Merge pull request #12755 from Security-Onion-Solutions/2.4/detection…

…s-defaults 2.4/detections defaults
Security-Onion-Solutions · Apr 4, 2024 · f72cbd5 · f72cbd5
2 parents 1d7e47f + 49d5fa9
commit f72cbd5
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 3 deletions.
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
@@ -2122,11 +2122,11 @@ soc:
               query: "so_detection.isEnabled:false"
             - name: "Detection Type - Suricata (NIDS)"
               query: "so_detection.language:suricata"
-            - name: "Detection Type - Sigma - All"
+            - name: "Detection Type - Sigma (Elastalert) - All"
               query: "so_detection.language:sigma"
-            - name: "Detection Type - Sigma - Windows"
+            - name: "Detection Type - Sigma (Elastalert) - Windows"
               query: 'so_detection.language:sigma AND so_detection.content: "*product: windows*"'
-            - name: "Detection Type - Yara (Strelka)"
+            - name: "Detection Type - YARA (Strelka)"
               query: "so_detection.language:yara"
             - name: "Security Onion - Grid Detections"
               query: "so_detection.ruleset:securityonion-resources"

diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja
@@ -30,6 +30,11 @@
 {# since cases is not a valid soc config item and only used for the map files, remove it from being placed in the config #}
 {% do SOCMERGED.config.server.modules.pop('cases') %}
 
+{# do not automatically enable Sigma rules if install is Eval or Import #}
+{% if grains['role'] in ['so-eval', 'so-import'] %}
+  {%   do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': ""}) %}
+{% endif %}
+
 {# remove these modules if detections is disabled #}
 {% if not SOCMERGED.config.server.client.detectionsEnabled %}
 {%   do SOCMERGED.config.server.modules.pop('elastalertengine') %}

diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
@@ -88,6 +88,11 @@ soc:
             global: True
             advanced: True
             helpLink: sigma.html
+          autoEnabledSigmaRules:
+            description: 'Sigma rules to automatically enable on initial import. Format is $Ruleset+$Level - for example, for the core community ruleset and critical level rules: core+critical'
+            global: True
+            advanced: True
+            helpLink: sigma.html
           denyRegex:
             description: 'Regex used to filter imported Sigma rules. Deny regex takes precedence over the Allow regex setting.'
             global: True