From a5e60363cf41793de89026c6f55d40ab2ad8c7d7 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Fri, 11 Aug 2023 13:38:16 -0400
Subject: [PATCH 1/2] add missing annotations to avoid soc crash
---
 salt/soc/soc_soc.yaml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index e3d704e804..03fd47e80b 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -45,9 +45,10 @@ soc:
 actions:
 description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action.
 global: True
+ forcedType: "[]{}"
 eventFields:
 default:
- description: The list of fields to show as columns in the Hunt/Dashboards event table, when no other specific mapping applies. Mappings are defined by the format ":event.module:event.dataset".
+ description: Event fields mappings are defined by the format ":event.module:event.dataset", so if you would like to customize which fields show for syslog events of originating from zeek you will find that entry in the left panel that looks like :zeek:syslog. This default entry is used for all events that do not match an existing mapping defined on the left side of this configuration screen.
 global: True
 advanced: True
 server:
@@ -139,6 +140,7 @@ soc:
 description: List of available external tools visible in the SOC UI. Each tool is defined in JSON object notation, and must include the "name" key and "link" key, where the link is the tool's URL.
 global: True
 advanced: True
+ forcedType: "[]{}"
 hunt: &appSettings
 groupItemsPerPage:
 description: Default number of aggregations to show per page. Larger values consume more vertical area in the SOC UI.
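Review bot: The `forcedType: "[]{}"` line added under `actions` (and, in the same form, under `tools` in the second hunk and under `queries`/`queryToggleFilters` in the next hunk) is an undocumented magic string; nothing in the file says which values `forcedType` accepts or what `[]{}` denotes, so a later editor cannot distinguish it from a typo. A comment above the first use, such as `# forcedType: presumably a type hint for the SOC settings editor ("[]{}" = list of objects); confirm accepted values against the consumer`, would make the annotation self-describing, with the wording checked against the consuming code, which is not on this page. The commit title implies the SOC UI crashes when the annotation is missing; if that is the case, the reader of this annotation should fall back to a safe default on an absent key rather than crash, since operators edit this file and future list-typed settings will omit it again — that is a point for the consumer, not this file. The quoting itself is correct: an unquoted `[]{}` would be parsed as a YAML flow collection, not a string.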
@@ -164,6 +166,12 @@ soc:
 queries:
 description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key.
 global: True
+ forcedType: "[]{}"
+ queryToggleFilters:
+ description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query.
+ global: True
+ advanced: True
+ forcedType: "[]{}"
 alerts: *appSettings
 cases: *appSettings
 dashboards: *appSettings
From 1fb3a595735fdbebf9eed6e8649b5a919d1f2f61 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Fri, 11 Aug 2023 13:41:58 -0400
Subject: [PATCH 2/2] add missing annotations to avoid soc crash
---
 salt/soc/soc_soc.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 03fd47e80b..b2ed893f69 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -48,7 +48,7 @@ soc:
 forcedType: "[]{}"
 eventFields:
 default:
- description: Event fields mappings are defined by the format ":event.module:event.dataset", so if you would like to customize which fields show for syslog events of originating from zeek you will find that entry in the left panel that looks like :zeek:syslog. This default entry is used for all events that do not match an existing mapping defined on the left side of this configuration screen.
+ description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. This 'default' entry is used for all events that do not match an existing mapping defined in the list to the left.
 global: True
 advanced: True
 server:
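Review bot: The new `queryToggleFilters` description does not name the keys each filter object must contain, whereas the sibling `queries` and `actions` descriptions spell out theirs (`"name"`/`"query"`, `"name"`/`"links"`); an operator editing this list from the SOC UI cannot tell which key marks a toggle as exclusive or which one carries its label. Extend the description in the same style, e.g. `Each filter is defined in JSON object notation, and must include the <REQUIRED-KEYS> keys.`, with the key names taken from the consumer, which is not on this page. The added `global: True` / `advanced: True` lines use the file's existing capitalized spelling; yamllint's truthy rule would prefer `true`, but staying consistent within the file is the better choice here as long as the loader is YAML 1.1 (PyYAML), where both spellings are booleans.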
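Review bot: The replacement `description` in the second patch is a roughly 300-character plain scalar on one line; as a matter of style, a folded block scalar (`description: >-` followed by the text wrapped at a readable width) yields the identical string once parsed — single newlines fold to spaces and `-` drops the trailing newline — while keeping future wording changes line-local, provided the file is read through a YAML parser rather than line by line, which is not visible here. The example text also refers to the `eventField item` while the key it lives under is `eventFields`; aligning the wording (`find the eventFields item`) avoids sending the operator to the wrong name in the UI.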