After the update to 2.3.130, I saw a discussion post about sorting not persisting on the Alerts page, which led me down a rabbit hole about alerts. I noticed that there were a few prebuilt alert queries, but how do I add new ones?
After a few minutes I found a discussion post that referenced the alerts.queries.json file. Some searching showed that, like the other files that are customizable for the SOC, it lives under:
/opt/so/saltstack/default/salt/soc/files/soc/
The three query files are currently alerts.queries.json, dashboard.queries.json, and hunt.queries.json.
As an example, I added a geodata grouping to alerts.queries.json:
{ "name": "Group By Source IP/Port/Geo, Destination IP/Port/Geo, Name", "query": "* | groupby source.ip source.port source.geo.region_iso_code destination.ip destination.port destination.geo.region_iso_code rule.name" },
So I now have a new alert query that can do checks on (this was just proof that the option was available, because at the time there was no reference to it in the documentation).
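Hand-editing a JSON array is the kind of thing that breaks quietly (a missing comma, a duplicated name, a stray character in a field list) and the SOC UI only tells you the queries are gone. The script below is an added example, not code from the original post or from the Security Onion project: it parses a query file in the format shown above (a JSON array of objects with "name" and "query" keys, which is all the post shows), checks every groupby field name looks like a dotted field identifier, refuses duplicate names, and appends the new entry. The SAMPLE_FILE content is constructed stand-in data; the path in the usage comment is the one the post names.

```python
"""Validate and extend a Security Onion SOC query file such as alerts.queries.json.

Added example, not part of the original post or the Security Onion project.
Assumed file format (the only one the post shows): a JSON array of objects
with "name" and "query" string keys. SAMPLE_FILE below is constructed data.
"""
import json
import re
import sys
from pathlib import Path

# Constructed stand-in for the contents of alerts.queries.json.
SAMPLE_FILE = """[
  { "name": "Group By Name, Module", "query": "* | groupby rule.name event.module" },
  { "name": "Group By Source IP", "query": "* | groupby source.ip" }
]"""

# The entry from the post, as a Python dict.
NEW_ENTRY = {
    "name": "Group By Source IP/Port/Geo, Destination IP/Port/Geo, Name",
    "query": "* | groupby source.ip source.port source.geo.region_iso_code "
             "destination.ip destination.port destination.geo.region_iso_code rule.name",
}

# Field names are dotted identifiers (ECS style). Anything else in a groupby
# list is a typo, or something that should never reach the query pipeline.
FIELD_RE = re.compile(r"^[A-Za-z0-9_@]+(\.[A-Za-z0-9_@]+)*$")


def groupby_fields(entry):
    """Fields a groupby query pivots on, in order (empty if no groupby)."""
    query = entry.get("query", "")
    if "| groupby" not in query:
        return []
    return query.split("| groupby", 1)[1].split()


def validate_entry(entry):
    """Return a list of problems with one query entry; an empty list means valid."""
    problems = []
    if not isinstance(entry, dict):
        return ["entry is not a JSON object"]
    for key in ("name", "query"):
        if not isinstance(entry.get(key), str) or not entry[key].strip():
            problems.append(f"missing or empty '{key}'")
    if isinstance(entry.get("query"), str) and "| groupby" in entry["query"]:
        fields = groupby_fields(entry)
        if not fields:
            problems.append("groupby has no fields")
        for field in fields:
            if not FIELD_RE.match(field):
                problems.append(f"suspicious groupby field {field!r}")
    return problems


def load_queries(text):
    """Parse the file text; raise ValueError unless it is a JSON array of valid entries."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("query file must be a JSON array")
    for index, entry in enumerate(data):
        problems = validate_entry(entry)
        if problems:
            raise ValueError(f"entry {index}: {'; '.join(problems)}")
    return data


def add_query(text, entry):
    """Return the file text with `entry` appended, refusing bad entries and duplicate names."""
    queries = load_queries(text)
    problems = validate_entry(entry)
    if problems:
        raise ValueError("; ".join(problems))
    if any(q["name"] == entry["name"] for q in queries):
        raise ValueError(f"duplicate query name {entry['name']!r}")
    queries.append(entry)
    return json.dumps(queries, indent=2) + "\n"


if __name__ == "__main__":
    # Usage: python3 add_query.py /opt/so/saltstack/default/salt/soc/files/soc/alerts.queries.json
    path = Path(sys.argv[1])
    updated = add_query(path.read_text(), NEW_ENTRY)
    path.write_text(updated)
    print(f"wrote {len(load_queries(updated))} queries to {path}")
```

Running it a second time against the same file fails on the duplicate-name check rather than silently adding a second copy, and a malformed file fails before anything is written, so the existing queries are never replaced with broken JSON.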
I took the next step, forked the Security Onion docs, and submitted a change documenting custom queries, which the Security Onion team merged into the official 2.3 documentation. Reviewing the merged update, I saw that they had also added the dashboard and hunt query references (at the time I did not know those were available too).