From 654955518b4d5e11a1134dc0a5c6afd8037813aa Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Sat, 16 Nov 2024 11:58:41 -0500
Subject: [PATCH 1/3] Add SigmaAutoEnable
---
 sigma.rst | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
diff --git a/sigma.rst b/sigma.rst
index 7d4965f3..e64d438b 100644
--- a/sigma.rst
+++ b/sigma.rst
@@ -93,3 +93,50 @@ Repos can be accessed via https or from the local filesystem. For example: file:///nsm/rules/detect-sigma/repos/my-custom-rep + +Enable Sigma Rules on Import +~~~~~~~~~~~~~~ + +:: + + soc > config > server > modules > elastalertengine > autoEnabledSigmaRules > default [adv] + + +This configuration options allows you to specify which rules are automatically enabled upon initial import. The format for this filter is a YAML list that supports flexible filtering criteria based on a number of fields in a Sigma rule. A rule is enabled only if it matches all specified filters - if there is more than one filter for a field, then it has to match at least one. + +Configuration Format + +Each item in the YAML list represents a set of filters, using the following fields: + + ruleset + Type: List of strings + Description: Specifies the ruleset(s) to filter by (e.g., "core", "securityonion-resources", "*" for any ruleset). + + level + Type: List of strings + Description: Specifies the severity level(s) (e.g., "critical", "high", "*" for any level). + + product + Type: List of strings + Description: Specifies the product(s) to filter by (e.g., "windows", "*" for all products). + + category + Type: List of strings + Description: Specifies the event category or categories (e.g., "process_creation", "registry_event", "*" for any category). + + service + Type: List of strings + Description: Specifies the service(s) to filter by (e.g., "security", "dns-client", "*" for any service). + +For example: + +:: + + Enabled_On_Import: + # Enable all critical and high rules from the "securityonion-resources" ruleset + - ruleset: ["securityonion-resources"] + level: ["critical", "high"] + product: ["*"] + category: ["*"] + service: ["*"] + From 65881aae69916486c360aec584373efc02fdf808 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 19 Nov 2024 12:03:17 -0500 Subject: [PATCH 2/3] Update sigma.rst --- sigma.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/sigma.rst b/sigma.rst
index e64d438b..cdf1a782 100644
--- a/sigma.rst
+++ b/sigma.rst
@@ -114,7 +114,7 @@ Each item in the YAML list represents a set of filters, using the following fiel
 
 level
 Type: List of strings
- Description: Specifies the severity level(s) (e.g., "critical", "high", "*" for any level).
+ Description: Specifies the severity level(s) (e.g., "critical", "high", "*" for any level. This is not a greater than or equal check - just a string match).
 
 product
 Type: List of strings
From 46d69a0fe33690dcc421e2b37e66069f19db7b36 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Thu, 21 Nov 2024 09:17:21 -0500
Subject: [PATCH 3/3] Update for new setting
---
 sigma.rst | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/sigma.rst b/sigma.rst
index cdf1a782..a7cef41e 100644
--- a/sigma.rst
+++ b/sigma.rst
@@ -99,7 +99,7 @@ Enable Sigma Rules on Import
 
 ::
 
- soc > config > server > modules > elastalertengine > autoEnabledSigmaRules > default [adv]
+ soc > config > server > modules > elastalertengine > enabledSigmaRules > default
 
 
 This configuration options allows you to specify which rules are automatically enabled upon initial import. The format for this filter is a YAML list that supports flexible filtering criteria based on a number of fields in a Sigma rule. A rule is enabled only if it matches all specified filters - if there is more than one filter for a field, then it has to match at least one.
@@ -118,7 +118,7 @@ Each item in the YAML list represents a set of filters, using the following fiel
 
 product
 Type: List of strings
- Description: Specifies the product(s) to filter by (e.g., "windows", "*" for all products).
+ Description: Specifies the product(s) to filter by (e.g., "windows", "*" for any products).
 
 category
 Type: List of strings
@@ -132,7 +132,6 @@ For example:
 
 ::
 
- Enabled_On_Import:
 # Enable all critical and high rules from the "securityonion-resources" ruleset
 - ruleset: ["securityonion-resources"]
 level: ["critical", "high"]