Merge pull request #621 from Security-Onion-Solutions/jertel/an2

support notification only Sigma Detections
Security-Onion-Solutions · Aug 26, 2024 · 476aecc · 476aecc
2 parents b04f49d + f1d7677
commit 476aecc
Show file tree

Hide file tree

Showing 2 changed files with 73 additions and 0 deletions.
diff --git a/server/modules/elastalert/elastalert.go b/server/modules/elastalert/elastalert.go
@@ -23,6 +23,7 @@ import (
 	"os/exec"
 	"path/filepath"
 	"reflect"
+	"slices"
 	"strings"
 	"sync"
 	"sync/atomic"
@@ -1806,6 +1807,11 @@ func (e *ElastAlertEngine) wrapRule(det *model.Detection, rule string) (string,
 	}
 
 	if licensing.IsEnabled(licensing.FEAT_NTF) {
+		if slices.Contains(det.Tags, "so.notification") {
+			// This is a detection for sending notifications only, do not add a new alert to Security Onion.
+			wrapper.Alert = nil
+		}
+
 		// Add any custom alerters to the rule.
 		for _, alerter := range alerters {
 			alerter = strings.TrimSpace(alerter)

diff --git a/server/modules/elastalert/elastalert_test.go b/server/modules/elastalert/elastalert_test.go
@@ -452,6 +452,73 @@ foo: bar
 	assert.YAMLEq(t, expected, wrappedRule)
 }
 
+func TestSigmaToElastAlertNotificationOnlyLicensed(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	iom := mock.NewMockIOManager(ctrl)
+
+	iom.EXPECT().ExecCommand(gomock.Cond(func(x any) bool {
+		cmd := x.(*exec.Cmd)
+
+		if !strings.HasSuffix(cmd.Path, "sigma") {
+			return false
+		}
+
+		if !slices.Contains(cmd.Args, "convert") {
+			return false
+		}
+
+		if cmd.Stdin == nil {
+			return false
+		}
+
+		return true
+	})).Return([]byte("<eql>"), 0, time.Duration(0), nil)
+
+	engine := ElastAlertEngine{
+		IOManager:               iom,
+		additionalAlerters:      []string{"email", "slack"},
+		additionalAlerterParams: "foo: bar",
+	}
+
+	det := &model.Detection{
+		PublicID: "00000000-0000-0000-0000-000000000000",
+		Content:  "totally good sigma",
+		Title:    "Test Detection",
+		Tags:     []string{"so.notification"},
+		Severity: model.SeverityHigh,
+	}
+
+	query, err := engine.sigmaToElastAlert(context.Background(), det)
+	assert.NoError(t, err)
+
+	// License
+	licensing.Test(licensing.FEAT_NTF, 0, 0, "", "")
+	wrappedRule, err := engine.wrapRule(det, query)
+	assert.NoError(t, err)
+
+	expected := `detection_title: Test Detection
+detection_public_id: 00000000-0000-0000-0000-000000000000
+event.module: sigma
+event.dataset: sigma.alert
+event.severity: 4
+sigma_level: high
+alert:
+    - email
+    - slack
+index: .ds-logs-*
+name: Test Detection -- 00000000-0000-0000-0000-000000000000
+type: any
+realert:
+    seconds: 0
+filter:
+    - eql: <eql>
+foo: bar
+`
+	assert.YAMLEq(t, expected, wrappedRule)
+}
+
 func TestAdditionalAlertersSev0(t *testing.T) {
 	engine := ElastAlertEngine{
 		additionalAlerters:      []string{"email", "slack"},