Update rule templates #13208

Merged
merged 2 commits into from
Jun 14, 2024
68 changes: 46 additions & 22 deletions salt/soc/defaults.yaml
Expand Up @@ -2256,34 +2256,58 @@ soc:
major: high
templateDetections:
suricata: |
alert tcp any any <> any any (msg:""; sid:[publicId];)
# This is a Suricata rule template. Replace all template values with your own values.
# The rule identifier (sid) is pregenerated and known to be unique for this Security Onion installation.
# Docs: https://docs.suricata.io/en/latest/rules/intro.html
# Delete these comments before attempting to "Create" the rule

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Example Rule Title - 'example' String Detected"; content:"example"; sid:[publicId]; rev:1;)
strelka: |
rule {
meta:
description = "";
strings:
$x = "string";
condition:
all of them;
/*
This is a YARA rule template. Replace all template values with your own values.
The YARA rule name is the unique identifier for the rule.
Docs: https://yara.readthedocs.io/en/stable/writingrules.html#writing-yara-rules
*/

rule Example // This identifier _must_ be unique
{
meta:
description="Generic YARA Rule"
author = "@SecurityOnion"
date = "YYYY-MM-DD"
reference = "https://local.invalid"
strings:
$my_text_string = "text here"
$my_hex_string = { E2 34 A1 C8 23 FB }
condition:
filesize < 3MB and ($my_text_string or $my_hex_string)
}
elastalert: |
title:
# This is a Sigma rule template, which uses YAML. Replace all template values with your own values.
# The id (UUIDv4) is pregenerated and can safely be used.
# Click "Convert" to convert the Sigma rule to use Security Onion field mappings within an EQL query
#
# Rule Creation Guide: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide
# Logsources: https://sigmahq.io/docs/basics/log-sources.html

title: 'A Short Capitalized Title With Less Than 50 Characters'
id: [publicId]
status:
description:
status: 'experimental'
description: |
This should be a detailed description of what this Detection focuses on: what we are trying to find and why we are trying to find it.
references:
-
author:
date:
- 'https://local.invalid'
author: '@SecurityOnion'
date: 'YYYY/MM/DD'
tags:
-
logsource:
product:
category:
- detection.threat_hunting
- attack.technique_id
logsource:
category: process_creation
product: windows
detection:
selection:
Image: 'whoami.exe'
User: 'backup'
condition: selection
falsepositives:
-
level:

level: 'high' # info | low | medium | high | critical
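Review bot: in the Sigma template's detection block, `Image: 'whoami.exe'` is an exact-match comparison, and the Sigma `Image` field normally carries the full path of the executable, so a user who copies this example unchanged gets a selection that will not match a real process_creation event; consider `Image|endswith: '\whoami.exe'` so the template demonstrates a pattern that actually fires. Two smaller style points in the same hunk: `description="Generic YARA Rule"` drops the spaces around `=` that the other YARA meta fields use, and the YARA date placeholder (`YYYY-MM-DD`) differs from the Sigma one (`YYYY/MM/DD`); if both formats are intended, a one-line comment saying so would stop users from "fixing" one to match the other.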