Thursday, June 9, 2022

SecurityOnion@Home - Custom Alert Queries

After the update to 2.3.130, I saw a discussion post about sorting and not staying on Alerts, which led me down a rabbit hole about alerts. I noticed that there were a few prebuilt alert queries, but how do I add new ones?

After a few minutes, I found a discussion post that referenced the alerts.queries.json file. After some searching I found that, like all the other files that are customizable for the SOC, it lives under:

/opt/so/saltstack/default/salt/soc/files/soc/

The three files currently are: alerts.queries.json, dashboard.queries.json, and hunt.queries.json.

As an example, I added geo data to alerts.queries.json:

{ "name": "Group By Source IP/Port/Geo, Destination IP/Port/Geo, Name", "query": "* | groupby source.ip source.port source.geo.region_iso_code destination.ip destination.port destination.geo.region_iso_code rule.name" },

So I now have a new alert query that can do checks on geo data (this was just proof that it was available, because at the time there was no reference in the documentation).
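Because a typo in one of these query files is easy to make and hard to spot in the UI, here is an added example (not Security Onion's code) that validates a queries file and appends a new entry. It assumes the file is a JSON array of objects with string "name" and "query" keys, matching the one entry quoted above; the sample file content and the new query name are constructed for the example.

```python
"""Validate and extend a SOC queries file (alerts/dashboard/hunt.queries.json).

Added example, not Security Onion's own code. Assumption: the file is a JSON
array of {"name": ..., "query": ...} objects, as in the entry shown in the post.
"""
import json
from typing import Dict, List

# Constructed sample in the shape of alerts.queries.json (not a dump of a real file).
SAMPLE_QUERIES_JSON = """[
  { "name": "Group By Name", "query": "* | groupby rule.name" },
  { "name": "Group By Source IP/Port/Geo, Destination IP/Port/Geo, Name", "query": "* | groupby source.ip source.port source.geo.region_iso_code destination.ip destination.port destination.geo.region_iso_code rule.name" }
]"""

Query = Dict[str, str]


def parse_queries(text: str) -> List[Query]:
    """Parse the file and reject anything that is not a list of {name, query} string pairs."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("queries file must be a JSON array")
    for i, entry in enumerate(data):
        if not isinstance(entry, dict):
            raise ValueError(f"entry {i} is not an object")
        for key in ("name", "query"):
            value = entry.get(key)
            if not isinstance(value, str) or not value.strip():
                raise ValueError(f"entry {i} is missing a non-empty string '{key}'")
    return data


def groupby_fields(query: str) -> List[str]:
    """Return the field names after '| groupby', or [] if the query has no groupby stage."""
    stages = [s.strip() for s in query.split("|")]
    for stage in stages[1:]:
        tokens = stage.split()
        if tokens and tokens[0] == "groupby":
            return tokens[1:]
    return []


def add_query(queries: List[Query], name: str, query: str) -> List[Query]:
    """Return a new list with the entry appended, refusing duplicate names and empty groupbys."""
    if any(q["name"].lower() == name.lower() for q in queries):
        raise ValueError(f"a query named {name!r} already exists")
    if not groupby_fields(query):
        raise ValueError("query has no '| groupby <fields>' stage")
    return queries + [{"name": name, "query": query}]


def render_queries(queries: List[Query]) -> str:
    """Serialize back to one-entry-per-line JSON so diffs of the file stay readable."""
    lines = [json.dumps(q, separators=(", ", ": ")) for q in queries]
    return "[\n  " + ",\n  ".join(lines) + "\n]\n"


if __name__ == "__main__":
    existing = parse_queries(SAMPLE_QUERIES_JSON)
    # Constructed new entry; the fields are the ones used in the post's own query.
    updated = add_query(
        existing,
        "Group By Destination Geo, Name",
        "* | groupby destination.geo.region_iso_code rule.name",
    )
    print(render_queries(updated))
```

Run it against the real file by reading the text from the path given above and writing render_queries() back only when parse_queries() and add_query() both succeed; that way a malformed entry never reaches the running SOC.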

I took the next step and forked the SecurityOnion docs, and made a change to add the Custom Queries, which the SecurityOnion team merged into the official 2.3 documentation. After reviewing the update I saw that they also added the dashboard/hunt queries reference (at the time I did not know those were also available).
