 +117,35 @@ elasticsearch:
sort:
field: '@timestamp'
order: desc
so-detection:
index_sorting: false
index_template:
composed_of:
- detection-mappings
- detection-settings
index_patterns:
- so-detection*
priority: 500
template:
mappings:
date_detection: false
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
settings:
index:
mapping:
total_fields:
limit: 1500
number_of_replicas: 0
number_of_shards: 1
refresh_interval: 30s
sort:
field: '@timestamp'
order: desc
so-common:
close: 30
delete: 365
Expand Down Expand Up @@ -8909,7 +8938,7 @@ elasticsearch:
actions:
set_priority:
priority: 50
min_age: 30d
min_age: 30d
so-logs-ti_otx_x_threat:
index_sorting: false
index_template:
Expand Down
108 changes: 108 additions & 0 deletions salt/elasticsearch/templates/component/so/detection-mappings.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,108 @@
{
"template": {
"mappings": {
"properties": {
"so_audit_doc_id": {
"ignore_above": 1024,
"type": "keyword"
},
"@timestamp": {
"type": "date"
},
"so_kind": {
"ignore_above": 1024,
"type": "keyword"
},
"so_operation": {
"ignore_above": 1024,
"type": "keyword"
},
"so_detection": {
"properties": {
"publicId": {
"type": "text"
},
"title": {
"type": "text"
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
},
"author": {
"type": "text"
},
"description": {
"type": "text"
},
"content": {
"type": "text"
},
"isEnabled": {
"type": "boolean"
},
"isReporting": {
"type": "boolean"
},
"isCommunity": {
"type": "boolean"
},
"note": {
"type": "text"
},
"engine": {
"ignore_above": 1024,
"type": "keyword"
},
"overrides": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"isEnabled": {
"type": "boolean"
},
"createdAt": {
"type": "date"
},
"updatedAt": {
"type": "date"
},
"regex": {
"type": "text"
},
"value": {
"type": "text"
},
"thresholdType": {
"ignore_above": 1024,
"type": "keyword"
},
"track": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "text"
},
"count": {
"type": "long"
},
"seconds": {
"type": "long"
},
"customFilter": {
"type": "text"
}
}
}
}
}
}
}
},
"_meta": {
"ecs_version": "1.12.2"
}
}
7 changes: 7 additions & 0 deletions salt/elasticsearch/templates/component/so/detection-settings.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
{
"template": {},
"version": 1,
"_meta": {
"description": "default settings for common Security Onion Detections indices"
}
}
53 changes: 2 additions & 51 deletions salt/manager/init.sls
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.

Expand Down Expand Up @@ -61,7 +61,7 @@ manager_sbin:
- user: 939
- group: 939
- file_mode: 755
- exclude_pat:
- exclude_pat:
- "*_test.py"

yara_update_scripts:
Expand Down Expand Up @@ -103,55 +103,6 @@ rules_dir:
- group: socore
- makedirs: True

{% if STRELKAMERGED.rules.enabled %}

strelkarepos:
file.managed:
- name: /opt/so/conf/strelka/repos.txt
- source: salt://strelka/rules/repos.txt.jinja
- template: jinja
- defaults:
STRELKAREPOS: {{ STRELKAMERGED.rules.repos }}
- makedirs: True

strelka-yara-update:
{% if MANAGERMERGED.reposync.enabled and not GLOBALS.airgap %}
cron.present:
{% else %}
cron.absent:
{% endif %}
- user: socore
- name: '/usr/sbin/so-yara-update >> /opt/so/log/yarasync/yara-update.log 2>&1'
- identifier: strelka-yara-update
- hour: '7'
- minute: '1'

strelka-yara-download:
{% if MANAGERMERGED.reposync.enabled and not GLOBALS.airgap %}
cron.present:
{% else %}
cron.absent:
{% endif %}
- user: socore
- name: '/usr/sbin/so-yara-download >> /opt/so/log/yarasync/yara-download.log 2>&1'
- identifier: strelka-yara-download
- hour: '7'
- minute: '1'

{% if not GLOBALS.airgap %}
update_yara_rules:
cmd.run:
- name: /usr/sbin/so-yara-update
- onchanges:
- file: yara_update_scripts

download_yara_rules:
cmd.run:
- name: /usr/sbin/so-yara-download
- onchanges:
- file: yara_update_scripts
{% endif %}
{% endif %}
{% else %}

{{sls}}_state_not_allowed:
Expand Down
51 changes: 0 additions & 51 deletions salt/manager/tools/sbin_jinja/so-yara-download
View file
Open in desktop

This file was deleted.

41 changes: 0 additions & 41 deletions salt/manager/tools/sbin_jinja/so-yara-update
View file
Open in desktop

This file was deleted.

7 changes: 7 additions & 0 deletions salt/soc/config.sls
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -114,6 +114,13 @@ socuploaddir:
- group: 939
- makedirs: True

socsigmarepo:
file.directory:
- name: /opt/so/rules
- user: 939
- group: 939
- mode: 775

{% else %}

{{sls}}_state_not_allowed:
Expand Down
14 changes: 14 additions & 0 deletions salt/soc/files/bin/compile_yara.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
import os
import yara
import glob
import sys

def compile_yara_rules(rules_dir: str) -> None:
compiled_rules_path: str = os.path.join(rules_dir, "rules.yar.compiled")
rule_files: list[str] = glob.glob(os.path.join(rules_dir, '**/*.yar'), recursive=True)

if rule_files:
rules: yara.Rules = yara.compile(filepaths={os.path.basename(f): f for f in rule_files})
rules.save(compiled_rules_path)

compile_yara_rules(sys.argv[1])
10 changes: 0 additions & 10 deletions salt/strelka/backend/config.sls
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,16 +50,6 @@ backend_taste:
- user: 939
- group: 939

{% if STRELKAMERGED.rules.enabled %}
strelkarules:
file.recurse:
- name: /opt/so/conf/strelka/rules
- source: salt://strelka/rules
- user: 939
- group: 939
- clean: True
{% endif %}

{% else %}

{{sls}}_state_not_allowed:
Expand Down
9 changes: 8 additions & 1 deletion salt/strelka/config.sls
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.

Expand All @@ -21,6 +21,13 @@ strelkarulesdir:
- group: 939
- makedirs: True

strelkareposdir:
file.directory:
- name: /opt/so/conf/strelka/repos
- user: 939
- group: 939
- makedirs: True

strelkadatadir:
file.directory:
- name: /nsm/strelka
Expand Down
Loading