# droid configuration file (TOML). Layout: document title, [base] paths, then one
# [platforms.<name>] table per target platform (azure, microsoft_defender, splunk),
# each carrying its own search/alert settings and Sigma pipeline mappings.
title = "droid configuration file"
[base]
# Directory holding the raw (untranslated) Sigma rules — relative path, presumably
# resolved from the working directory by the consumer
raw_rules_directory = "rules/raw"
# Validation config applied to those rules before they are converted
sigma_validation_config = "validation/validate.yml"
[platforms]
[platforms.azure]
## For searches
# Search lookback window, in days
days_ago = 30
timeout = 120 # Search timeout for Azure (presumably seconds)
## For alerts
# general config
# Prefix prepended to alert names, e.g. to tag an MSSP customer (optional)
alert_prefix = "[PIZZA]"
# Run query every X hour
query_frequency = 1
# Lookup data from the last X hour. Keep query_period >= query_frequency,
# otherwise events landing between two runs are never examined.
query_period = 1
# Alert threshold. NOTE(review): "GreaterThan" with threshold_value = 1 only fires
# when the query returns more than one row, so a single matching event does not
# alert. If these map straight onto Sentinel's trigger operator/threshold, a value
# of 0 is the usual "alert on any hit" setting — confirm this is intended.
threshold_operator = "GreaterThan"
threshold_value = 1
# Suppress alert status
suppress_status = true
# Suppress alert for X hours after it fires
suppress_period = 2
# Incident settings: create incidents from alerts and group related alerts
incident_status = true
grouping_status = true
# Limit the group to alerts created within X hours
grouping_period = 5
# Reopen closed incidents when a new alert is grouped into them
grouping_reopen = false
# Grouping matching method: "AllEntities" or "AnyAlert"
grouping_method = "AllEntities"
## Authentication
# Credential mode for searches and alert export: "default" or "app" — see the documentation
search_auth = "default"
export_auth = "default"
workspace_name = "Sentinel-Pizza-Planet" # base workspace name
# Azure Resource Graph (KQL) query listing every Sentinel-enabled workspace the
# identity can read. The projected columns (name, workspaceId) are presumably what
# the consumer expects — keep them if you change the query.
graph_query = 'resources | where name contains "SecurityInsights" | extend workspaceId = tostring(properties.workspaceResourceId) | project name, workspaceId'
# Required to create alert rules. Subscription and resource-group IDs are not
# credentials, but they identify your tenant; the values below look like sample
# values — substitute real ones locally rather than committing them.
subscription_id = 'dda8c596-bc5b-4108-a2c7-ae842355cfc7' # Required to set the alert
resource_group = 'pizza_planet_resource_group'
[platforms.azure.pipelines]
# Sigma processing pipelines (named pipelines, presumably applied in list order) for
# Windows process_creation rules. Unlike the other platforms this section keys the
# mapping by name only, with no product/category keys.
windows_process_creation = ["windows-audit", "azure_windows", "windows-logsources"]
[platforms.microsoft_defender]
## For searches
# Search lookback window, in days
days_ago = 30
timeout = 120 # Search timeout for Microsoft Defender (presumably seconds); the original comment said "azure" by copy-paste
## Authentication
# Credential mode for searches and exports — see the documentation
search_auth = "default"
export_auth = "default"
[platforms.microsoft_defender.pipelines.windows_process_creation]
# Pipelines applied to rules of the logsource below: a local pipeline file plus a named pipeline
pipelines = ["pipelines/mde_process_creation.yml", "microsoft_365_defender"]
# Sigma logsource this mapping applies to
product = "windows"
category = "process_creation"
[platforms.splunk]
# Splunk management host (no scheme; port is set separately below)
url = "prod.splunk.pizza-planet.local"
# Keep TLS certificate verification on outside lab setups; turning it off
# presumably lets any host impersonate the Splunk API to this tool.
verify_cert = true
port = "8089" # Splunk management/REST port, given as a string here — confirm whether the consumer expects a string or an integer before changing the type
app = "pizza_app_rules"
# user and password are passed in environment variables — never put them in this file
# Time window for test searches: Splunk relative-time modifiers ("@h" snaps to the hour)
test_earliest_time = "-24h@h"
test_latest_time = "now"
# Search job time-to-live (presumably seconds; 86400 = 24h)
job_ttl = 86400
# ACL applied to the created saved searches: owner "nobody" is app-level ownership,
# read permission for the listed roles (comma-separated string)
acl_update_owner = "nobody"
acl_update_perms_read = "group1, group2"
## For alerts
# General config
# Scheduled search window, relative to each run. A 1h window run every 20 minutes
# overlaps, so one event can match up to three runs; alert suppression in
# savedsearch_parameters is presumably what keeps that from paging three times.
earliest_time = "-1h@h"
latest_time = "now"
# Standard 5-field cron: every 20 minutes
cron_schedule = "*/20 * * * *"
[platforms.splunk.pipelines.windows_process_access]
# Pipelines applied to rules of the logsource below: a local pipeline file plus a named pipeline
pipelines = ["pipelines/splunk_process_access.yml", "splunk_windows"]
# Sigma logsource this mapping applies to
product = "windows"
category = "process_access"
# Disabled example mapping for process_creation that also selects an output format
#[platforms.splunk.pipelines.windows_process_creation]
#pipelines = ["splunk_windows", "pipelines/splunk_process_creation.yml"]
#product = "windows"
#category = "process_creation"
#format = "data_model"
[platforms.splunk.savedsearch_parameters]
# Keys in this table are Splunk savedsearches.conf parameters. The quoted keys
# ("alert.track", ...) are single parameter names that contain dots, not nested
# TOML tables — keep the quotes.
alert_type = "number of events"
app = "pizza_app_rules"
sharing = "app"
# Trigger when the search returns more than 0 results, i.e. any hit alerts
alert_comparator = "greater than"
alert_threshold = 0
# List fired alerts in Splunk's Triggered Alerts view
"alert.track" = 1
# Presumably lets the scheduler shift each run by up to 67% of its interval to spread load
allow_skew = "67%"
# NOTE(review): suppression is enabled but alert.suppress.period is commented out
# below; Splunk documents the period as required when alert.suppress = 1 — confirm
# the consumer supplies one, or uncomment that line.
"alert.suppress" = 1
"alert.digest_mode" = 0 # Per result (per row): one alert per matching event rather than one digest
#"alert.suppress.period" = "8h"
#"alert.suppress.fields" = "pizza_client,host" # Optional
# Optional: define a suppress-fields group per logsource (e.g. web) under
# [platforms.splunk.savedsearch_parameters.suppress_fields_groups.<group_name>]
#[platforms.splunk.savedsearch_parameters.suppress_fields_groups.windows_image_load]
#category = "image_load"
#product = "windows"
#"alert.suppress.fields" = "pizza_client,host,ImageLoaded"
[platforms.splunk.action]
# Alert action(s) attached to each created saved search
actions = "webhook"
# Webhook endpoint. Treat the real URL as a secret — anyone holding it can post
# into the target channel — so keep the placeholder here and supply the value via
# the environment, as the trailing comment suggests.
"action.webhook.param.url" = "webhook" # Place your webhook URL or replace it in your env variable