diff --git a/salt/backup/soc_backup.yaml b/salt/backup/soc_backup.yaml
index bedecb1ca..87ce2551e 100644
--- a/salt/backup/soc_backup.yaml
+++ b/salt/backup/soc_backup.yaml
@@ -1,10 +1,10 @@
 backup:
 locations:
 description: List of locations to back up to the destination.
- helpLink: backup.html
+ helpLink: backup
 global: True
 destination:
 description: Directory to store the configuration backups in.
- helpLink: backup.html
+ helpLink: backup
 global: True
\ No newline at end of file
diff --git a/salt/bpf/soc_bpf.yaml b/salt/bpf/soc_bpf.yaml
index 416c5fc60..5d3af93fb 100644
--- a/salt/bpf/soc_bpf.yaml
+++ b/salt/bpf/soc_bpf.yaml
@@ -3,14 +3,14 @@ bpf:
 description: List of BPF filters to apply to the PCAP engine.
 multiline: True
 forcedType: "[]string"
- helpLink: bpf.html
+ helpLink: bpf
 suricata:
 description: List of BPF filters to apply to Suricata. This will apply to alerts and, if enabled, to metadata and PCAP logs generated by Suricata.
 multiline: True
 forcedType: "[]string"
- helpLink: bpf.html
+ helpLink: bpf
 zeek:
 description: List of BPF filters to apply to Zeek.
 multiline: True
 forcedType: "[]string"
- helpLink: bpf.html
+ helpLink: bpf
diff --git a/salt/docker/soc_docker.yaml b/salt/docker/soc_docker.yaml
index f855259b6..82913bdd7 100644
--- a/salt/docker/soc_docker.yaml
+++ b/salt/docker/soc_docker.yaml
@@ -1,42 +1,42 @@
 docker:
 gateway:
 description: Gateway for the default docker interface.
- helpLink: docker.html
+ helpLink: docker
 advanced: True
 range:
 description: Default docker IP range for containers.
- helpLink: docker.html
+ helpLink: docker
 advanced: True
 containers:
 so-dockerregistry: &dockerOptions
 final_octet:
 description: Last octet of the container IP address.
- helpLink: docker.html
+ helpLink: docker
 readonly: True
 advanced: True
 global: True
 port_bindings:
 description: List of port bindings for the container.
- helpLink: docker.html
+ helpLink: docker
 advanced: True
 multiline: True
 forcedType: "[]string"
 custom_bind_mounts:
 description: List of custom local volume bindings.
 advanced: True
- helpLink: docker.html
+ helpLink: docker
 multiline: True
 forcedType: "[]string"
 extra_hosts:
 description: List of additional host entries for the container.
 advanced: True
- helpLink: docker.html
+ helpLink: docker
 multiline: True
 forcedType: "[]string"
 extra_env:
 description: List of additional ENV entries for the container.
 advanced: True
- helpLink: docker.html
+ helpLink: docker
 multiline: True
 forcedType: "[]string"
 so-elastic-fleet: *dockerOptions
@@ -65,38 +65,38 @@ docker:
 so-suricata:
 final_octet:
 description: Last octet of the container IP address.
- helpLink: docker.html
+ helpLink: docker
 readonly: True
 advanced: True
 global: True
 port_bindings:
 description: List of port bindings for the container.
- helpLink: docker.html
+ helpLink: docker
 advanced: True
 multiline: True
 forcedType: "[]string"
 custom_bind_mounts:
 description: List of custom local volume bindings.
 advanced: True
- helpLink: docker.html
+ helpLink: docker
 multiline: True
 forcedType: "[]string"
 extra_hosts:
 description: List of additional host entries for the container.
 advanced: True
- helpLink: docker.html
+ helpLink: docker
 multiline: True
 forcedType: "[]string"
 extra_env:
 description: List of additional ENV entries for the container.
 advanced: True
- helpLink: docker.html
+ helpLink: docker
 multiline: True
 forcedType: "[]string"
 ulimits:
 description: Ulimits for the container, in bytes.
 advanced: True
- helpLink: docker.html
+ helpLink: docker
 multiline: True
 forcedType: "[]string"
 so-zeek: *dockerOptions
diff --git a/salt/elastalert/soc_elastalert.yaml b/salt/elastalert/soc_elastalert.yaml
index 764ec87fc..bf85fed80 100644
--- a/salt/elastalert/soc_elastalert.yaml
+++ b/salt/elastalert/soc_elastalert.yaml
@@ -1,47 +1,47 @@
 elastalert:
 enabled:
 description: Enables or disables the ElastAlert 2 process. This process is critical for ensuring alerts arrive in SOC, and for outbound notification delivery.
- helpLink: elastalert.html
+ helpLink: elastalert
 alerter_parameters:
 title: Custom Configuration Parameters
 description: Optional configuration parameters made available as defaults for all rules and alerters. Use YAML format for these parameters, and reference the ElastAlert 2 documentation, located at https://elastalert2.readthedocs.io, for available configuration parameters. Requires a valid Security Onion license key.
 global: True
 multiline: True
 syntax: yaml
- helpLink: elastalert.html
+ helpLink: elastalert
 forcedType: string
 jira_api_key:
 title: Jira API Key
 description: Optional configuration parameter for Jira API Key, used instead of the Jira username and password. Requires a valid Security Onion license key.
 global: True
 sensitive: True
- helpLink: elastalert.html
+ helpLink: elastalert
 forcedType: string
 jira_pass:
 title: Jira Password
 description: Optional configuration parameter for Jira password. Requires a valid Security Onion license key.
 global: True
 sensitive: True
- helpLink: elastalert.html
+ helpLink: elastalert
 forcedType: string
 jira_user:
 title: Jira Username
 description: Optional configuration parameter for Jira username. Requires a valid Security Onion license key.
 global: True
- helpLink: elastalert.html
+ helpLink: elastalert
 forcedType: string
 smtp_pass:
 title: SMTP Password
 description: Optional configuration parameter for SMTP password, required for authenticating email servers. Requires a valid Security Onion license key.
 global: True
 sensitive: True
- helpLink: elastalert.html
+ helpLink: elastalert
 forcedType: string
 smtp_user:
 title: SMTP Username
 description: Optional configuration parameter for SMTP username, required for authenticating email servers. Requires a valid Security Onion license key.
 global: True
- helpLink: elastalert.html
+ helpLink: elastalert
 forcedType: string
 files:
 custom:
@@ -49,91 +49,91 @@ elastalert:
 description: Optional custom Certificate Authority for connecting to an AlertManager server. To utilize this custom file, the alertmanager_ca_certs key must be set to /opt/elastalert/custom/alertmanager_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
 global: True
 file: True
- helpLink: elastalert.html
+ helpLink: elastalert
 gelf_ca__crt:
 description: Optional custom Certificate Authority for connecting to a Graylog server. To utilize this custom file, the graylog_ca_certs key must be set to /opt/elastalert/custom/graylog_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
 global: True
 file: True
- helpLink: elastalert.html
+ helpLink: elastalert
 http_post_ca__crt:
 description: Optional custom Certificate Authority for connecting to a generic HTTP server, via the legacy HTTP POST alerter. To utilize this custom file, the http_post_ca_certs key must be set to /opt/elastalert/custom/http_post2_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
 global: True
 file: True
- helpLink: elastalert.html
+ helpLink: elastalert
 http_post2_ca__crt:
 description: Optional custom Certificate Authority for connecting to a generic HTTP server, via the newer HTTP POST 2 alerter. To utilize this custom file, the http_post2_ca_certs key must be set to /opt/elastalert/custom/http_post2_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
 global: True
 file: True
- helpLink: elastalert.html
+ helpLink: elastalert
 ms_teams_ca__crt:
 description: Optional custom Certificate Authority for connecting to Microsoft Teams server. To utilize this custom file, the ms_teams_ca_certs key must be set to /opt/elastalert/custom/ms_teams_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
 global: True
 file: True
- helpLink: elastalert.html
+ helpLink: elastalert
 pagerduty_ca__crt:
 description: Optional custom Certificate Authority for connecting to PagerDuty server. To utilize this custom file, the pagerduty_ca_certs key must be set to /opt/elastalert/custom/pagerduty_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
 global: True
 file: True
- helpLink: elastalert.html
+ helpLink: elastalert
 rocket_chat_ca__crt:
 description: Optional custom Certificate Authority for connecting to PagerDuty server. To utilize this custom file, the rocket_chart_ca_certs key must be set to /opt/elastalert/custom/rocket_chat_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
 global: True
 file: True
- helpLink: elastalert.html
+ helpLink: elastalert
 smtp__crt:
 description: Optional custom certificate for connecting to an SMTP server. To utilize this custom file, the smtp_cert_file key must be set to /opt/elastalert/custom/smtp.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
 global: True
 file: True
- helpLink: elastalert.html
+ helpLink: elastalert
 smtp__key:
 description: Optional custom certificate key for connecting to an SMTP server. To utilize this custom file, the smtp_key_file key must be set to /opt/elastalert/custom/smtp.key in the Alerter Parameters setting. Requires a valid Security Onion license key.
 global: True
 file: True
- helpLink: elastalert.html
+ helpLink: elastalert
 slack_ca__crt:
 description: Optional custom Certificate Authority for connecting to Slack. To utilize this custom file, the slack_ca_certs key must be set to /opt/elastalert/custom/slack_ca.crt in the Alerter Parameters setting. Requires a valid Security Onion license key.
 global: True
 file: True
- helpLink: elastalert.html
+ helpLink: elastalert
 config:
 disable_rules_on_error:
 description: Disable rules on failure.
 global: True
- helpLink: elastalert.html
+ helpLink: elastalert
 run_every:
 minutes:
 description: Amount of time in minutes between searches.
 global: True
- helpLink: elastalert.html
+ helpLink: elastalert
 buffer_time:
 minutes:
 description: Amount of time in minutes to look through.
 global: True
- helpLink: elastalert.html
+ helpLink: elastalert
 old_query_limit:
 minutes:
 description: Amount of time in minutes between queries to start at the most recently run query.
 global: True
- helpLink: elastalert.html
+ helpLink: elastalert
 es_conn_timeout:
 description: Timeout in seconds for connecting to and reading from Elasticsearch.
 global: True
- helpLink: elastalert.html
+ helpLink: elastalert
 max_query_size:
 description: The maximum number of documents that will be returned from Elasticsearch in a single query.
 global: True
- helpLink: elastalert.html
+ helpLink: elastalert
 alert_time_limit:
 days:
 description: The retry window for failed alerts.
 global: True
- helpLink: elastalert.html
+ helpLink: elastalert
 index_settings:
 shards:
 description: The number of shards for elastalert indices.
 global: True
- helpLink: elastalert.html
+ helpLink: elastalert
 replicas:
 description: The number of replicas for elastalert indices.
 global: True
- helpLink: elastalert.html
+ helpLink: elastalert
diff --git a/salt/elasticfleet/soc_elasticfleet.yaml b/salt/elasticfleet/soc_elasticfleet.yaml
index d78189f96..a212f669f 100644
--- a/salt/elasticfleet/soc_elasticfleet.yaml
+++ b/salt/elasticfleet/soc_elasticfleet.yaml
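Review bot: The rocket_chat_ca__crt description in this hunk still says "connecting to PagerDuty server" and tells the operator to set a `rocket_chart_ca_certs` key, which looks like a copy of the pagerduty_ca__crt entry directly above it; the entry should name Rocket.Chat and the key should read `rocket_chat_ca_certs`, since that is the value an operator will paste into Alerter Parameters. The http_post_ca__crt entry for the legacy alerter likewise points http_post_ca_certs at `/opt/elastalert/custom/http_post2_ca.crt`, which is the path the separate http_post2_ca__crt entry uses; presumably `/opt/elastalert/custom/http_post_ca.crt` is intended, matching how every other entry's path follows its own key name. The same kind of text slip appears in the soc_elasticfleet.yaml hunk at -2,13, where enable_manager_output's description ends "events will only be send to the receivers" and should read "sent". None of these lines are touched by this commit; the enclosing files.custom block starts before the hunk.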
@@ -2,13 +2,13 @@ elasticfleet:
 enabled:
 description: Enables or disables the Elastic Fleet process. This process is critical for managing Elastic Agents.
 advanced: True
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
 enable_manager_output:
 description: Setting this option to False should only be considered if there is at least one receiver node in the grid. If True, Elastic Agent will send events to the manager and receivers. If False, events will only be send to the receivers.
 advanced: True
 global: True
 forcedType: bool
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
 files:
 soc:
 elastic-defend-disabled-filters__yaml:
@@ -17,7 +17,7 @@ elasticfleet:
 syntax: yaml
 file: True
 global: True
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
 advanced: True
 elastic-defend-custom-filters__yaml:
 title: Custom Elastic Defend filters
@@ -25,31 +25,31 @@ elasticfleet:
 syntax: yaml
 file: True
 global: True
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
 advanced: True
 logging:
 zeek:
 excluded:
 description: This is a list of Zeek logs that are excluded from being shipped through the data processing pipeline. If you remove a log from this list, Elastic Agent will attempt to process it. If an ingest node pipeline is not available to process the logs, you may experience errors.
 forcedType: "[]string"
- helpLink: zeek.html
+ helpLink: zeek
 config:
 defend_filters:
 enable_auto_configuration:
 description: Enable auto-configuration and management of the Elastic Defend Exclusion filters.
 global: True
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
 advanced: True
 subscription_integrations:
 description: Enable the installation of integrations that require an Elastic license.
 global: True
 forcedType: bool
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
 auto_upgrade_integrations:
 description: Enables or disables automatically upgrading Elastic Agent integrations.
 global: True
 forcedType: bool
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
 outputs:
 logstash:
 bulk_max_size:
@@ -57,67 +57,67 @@ elasticfleet:
 global: True
 forcedType: int
 advanced: True
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
 worker:
 description: The number of workers per configured host publishing events.
 global: True
 forcedType: int
 advanced: true
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
 queue_mem_events:
 title: queued events
 description: The number of events the queue can store. This value should be evenly divisible by the smaller of 'bulk_max_size' to avoid sending partial batches to the output.
 global: True
 forcedType: int
 advanced: True
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
 timeout:
 description: The number of seconds to wait for responses from the Logstash server before timing out. Eg 30s
 regex: ^[0-9]+s$
 advanced: True
 global: True
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
 loadbalance:
 description: If true and multiple Logstash hosts are configured, the output plugin load balances published events onto all Logstash hosts. If false, the output plugin sends all events to one host (determined at random) and switches to another host if the selected one becomes unresponsive.
 forcedType: bool
 advanced: True
 global: True
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
 compression_level:
 description: The gzip compression level. The compression level must be in the range of 1 (best speed) to 9 (best compression).
 regex: ^[1-9]$
 forcedType: int
 advanced: True
 global: True
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
 server:
 custom_fqdn:
 description: Custom FQDN for Agents to connect to. One per line.
 global: True
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
 advanced: True
 forcedType: "[]string"
 enable_auto_configuration:
 description: Enable auto-configuration of Logstash Outputs & Fleet Host URLs.
 global: True
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
 advanced: True
 endpoints_enrollment:
 description: Endpoint enrollment key.
 global: True
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
 sensitive: True
 advanced: True
 es_token:
 description: Elastic auth token.
 global: True
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
 sensitive: True
 advanced: True
 grid_enrollment:
 description: Grid enrollment key.
 global: True
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
 sensitive: True
 advanced: True
 optional_integrations:
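Review bot: The worker entry near the top of this hunk writes `advanced: true` in lowercase, while every other flag in these annotation files (including the bulk_max_size and queue_mem_events entries beside it) writes `advanced: True`. Both spell a YAML boolean, so the loader almost certainly treats them the same, but the odd one out reads as a typo and will keep tripping reviewers; `advanced: True` keeps the file self-consistent. The outputs.logstash block this hunk belongs to starts before the hunk.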
@@ -125,57 +125,57 @@ elasticfleet:
 enabled_nodes:
 description: Fleet nodes with the Sublime Platform integration enabled. Enter one per line.
 global: True
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
 advanced: True
 forcedType: "[]string"
 api_key:
 description: API key for Sublime Platform.
 global: True
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
 advanced: True
 forcedType: string
 sensitive: True
 base_url:
 description: Base URL for Sublime Platform.
 global: True
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
 advanced: True
 forcedType: string
 poll_interval:
 description: Poll interval for alerts from Sublime Platform.
 global: True
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
 advanced: True
 forcedType: string
 limit:
 description: The maximum number of message groups to return from Sublime Platform.
 global: True
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
 advanced: True
 forcedType: int
 kismet:
 base_url:
 description: Base URL for Kismet.
 global: True
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
 advanced: True
 forcedType: string
 poll_interval:
 description: Poll interval for wireless device data from Kismet. Integration is currently configured to return devices seen as active by any Kismet sensor within the last 10 minutes.
 global: True
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
 advanced: True
 forcedType: string
 api_key:
 description: API key for Kismet.
 global: True
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
 advanced: True
 forcedType: string
 sensitive: True
 enabled_nodes:
 description: Fleet nodes with the Kismet integration enabled. Enter one per line.
 global: True
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
 advanced: True
 forcedType: "[]string"
diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml
index 288b0229a..87de0e086 100644
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
@@ -2,7 +2,7 @@ elasticsearch:
 enabled:
 description: Enables or disables the Elasticsearch process. This process provides the log event storage system. WARNING - Disabling this process is unsupported.
 advanced: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 version:
 description: "This specifies the version of the following containers: so-elastic-fleet-package-registry, so-elastic-agent, so-elastic-fleet, so-kibana, so-logstash and so-elasticsearch. Modifying this value in the Elasticsearch defaults.yaml will result in catastrophic grid failure."
 readonly: True
@@ -10,20 +10,20 @@ elasticsearch:
 advanced: True
 esheap:
 description: Specify the memory heap size in (m)egabytes for Elasticsearch.
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 index_clean:
 description: Determines if indices should be considered for deletion by available disk space in the cluster. Otherwise, indices will only be deleted by the age defined in the ILM settings. This setting only applies to EVAL, STANDALONE, and HEAVY NODE installations. Other installations can only use ILM settings.
 forcedType: bool
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 vm:
 max_map_count:
 description: The maximum number of memory map areas a process may use. Elasticsearch uses a mmapfs directory by default to store its indices. The default operating system limits on mmap counts could be too low, which may result in out of memory exceptions.
 forcedType: int
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 retention:
 retention_pct:
 decription: Total percentage of space used by Elasticsearch for multi node clusters
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 global: True
 config:
 cluster:
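Review bot: The retention_pct entry in the second hunk (-10,20) spells its key `decription:`, so whatever reads these annotation files will presumably find no description for that setting, and the helpLink this commit fixes is attached to an entry that renders without help text. Every other entry in the file uses `description:`; the line should read `description: Total percentage of space used by Elasticsearch for multi node clusters`. The retention block is complete within the hunk, but the enclosing elasticsearch mapping continues past it.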
@@ -31,55 +31,55 @@ elasticsearch:
 description: The name of the Security Onion Elasticsearch cluster, for identification purposes.
 readonly: True
 global: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 logsdb:
 enabled:
 description: Enables or disables the Elasticsearch logsdb index mode. When enabled, most logs-* datastreams will convert to logsdb from standard after rolling over.
 forcedType: bool
 global: True
 advanced: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 routing:
 allocation:
 disk:
 threshold_enabled:
 description: Specifies whether the Elasticsearch node will monitor the available disk space for low disk space conditions and take action to protect the cluster.
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 watermark:
 low:
 description: The lower percentage of used disk space representing a healthy node.
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 high:
 description: The higher percentage of used disk space representing an unhealthy node.
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 flood_stage:
 description: The max percentage of used disk space that will cause the node to take protective actions, such as blocking incoming events.
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 script:
 max_compilations_rate:
 description: Max rate of script compilations permitted in the Elasticsearch cluster. Larger values will consume more resources.
 global: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 indices:
 query:
 bool:
 max_clause_count:
 description: Max number of boolean clauses per query.
 global: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 pipelines:
 custom001: &pipelines
 description:
 description: Description of the ingest node pipeline
 global: True
 advanced: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 processors:
 description: Processors for the ingest node pipeline
 global: True
 advanced: True
 multiline: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 custom002: *pipelines
 custom003: *pipelines
 custom004: *pipelines
@@ -99,24 +99,24 @@ elasticsearch:
 description: Number of replicas required for all indices. Multiple replicas protects against data loss, but also increases storage costs. This setting will be applied to all indices.
 forcedType: int
 global: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 refresh_interval:
 description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation.
 global: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 number_of_shards:
 description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs.
 global: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 sort:
 field:
 description: The field to sort by. Must set index_sorting to True.
 global: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 order:
 description: The order to sort by. Must set index_sorting to True.
 global: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 policy:
 phases:
 hot:
@@ -126,16 +126,16 @@ elasticsearch:
 description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
 forcedType: int
 global: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 rollover:
 max_age:
 description: Maximum age of index. Once an index reaches this limit, it will be rolled over into a new index.
 global: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 max_primary_shard_size:
 description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
 global: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 shrink:
 method:
 description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
@@ -183,13 +183,13 @@ elasticsearch:
 regex: ^[0-9]{1,5}d$
 forcedType: string
 global: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 actions:
 set_priority:
 priority:
 description: Used for index recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
 global: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 allocate:
 number_of_replicas:
 description: Set the number of replicas. Remains the same as the previous phase by default.
@@ -202,14 +202,14 @@ elasticsearch:
 regex: ^[0-9]{1,5}d$
 forcedType: string
 global: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 actions:
 set_priority:
 priority:
 description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
 forcedType: int
 global: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 shrink:
 method:
 description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
@@ -262,13 +262,13 @@ elasticsearch:
 regex: ^[0-9]{1,5}d$
 forcedType: string
 global: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 so-logs: &indexSettings
 index_sorting:
 description: Sorts the index by event time, at the cost of additional processing resource consumption.
 global: True
 advanced: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 index_template:
 index_patterns:
 description: Patterns for matching multiple indices or tables.
@@ -276,7 +276,7 @@ elasticsearch:
 multiline: True
 global: True
 advanced: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 template:
 settings:
 index:
@@ -285,35 +285,35 @@ elasticsearch:
 forcedType: int
 global: True
 advanced: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 mapping:
 total_fields:
 limit:
 description: Max number of fields that can exist on a single index. Larger values will consume more resources.
 global: True
 advanced: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 refresh_interval:
 description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation.
 global: True
 advanced: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 number_of_shards:
 description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs.
 global: True
 advanced: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 sort:
 field:
 description: The field to sort by. Must set index_sorting to True.
 global: True
 advanced: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 order:
 description: The order to sort by. Must set index_sorting to True.
 global: True
 advanced: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 mappings:
 _meta:
 package:
@@ -321,43 +321,43 @@ elasticsearch:
 description: Meta settings for the mapping.
 global: True
 advanced: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 managed_by:
 description: Meta settings for the mapping.
 global: True
 advanced: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 managed:
 description: Meta settings for the mapping.
 forcedType: bool
 global: True
 advanced: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 composed_of:
 description: The index template is composed of these component templates.
 forcedType: "[]string"
 global: True
 advanced: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 priority:
 description: The priority of the index template.
 forcedType: int
 global: True
 advanced: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 data_stream:
 hidden:
 description: Hide the data stream.
 forcedType: bool
 global: True
 advanced: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 allow_custom_routing:
 description: Allow custom routing for the data stream.
 forcedType: bool
 global: True
 advanced: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 policy:
 phases:
 hot:
@@ -365,7 +365,7 @@ elasticsearch:
 description: Minimum age of index. This determines when the index should be moved to the hot tier.
 global: True
 advanced: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 actions:
 set_priority:
 priority:
@@ -373,18 +373,18 @@ elasticsearch:
 forcedType: int
 global: True
 advanced: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 rollover:
 max_age:
 description: Maximum age of index. Once an index reaches this limit, it will be rolled over into a new index.
 global: True
 advanced: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 max_primary_shard_size:
 description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
 global: True
 advanced: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 shrink:
 method:
 description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
@@ -433,7 +433,7 @@ elasticsearch:
 forcedType: string
 global: True
 advanced: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 actions:
 set_priority:
 priority:
@@ -441,18 +441,18 @@ elasticsearch:
 forcedType: int
 global: True
 advanced: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 rollover:
 max_age:
 description: Maximum age of index. Once an index reaches this limit, it will be rolled over into a new index.
 global: True
 advanced: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 max_primary_shard_size:
 description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index.
 global: True
 advanced: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 shrink:
 method:
 description: Shrink the index to a new index with fewer primary shards. Shrink operation is by count or size.
@@ -506,7 +506,7 @@ elasticsearch:
 forcedType: string
 global: True
 advanced: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 actions:
 set_priority:
 priority:
@@ -514,7 +514,7 @@ elasticsearch:
 forcedType: int
 global: True
 advanced: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 allocate:
 number_of_replicas:
 description: Set the number of replicas. Remains the same as the previous phase by default.
@@ -528,25 +528,25 @@ elasticsearch:
 forcedType: string
 global: True
 advanced: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 _meta:
 package:
 name:
 description: Meta settings for the mapping.
 global: True
 advanced: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 managed_by:
 description: Meta settings for the mapping.
 global: True
 advanced: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 managed:
 description: Meta settings for the mapping.
 forcedType: bool
 global: True
 advanced: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 so-logs-system_x_auth: *indexSettings
 so-logs-system_x_syslog: *indexSettings
 so-logs-system_x_system: *indexSettings
@@ -611,18 +611,18 @@ elasticsearch:
 description: Sorts the index by event time, at the cost of additional processing resource consumption.
 advanced: True
 readonly: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 index_template:
 ignore_missing_component_templates:
 description: Ignore component templates if they aren't in Elasticsearch.
 advanced: True
 readonly: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 index_patterns:
 description: Patterns for matching multiple indices or tables.
 advanced: True
 readonly: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 template:
 settings:
 index:
@@ -630,33 +630,33 @@ elasticsearch:
 description: Type of mode used for this index. Time series indices can be used for metrics to reduce necessary storage.
 advanced: True
 readonly: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 number_of_replicas:
 description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs.
 advanced: True
 readonly: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 composed_of:
 description: The index template is composed of these component templates.
 advanced: True
 readonly: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 priority:
 description: The priority of the index template.
 advanced: True
 readonly: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 data_stream:
 hidden:
 description: Hide the data stream.
 advanced: True
 readonly: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 allow_custom_routing:
 description: Allow custom routing for the data stream.
 advanced: True
 readonly: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 so-metrics-fleet_server_x_agent_versions: *fleetMetricsSettings
 so_roles:
 so-manager: &soroleSettings
@@ -667,7 +667,7 @@ elasticsearch:
 forcedType: "[]string"
 global: False
 advanced: True
- helpLink: elasticsearch.html
+ helpLink: elasticsearch
 so-managersearch: *soroleSettings
 so-standalone: *soroleSettings
 so-searchnode: *soroleSettings
diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml
index 8aa42cd05..a5181e50f 100644
--- a/salt/firewall/soc_firewall.yaml
+++ b/salt/firewall/soc_firewall.yaml
@@ -3,7 +3,7 @@ firewall:
 analyst: &hostgroupsettings
 description: List of IP or CIDR blocks to allow access to this hostgroup.
 forcedType: "[]string"
- helpLink: firewall.html
+ helpLink: firewall
 multiline: True
 regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
 regexFailureMessage: You must enter a valid IP address or CIDR.
@@ -11,7 +11,7 @@ firewall: anywhere: &hostgroupsettingsadv description: List of IP or CIDR blocks to allow access to this hostgroup. forcedType: "[]string" - helpLink: firewall.html + helpLink: firewall multiline: True advanced: True regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$ @@ -22,7 +22,7 @@ firewall: dockernet: &ROhostgroupsettingsadv description: List of IP or CIDR blocks to allow access to this hostgroup. forcedType: "[]string" - helpLink: firewall.html + helpLink: firewall multiline: True advanced: True readonly: True @@ -53,7 +53,7 @@ firewall: customhostgroup0: &customhostgroupsettings description: List of IP or CIDR blocks to allow to this hostgroup. forcedType: "[]string" - helpLink: firewall.html + helpLink: firewall advanced: True multiline: True regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$ @@ -73,14 +73,14 @@ firewall: tcp: &tcpsettings description: List of TCP ports for this port group. forcedType: "[]string" - helpLink: firewall.html + helpLink: firewall advanced: True multiline: True duplicates: True udp: &udpsettings description: List of UDP ports for this port group. forcedType: "[]string" - helpLink: firewall.html + helpLink: firewall advanced: True multiline: True duplicates: True @@ -206,7 +206,7 @@ firewall: advanced: True multiline: True forcedType: "[]string" - helpLink: firewall.html + helpLink: firewall duplicates: True sensor: portgroups: *portgroupsdocker @@ -262,7 +262,7 @@ firewall: advanced: True multiline: True forcedType: "[]string" - helpLink: firewall.html + helpLink: firewall duplicates: True dockernet: portgroups: *portgroupshost diff --git a/salt/host/soc_host.yaml b/salt/host/soc_host.yaml index 8c790a8df..4d771a8d8 100644 --- a/salt/host/soc_host.yaml +++ b/salt/host/soc_host.yaml 
@@ -1,7 +1,7 @@ host: mainint: description: Main interface of the grid host. - helpLink: host.html + helpLink: ip-address mainip: description: Main IP address of the grid host. - helpLink: host.html \ No newline at end of file + helpLink: ip-address diff --git a/salt/hydra/soc_hydra.yaml b/salt/hydra/soc_hydra.yaml index 40e07ab1b..5242d0cc7 100644 --- a/salt/hydra/soc_hydra.yaml +++ b/salt/hydra/soc_hydra.yaml @@ -1,7 +1,7 @@ hydra: enabled: description: Enables or disables the API authentication system, used for service account authentication. Enabling this feature requires a valid Security Onion license key. Defaults to False. - helpLink: connect.html + helpLink: connect-api global: True config: ttl: @@ -9,16 +9,16 @@ hydra: description: Amount of time that the generated access token will be valid. Specified in the form of 2h, which means 2 hours. global: True forcedType: string - helpLink: connect.html + helpLink: connect-api log: level: description: Log level to use for Kratos logs. global: True - helpLink: connect.html + helpLink: connect-api format: description: Log output format for Kratos logs. global: True - helpLink: connect.html + helpLink: connect-api secrets: system: description: Secrets used for token generation. Generated during installation. @@ -26,4 +26,4 @@ hydra: sensitive: True advanced: True forcedType: "[]string" - helpLink: connect.html + helpLink: connect-api diff --git a/salt/idh/soc_idh.yaml b/salt/idh/soc_idh.yaml index 0d8ccb393..0ee103eb6 100644 --- a/salt/idh/soc_idh.yaml +++ b/salt/idh/soc_idh.yaml @@ -1,7 +1,7 @@ idh: enabled: description: Enables or disables the Intrusion Detection Honeypot (IDH) process. - helpLink: idh.html + helpLink: idh opencanary: config: logger: @@ -10,7 +10,7 @@ idh: readonly: True advanced: True global: True - helpLink: idh.html + helpLink: idh kwargs: formatters: plain: 
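Review bot: In the `hydra` file the `log.level` and `log.format` descriptions read `Log level to use for Kratos logs.` and `Log output format for Kratos logs.`, which looks like a copy-paste from the kratos settings since the surrounding keys (`ttl`, `secrets`) describe the Hydra API authentication system. Suggested wording: `Log level to use for Hydra logs.` and `Log output format for Hydra logs.`. The `secrets.system` entry at the end of this hunk is correctly marked `sensitive: True`; the `secrets` mapping continues past the hunk.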
@@ -24,53 +24,53 @@ idh: filename: *loggingOptions portscan_x_enabled: &serviceOptions description: To enable this opencanary module, set this value to true. To disable set to false. This option only applies to IDH nodes within your grid. - helpLink: idh.html + helpLink: idh portscan_x_logfile: *loggingOptions portscan_x_synrate: description: Portscan - syn rate limiting advanced: True - helpLink: idh.html + helpLink: idh portscan_x_nmaposrate: description: Portscan - nmap OS rate limiting advanced: True - helpLink: idh.html + helpLink: idh portscan_x_lorate: description: Portscan - lo rate limiting advanced: True - helpLink: idh.html + helpLink: idh tcpbanner_x_maxnum: description: Portscan - maxnum advanced: True - helpLink: idh.html + helpLink: idh tcpbanner_x_enabled: *serviceOptions tcpbanner_1_x_enabled: *serviceOptions tcpbanner_1_x_port: &portOptions description: Port the service should listen on. advanced: True - helpLink: idh.html + helpLink: idh tcpbanner_1_x_datareceivedbanner: &bannerOptions description: Data Received Banner advanced: True - helpLink: idh.html + helpLink: idh tcpbanner_1_x_initbanner: *bannerOptions tcpbanner_1_x_alertstring_x_enabled: *serviceOptions tcpbanner_1_x_keep_alive_x_enabled: *serviceOptions tcpbanner_1_x_keep_alive_secret: description: Keep Alive Secret advanced: True - helpLink: idh.html + helpLink: idh tcpbanner_1_x_keep_alive_probes: description: Keep Alive Probes advanced: True - helpLink: idh.html + helpLink: idh tcpbanner_1_x_keep_alive_interval: description: Keep Alive Interval advanced: True - helpLink: idh.html + helpLink: idh tcpbanner_1_x_keep_alive_idle: description: Keep Alive Idle advanced: True - helpLink: idh.html + helpLink: idh ftp_x_enabled: *serviceOptions ftp_x_port: *portOptions ftp_x_banner: *bannerOptions 
@@ -82,11 +82,11 @@ idh: http_x_skin: &skinOptions description: HTTP skin advanced: True - helpLink: idh.html + helpLink: idh http_x_skinlist: &skinlistOptions description: List of skins to use for the service. advanced: True - helpLink: idh.html + helpLink: idh httpproxy_x_enabled: *serviceOptions httpproxy_x_port: *portOptions httpproxy_x_skin: *skinOptions @@ -95,7 +95,7 @@ idh: mssql_x_version: &versionOptions description: Specify the version the service should present. advanced: True - helpLink: idh.html + helpLink: idh mssql_x_port: *portOptions mysql_x_enabled: *serviceOptions mysql_x_port: *portOptions @@ -119,7 +119,7 @@ idh: telnet_x_honeycreds: description: Credentials list for the telnet service. advanced: True - helpLink: idh.html + helpLink: idh tftp_x_enabled: *serviceOptions tftp_x_port: *portOptions vnc_x_enabled: *serviceOptions @@ -127,8 +127,8 @@ idh: openssh: enable: description: This is the real SSH service for the host machine. - helpLink: idh.html + helpLink: idh config: port: description: Port that the real SSH service will listen on and will only be accessible from the manager. - helpLink: idh.html + helpLink: idh diff --git a/salt/influxdb/soc_influxdb.yaml b/salt/influxdb/soc_influxdb.yaml index 846152cf3..875e03d4a 100644 --- a/salt/influxdb/soc_influxdb.yaml +++ b/salt/influxdb/soc_influxdb.yaml 
@@ -1,358 +1,358 @@ influxdb: enabled: description: Enables the grid metrics collection storage system. Security Onion grid health monitoring requires this process to remain enabled. WARNING - Disabling the process is unsupported, and will cause unexpected results. - helpLink: influxdb.html + helpLink: influxdb config: assets-path: description: Path to the InfluxDB user interface assets located inside the so-influxdb container. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb bolt-path: description: Path to the bolt DB file located inside the so-influxdb container. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb engine-path: description: Path to the engine directory located inside the so-influxdb container. This directory stores the time series data. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb feature-flags: description: List of key=value flags to enable. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb flux-log-enabled: description: Controls whether detailed flux query logging is enabled. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb hardening-enabled: description: If true, enforces outbound connections from the InfluxDB process must never attempt to reach an internal, private network address. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb http-bind-address: description: The URL and port on which InfluxDB will listen for new connections. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb http-idle-timeout: description: Keep-alive timeout while a connection waits for new requests. A value of 0 is the same as no timeout enforced. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb http-read-header-timeout: description: The duration to wait for a request header before closing the connection. A value of 0 is the same as no timeout enforced. 
global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb http-read-timeout: description: The duration to wait for the request to be fully read before closing the connection. A value of 0 is the same as no timeout enforced. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb http-write-timeout: description: The duration to wait for the response to be fully written before closing the connection. A value of 0 is the same as no timeout enforced. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb influxql-max-select-buckets: description: Maximum number of group-by clauses in a SELECT statement. A value of 0 is the same as unlimited. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb influxql-max-select-point: description: Maximum number of points that can be queried in a SELECT statement. A value of 0 is the same as unlimited. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb influxql-max-select-series: description: Maximum number of series that can be returned in a SELECT statement. A value of 0 is the same as unlimited. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb instance-id: description: Unique instance ID for this server, to avoid collisions in a replicated cluster. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb log-level: description: The log level to use for outputting log statements. Allowed values are debug, info, or error. global: True advanced: false regex: ^(info|debug|error)$ - helpLink: influxdb.html + helpLink: influxdb metrics-disabled: description: If true, the HTTP endpoint that exposes internal InfluxDB metrics will be inaccessible. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb no-tasks: description: If true, the task system will not process any queued tasks. Useful for troubleshooting startup problems. 
global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb pprof-disabled: description: If true, the profiling data HTTP endpoint will be inaccessible. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb query-concurrency: description: Maximum number of queries to execute concurrently. A value of 0 is the same as unlimited. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb query-initial-memory-bytes: description: The initial number of bytes of memory to allocate for a new query. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb query-max-memory-bytes: description: The number of bytes of memory to allocate to all running queries. Should typically be the query bytes times the max concurrent queries. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb query-memory-bytes: description: Maximum number of bytes of memory to allocate to a query. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb query-queue-size: description: Maximum number of queries that can be queued at one time. If this value is reached, new queries will not be queued. A value of 0 is the same as unlimited. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb reporting-disabled: description: If true, prevents InfluxDB from sending telemetry updates to InfluxData's servers. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb secret-store: description: Determines the type of storage used for secrets. Allowed values are bolt or vault. global: True advanced: True regex: ^(bolt|vault)$ - helpLink: influxdb.html + helpLink: influxdb session-length: description: Number of minutes that a user login session can remain authenticated. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb session-renew-disabled: description: If true, user login sessions will renew after each request. 
global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb sqlite-path: description: Path to the Sqlite3 database inside the container. This database stored user data and other information about the database. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb storage-cache-max-memory-size: description: Maximum number of bytes to allocate to cache data per shard. If exceeded, new data writes will be rejected. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb storage-cache-snapshot-memory-size: description: Number of bytes to allocate to cache snapshot data. When the cache reaches this size, it will be written to disk to increase available memory. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb storage-cache-snapshot-write-cold-duration: description: Duration between snapshot writes to disk when the shard data hasn't been modified. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb storage-compact-full-write-cold-duration: description: Duration between shard compactions when the shard data hasn't been modified. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb storage-compact-throughput-burst: description: Maximum throughput (number of bytes per second) that compactions be written to disk. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb storage-max-concurrent-compactions: description: Maximum number of concurrent compactions. A value of 0 is the same as half the available CPU processors (procs). global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb storage-max-index-log-file-size: description: Maximum number of bytes of a write-ahead log (WAL) file before it will be compacted into an index on disk. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb storage-no-validate-field-size: description: If true, incoming requests will skip the field size validation. 
global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb storage-retention-check-interval: description: Interval between reviewing each bucket's retention policy and the age of the associated data. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb storage-series-file-max-concurrent-snapshot-compactions: description: Maximum number of concurrent snapshot compactions across all database partitions. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb storage-series-id-set-cache-size: description: Maximum size of the series cache results. Higher values may increase performance for repeated data lookups. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb storage-shard-precreator-advance-period: description: The duration before a successor shard group is created after the end-time has been reached. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb storage-shard-precreator-check-interval: description: Interval between checking if new shards should be created. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb storage-tsm-use-madv-willneed: description: If true, InfluxDB will manage TSM memory paging. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb storage-validate-keys: description: If true, validates incoming requests for supported characters. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb storage-wal-fsync-delay: description: Duration to wait before calling fsync. Useful for handling conflicts on slower disks. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb storage-wal-max-concurrent-writes: description: Maximum number of concurrent write-ahead log (WAL) writes to disk. The value of 0 is the same as CPU processors (procs) x 2. 
global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb storage-wal-max-write-delay: description: Maximum duration to wait before writing the write-ahead log (WAL) to disk, when the concurrency limit has been exceeded. A value of 0 is the same as no timeout. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb storage-write-timeout: description: Maximum time to wait for a write-ahead log (WAL) to write to disk before aborting. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb store: description: The type of data store to use for HTTP resources. Allowed values are disk or memory. Memory should not be used for production Security Onion installations. global: True advanced: True regex: ^(disk|memory)$ - helpLink: influxdb.html + helpLink: influxdb tls-cert: description: The container path to the certificate to use for TLS encryption of the HTTP requests and responses. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb tls-key: description: The container path to the certificate key to use for TLS encryption of the HTTP requests and responses. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb tls-min-version: description: The minimum supported version of TLS to be enforced on all incoming HTTP requests. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb tls-strict-ciphers: description: If true, the allowed ciphers used with TLS connections are ECDHE_RSA_WITH_AES_256_GCM_SHA384, ECDHE_RSA_WITH_AES_256_CBC_SHA, RSA_WITH_AES_256_GCM_SHA384, or RSA_WITH_AES_256_CBC_SHA. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb tracing-type: description: The tracing format for debugging purposes. Allowed values are log or jaeger, or leave blank to disable tracing. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb ui-disabled: description: If true, the InfluxDB HTTP user interface will be disabled. 
This will prevent use of the included InfluxDB dashboard visualizations. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb vault-addr: description: Vault server address. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb vault-cacert: description: Path to the Vault's single certificate authority certificate file within the container. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb vault-capath: description: Path to the Vault's certificate authority directory within the container. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb vault-client-cert: description: Vault client certificate path within the container. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb vault-client-key: description: Vault client certificate key path within the container. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb vault-client-timeout: description: Duration to wait for a response from the Vault server before aborting. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb vault-max-retries: description: Maximum number of retries when attempting to contact the Vault server. A value of 0 is the same as disabling retries. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb vault-skip-verify: description: Skip certification validation of the Vault server. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb vault-tls-server-name: description: SNI host to specify when using TLS to connect to the Vault server. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb vault-token: description: Vault token used for authentication. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb buckets: so_short_term: duration: description: Amount of time (in seconds) to keep short term data. 
global: True - helpLink: influxdb.html + helpLink: influxdb shard_duration: description: Amount of the time (in seconds) range covered by the shard group. global: True - helpLink: influxdb.html + helpLink: influxdb so_long_term: duration: description: Amount of time (in seconds) to keep long term downsampled data. global: True - helpLink: influxdb.html + helpLink: influxdb shard_duration: description: Amount of the time (in seconds) range covered by the shard group. global: True - helpLink: influxdb.html + helpLink: influxdb downsample: so_long_term: resolution: description: Amount of time to turn into a single data point. global: True - helpLink: influxdb.html + helpLink: influxdb diff --git a/salt/kafka/soc_kafka.yaml b/salt/kafka/soc_kafka.yaml index cb093600f..93a2b871e 100644 --- a/salt/kafka/soc_kafka.yaml +++ b/salt/kafka/soc_kafka.yaml 
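Review bot: `vault-token` (description `Vault token used for authentication.`) carries only `global: True` and `advanced: True` and is not flagged `sensitive: True`, unlike the other credential-bearing settings touched by this change set (`hydra.secrets.system`, `kafka.config.password`, `kafka.config.trustpass`); add `sensitive: True` beneath `advanced: True` so the token gets the same handling as those secrets. The `vault-skip-verify` description, `Skip certification validation of the Vault server.`, should also spell out the consequence, e.g. `Skip TLS certificate validation of the Vault server. Enabling this allows a man-in-the-middle to intercept the Vault token; leave false in production.` Whether `sensitive` actually masks the value in the SOC UI is not visible here and should be confirmed against how SOC consumes these annotations.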
@@ -1,257 +1,257 @@ kafka: enabled: description: Set to True to enable Kafka. To avoid grid problems, do not enable Kafka until the related configuration is in place. Requires a valid Security Onion license key. - helpLink: kafka.html + helpLink: kafka cluster_id: description: The ID of the Kafka cluster. readonly: True advanced: True sensitive: True - helpLink: kafka.html + helpLink: kafka controllers: description: A comma-separated list of hostnames that will act as Kafka controllers. These hosts will be responsible for managing the Kafka cluster. Note that only manager and receiver nodes are eligible to run Kafka. This configuration needs to be set before enabling Kafka. Failure to do so may result in Kafka topics becoming unavailable requiring manual intervention to restore functionality or reset Kafka, either of which can result in data loss. forcedType: string - helpLink: kafka.html + helpLink: kafka reset: description: Disable and reset the Kafka cluster. This will remove all Kafka data including logs that may have not yet been ingested into Elasticsearch and reverts the grid to using REDIS as the global pipeline. This is useful when testing different Kafka configurations such as rearranging Kafka brokers / controllers allowing you to reset the cluster rather than manually fixing any issues arising from attempting to reassign a Kafka broker into a controller. Enter 'YES_RESET_KAFKA' and submit to disable and reset Kafka. Make any configuration changes required and re-enable Kafka when ready. This action CANNOT be reversed. advanced: True - helpLink: kafka.html + helpLink: kafka logstash: description: By default logstash is disabled when Kafka is enabled. This option allows you to specify any hosts you would like to re-enable logstash on alongside Kafka. forcedType: "[]string" multiline: True advanced: True - helpLink: kafka.html + helpLink: kafka config: password: description: The password used for the Kafka certificates. 
readonly: True sensitive: True - helpLink: kafka.html + helpLink: kafka trustpass: description: The password used for the Kafka truststore. readonly: True sensitive: True - helpLink: kafka.html + helpLink: kafka broker: auto_x_create_x_topics_x_enable: description: Enable the auto creation of topics. title: auto.create.topics.enable forcedType: bool - helpLink: kafka.html + helpLink: kafka default_x_replication_x_factor: description: The default replication factor for automatically created topics. This value must be less than the amount of brokers in the cluster. Hosts specified in controllers should not be counted towards total broker count. title: default.replication.factor forcedType: int - helpLink: kafka.html + helpLink: kafka inter_x_broker_x_listener_x_name: description: The name of the listener used for inter-broker communication. title: inter.broker.listener.name - helpLink: kafka.html + helpLink: kafka listeners: description: Set of URIs that is listened on and the listener names in a comma-seperated list. - helpLink: kafka.html + helpLink: kafka listener_x_security_x_protocol_x_map: description: Comma-seperated mapping of listener name and security protocols. title: listener.security.protocol.map - helpLink: kafka.html + helpLink: kafka log_x_dirs: description: Where Kafka logs are stored within the Docker container. title: log.dirs - helpLink: kafka.html + helpLink: kafka log_x_retention_x_check_x_interval_x_ms: description: Frequency at which log files are checked if they are qualified for deletion. title: log.retention.check.interval.ms - helpLink: kafka.html + helpLink: kafka log_x_retention_x_hours: description: How long, in hours, a log file is kept. title: log.retention.hours forcedType: int - helpLink: kafka.html + helpLink: kafka log_x_segment_x_bytes: description: The maximum allowable size for a log file. 
title: log.segment.bytes forcedType: int - helpLink: kafka.html + helpLink: kafka num_x_io_x_threads: description: The number of threads used by Kafka. title: num.io.threads forcedType: int - helpLink: kafka.html + helpLink: kafka num_x_network_x_threads: description: The number of threads used for network communication. title: num.network.threads forcedType: int - helpLink: kafka.html + helpLink: kafka num_x_partitions: description: The number of log partitions assigned per topic. title: num.partitions forcedType: int - helpLink: kafka.html + helpLink: kafka num_x_recovery_x_threads_x_per_x_data_x_dir: description: The number of threads used for log recuperation at startup and purging at shutdown. This ammount of threads is used per data directory. title: num.recovery.threads.per.data.dir forcedType: int - helpLink: kafka.html + helpLink: kafka offsets_x_topic_x_replication_x_factor: description: The offsets topic replication factor. title: offsets.topic.replication.factor forcedType: int - helpLink: kafka.html + helpLink: kafka process_x_roles: description: The role performed by Kafka brokers. title: process.roles readonly: True - helpLink: kafka.html + helpLink: kafka socket_x_receive_x_buffer_x_bytes: description: Size, in bytes of the SO_RCVBUF buffer. A value of -1 will use the OS default. title: socket.receive.buffer.bytes #forcedType: int - soc needs to allow -1 as an int before we can use this - helpLink: kafka.html + helpLink: kafka socket_x_request_x_max_x_bytes: description: The maximum bytes allowed for a request to the socket. title: socket.request.max.bytes forcedType: int - helpLink: kafka.html + helpLink: kafka socket_x_send_x_buffer_x_bytes: description: Size, in bytes of the SO_SNDBUF buffer. A value of -1 will use the OS default. 
title: socket.send.buffer.byte #forcedType: int - soc needs to allow -1 as an int before we can use this - helpLink: kafka.html + helpLink: kafka ssl_x_keystore_x_location: description: The key store file location within the Docker container. title: ssl.keystore.location - helpLink: kafka.html + helpLink: kafka ssl_x_keystore_x_password: description: The key store file password. Invalid for PEM format. title: ssl.keystore.password sensitive: True - helpLink: kafka.html + helpLink: kafka ssl_x_keystore_x_type: description: The key store file format. title: ssl.keystore.type regex: ^(JKS|PKCS12|PEM)$ - helpLink: kafka.html + helpLink: kafka ssl_x_truststore_x_location: description: The trust store file location within the Docker container. title: ssl.truststore.location - helpLink: kafka.html + helpLink: kafka ssl_x_truststore_x_type: description: The trust store file format. title: ssl.truststore.type - helpLink: kafka.html + helpLink: kafka ssl_x_truststore_x_password: description: The trust store file password. If null, the trust store file is still use, but integrity checking is disabled. Invalid for PEM format. title: ssl.truststore.password sensitive: True - helpLink: kafka.html + helpLink: kafka transaction_x_state_x_log_x_min_x_isr: description: Overrides min.insync.replicas for the transaction topic. When a producer configures acks to "all" (or "-1"), this setting determines the minimum number of replicas required to acknowledge a write as successful. Failure to meet this minimum triggers an exception (either NotEnoughReplicas or NotEnoughReplicasAfterAppend). When used in conjunction, min.insync.replicas and acks enable stronger durability guarantees. For instance, creating a topic with a replication factor of 3, setting min.insync.replicas to 2, and using acks of "all" ensures that the producer raises an exception if a majority of replicas fail to receive a write. 
title: transaction.state.log.min.isr forcedType: int - helpLink: kafka.html + helpLink: kafka transaction_x_state_x_log_x_replication_x_factor: description: Set the replication factor higher for the transaction topic to ensure availability. Internal topic creation will not proceed until the cluster size satisfies this replication factor prerequisite. title: transaction.state.log.replication.factor forcedType: int - helpLink: kafka.html + helpLink: kafka client: security_x_protocol: description: 'Broker communication protocol. Options are: SASL_SSL, PLAINTEXT, SSL, SASL_PLAINTEXT' title: security.protocol regex: ^(SASL_SSL|PLAINTEXT|SSL|SASL_PLAINTEXT) - helpLink: kafka.html + helpLink: kafka ssl_x_keystore_x_location: description: The key store file location within the Docker container. title: ssl.keystore.location - helpLink: kafka.html + helpLink: kafka ssl_x_keystore_x_password: description: The key store file password. Invalid for PEM format. title: ssl.keystore.password sensitive: True - helpLink: kafka.html + helpLink: kafka ssl_x_keystore_x_type: description: The key store file format. title: ssl.keystore.type regex: ^(JKS|PKCS12|PEM)$ - helpLink: kafka.html + helpLink: kafka ssl_x_truststore_x_location: description: The trust store file location within the Docker container. title: ssl.truststore.location - helpLink: kafka.html + helpLink: kafka ssl_x_truststore_x_type: description: The trust store file format. title: ssl.truststore.type - helpLink: kafka.html + helpLink: kafka ssl_x_truststore_x_password: description: The trust store file password. If null, the trust store file is still use, but integrity checking is disabled. Invalid for PEM format. title: ssl.truststore.password sensitive: True - helpLink: kafka.html + helpLink: kafka controller: controller_x_listener_x_names: description: Set listeners used by the controller in a comma-seperated list. 
title: controller.listener.names - helpLink: kafka.html + helpLink: kafka listeners: description: Set of URIs that is listened on and the listener names in a comma-seperated list. - helpLink: kafka.html + helpLink: kafka listener_x_security_x_protocol_x_map: description: Comma-seperated mapping of listener name and security protocols. title: listener.security.protocol.map - helpLink: kafka.html + helpLink: kafka log_x_dirs: description: Where Kafka logs are stored within the Docker container. title: log.dirs - helpLink: kafka.html + helpLink: kafka log_x_retention_x_check_x_interval_x_ms: description: Frequency at which log files are checked if they are qualified for deletion. title: log.retention.check.interval.ms - helpLink: kafka.html + helpLink: kafka log_x_retention_x_hours: description: How long, in hours, a log file is kept. title: log.retention.hours forcedType: int - helpLink: kafka.html + helpLink: kafka log_x_segment_x_bytes: description: The maximum allowable size for a log file. title: log.segment.bytes forcedType: int - helpLink: kafka.html + helpLink: kafka process_x_roles: description: The role performed by controller node. title: process.roles readonly: True - helpLink: kafka.html + helpLink: kafka external_access: enabled: description: Enables or disables access to Kafka topics using user/password authentication. Used for producing / consuming messages via an external client. forcedType: bool - helpLink: kafka.html + helpLink: kafka listeners: description: Set of URIs that is listened on and the listener names in a comma-seperated list. title: listeners readonly: True advanced: True - helpLink: kafka.html + helpLink: kafka listener_x_security_x_protocol_x_map: description: External listener name and mapped security protocol. 
title: listener.security.protocol.map readonly: True advanced: True - helpLink: kafka.html + helpLink: kafka sasl_x_enabled_x_mechanisms: description: SASL/PLAIN is a simple username/password authentication mechanism, used with TLS to implement secure authentication. title: sasl.enabled.mechanisms readonly: True advanced: True - helpLink: kafka.html + helpLink: kafka sasl_x_mechanism_x_inter_x_broker_x_protocol: description: SASL mechanism used for inter-broker communication title: sasl.mechanism.inter.broker.protocol readonly: True advanced: True - helpLink: kafka.html + helpLink: kafka remote_users: user01: &remote_user username: diff --git a/salt/kibana/soc_kibana.yaml b/salt/kibana/soc_kibana.yaml index 2c097ce1c..ae488d2ec 100644 --- a/salt/kibana/soc_kibana.yaml +++ b/salt/kibana/soc_kibana.yaml @@ -1,10 +1,10 @@ kibana: enabled: description: Enables or disables the Kibana front-end interface to Elasticsearch. Due to Kibana being used for loading certain configuration details in Elasticsearch, this process should remain enabled. WARNING - Disabling the process is unsupported, and will cause unexpected results. - helpLink: kibana.html + helpLink: kibana config: elasticsearch: requestTimeout: description: The length of time before the request reaches timeout. global: True - helpLink: kibana.html + helpLink: kibana diff --git a/salt/kratos/soc_kratos.yaml b/salt/kratos/soc_kratos.yaml index 1b8c016c1..13f50ac2b 100644 --- a/salt/kratos/soc_kratos.yaml +++ b/salt/kratos/soc_kratos.yaml 
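Review bot: The `client.security_x_protocol` regex `^(SASL_SSL|PLAINTEXT|SSL|SASL_PLAINTEXT)` has no trailing `$`, unlike `^(JKS|PKCS12|PEM)$` used for the keystore types in the same hunk, so a value such as `SSLX` or `PLAINTEXT garbage` passes validation and is handed to Kafka verbatim; change it to `regex: ^(SASL_SSL|PLAINTEXT|SSL|SASL_PLAINTEXT)$`. Separately, `socket_x_send_x_buffer_x_bytes` has `title: socket.send.buffer.byte` while its receive counterpart is `socket.receive.buffer.bytes`; if `title` is what SOC shows or uses as the Kafka property name, the missing `s` is a defect, so `title: socket.send.buffer.bytes`. The `remote_users` mapping at the end of this hunk continues past it, so its `username`/password annotations could not be checked here.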
@@ -2,79 +2,79 @@ kratos:
enabled:
description: Enables or disables the Kratos authentication system. WARNING - Disabling this process will cause the grid to malfunction. Re-enabling this setting will require manual effort via SSH.
advanced: True
- helpLink: kratos.html
+ helpLink: kratos
oidc:
enabled:
description: Set to True to enable OIDC / Single Sign-On (SSO) to SOC. Requires a valid Security Onion license key.
global: True
- helpLink: oidc.html
+ helpLink: oidc
config:
id:
description: Customize the OIDC provider name. This name appears on the login page. Required. It is strongly recommended to leave this to the default value, unless you are aware of the other configuration pieces that will be affected by changing it.
global: True
forcedType: string
- helpLink: oidc.html
+ helpLink: oidc
provider:
description: "Specify the provider type. Required. Valid values are: auth0, generic, github, google, microsoft"
global: True
forcedType: string
regex: "auth0|generic|github|google|microsoft"
regexFailureMessage: "Valid values are: auth0, generic, github, google, microsoft"
- helpLink: oidc.html
+ helpLink: oidc
client_id:
description: Specify the client ID, also referenced as the application ID. Required.
global: True
forcedType: string
- helpLink: oidc.html
+ helpLink: oidc
client_secret:
description: Specify the client secret. Required.
global: True
forcedType: string
- helpLink: oidc.html
+ helpLink: oidc
microsoft_tenant:
description: Specify the Microsoft Active Directory Tenant ID. Required when provider is 'microsoft'.
global: True
forcedType: string
- helpLink: oidc.html
+ helpLink: oidc
subject_source:
description: The source of the subject identifier. Typically 'userinfo'. Only used when provider is 'microsoft'.
global: True
forcedType: string
regex: me|userinfo
regexFailureMessage: "Valid values are: me, userinfo"
- helpLink: oidc.html
+ helpLink: oidc
auth_url:
description: Provider's auth URL. Required when provider is 'generic'.
global: True
forcedType: string
- helpLink: oidc.html
+ helpLink: oidc
issuer_url:
description: Provider's issuer URL. Required when provider is 'auth0' or 'generic'.
global: True
forcedType: string
- helpLink: oidc.html
+ helpLink: oidc
mapper_url:
description: A file path or URL in Jsonnet format, used to map OIDC claims to the Kratos schema. Defaults to an included file that maps the email claim. Note that the contents of the included file can be customized via the "OIDC Claims Mapping" setting.
advanced: True
global: True
forcedType: string
- helpLink: oidc.html
+ helpLink: oidc
token_url:
description: Provider's token URL. Required when provider is 'generic'.
global: True
forcedType: string
- helpLink: oidc.html
+ helpLink: oidc
scope:
description: List of scoped data categories to request in the authentication response. Typically 'email' and 'profile' are the minimum required scopes. However, GitHub requires `user:email', instead and Auth0 requires 'profile', 'email', and 'openid'.
global: True
forcedType: "[]string"
- helpLink: oidc.html
+ helpLink: oidc
pkce:
description: Set to 'force' if the OIDC provider does not support auto-detection of PKCE, but does support PKCE. Set to `never` to disable PKCE. The default setting automatically attempts to detect if PKCE is supported. The provider's `well-known/openid-configuration` JSON response must contain the `S256` algorithm within the `code_challenge_methods_supported` list in order for the auto-detection to correctly detect PKCE is supported.
global: True
forcedType: string
- helpLink: oidc.html
+ helpLink: oidc
requested_claims:
id_token:
email:
@@ -82,7 +82,7 @@ kratos:
description: Specifies whether the email claim is necessary. Typically leave this value set to true.
advanced: True
global: True
- helpLink: oidc.html
+ helpLink: oidc
files:
oidc__jsonnet:
title: OIDC Claims Mapping
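Review bot: The `client_secret` entry in this hunk carries `global: True` and `forcedType: string` but no `sensitive: True`, even though the same file marks `secrets.default` as `sensitive: True` (the `secrets:` block further down this diff) and soc_sensoroni.yaml marks `sensoronikey` and every analyzer `api_key` that way. If `sensitive` is the flag that keeps a value masked in the configuration UI and out of plain-text views, the OIDC client secret should carry it as well; if it is omitted on purpose because the consumer treats this key specially, a short comment above the key saying so would stop the next reader from re-raising this. Proposed addition under `client_secret:`, next to `forcedType: string`: `sensitive: True`. The full attribute set of `client_secret` is visible in the hunk, so the omission is not a truncation artefact of this view.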
@@ -90,20 +90,20 @@ kratos:
advanced: True
file: True
global: True
- helpLink: oidc.html
+ helpLink: oidc
config:
session:
lifespan:
description: Defines the length of a login session.
global: True
- helpLink: kratos.html
+ helpLink: kratos
whoami:
required_aal:
description: Sets the Authenticator Assurance Level. Leave as default to ensure proper security protections remain in place.
global: True
advanced: True
- helpLink: kratos.html
+ helpLink: kratos
selfservice:
methods:
password:
@@ -111,143 +111,143 @@ kratos:
description: Set to True to enable traditional password authentication to SOC. Typically set to true, except when exclusively using OIDC authentication. Some external tool interfaces may not be accessible if local password authentication is disabled.
global: True
advanced: True
- helpLink: oidc.html
+ helpLink: oidc
config:
haveibeenpwned_enabled:
description: Set to True to check if a newly chosen password has ever been found in a published list of previously-compromised passwords. Requires outbound Internet connectivity when enabled.
global: True
- helpLink: kratos.html
+ helpLink: kratos
totp:
enabled:
description: Set to True to enable Time-based One-Time Password (TOTP) multi-factor authentication (MFA) to SOC. Enable to ensure proper security protections remain in place. Be aware that disabling this setting, after users have already setup TOTP, may prevent users from logging in.
global: True
- helpLink: kratos.html
+ helpLink: kratos
config:
issuer:
description: The name to show in the MFA authenticator app. Useful for differentiating between installations that share the same user email address.
global: True
- helpLink: kratos.html
+ helpLink: kratos
webauthn:
enabled:
description: Set to True to enable Security Keys (WebAuthn / PassKeys) for passwordless or multi-factor authentication (MFA) SOC logins. Security Keys are a Public-Key Infrastructure (PKI) based authentication method, typically involving biometric hardware devices, such as laptop fingerprint scanners and USB hardware keys. Be aware that disabling this setting, after users have already setup their accounts with Security Keys, may prevent users from logging in.
global: True
- helpLink: kratos.html
+ helpLink: kratos
config:
passwordless:
description: Set to True to utilize Security Keys (WebAuthn / PassKeys) for passwordless logins. Set to false to utilize Security Keys as a multi-factor authentication (MFA) method supplementing password logins.
Be aware that changing this value, after users have already setup their accounts with the previous value, may prevent users from logging in.
global: True
- helpLink: kratos.html
+ helpLink: kratos
rp:
id:
description: The internal identification used for registering new Security Keys. Leave as default to ensure Security Keys function properly.
global: True
advanced: True
- helpLink: kratos.html
+ helpLink: kratos
origin:
description: The URL used to login to SOC. Leave as default to ensure Security Keys function properly.
global: True
advanced: True
- helpLink: kratos.html
+ helpLink: kratos
display_name:
description: The name assigned to the security key. Note that URL_BASE is replaced with the hostname or IP address used to login to SOC, to help distinguish multiple Security Onion installations.
global: True
advanced: True
- helpLink: kratos.html
+ helpLink: kratos
flows:
settings:
privileged_session_max_age:
description: The length of time after a successful authentication for a user's session to remain elevated to a privileged session. Privileged sessions are able to change passwords and other security settings for that user. If a session is no longer privileged then the user is redirected to the login form in order to confirm the security change.
global: True
- helpLink: kratos.html
+ helpLink: kratos
ui_url:
description: User accessible URL containing the user self-service profile and security settings. Leave as default to ensure proper operation.
global: True
advanced: True
- helpLink: kratos.html
+ helpLink: kratos
required_aal:
description: Sets the Authenticator Assurance Level for accessing user self-service profile and security settings. Leave as default to ensure proper security enforcement remains in place.
global: True
advanced: True
- helpLink: kratos.html
+ helpLink: kratos
verification:
ui_url:
description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
global: True
advanced: True
- helpLink: kratos.html
+ helpLink: kratos
login:
ui_url:
description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
global: True
advanced: True
- helpLink: kratos.html
+ helpLink: kratos
lifespan:
description: Defines the duration that a login form will remain valid.
global: True
- helpLink: kratos.html
+ helpLink: kratos
error:
ui_url:
description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
global: True
advanced: True
- helpLink: kratos.html
+ helpLink: kratos
registration:
ui_url:
description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
global: True
advanced: True
- helpLink: kratos.html
+ helpLink: kratos
default_browser_return_url:
description: Security Onion Console landing page URL. Leave as default to ensure proper operation.
global: True
advanced: True
- helpLink: kratos.html
+ helpLink: kratos
allowed_return_urls:
description: Internal redirect URL. Leave as default to ensure proper operation.
global: True
advanced: True
- helpLink: kratos.html
+ helpLink: kratos
log:
level:
description: Log level to use for Kratos logs.
global: True
- helpLink: kratos.html
+ helpLink: kratos
format:
description: Log output format for Kratos logs.
global: True
- helpLink: kratos.html
+ helpLink: kratos
secrets:
default:
description: Secret key used for protecting session cookie data. Generated during installation.
global: True
sensitive: True
advanced: True
- helpLink: kratos.html
+ helpLink: kratos
serve:
public:
base_url:
description: User accessible URL for authenticating to Kratos. Leave as default for proper operation.
global: True
advanced: True
- helpLink: kratos.html
+ helpLink: kratos
admin:
base_url:
description: User accessible URL for accessing Kratos administration API. Leave as default for proper operation.
global: True
advanced: True
- helpLink: kratos.html
+ helpLink: kratos
hashers:
bcrypt:
cost:
description: Bcrypt hashing algorithm cost. Higher values consume more CPU and take longer to complete. Actual cost is computed as 2^X where X is the value in this setting.
global: True
advanced: True
- helpLink: kratos.html
+ helpLink: kratos
courier:
smtp:
connection_uri:
description: SMTPS URL for sending outbound account-related emails. Not utilized with the standard Security Onion installation.
global: True
advanced: True
- helpLink: kratos.html
+ helpLink: kratos
diff --git a/salt/logstash/soc_logstash.yaml b/salt/logstash/soc_logstash.yaml
index 9560b5c36..71255928b 100644
--- a/salt/logstash/soc_logstash.yaml
+++ b/salt/logstash/soc_logstash.yaml
@@ -1,13 +1,13 @@
logstash:
enabled:
description: Enables or disables the Logstash log event forwarding process. On most grid installations, when this process is disabled log events are unable to be ingested into the SOC backend.
- helpLink: logstash.html
+ helpLink: logstash
assigned_pipelines:
roles:
standalone: &assigned_pipelines
description: List of defined pipelines to add to this role.
advanced: True
- helpLink: logstash.html
+ helpLink: logstash
multiline: True
forcedType: "[]string"
duplicates: True
@@ -21,7 +21,7 @@ logstash:
receiver: &defined_pipelines
description: List of pipeline configurations assign to this group.
advanced: True
- helpLink: logstash.html
+ helpLink: logstash
multiline: True
forcedType: "[]string"
duplicates: True
@@ -39,7 +39,7 @@ logstash:
advanced: True
multiline: True
forcedType: string
- helpLink: logstash.html
+ helpLink: logstash
duplicates: True
custom002: *pipeline_config
custom003: *pipeline_config
@@ -53,35 +53,35 @@ logstash:
settings:
lsheap:
description: Heap size to use for logstash
- helpLink: logstash.html
+ helpLink: logstash
global: False
config:
api_x_http_x_host:
description: Host interface to listen to connections.
- helpLink: logstash.html
+ helpLink: logstash
readonly: True
advanced: True
path_x_logs:
description: Path inside the container to wrote logs.
- helpLink: logstash.html
+ helpLink: logstash
readonly: True
advanced: True
pipeline_x_workers:
description: Number of worker threads to process events in logstash.
- helpLink: logstash.html
+ helpLink: logstash
global: False
pipeline_x_batch_x_size:
description: Logstash batch size.
- helpLink: logstash.html
+ helpLink: logstash
global: False
pipeline_x_ecs_compatibility:
description: Sets ECS compatibility. This is set per pipeline so you should never need to change this.
- helpLink: logstash.html
+ helpLink: logstash
readonly: True
advanced: True
dmz_nodes:
description: "List of receiver nodes in DMZs. Prevents sensors from sending to these receivers. Primarily used for external Elastic agents."
- helpLink: logstash.html
+ helpLink: logstash
multiline: True
advanced: True
forcedType: "[]string"
diff --git a/salt/manager/soc_manager.yaml b/salt/manager/soc_manager.yaml
index af66d62d8..7f67eef34 100644
--- a/salt/manager/soc_manager.yaml
+++ b/salt/manager/soc_manager.yaml
@@ -3,80 +3,80 @@ manager:
enabled:
description: This is the daily task of syncing the Security Onion OS packages. It is recommended that this setting remain enabled to ensure important updates are applied to the grid on an automated, scheduled basis.
global: True
- helpLink: soup.html
+ helpLink: soup
hour:
description: The hour of the day in which the repo sync takes place.
global: True
- helpLink: soup.html
+ helpLink: soup
minute:
description: The minute within the hour to run the repo sync.
global: True
- helpLink: soup.html
+ helpLink: soup
elastalert:
description: Enable elastalert 1=enabled 0=disabled.
global: True
- helpLink: elastalert.html
+ helpLink: elastalert
no_proxy:
description: String of hosts to ignore the proxy settings for.
global: True
- helpLink: proxy.html
+ helpLink: proxy
proxy:
description: Proxy server to use for updates.
global: True
- helpLink: proxy.html
+ helpLink: proxy
additionalCA:
description: Additional CA certificates to trust in PEM format.
global: True
advanced: True
multiline: True
forcedType: string
- helpLink: proxy.html
+ helpLink: proxy
insecureSkipVerify:
description: Disable TLS verification for outgoing requests. This will make your installation less secure to MITM attacks. Recommended only for debugging purposes.
advanced: True
forcedType: bool
global: True
- helpLink: proxy.html
+ helpLink: proxy
agent_monitoring:
enabled:
description: Enable monitoring elastic agents for health issues. Can be used to trigger an alert when a 'critical' agent hasn't checked in with fleet for longer than the configured offline threshold.
global: True
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
forcedType: bool
config:
critical_agents:
description: List of 'critical' agents to log when they haven't checked in longer than the maximum allowed time. If there are no 'critical' agents specified all offline agents will be logged once they reach the offline threshold.
global: True
multiline: True
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
forcedType: "[]string"
custom_kquery:
description: For more granular control over what agents to monitor for offline|degraded status add a kquery here. It is recommended to create & test within Elastic Fleet first to ensure your agents are targeted correctly using the query. eg 'status:offline AND tags:INFRA'
global: True
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
forcedType: string
advanced: True
offline_threshold:
description: The maximum allowed time in hours a 'critical' agent has been offline before being logged.
global: True
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
forcedType: int
realert_threshold:
description: The time to pass before another alert for an offline agent exceeding the offline_threshold is generated.
global: True
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
forcedType: int
page_size:
description: The amount of agents that can be processed per API request to fleet.
global: True
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
forcedType: int
advanced: True
run_interval:
description: The time in minutes between checking fleet agent statuses.
global: True
advanced: True
- helpLink: elastic-fleet.html
+ helpLink: elastic-fleet
forcedType: int
managed_integrations:
description: List of integrations to add into SOC config UI. Enter the full or partial integration name. Eg. 1password, 1pass
@@ -84,4 +84,4 @@ manager:
multiline: True
global: True
advanced: True
- helpLink: elasticsearch.html
\ No newline at end of file
+ helpLink: elasticsearch
\ No newline at end of file
diff --git a/salt/nginx/soc_nginx.yaml b/salt/nginx/soc_nginx.yaml
index de1a083c2..c831a1a49 100644
--- a/salt/nginx/soc_nginx.yaml
+++ b/salt/nginx/soc_nginx.yaml
@@ -2,7 +2,7 @@ nginx:
enabled:
description: Enables or disables the Nginx web server and reverse proxy. WARNING - Disabling this process will prevent access to SOC and other important web interfaces and APIs. Re-enabling the process is a manual effort. Do not change this setting without instruction from Security Onion support.
advanced: True
- helpLink: nginx.html
+ helpLink: nginx
external_suricata:
description: Enable this to allow external access to Suricata Rulesets managed by Detections.
advanced: True
@@ -15,33 +15,33 @@ nginx:
advanced: True
forcedType: bool
title: Replace Default Cert
- helpLink: nginx.html
+ helpLink: nginx
ssl__key:
description: If you enabled the replace_cert option, paste the contents of your .key file here.
file: True
title: SSL/TLS Key File
advanced: True
global: True
- helpLink: nginx.html
+ helpLink: nginx
ssl__crt:
description: If you enabled the replace_cert option, paste the contents of your .crt file here.
file: True
title: SSL/TLS Cert File
advanced: True
global: True
- helpLink: nginx.html
+ helpLink: nginx
alt_names:
description: Provide a list of alternate names to allow remote systems the ability to refer to the SOC API as another hostname.
global: True
forcedType: '[]string'
multiline: True
- helpLink: nginx.html
+ helpLink: nginx
config:
throttle_login_burst:
description: Number of login requests that can burst without triggering request throttling. Higher values allow more repeated login attempts. Values greater than zero are required in order to provide a usable login flow.
global: True
- helpLink: nginx.html
+ helpLink: nginx
throttle_login_rate:
description: Number of login API requests per minute that can be processed without triggering a rate limit. Higher values allow more repeated login attempts. Requests are counted by unique client IP and averaged over time. Note that a single login flow will perform multiple requests to the login API, so this value will need to be adjusted accordingly.
global: True
- helpLink: nginx.html
+ helpLink: nginx
diff --git a/salt/ntp/soc_ntp.yaml b/salt/ntp/soc_ntp.yaml
index 1b75099a1..b50d2886f 100644
--- a/salt/ntp/soc_ntp.yaml
+++ b/salt/ntp/soc_ntp.yaml
@@ -3,4 +3,4 @@ ntp:
servers:
description: NTP Server List
title: NTP Servers
- helpLink: ntp.html
+ helpLink: ntp
diff --git a/salt/patch/soc_patch.yaml b/salt/patch/soc_patch.yaml
index 1618a0f75..893e901e0 100644
--- a/salt/patch/soc_patch.yaml
+++ b/salt/patch/soc_patch.yaml
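Review bot: `ssl__key` in this hunk, whose value is the pasted contents of the TLS private key, carries `file: True`, `advanced: True` and `global: True` but no `sensitive: True`, while the sibling `ssl__crt` (public material) is annotated identically; elsewhere in this same diff secret-bearing settings such as `secrets.default` in soc_kratos.yaml and `sensoronikey` in soc_sensoroni.yaml do set `sensitive: True`. If `sensitive` is the flag that masks a value in the configuration UI and in exports, private-key material is the clearest case for it. Proposed addition under `ssl__key:`, alongside `file: True`: `sensitive: True`. The complete attribute set of `ssl__key` is visible between `ssl__key:` and `ssl__crt:`, so nothing outside the hunk can be supplying the flag.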
@@ -2,19 +2,19 @@ patch:
os:
enabled:
description: Enable OS updates. WARNING - Disabling this setting will prevent important operating system updates from being applied on a scheduled basis.
- helpLink: soup.html
+ helpLink: soup
schedule_to_run:
description: Currently running schedule for updates.
- helpLink: soup.html
+ helpLink: soup
schedules:
auto:
splay: &splayOptions
description: Seconds to splay updates.
- helpLink: soup.html
+ helpLink: soup
schedule:
hours:
description: Run the OS updates every X hours.
- helpLink: soup.html
+ helpLink: soup
monday:
splay: *splayOptions
schedule:
@@ -51,7 +51,7 @@ patch:
Monday: &dailyOptions
description: List of times to apply OS patches daily.
multiline: True
- helpLink: soup.html
+ helpLink: soup
Tuesday: *dailyOptions
Wednesday: *dailyOptions
Thursday: *dailyOptions
@@ -64,7 +64,7 @@ patch:
Monday: &weekdayOptions
description: List of times for weekdays.
multiline: True
- helpLink: soup.html
+ helpLink: soup
Tuesday: *weekdayOptions
Wednesday: *weekdayOptions
Thursday: *weekdayOptions
@@ -75,5 +75,5 @@ patch:
Saturday: &weekendOptions
description: List of times for weekend days.
multiline: true
- helpLink: soup.html
+ helpLink: soup
Sunday: *weekendOptions
diff --git a/salt/redis/soc_redis.yaml b/salt/redis/soc_redis.yaml
index 621cc0fbb..e19cb88c6 100644
--- a/salt/redis/soc_redis.yaml
+++ b/salt/redis/soc_redis.yaml
@@ -1,18 +1,18 @@
redis:
enabled:
description: Enables the log event in-memory buffering process. This process might already be disabled on some installation types. Disabling this process on distributed-capable grids can result in loss of log events.
- helpLink: redis.html
+ helpLink: redis
config:
bind:
description: The IP address to bind to.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
protected-mode:
description: Force authentication to access redis.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
requirepass:
description: Password for accessing Redis.
global: True
@@ -21,262 +21,262 @@ redis:
description: TLS cert file location.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
tls-key-file:
description: TLS key file location.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
tls-ca-cert-file:
description: TLS CA file location.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
tls-port:
description: Port to use TLS encryption on.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
tls-auth-clients:
description: Force TLS authentication.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
port:
description: Non TLS port for Redis access.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
tcp-backlog:
description: Set the TCP backlog value. This is normally increasd in high request environments.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
timeout:
description: Time in seconds to close an idle connection. 0 to disable.
global: True
- helpLink: redis.html
+ helpLink: redis
tcp-keepalive:
description: Time in seconds to send a keepalive.
global: True
- helpLink: redis.html
+ helpLink: redis
tls-replication:
description: Enable TLS replication links.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
tls-protocols:
description: List of acceptable TLS protocols separated by spaces.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
tls-prefer-server-ciphers:
description: Prefer the server side ciphers.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
tls-session-caching:
description: Enable TLS session caching.
global: True
- helpLink: redis.html
+ helpLink: redis
tls-session-cache-size:
description: The number of TLS sessions to cache.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
tls-session-cache-timeout:
description: Timeout in seconds to cache TLS sessions.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
loglevel:
description: Log verbosity level.
global: True
- helpLink: redis.html
+ helpLink: redis
logfile:
description: Log file name.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
syslog-enabled:
description: Enable syslog output.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
syslog-ident:
description: Set the syslog identity.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
syslog-facility:
description: Set the syslog facility.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
databases:
description: Total amount of databases.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
always-show-logo:
description: The amount of time that a write will wait before fsyncing.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
save:
'900':
description: Set the amount of keys that need to change to save after 15 minutes.
global: True
- helpLink: redis.html
+ helpLink: redis
'300':
description: Set the amount of keys that need to change to save after 5 minutes.
global: True
- helpLink: redis.html
+ helpLink: redis
'60':
description: Set the amount of keys that need to change to save after 1 minute
global: True
- helpLink: redis.html
+ helpLink: redis
stop-writes-on-bgsave-error:
description: Stop writes to redis is there is an error with the save.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
rdbcompression:
description: Compress string objects with LZF.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
rdbchecksum:
description: Enable checksum of rdb files.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
dbfilename:
description: Filename of the rdb saves.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
acllog-max-len:
description: Maximum length of the ACL log.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
maxmemory:
description: Maximum memory for storing redis objects.
global: True
- helpLink: redis.html
+ helpLink: redis
maxmemory-policy:
description: The policy to use when maxmemory is reached.
global: True
- helpLink: redis.html
+ helpLink: redis
maxmemory-samples:
description: maxmemory sample size.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
lua-time-limit:
description: Maximum execution time of LUA scripts.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
slowlog-log-slower-than:
description: Time in microseconds to write to the slow log.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
slowlog-max-len:
description: Maximum size of the slow log.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
hash-max-ziplist-entries:
description: Used for advanced performance tuning of Redis.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
hash-max-ziplist-value:
description: Used for advanced performance tuning of Redis.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
list-max-ziplist-size:
description: Used for advanced performance tuning of Redis.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
list-compress-depth:
description: Depth for list compression.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
set-max-intset-entries:
description: Sets the limit on the size of the set in order to use the special memory saving encoding.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
zset-max-ziplist-entries:
description: Used for advanced performance tuning of Redis.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
zset-max-ziplist-value:
description: Used for advanced performance tuning of Redis.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
hll-sparse-max-bytes:
description: Used for advanced performance tuning of Redis.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
stream-node-max-bytes:
description: Used for advanced performance tuning of Redis.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
stream-node-max-entries:
description: Used for advanced performance tuning of Redis.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
activerehashing:
description: Used for advanced performance tuning of Redis.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
client-output-buffer-limit:
normal:
description: Used for advanced performance tuning of Redis.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
replica:
description: Used for advanced performance tuning of Redis.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
pubsub:
description: Used for advanced performance tuning of Redis.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
hz:
description: Used for advanced performance tuning of Redis.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
dynamic-hz:
description: Used for advanced performance tuning of Redis.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
rdb-save-incremental-fsync:
description: fsync redis data.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
jemalloc-bg-thread:
description: Jemalloc background thread for purging.
global: True
advanced: True
- helpLink: redis.html
+ helpLink: redis
diff --git a/salt/sensor/soc_sensor.yaml b/salt/sensor/soc_sensor.yaml
index f97c8d849..17a650a07 100644
--- a/salt/sensor/soc_sensor.yaml
+++ b/salt/sensor/soc_sensor.yaml
@@ -1,15 +1,15 @@
sensor:
interface:
description: Main sensor monitoring interface.
- helpLink: network.html
+ helpLink: network-visibility
readonly: True
mtu:
description: Maximum Transmission Unit (MTU) of the sensor monitoring interface.
- helpLink: network.html
+ helpLink: network-visibility
readonly: True
channels:
description: Set the size of the nic channels. This is rarely changed from 1
- helpLink: network.html
+ helpLink: network-visibility
forcedType: int
node: True
advanced: True
diff --git a/salt/sensoroni/soc_sensoroni.yaml b/salt/sensoroni/soc_sensoroni.yaml
index aca6c8e3f..acfc534f3 100644
--- a/salt/sensoroni/soc_sensoroni.yaml
+++ b/salt/sensoroni/soc_sensoroni.yaml
@@ -2,79 +2,79 @@ sensoroni:
enabled:
description: Enable or disable the per-node SOC agent process. This process is used for performing node-related jobs and reporting node metrics back to SOC. Disabling this process is unsupported and will result in an improperly functioning grid.
advanced: True
- helpLink: grid.html
+ helpLink: grid
config:
analyze:
enabled:
description: Enable or disable the analyzer.
advanced: True
- helpLink: cases.html
+ helpLink: cases
timeout_ms:
description: Timeout period for the analyzer.
advanced: True
- helpLink: cases.html
+ helpLink: cases
parallel_limit:
description: Parallel limit for the analyzer.
advanced: True
- helpLink: cases.html
+ helpLink: cases
export:
timeout_ms:
description: Timeout period for the exporter to finish export-related tasks.
advanced: True
- helpLink: reports.html
+ helpLink: reports
cache_refresh_interval_ms:
description: Refresh interval for cache updates. Longer intervals result in less compute usage but risks stale data included in reports.
advanced: True
- helpLink: reports.html
+ helpLink: reports
export_metric_limit:
description: Maximum number of metric values to include in each metric aggregation group.
advanced: True
- helpLink: reports.html
+ helpLink: reports
export_event_limit:
description: Maximum number of events to include per event list.
advanced: True
- helpLink: reports.html
+ helpLink: reports
csv_separator:
description: Separator character to use for CSV exports.
advanced: False
- helpLink: reports.html
+ helpLink: reports
node_checkin_interval_ms:
description: Interval in ms to checkin to the soc_host.
advanced: True
- helpLink: grid.html
+ helpLink: grid
node_description:
description: Description of the specific node.
- helpLink: grid.html
+ helpLink: grid
node: True
forcedType: string
sensoronikey:
description: Shared key for sensoroni authentication.
- helpLink: grid.html
+ helpLink: grid
global: True
sensitive: True
advanced: True
soc_host:
description: Host for sensoroni agents to connect to.
- helpLink: grid.html
+ helpLink: grid
global: True
advanced: True
suripcap:
pcapMaxCount:
description: The maximum number of PCAP packets to extract from eligible PCAP files, for PCAP jobs. If there are issues fetching excessively large packet streams consider lowering this value to reduce the number of collected packets returned to the user interface.
- helpLink: sensoroni.html
+ helpLink: pcap
advanced: True
analyzers:
echotrail:
api_key:
description: API key for the Echotrail analyzer.
- helpLink: sensoroni.html
+ helpLink: cases#configuring-analyzers
global: False
sensitive: True
advanced: False
forcedType: string
base_url:
description: Base URL for the Echotrail analyzer.
- helpLink: sensoroni.html
+ helpLink: cases#configuring-analyzers
global: False
sensitive: False
advanced: False
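Review bot: The retargeted analyzer help links are inconsistent across the soc_sensoroni.yaml hunks: the echotrail settings here, and the elasticsearch and malwarebazaar settings in the hunks at -82 and -198, now point at `cases#configuring-analyzers`, while the emailrep, greynoise, localfile and otx settings in the hunks at -153, -168, -190 and -206 are changed to the plain `cases` target that the general analyzer settings (`analyze.enabled`, `timeout_ms`, `parallel_limit`) also use. All of these are per-analyzer configuration keys, so a reader would expect one destination; if the fragment is the intended landing spot for analyzer setup, the plain ones should read `helpLink: cases#configuring-analyzers`, and if the link consumer cannot carry a fragment, the reverse applies. Whichever is chosen, a one-line comment above `analyzers:` recording the convention would keep later additions aligned.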
@@ -82,70 +82,70 @@ sensoroni: elasticsearch: api_key: description: API key for the Elasticsearch analyzer. - helpLink: sensoroni.html + helpLink: cases#configuring-analyzers global: False sensitive: True advanced: True forcedType: string base_url: description: Connection URL for the Elasticsearch analyzer. - helpLink: sensoroni.html + helpLink: cases#configuring-analyzers global: False sensitive: False advanced: False forcedType: string auth_user: description: Username for the Elasticsearch analyzer. - helpLink: sensoroni.html + helpLink: cases#configuring-analyzers global: False sensitive: False advanced: False forcedType: string auth_pwd: description: User password for the Elasticsearch analyzer. - helpLink: sensoroni.html + helpLink: cases#configuring-analyzers global: False sensitive: True advanced: False forcedType: string num_results: description: Number of documents to return for the Elasticsearch analyzer. - helpLink: sensoroni.html + helpLink: cases#configuring-analyzers global: False sensitive: False advanced: True forcedType: string index: description: Search index for the Elasticsearch analyzer. - helpLink: sensoroni.html + helpLink: cases#configuring-analyzers global: False sensitive: False advanced: False forcedType: string time_delta_minutes: description: Time (in minutes) to search back for the Elasticsearch analyzer. - helpLink: sensoroni.html + helpLink: cases#configuring-analyzers global: False sensitive: False advanced: True forcedType: int timestamp_field_name: description: Specified name for a documents' timestamp field for the Elasticsearch analyzer. - helpLink: sensoroni.html + helpLink: cases#configuring-analyzers global: False sensitive: False advanced: True forcedType: string map: description: Map between observable types and search field for the Elasticsearch analyzer. 
- helpLink: sensoroni.html + helpLink: cases#configuring-analyzers global: False sensitive: False advanced: False forcedType: string cert_path: description: Path to a TLS certificate for the Elasticsearch analyzer. - helpLink: sensoroni.html + helpLink: cases#configuring-analyzers global: False sensitive: False advanced: False @@ -153,14 +153,14 @@ sensoroni: emailrep: api_key: description: API key for the EmailRep analyzer. - helpLink: cases.html + helpLink: cases global: False sensitive: True advanced: True forcedType: string base_url: description: Base URL for the EmailRep analyzer. - helpLink: cases.html + helpLink: cases global: False sensitive: False advanced: True @@ -168,21 +168,21 @@ sensoroni: greynoise: api_key: description: API key for the GreyNoise analyzer. - helpLink: cases.html + helpLink: cases global: False sensitive: True advanced: True forcedType: string api_version: description: API version for the GreyNoise analyzer. - helpLink: cases.html + helpLink: cases global: False sensitive: False advanced: True forcedType: string base_url: description: Base URL for the GreyNoise analyzer. - helpLink: cases.html + helpLink: cases global: False sensitive: False advanced: True @@ -190,7 +190,7 @@ sensoroni: localfile: file_path: description: File path for the LocalFile analyzer. - helpLink: cases.html + helpLink: cases global: False sensitive: False advanced: True @@ -198,7 +198,7 @@ sensoroni: malwarebazaar: api_key: description: API key for the malwarebazaar analyzer. - helpLink: sensoroni.html + helpLink: cases#configuring-analyzers global: False sensitive: True advanced: False @@ -206,14 +206,14 @@ sensoroni: otx: api_key: description: API key for the OTX analyzer. - helpLink: cases.html + helpLink: cases global: False sensitive: True advanced: True forcedType: string base_url: description: Base URL for the OTX analyzer. - helpLink: cases.html + helpLink: cases global: False sensitive: False advanced: True 
@@ -221,14 +221,14 @@ sensoroni: pulsedive: api_key: description: API key for the Pulsedive analyzer. - helpLink: cases.html + helpLink: cases global: False sensitive: True advanced: True forcedType: string base_url: description: Base URL for the Pulsedive analyzer. - helpLink: cases.html + helpLink: cases global: False sensitive: False advanced: True @@ -236,14 +236,14 @@ sensoroni: spamhaus: lookup_host: description: Host to use for lookups. - helpLink: cases.html + helpLink: cases global: False sensitive: False advanced: True forcedType: string nameservers: description: Nameservers used for queries. - helpLink: cases.html + helpLink: cases global: False sensitive: False multiline: True @@ -252,35 +252,35 @@ sensoroni: sublime_platform: api_key: description: API key for the Sublime Platform analyzer. - helpLink: cases.html + helpLink: cases global: False sensitive: True advanced: True forcedType: string base_url: description: Base URL for the Sublime Platform analyzer. - helpLink: cases.html + helpLink: cases global: False sensitive: False advanced: True forcedType: string live_flow: description: Determines if live flow analysis is used. - helpLink: cases.html + helpLink: cases global: False sensitive: False advanced: True forcedType: bool mailbox_email_address: description: Source mailbox address used for live flow analysis. - helpLink: cases.html + helpLink: cases global: False sensitive: False advanced: True forcedType: string message_source_id: description: ID of the message source used for live flow analysis. - helpLink: cases.html + helpLink: cases global: False sensitive: False advanced: True @@ -288,7 +288,7 @@ sensoroni: threatfox: api_key: description: API key for the threatfox analyzer. - helpLink: sensoroni.html + helpLink: cases#configuring-analyzers global: False sensitive: True advanced: False 
@@ -296,35 +296,35 @@ sensoroni: urlscan: api_key: description: API key for the Urlscan analyzer. - helpLink: cases.html + helpLink: cases global: False sensitive: True advanced: True forcedType: string base_url: description: Base URL for the Urlscan analyzer. - helpLink: cases.html + helpLink: cases global: False sensitive: False advanced: True forcedType: string enabled: description: Analyzer enabled - helpLink: cases.html + helpLink: cases global: False sensitive: False advanced: True forcedType: bool timeout: description: Timeout for the Urlscan analyzer. - helpLink: cases.html + helpLink: cases global: False sensitive: False advanced: True forcedType: int visibility: description: Type of visibility. - helpLink: cases.html + helpLink: cases global: False sensitive: False advanced: True @@ -332,7 +332,7 @@ sensoroni: urlhaus: api_key: description: API key for the urlhaus analyzer. - helpLink: sensoroni.html + helpLink: cases#configuring-analyzers global: False sensitive: True advanced: False @@ -340,14 +340,14 @@ sensoroni: virustotal: api_key: description: API key for the VirusTotal analyzer. - helpLink: cases.html + helpLink: cases global: False sensitive: True advanced: True forcedType: string base_url: description: Base URL for the VirusTotal analyzer. - helpLink: cases.html + helpLink: cases global: False sensitive: False advanced: True @@ -362,14 +362,14 @@ sensoroni: file: True global: True syntax: md - helpLink: reports.html + helpLink: reports productivity_report__md: title: Productivity Report Template description: The template used when generating a comprehensive productivity report. Supports markdown format. file: True global: True syntax: md - helpLink: reports.html + helpLink: reports assistant_session_report__md: title: Assistant Session Report Template description: The template used when generating an assistant session report. Supports markdown format. 
@@ -384,63 +384,63 @@ sensoroni: file: True global: True syntax: md - helpLink: reports.html + helpLink: reports generic_report2__md: title: Custom Report 2 description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI. file: True global: True syntax: md - helpLink: reports.html + helpLink: reports generic_report3__md: title: Custom Report 3 description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI. file: True global: True syntax: md - helpLink: reports.html + helpLink: reports generic_report4__md: title: Custom Report 4 description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI. file: True global: True syntax: md - helpLink: reports.html + helpLink: reports generic_report5__md: title: Custom Report 5 description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI. file: True global: True syntax: md - helpLink: reports.html + helpLink: reports generic_report6__md: title: Custom Report 6 description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI. file: True global: True syntax: md - helpLink: reports.html + helpLink: reports generic_report7__md: title: Custom Report 7 description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI. file: True global: True syntax: md - helpLink: reports.html + helpLink: reports generic_report8__md: title: Custom Report 8 description: A custom, user-defined report. Supports markdown format. 
The report title inside the file, typically near the top, will be shown in the SOC reporting UI. file: True global: True syntax: md - helpLink: reports.html + helpLink: reports generic_report9__md: title: Custom Report 9 description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI. file: True global: True syntax: md - helpLink: reports.html + helpLink: reports addl_generic_report__md: title: Additional Custom Report description: A duplicatable custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI. This is an unsupported feature due to the inability to edit duplicated reports via the SOC app. @@ -449,4 +449,4 @@ sensoroni: global: True syntax: md duplicates: True - helpLink: reports.html \ No newline at end of file + helpLink: reports diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 596ba4bd0..b99ef4363 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -6,7 +6,7 @@ soc: title: SOC Telemetry description: When this setting is enabled and the grid is not in airgap mode, SOC will provide feature usage data to the Security Onion development team via Google Analytics. This data helps Security Onion developers determine which product features are being used and can also provide insight into improving the user interface. When changing this setting, wait for the grid to fully synchronize and then perform a hard browser refresh on SOC, to force the browser cache to update and reflect the new setting. global: True - helpLink: telemetry.html + helpLink: telemetry files: soc: banner__md: 
@@ -15,28 +15,28 @@ soc: file: True global: True syntax: md - helpLink: soc-customization.html + helpLink: security-onion-console-customization motd__md: title: Overview Page description: Customize the overview page with specific markdown-formatted content. Images can be used but must be hosted from another host that is accessible by the user's browser. file: True global: True syntax: md - helpLink: soc-customization.html + helpLink: security-onion-console-customization custom__js: title: Custom Javascript description: Customize SOC UI behavior with custom Javascript code. Custom Javascript not provided by Security Onion Solutions is unsupported, and should be removed prior to requesting support and prior to performing upgrades. file: True global: True advanced: True - helpLink: soc-customization.html + helpLink: security-onion-console-customization custom_roles: title: Custom Roles description: Customize role and permission mappings. Changing this setting requires a complete understanding of the SOC RBAC system. file: True global: True advanced: True - helpLink: soc-customization.html + helpLink: security-onion-console-customization sigma_final_pipeline__yaml: title: Final Sigma Pipeline description: Final Processing Pipeline for Sigma Rules. @@ -44,7 +44,7 @@ soc: file: True global: True advanced: True - helpLink: soc-customization.html + helpLink: security-onion-console-customization config: licenseKey: title: License Key 
@@ -183,7 +183,7 @@ soc: enableReverseLookup: description: "Set to true to enable reverse DNS lookups for IP addresses in the SOC UI. To add your own local lookups, create a CSV file at /nsm/custom-mappings/ip-descriptions.csv on your Manager and populate the file with IP addresses and descriptions as follows: IP, Description. Elasticsearch will then ingest the CSV during the next high state." global: True - helpLink: soc-customization.html#reverse-dns + helpLink: security-onion-console-customization#reverse-dns modules: elastalertengine: aiRepoUrl: @@ -205,7 +205,7 @@ soc: title: "Notifications: Sev 0/Default Alerters" description: "Specify default alerters to enable for outbound notifications. These alerters will be used unless overridden by higher severity alerter settings. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key." global: True - helpLink: notifications.html + helpLink: notifications forcedType: "[]string" multiline: True additionalSev0AlertersParams: 
@@ -214,14 +214,14 @@ soc: global: True multiline: True syntax: yaml - helpLink: notifications.html + helpLink: notifications forcedType: string jinjaEscaped: True additionalSev1Alerters: title: "Notifications: Sev 1/Informational Alerters" description: "Specify specific alerters to use when alerting at the info severity level or higher. These alerters will be used unless overridden by higher severity alerter settings. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key." global: True - helpLink: notifications.html + helpLink: notifications forcedType: "[]string" multiline: True additionalSev1AlertersParams: @@ -230,14 +230,14 @@ soc: global: True multiline: True syntax: yaml - helpLink: notifications.html + helpLink: notifications forcedType: string jinjaEscaped: True additionalSev2Alerters: title: "Notifications: Sev 2/Low Alerters" description: "Specify specific alerters to use when alerting at the low severity level or higher. These alerters will be used unless overridden by higher severity alerter settings. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key." global: True - helpLink: notifications.html + helpLink: notifications forcedType: "[]string" multiline: True additionalSev2AlertersParams: 
@@ -246,14 +246,14 @@ soc: global: True multiline: True syntax: yaml - helpLink: notifications.html + helpLink: notifications forcedType: string jinjaEscaped: True additionalSev3Alerters: title: "Notifications: Sev 3/Medium Alerters" description: "Specify specific alerters to use when alerting at the medium severity level or higher. These alerters will be used unless overridden by higher severity alerter settings. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key." global: True - helpLink: notifications.html + helpLink: notifications forcedType: "[]string" multiline: True additionalSev3AlertersParams: @@ -262,14 +262,14 @@ soc: global: True multiline: True syntax: yaml - helpLink: notifications.html + helpLink: notifications forcedType: string jinjaEscaped: True additionalSev4Alerters: title: "Notifications: Sev 4/High Alerters" description: "Specify specific alerters to use when alerting at the high severity level or critical severity level. These alerters will be used unless overridden by critical severity alerter settings. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key." global: True - helpLink: notifications.html + helpLink: notifications forcedType: "[]string" multiline: True additionalSev4AlertersParams: 
@@ -278,14 +278,14 @@ soc: global: True multiline: True syntax: yaml - helpLink: notifications.html + helpLink: notifications forcedType: string jinjaEscaped: True additionalSev5Alerters: title: "Notifications: Sev 5/Critical Alerters" description: "Specify specific alerters to use when alerting at the critical severity level. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key." global: True - helpLink: notifications.html + helpLink: notifications forcedType: "[]string" multiline: True additionalSev5AlertersParams: @@ -294,14 +294,14 @@ soc: global: True multiline: True syntax: yaml - helpLink: notifications.html + helpLink: notifications forcedType: string jinjaEscaped: True additionalUserDefinedNotifications: customAlerters: description: "Specify custom notification alerters to use when the Sigma rule contains the following tag: so.alerters.customAlerters. This setting can be duplicated to create new custom alerter configurations. Specify one alerter name (Ex: 'email') per line. Alerters refers to ElastAlert 2 alerters, as documented at https://elastalert2.readthedocs.io. A full update of the ElastAlert rule engine, via the Detections screen, is required in order to apply these changes. Requires a valid Security Onion license key." global: True - helpLink: notifications.html + helpLink: notifications forcedType: "[]string" duplicates: True multiline: True @@ -310,7 +310,7 @@ soc: global: True multiline: True syntax: yaml - helpLink: notifications.html + helpLink: notifications duplicates: True forcedType: string jinjaEscaped: True 
@@ -318,7 +318,7 @@ soc: default: &enabledSigmaRules description: 'Sigma rules to automatically enable on initial import. The format is a YAML list, with the ability to filter for ruleset, level, product, category and service. Refer to the documentation for further details. These will be applied based on role if defined and default if not.' global: True - helpLink: sigma.html + helpLink: sigma multiline: True syntax: yaml forcedType: string @@ -330,7 +330,7 @@ soc: description: 'DEPRECATED: Will be removed in a future release - use enabledSigmaRules instead.' global: True advanced: True - helpLink: sigma.html + helpLink: sigma so-eval: *autoEnabledSigmaRules so-import: *autoEnabledSigmaRules autoUpdateEnabled: @@ -341,7 +341,7 @@ soc: description: 'How often to check for new Sigma rules (in seconds). This applies to both Community Rule Packages and any configured Git repos.' global: True advanced: True - helpLink: sigma.html + helpLink: sigma integrityCheckFrequencySeconds: description: 'How often the ElastAlert integrity checker runs (in seconds). This verifies the integrity of deployed rules.' global: True @@ -352,7 +352,7 @@ soc: global: True advanced: True forcedType: "[]{}" - helpLink: sigma.html + helpLink: sigma syntax: json uiElements: - field: rulesetName 
@@ -375,7 +375,7 @@ soc: description: 'Defines the Sigma Community Ruleset you want to run. One of these (core | core+ | core++ | all ) as well as an optional Add-on (emerging_threats_addon). Once you have changed the ruleset here, the new settings will be applied within 15 minutes. At that point, you will need to wait for the scheduled rule update to take place (by default, every 24 hours), or you can force the update by nagivating to Detections --> Options dropdown menu --> Elastalert --> Full Update. WARNING! Changing the ruleset will remove all existing non-overlapping Sigma rules of the previous ruleset and their associated overrides. This removal cannot be undone.' global: True advanced: False - helpLink: sigma.html + helpLink: sigma elastic: index: description: Comma-separated list of indices or index patterns (wildcard "*" supported) that SOC will search for records. @@ -484,12 +484,12 @@ soc: description: 'YARA rules to automatically enable on initial import. Format is $Ruleset - for example, for the default shipped ruleset: securityonion-yara' global: True advanced: True - helpLink: sigma.html + helpLink: sigma communityRulesImportFrequencySeconds: description: 'How often to check for new YARA rules (in seconds). This applies to both Community Rules and any configured Git repos.' global: True advanced: True - helpLink: yara.html + helpLink: yara integrityCheckFrequencySeconds: description: 'How often the Strelka integrity checker runs (in seconds). This verifies the integrity of deployed rules.' global: True @@ -500,7 +500,7 @@ soc: global: True advanced: True forcedType: "[]{}" - helpLink: yara.html + helpLink: yara syntax: json uiElements: - field: rulesetName 
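Review bot: In the `@@ -484,12 +484,12 @@` hunk the entry described as 'YARA rules to automatically enable on initial import' keeps a help link to the Sigma page — the new line is `helpLink: sigma`, while the adjacent `communityRulesImportFrequencySeconds` in the same block is moved to `helpLink: yara` and the following `integrityCheckFrequencySeconds` refers to the Strelka checker. The suffix strip carries over what looks like a pre-existing copy-paste link, and this rename is the natural moment to correct it to `helpLink: yara`. The entry's key sits above the hunk, so its placement in the YARA section is inferred from the description and its neighbours rather than seen directly.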
@@ -543,7 +543,7 @@ soc: description: 'How often to check for new Suricata rules (in seconds).' global: True advanced: True - helpLink: suricata.html + helpLink: suricata disableRegex: description: A list of regular expressions used to automatically disable rules that match any of them. Each regular expression is tested against the rule's content. global: True @@ -562,20 +562,20 @@ soc: advanced: True forcedType: "[]{}" readonly: True - helpLink: suricata.html + helpLink: suricata ignoredSidRanges: description: 'List of Suricata SID ranges to ignore during the Integrity Check. This is useful for ignoring specific rules not governed by the UI. Each line should contain 1 range in the format "1100000-1200000". The ranges are treated as inclusive.' global: True advanced: True forcedType: "[]string" - helpLink: detections.html#rule-engine-status + helpLink: detections#rule-engine-status rulesetSources: default: &serulesetSources description: "Ruleset sources for Suricata rules. Supports URL downloads and local directories. Refer to the linked documentation for details on how to configure this setting." global: True advanced: False forcedType: "[]{}" - helpLink: suricata.html + helpLink: suricata syntax: json uiElements: - field: name @@ -631,11 +631,11 @@ soc: intervalMinutes: description: How often to generate the Navigator Layers. (minutes) global: True - helpLink: attack-navigator.html + helpLink: attack-navigator lookbackDays: description: How far back to search for ATT&CK-tagged alerts. (days) global: True - helpLink: attack-navigator.html + helpLink: attack-navigator playbook: playbookRepos: default: &pbRepos @@ -670,7 +670,7 @@ soc: global: True advanced: True forcedType: "[]{}" - helpLink: assistant.html + helpLink: onion-ai syntax: json uiElements: - field: name @@ -735,7 +735,7 @@ soc: global: True advanced: True forcedType: "[]{}" - helpLink: assistant.html + helpLink: onion-ai syntax: json uiElements: - field: id 
diff --git a/salt/strelka/soc_strelka.yaml b/salt/strelka/soc_strelka.yaml index 1a5db261b..001e28cb9 100644 --- a/salt/strelka/soc_strelka.yaml +++ b/salt/strelka/soc_strelka.yaml 
@@ -2,73 +2,73 @@ strelka: backend: enabled: description: Enables or disables the Strelka file analysis process. - helpLink: strelka.html + helpLink: strelka config: backend: logging_cfg: description: Path to the Python logging configuration. readonly: True global: False - helpLink: strelka.html + helpLink: strelka advanced: True limits: max_files: description: Number of files the backend will process before shutting down. readonly: False global: False - helpLink: strelka.html + helpLink: strelka time_to_live: description: Amount of time (in seconds) that the backend will run before shutting down (0 to disable). readonly: False global: False - helpLink: strelka.html + helpLink: strelka max_depth: description: Maximum depth that extracted files will be processed by the backend. readonly: False global: False - helpLink: strelka.html + helpLink: strelka distribution: description: Amount of time (in seconds) that a single file can be distributed to all scanners. readonly: False global: False - helpLink: strelka.html + helpLink: strelka scanner: description: Amount of time (in seconds) that a scanner can spend scanning a file (can be overridden per scanner). readonly: False global: False - helpLink: strelka.html + helpLink: strelka coordinator: addr: description: Network address of the coordinator. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True db: description: Redis database of the coordinator. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True tasting: mime_db: description: Location of the MIME database used to taste files. readonly: True global: False - helpLink: strelka.html + helpLink: strelka advanced: True yara_rules: description: Location of the directory of YARA files that contains rules used to taste files. 
readonly: True global: False - helpLink: strelka.html + helpLink: strelka advanced: True scanners: 'ScanBase64PE': &scannerOptions description: Configuration options for this scanner. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True forcedType: "[]{}" syntax: json @@ -139,7 +139,7 @@ strelka: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True formatters: simple: @@ -147,13 +147,13 @@ strelka: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True datefmt: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True handlers: console: @@ -161,32 +161,32 @@ strelka: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True formatter: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True stream: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True root: level: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True handlers: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True loggers: OpenSSL: 
@@ -194,425 +194,425 @@ strelka: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True bs4: propagate: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True bz2: propagate: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True chardet: propagate: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True docx: propagate: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True elftools: propagate: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True email: propagate: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True entropy: propagate: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True esprima: propagate: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True gzip: propagate: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True hashlib: propagate: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True json: propagate: description: This is an advanced option for Strelka logging. 
readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True libarchive: propagate: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True lxml: propagate: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True lzma: propagate: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True macholibre: propagate: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True olefile: propagate: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True oletools: propagate: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True pdfminer: propagate: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True pefile: propagate: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True pgpdump: propagate: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True pygments: propagate: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True pylzma: propagate: description: This is an advanced option for Strelka logging. 
readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True rarfile: propagate: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True requests: propagate: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True rpmfile: propagate: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True ssdeep: propagate: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True tarfile: propagate: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True tnefparse: propagate: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True yara: propagate: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True zipfile: propagate: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True zlib: propagate: description: This is an advanced option for Strelka logging. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True passwords: description: Passwords that will be stored in the password_file used in scanner options. readonly: False global: False - helpLink: strelka.html + helpLink: strelka multiline: True filestream: enabled: description: You can enable or disable Strelka filestream. 
- helpLink: strelka.html + helpLink: strelka config: conn: server: description: Network address of the frontend server. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True cert: description: Local path to the frontend SSL server certificate. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True timeout: dial: description: Amount of time to wait for the client to dial the server. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True file: description: Amount of time to wait for an individual file to complete a scan. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True throughput: concurrency: description: Number of concurrent requests to make. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True chunk: description: Size of file chunks that will be sent to the frontend server. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True delay: description: Artificial sleep between the submission of each chunk. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True files: patterns: description: List of glob patterns that determine which files will be sent for scanning. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True delete: description: Boolean that determines if files should be deleted after being sent for scanning. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True gatekeeper: description: Boolean that determines if events should be pulled from the temporary event cache. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True processed: description: Directory where files will be moved after being submitted for scanning. 
readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True response: report: description: Frequency at which the frontend reports the number of files processed. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True delta: description: Time value that determines how much time must pass since a file was last modified before it is sent for scanning. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True staging: description: Directory where files are staged before being sent to the cluster. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True frontend: enabled: description: You can enable or disable Strelka frontend. - helpLink: strelka.html + helpLink: strelka config: server: description: Network address of the frontend server. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True coordinator: addr: description: Network address of the coordinator. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True db: description: Redis database of the coordinator. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True gatekeeper: addr: description: Network address of the gatekeeper. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True db: description: Redis database of the gatekeeper. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True ttl: description: Time-to-live for events added to the gatekeeper. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True response: log: description: Location where worker scan results are logged to. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True manager: enabled: description: You can enable or disable Strelka manager. 
- helpLink: strelka.html + helpLink: strelka config: coordinator: addr: description: Network address of the coordinator. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True db: description: Redis database of the coordinator. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True coordinator: enabled: description: You can enable or disable Strelka coordinator. - helpLink: strelka.html + helpLink: strelka gatekeeper: enabled: description: You can enable or disable Strelka gatekeeper. - helpLink: strelka.html + helpLink: strelka rules: enabled: description: Boolean that determines if yara rules sync from the Salt manager to the backend nodes. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: False filecheck: historypath: description: The path for previously scanned files. readonly: True global: False - helpLink: strelka.html + helpLink: strelka advanced: True strelkapath: description: The path for unprocessed files. readonly: True global: False - helpLink: strelka.html + helpLink: strelka advanced: True logfile: description: The path for the filecheck log. readonly: False global: False - helpLink: strelka.html + helpLink: strelka advanced: True diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml index 16518f6b2..d754e2ede 100644 --- a/salt/suricata/soc_suricata.yaml +++ b/salt/suricata/soc_suricata.yaml @@ -1,7 +1,7 @@ suricata: enabled: description: Enables or disables the Suricata process. This process is used for triggering alerts and optionally for protocol metadata collection and full packet capture. - helpLink: suricata.html + helpLink: suricata thresholding: sids__yaml: description: Threshold SIDS List. This setting is readonly; Use the Detections screen to modify rules. 
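Review bot: The `passwords` entry in this hunk (description `Passwords that will be stored in the password_file used in scanner options.`) goes through the same schema as every other option, with nothing visible that marks it as sensitive, so its value is presumably displayed and diffed like any plain setting. If the configuration schema has a way to flag a value as secret or redact it in the UI, that flag belongs on this entry; if it does not, the description should at least say that the value is kept in clear text in the pillar. This is pre-existing and not introduced by the helpLink change, and the enclosing `strelka:` mapping starts outside the hunk.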
@@ -10,7 +10,7 @@ suricata:
 global: True
 multiline: True
 title: SIDS
- helpLink: suricata.html
+ helpLink: suricata
 readonlyUi: True
 advanced: True
 classification:
@@ -20,64 +20,64 @@ suricata: global: True multiline: True title: Classifications - helpLink: suricata.html + helpLink: suricata pcap: enabled: description: Enables or disables the Suricata packet recording process. forcedType: bool - helpLink: suricata.html + helpLink: suricata filesize: description: Maximum file size for individual PCAP files written by Suricata. Increasing this number could improve write performance at the expense of pcap retrieval time. advanced: True - helpLink: suricata.html + helpLink: suricata maxsize: description: Maximum size in GB for total disk usage of all PCAP files written by Suricata. - helpLink: suricata.html + helpLink: suricata compression: description: Enable compression of Suricata PCAP files. advanced: True - helpLink: suricata.html + helpLink: suricata lz4-checksum: description: Enable PCAP lz4 checksum. advanced: True - helpLink: suricata.html + helpLink: suricata lz4-level: description: lz4 compression level of PCAP files. Set to 0 for no compression. Set to 16 for maximum compression. advanced: True - helpLink: suricata.html + helpLink: suricata filename: description: Filename output for Suricata PCAP files. advanced: True readonly: True - helpLink: suricata.html + helpLink: suricata mode: description: Suricata PCAP mode. Currently only multi is supported. advanced: True readonly: True - helpLink: suricata.html + helpLink: suricata use-stream-depth: description: Set to "no" to ignore the stream depth and capture the entire flow. Set to "yes" to truncate the flow based on the stream depth. advanced: True regex: ^(yes|no)$ regexFailureMessage: You must enter either yes or no. - helpLink: suricata.html + helpLink: suricata conditional: description: Set to "all" to record PCAP for all flows. Set to "alerts" to only record PCAP for Suricata alerts. Set to "tag" to only record PCAP for tagged rules. regex: ^(all|alerts|tag)$ regexFailureMessage: You must enter either all, alert or tag. 
- helpLink: suricata.html + helpLink: suricata dir: description: Parent directory to store PCAP. advanced: True readonly: True - helpLink: suricata.html + helpLink: suricata config: af-packet: interface: description: The network interface that Suricata will monitor. This is set under sensor > interface. advanced: True readonly: True - helpLink: suricata.html + helpLink: suricata cluster-id: advanced: True cluster-type: @@ -93,10 +93,10 @@ suricata: description: Prevent swapping by locking the memory map. advanced: True regex: ^(yes|no)$ - helpLink: suricata.html + helpLink: suricata threads: description: The amount of worker threads. - helpLink: suricata.html + helpLink: suricata forcedType: int tpacket-v3: advanced: True 
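Review bot: The `conditional` option's `regexFailureMessage` disagrees with its `regex`: the pattern is `^(all|alerts|tag)$` but the message tells the user to enter `alert`, so following the message produces a rejected value. Change it to `regexFailureMessage: You must enter either all, alerts or tag.`. This is a context line the helpLink change leaves untouched, but it sits in this hunk and is a one-word fix. The enclosing `suricata:` mapping starts and ends outside the hunk.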
@@ -104,54 +104,54 @@ suricata: ring-size: description: Buffer size for packets per thread. forcedType: int - helpLink: suricata.html + helpLink: suricata block-size: description: This must be configured to a sufficiently high value to accommodate a significant number of packets, considering byte size and MTU constraints. Ensure it aligns with a power of 2 and is a multiple of the page size. advanced: True forcedType: int - helpLink: suricata.html + helpLink: suricata block-timeout: description: If a block remains unfilled after the specified block-timeout milliseconds, it is passed to userspace. advanced: True forcedType: int - helpLink: suricata.html + helpLink: suricata use-emergency-flush: description: In high-traffic environments, enabling this option to 'yes' aids in recovering from packet drop occurrences. However, it may lead to some packets, possibly at max ring flush, not being inspected. advanced: True regex: ^(yes|no)$ - helpLink: suricata.html + helpLink: suricata buffer-size: description: Increasing the value of the receive buffer may improve performance. advanced: True forcedType: int - helpLink: suricata.html + helpLink: suricata disable-promisc: description: Promiscuous mode can be disabled by setting this to "yes". advanced: True regex: ^(yes|no)$ - helpLink: suricata.html + helpLink: suricata checksum-checks: description: "Opt for the checksum verification mode suitable for the interface. During capture, it's possible that some packets may exhibit invalid checksums due to the network card handling the checksum computation. You have several options: 'kernel': Relies on indications sent by the kernel for each packet (default). 'yes': Enforces checksum validation. 'no': Disables checksum validation. 'auto': Suricata employs a statistical approach to detect checksum offloading." 
advanced: True regex: ^(kernel|yes|no|auto)$ - helpLink: suricata.html + helpLink: suricata threading: set-cpu-affinity: description: Bind(yes) or unbind(no) management and worker threads to a core or range of cores. regex: ^(yes|no)$ regexFailureMessage: You must enter either yes or no. - helpLink: suricata.html + helpLink: suricata cpu-affinity: management-cpu-set: cpu: description: Bind management threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used. forcedType: "[]string" - helpLink: suricata.html + helpLink: suricata worker-cpu-set: cpu: description: Bind worker threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used. forcedType: "[]string" - helpLink: suricata.html + helpLink: suricata vars: address-groups: HOME_NET: @@ -160,12 +160,12 @@ suricata: regexFailureMessage: You must enter a valid IP address or CIDR. forcedType: "[]string" duplicates: True - helpLink: suricata.html + helpLink: suricata EXTERNAL_NET: &suriaddressgroup description: Assign a list of hosts, or networks, or other customization, to this Suricata variable. The variable can then be re-used within Suricata rules. This allows for a single adjustment to the variable that will then affect all rules referencing the variable. forcedType: "[]string" duplicates: True - helpLink: suricata.html + helpLink: suricata HTTP_SERVERS: *suriaddressgroup SMTP_SERVERS: *suriaddressgroup SQL_SERVERS: *suriaddressgroup 
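Review bot: Both cpu-affinity descriptions in this hunk misspell "single" as "sigle" (`This can be a sigle core, list of cores, or list of range of cores.`); these strings are shown to operators in the UI, so both should read `This can be a single core, list of cores, or list of range of cores.`. Not introduced by this commit, but the lines are in the hunk. The enclosing `suricata:` mapping starts and ends outside the hunk.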
@@ -184,7 +184,7 @@ suricata:
 description: Assign a list of network port numbers to this Suricata variable. The variable can then be re-used within Suricata rules. This allows for a single adjustment to the variable that will then affect all rules referencing the variable.
 forcedType: "[]string"
 duplicates: True
- helpLink: suricata.html
+ helpLink: suricata
 SHELLCODE_PORTS: *suriportgroup
 ORACLE_PORTS: *suriportgroup
 SSH_PORTS: *suriportgroup
@@ -203,104 +203,104 @@ suricata: xff: enabled: description: Enable X-Forward-For support. - helpLink: suricata.html + helpLink: suricata mode: description: Operation mode. This should always be extra-data if you use PCAP. - helpLink: suricata.html + helpLink: suricata deployment: description: forward would use the first IP address and reverse would use the last. - helpLink: suricata.html + helpLink: suricata header: description: Header name where the actual IP address will be reported. - helpLink: suricata.html + helpLink: suricata asn1-max-frames: description: Maximum nuber of asn1 frames to decode. - helpLink: suricata.html + helpLink: suricata max-pending-packets: description: Number of packets preallocated per thread. - helpLink: suricata.html + helpLink: suricata default-packet-size: description: Preallocated size for each packet. - helpLink: suricata.html + helpLink: suricata pcre: match-limit: description: Match limit for PCRE. - helpLink: suricata.html + helpLink: suricata match-limit-recursion: description: Recursion limit for PCRE. - helpLink: suricata.html + helpLink: suricata defrag: memcap: description: Max memory to use for defrag. You should only change this if you know what you are doing. - helpLink: suricata.html + helpLink: suricata hash-size: description: Hash size - helpLink: suricata.html + helpLink: suricata trackers: description: Number of defragmented flows to follow. - helpLink: suricata.html + helpLink: suricata max-frags: description: Max number of fragments to keep - helpLink: suricata.html + helpLink: suricata prealloc: description: Preallocate memory. - helpLink: suricata.html + helpLink: suricata timeout: description: Timeout value. - helpLink: suricata.html + helpLink: suricata flow: memcap: description: Reserverd memory for flows. - helpLink: suricata.html + helpLink: suricata hash-size: description: Determines the size of the hash used to identify flows inside the engine. 
- helpLink: suricata.html + helpLink: suricata prealloc: description: Number of preallocated flows. - helpLink: suricata.html + helpLink: suricata stream: memcap: description: Can be specified in kb,mb,gb. - helpLink: suricata.html + helpLink: suricata checksum-validation: description: Validate checksum of packets. - helpLink: suricata.html + helpLink: suricata reassembly: memcap: description: Can be specified in kb,mb,gb. - helpLink: suricata.html + helpLink: suricata depth: description: Controls how far into a stream that reassembly is done. - helpLink: suricata.html + helpLink: suricata host: hash-size: description: Hash size in bytes. - helpLink: suricata.html + helpLink: suricata prealloc: description: How many streams to preallocate. - helpLink: suricata.html + helpLink: suricata memcap: description: Memory settings for host. - helpLink: suricata.html + helpLink: suricata decoder: teredo: enabled: description: Enable TEREDO capabilities - helpLink: suricata.html + helpLink: suricata ports: description: Ports to listen for. This should be a variable. - helpLink: suricata.html + helpLink: suricata vxlan: enabled: description: Enable VXLAN capabilities. - helpLink: suricata.html + helpLink: suricata ports: description: Ports to listen for. This should be a variable. - helpLink: suricata.html + helpLink: suricata geneve: enabled: description: Enable VXLAN capabilities. - helpLink: suricata.html + helpLink: suricata ports: description: Ports to listen for. This should be a variable. - helpLink: suricata.html + helpLink: suricata diff --git a/salt/telegraf/soc_telegraf.yaml b/salt/telegraf/soc_telegraf.yaml index b54913da7..19151f535 100644 --- a/salt/telegraf/soc_telegraf.yaml +++ b/salt/telegraf/soc_telegraf.yaml 
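Review bot: The `geneve.enabled` description at the end of this hunk reads `Enable VXLAN capabilities.`, evidently copied from the vxlan entry just above it; it should be `description: Enable Geneve capabilities.` so an operator reading the decoder settings is not misled. The same hunk also carries `Maximum nuber of asn1 frames` and `Reserverd memory for flows`, which should be `number` and `Reserved`. Only helpLink values change in this commit, so these are adjacent context lines rather than new code; the enclosing `suricata:` mapping starts outside the hunk.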
@@ -2,54 +2,54 @@ telegraf: enabled: description: Enables the grid metrics collection process. WARNING - Security Onion grid health monitoring requires this process to remain enabled. Disabling it will cause unexpected and unsupported results. advanced: True - helpLink: influxdb.html + helpLink: influxdb config: interval: description: Data collection interval. global: True - helpLink: influxdb.html + helpLink: influxdb metric_batch_size: description: Data collection batch size. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb metric_buffer_limit: description: Data collection buffer size. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb collection_jitter: description: Jitter of the flush interval. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb flush_interval: description: Flush interval for all outputs. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb flush_jitter: description: Jitter the flush interval. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb debug: description: Data collection interval. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb quiet: description: Data collection interval. global: True advanced: True - helpLink: influxdb.html + helpLink: influxdb scripts: eval: &telegrafscripts description: List of input.exec scripts to run for this node type. The script must be present in salt/telegraf/scripts. forcedType: "[]string" multiline: True advanced: True - helpLink: influxdb.html + helpLink: influxdb standalone: *telegrafscripts manager: *telegrafscripts managersearch: *telegrafscripts diff --git a/salt/versionlock/soc_versionlock.yaml b/salt/versionlock/soc_versionlock.yaml index 92fd69875..5249d972a 100644 --- a/salt/versionlock/soc_versionlock.yaml +++ b/salt/versionlock/soc_versionlock.yaml 
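Review bot: The `debug` and `quiet` entries in this hunk both carry `description: Data collection interval.`, copied from `interval`; neither option is an interval, so the UI text is wrong for both. Presumably they toggle debug-level logging and error-only logging respectively, as in upstream Telegraf, but confirm against the rendered telegraf.conf before rewording, e.g. `description: Enable debug-level logging for the metrics collector.` and `description: Log only error messages from the metrics collector.`. This is pre-existing and the helpLink change does not touch it.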
@@ -4,4 +4,4 @@ versionlock:
 global: True
 forcedType: "[]string"
 multiline: True
- helpLink: versionlock.html
+ helpLink: soup#holding-os-updates
diff --git a/salt/zeek/soc_zeek.yaml b/salt/zeek/soc_zeek.yaml
index 36da3ea9c..787185469 100644
--- a/salt/zeek/soc_zeek.yaml
+++ b/salt/zeek/soc_zeek.yaml
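Review bot: `soup#holding-os-updates` is the only helpLink in this patch that carries a `#fragment`; every other value is a bare page slug with the `.html` suffix removed, which implies the consumer now appends the extension itself. If that resolver appends `.html` to the whole string it will produce `soup#holding-os-updates.html`, so confirm it inserts the extension before the fragment (or strips and re-attaches it), and consider adding a short comment above the line noting that fragments are allowed here. The enclosing `versionlock:` mapping starts outside the hunk.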
@@ -1,32 +1,32 @@ zeek: enabled: description: Controls whether the Zeek (network packet inspection) process runs. Disabling this process could result in loss of network protocol metadata. If Suricata was selected as the protocol metadata engine during setup then this will already be disabled. - helpLink: zeek.html + helpLink: zeek ja4plus_enabled: description: "Enables JA4+ fingerprinting (JA4S, JA4D, JA4H, JA4L, JA4SSH, JA4T, JA4TS, JA4X). By enabling this, you agree to the terms of the JA4+ license (https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4)." forcedType: bool - helpLink: zeek.html + helpLink: zeek config: local: load: description: Contains a list of policies and scripts loaded by Zeek. Values in the Current Grid Value dialog box apply to every instance of Zeek. Values in a dialog box for a specific node will only apply to that node. forcedType: "[]string" - helpLink: zeek.html + helpLink: zeek load-sigs: description: Contains a list of signatures loaded by Zeek. Values placed in the Current Grid Value dialog box apply to every instance of Zeek. Values placed in a dialog box for a specific node will only apply to that node. forcedType: "[]string" - helpLink: zeek.html + helpLink: zeek redef: description: List of Zeek variables to redefine. Values placed in the Current Grid Value dialog box apply to every instance of Zeek. Values placed in a dialog box for a specific node will only apply to that node. forcedType: "[]string" advanced: True - helpLink: zeek.html + helpLink: zeek networks: HOME_NET: description: List of IP or CIDR blocks to define as the HOME_NET. 
forcedType: "[]string" advanced: False - helpLink: zeek.html + helpLink: zeek multiline: True regex: ^(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/([0-9]|[1-2][0-9]|3[0-2]))?$|^((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?))|:))|(([0-9A-Fa-f]{1,4}:){5}((:[0-9A-Fa-f]{1,4}){1,2}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){4}((:[0-9A-Fa-f]{1,4}){1,3}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){3}((:[0-9A-Fa-f]{1,4}){1,4}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){2}((:[0-9A-Fa-f]{1,4}){1,5}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(([0-9A-Fa-f]{1,4}:){1}((:[0-9A-Fa-f]{1,4}){1,6}|:((25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)\.){3}(25[0-5]|(2[0-4]|1[0-9])[0-9]|0?[0-9][0-9]?)|:))|(:((:[0-9A-Fa-f]{1,4}){1,7}|:)))(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$ regexFailureMessage: You must enter a valid IP address or CIDR. @@ -34,13 +34,13 @@ zeek: lb_procs: description: Contains the number of CPU cores or workers used by Zeek. This setting should only be applied to individual nodes and will be ignored if CPU affinity is enabled. title: workers - helpLink: zeek.html + helpLink: zeek node: True pins_enabled: description: Enabling this setting allows you to pin Zeek to specific CPUs. title: cpu affinity enabled forcedType: bool - helpLink: zeek.html + helpLink: zeek node: True advanced: True pins: 
@@ -48,61 +48,61 @@ zeek: title: cpu affinity multiline: True forcedType: "[]string" - helpLink: zeek.html + helpLink: zeek node: True advanced: True zeekctl: CompressLogs: description: This setting enables compression of Zeek logs. If you are seeing packet loss at the top of the hour in Zeek or PCAP you might need to disable this by seting it to 0. This will use more disk space but save IO and CPU. - helpLink: zeek.html + helpLink: zeek policy: custom: filters: conn: description: Conn Filter for Zeek. This is an advanced setting and will take further action to enable. - helpLink: zeek.html + helpLink: zeek file: True global: True advanced: True duplicates: True dns: description: DNS Filter for Zeek. This is an advanced setting and will take further action to enable. - helpLink: zeek.html + helpLink: zeek file: True global: True advanced: True duplicates: True files: description: Files Filter for Zeek. This is an advanced setting and will take further action to enable. - helpLink: zeek.html + helpLink: zeek file: True global: True advanced: True duplicates: True httphost: description: HTTP Hosts Filter for Zeek. This is an advanced setting and will take further action to enable. - helpLink: zeek.html + helpLink: zeek file: True global: True advanced: True duplicates: True httpuri: description: HTTP URI Filter for Zeek. This is an advanced setting and will take further action to enable. - helpLink: zeek.html + helpLink: zeek file: True global: True advanced: True duplicates: True ssl: description: SSL Filter for Zeek. This is an advanced setting and will take further action to enable. - helpLink: zeek.html + helpLink: zeek file: True global: True advanced: True duplicates: True tunnel: description: Tunnel Filter for Zeek. This is an advanced setting and will take further action to enable. - helpLink: zeek.html + helpLink: zeek file: True global: True advanced: True 
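Review bot: The `CompressLogs` description in this hunk has a typo, `by seting it to 0`, in text shown to operators; it should read `disable this by setting it to 0`. This is a context line that the helpLink change leaves untouched. The enclosing `zeek:` mapping starts and ends outside the hunk.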
@@ -110,4 +110,4 @@ zeek:
 file_extraction:
 description: Contains a list of file or MIME types Zeek will extract from the network streams. Values must adhere to the following format - {"MIME_TYPE":"FILE_EXTENSION"}
 forcedType: "[]{}"
- helpLink: zeek.html
+ helpLink: zeek