CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'remotes/origin/dev' into delta

Browse Source
This commit is contained in:
Josh Brower
2022-02-28 21:18:07 -05:00
parent 41a58b791a 73b2a36e89
commit 09f1a5025d
17 changed files with 420 additions and 69 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
HOTFIX
View File

@@ -1 +0,0 @@
20220202 20220203

9
salt/common/tools/sbin/so-common
View File

@@ -249,6 +249,7 @@ lookup_salt_value() {
group=$2
kind=$3
output=${4:-newline_values_only}
local=$5
if [ -z "$kind" ]; then
kind=pillar
@@ -258,7 +259,13 @@ lookup_salt_value() {
group=${group}:
fi
salt-call --no-color ${kind}.get ${group}${key} --out=${output}
if [[ "$local" == "--local" ]] || [[ "$local" == "local" ]]; then
local="--local"
else
local=""
fi
salt-call --no-color ${kind}.get ${group}${key} --out=${output} ${local}
}
lookup_pillar() {

16
salt/common/tools/sbin/soup
View File

@@ -245,7 +245,6 @@ check_sudoers() {
}
check_log_size_limit() {
local num_minion_pillars
num_minion_pillars=$(find /opt/so/saltstack/local/pillar/minions/ -type f | wc -l)
@@ -255,7 +254,7 @@ check_log_size_limit() {
fi
else
local minion_id
minion_id=$(lookup_salt_value "id" "" "grains")
minion_id=$(lookup_salt_value "id" "" "grains" "" "local")
local minion_arr
IFS='_' read -ra minion_arr <<< "$minion_id"
@@ -263,7 +262,15 @@ check_log_size_limit() {
local node_type="${minion_arr[0]}"
local current_limit
current_limit=$(lookup_pillar "log_size_limit" "elasticsearch")
# since it is possible for the salt-master service to be stopped when this is run, we need to check the pillar values locally
# we need to combine default local and default pillars before doing this so we can define --pillar-root in salt-call
local epoch_date=$(date +%s%N)
mkdir -vp /opt/so/saltstack/soup_tmp_${epoch_date}/
cp -r /opt/so/saltstack/default/pillar/ /opt/so/saltstack/soup_tmp_${epoch_date}/
# use \cp here to overwrite any pillar files from default with those in local for the tmp directory
\cp -r /opt/so/saltstack/local/pillar/ /opt/so/saltstack/soup_tmp_${epoch_date}/
current_limit=$(salt-call pillar.get elasticsearch:log_size_limit --local --pillar-root=/opt/so/saltstack/soup_tmp_${epoch_date}/pillar --out=newline_values_only)
rm -rf /opt/so/saltstack/soup_tmp_${epoch_date}/
local percent
case $node_type in
@@ -468,12 +475,15 @@ post_to_2.3.90() {
post_to_2.3.100() {
echo "Post Processing for 2.3.100"
POSTVERSION=2.3.100
}
post_to_2.3.110() {
echo "Post Processing for 2.3.110"
echo "Updating Kibana dashboards"
salt-call state.apply kibana.so_savedobjects_defaults queue=True
so-playbook-sigma-refresh >> /root/soup_playbook_sigma_refresh.log 2>&1 &
POSTVERSION=2.3.110
}
stop_salt_master() {

98
salt/elasticsearch/defaults.yaml
View File

@@ -102,6 +102,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -135,6 +136,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -184,6 +186,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -217,6 +220,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -265,6 +269,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -298,6 +303,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -346,6 +352,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -379,6 +386,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -428,6 +436,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -461,6 +470,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -536,6 +546,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -569,6 +580,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -615,6 +627,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -648,6 +661,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -694,6 +708,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -727,6 +742,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -775,6 +791,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -808,6 +825,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -855,6 +873,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -888,6 +907,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -933,6 +953,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -966,6 +987,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -1011,6 +1033,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -1045,6 +1068,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -1090,6 +1114,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -1124,6 +1149,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -1170,6 +1196,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -1203,6 +1230,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -1248,6 +1276,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -1281,6 +1310,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -1326,6 +1356,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -1359,6 +1390,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -1404,6 +1436,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -1438,6 +1471,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -1483,6 +1517,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -1517,6 +1552,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -1562,6 +1598,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -1596,6 +1633,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -1642,6 +1680,7 @@ elasticsearch:
- client-mappings
- container-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -1673,6 +1712,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- url-mappings
@@ -1716,6 +1756,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -1749,6 +1790,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- suricata-mappings
- threat-mappings
- tls-mappings
@@ -1795,6 +1837,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -1828,6 +1871,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -1873,6 +1917,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -1906,6 +1951,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -1952,6 +1998,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -1985,6 +2032,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -2031,6 +2079,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -2065,6 +2114,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -2110,6 +2160,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -2144,6 +2195,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -2190,6 +2242,7 @@ elasticsearch:
- client-mappings
- container-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -2221,6 +2274,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- url-mappings
@@ -2264,6 +2318,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -2298,6 +2353,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -2343,6 +2399,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -2377,6 +2434,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -2422,6 +2480,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -2456,6 +2515,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -2501,6 +2561,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -2535,6 +2596,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -2580,6 +2642,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -2613,6 +2676,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -2658,6 +2722,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -2692,6 +2757,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -2737,6 +2803,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -2771,6 +2838,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -2816,6 +2884,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -2849,6 +2918,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -2895,6 +2965,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -2928,6 +2999,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -2974,6 +3046,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -3007,6 +3080,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -3052,6 +3126,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -3085,6 +3160,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -3130,6 +3206,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -3164,6 +3241,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -3209,6 +3287,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -3242,6 +3321,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -3287,6 +3367,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -3321,6 +3402,7 @@ elasticsearch:
- dtc-service-mappings
- snyk-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -3366,6 +3448,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -3399,6 +3482,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -3444,6 +3528,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -3478,6 +3563,7 @@ elasticsearch:
- dtc-service-mappings
- sophos-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -3523,6 +3609,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -3556,6 +3643,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -3601,6 +3689,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -3636,6 +3725,7 @@ elasticsearch:
- dtc-service-mappings
- so-scan-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -3681,6 +3771,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -3714,6 +3805,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- syslog-mappings
- threat-mappings
- tls-mappings
@@ -3760,6 +3852,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -3793,6 +3886,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -3838,6 +3932,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -3871,6 +3966,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings
@@ -3917,6 +4013,7 @@ elasticsearch:
- container-mappings
- data_stream-mappings
- destination-mappings
- pb-override-destination-mappings
- dll-mappings
- dns-mappings
- dtc-dns-mappings
@@ -3950,6 +4047,7 @@ elasticsearch:
- service-mappings
- dtc-service-mappings
- source-mappings
- pb-override-source-mappings
- threat-mappings
- tls-mappings
- tracing-mappings

2
salt/elasticsearch/files/ingest/zeek.dns
View File

@@ -23,7 +23,7 @@
{ "rename": { "field": "message2.TTLs", "target_field": "dns.ttls", "ignore_missing": true } },
{ "rename": { "field": "message2.rejected", "target_field": "dns.query.rejected", "ignore_missing": true } },
{ "script": { "lang": "painless", "source": "ctx.dns.query.length = ctx.dns.query.name.length()", "ignore_failure": true } },
{ "set": { "field": "_index", "value": "so-zeek_dns", "override": true } },
{ "set": { "if": "ctx._index == 'so-zeek'", "field": "_index", "value": "so-zeek_dns", "override": true } },
{ "pipeline": { "if": "ctx.dns.query?.name != null && ctx.dns.query.name.contains('.')", "name": "dns.tld" } },
{ "pipeline": { "name": "zeek.common" } }
]

18
salt/elasticsearch/init.sls
View File

@@ -379,6 +379,15 @@ append_so-elasticsearch_so-status.conf:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-elasticsearch
so-elasticsearch-templates:
cmd.run:
- name: /usr/sbin/so-elasticsearch-templates-load
- cwd: /opt/so
- template: jinja
- require:
- docker_container: so-elasticsearch
- file: es_sync_scripts
so-elasticsearch-pipelines:
cmd.run:
- name: /usr/sbin/so-elasticsearch-pipelines {{ grains.host }}
@@ -391,15 +400,6 @@ so-elasticsearch-pipelines:
- docker_container: so-elasticsearch
- file: so-elasticsearch-pipelines-script
so-elasticsearch-templates:
cmd.run:
- name: /usr/sbin/so-elasticsearch-templates-load
- cwd: /opt/so
- template: jinja
- require:
- docker_container: so-elasticsearch
- file: es_sync_scripts
so-elasticsearch-roles-load:
cmd.run:
- name: /usr/sbin/so-elasticsearch-roles-load

19
salt/elasticsearch/templates/component/ecs/aws.json
View File

@@ -13,8 +13,7 @@
"additional_eventdata": {
"fields": {
"text": {
"norms": false,
"type": "text"
"type": "match_only_text"
}
},
"ignore_above": 1024,
@@ -228,8 +227,7 @@
"request_parameters": {
"fields": {
"text": {
"norms": false,
"type": "text"
"type": "match_only_text"
}
},
"ignore_above": 1024,
@@ -269,8 +267,7 @@
"response_elements": {
"fields": {
"text": {
"norms": false,
"type": "text"
"type": "match_only_text"
}
},
"ignore_above": 1024,
@@ -279,8 +276,7 @@
"service_event_details": {
"fields": {
"text": {
"norms": false,
"type": "text"
"type": "match_only_text"
}
},
"ignore_above": 1024,
@@ -406,7 +402,12 @@
"properties": {
"message": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},

5
salt/elasticsearch/templates/component/ecs/base.json
View File

@@ -13,7 +13,12 @@
"type": "object"
},
"message": {
"type": "match_only_text",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"tags": {
"ignore_above": 1024,

7
salt/elasticsearch/templates/component/ecs/cyberark.json
View File

@@ -534,7 +534,12 @@
},
"reason": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"rfc5424": {
"type": "boolean"

12
salt/elasticsearch/templates/component/ecs/logstash.json
View File

@@ -45,8 +45,7 @@
"thread": {
"fields": {
"text": {
"norms": false,
"type": "text"
"type": "match_only_text"
}
},
"ignore_above": 1024,
@@ -59,8 +58,7 @@
"event": {
"fields": {
"text": {
"norms": false,
"type": "text"
"type": "match_only_text"
}
},
"ignore_above": 1024,
@@ -87,8 +85,7 @@
"plugin_params": {
"fields": {
"text": {
"norms": false,
"type": "text"
"type": "match_only_text"
}
},
"ignore_above": 1024,
@@ -109,8 +106,7 @@
"thread": {
"fields": {
"text": {
"norms": false,
"type": "text"
"type": "match_only_text"
}
},
"ignore_above": 1024,

210
salt/elasticsearch/templates/component/ecs/misp.json
View File

@@ -12,7 +12,12 @@
"properties": {
"description": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
@@ -47,11 +52,21 @@
"properties": {
"aliases": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"description": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"first_seen": {
"type": "date"
@@ -92,7 +107,12 @@
"properties": {
"description": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
@@ -118,11 +138,21 @@
"properties": {
"contact_information": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"description": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
@@ -175,18 +205,33 @@
"properties": {
"aliases": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"description": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"first_seen": {
"type": "date"
},
"goals": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
@@ -211,15 +256,30 @@
},
"primary_motivation": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"resource_level": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"secondary_motivations": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -227,7 +287,12 @@
"properties": {
"description": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
@@ -280,7 +345,12 @@
},
"description": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
@@ -346,7 +416,12 @@
"properties": {
"description": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
@@ -377,7 +452,12 @@
},
"object_refs": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"published": {
"type": "date"
@@ -388,15 +468,30 @@
"properties": {
"aliases": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"description": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"goals": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
@@ -427,27 +522,57 @@
},
"personal_motivations": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"primary_motivation": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"resource_level": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"roles": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"secondary_motivations": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"sophistication": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
},
@@ -491,11 +616,21 @@
},
"description": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"feed": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
@@ -602,7 +737,12 @@
"properties": {
"description": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
@@ -615,7 +755,12 @@
},
"kill_chain_phases": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"labels": {
"ignore_above": 1024,
@@ -650,7 +795,12 @@
"properties": {
"description": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,

7
salt/elasticsearch/templates/component/ecs/o365.json
View File

@@ -165,7 +165,12 @@
},
"Comments": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"CommunicationType": {
"ignore_above": 1024,

14
salt/elasticsearch/templates/component/ecs/zeek.json
View File

@@ -1333,7 +1333,12 @@
},
"email_body_sections": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"email_delay_tokens": {
"ignore_above": 1024,
@@ -1453,7 +1458,12 @@
},
"peer_descr": {
"norms": false,
"type": "text"
"type": "text",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"peer_name": {
"ignore_above": 1024,

32
salt/elasticsearch/templates/component/so/pb-override-destination-mappings.json Normal file
View File

@@ -0,0 +1,32 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-destination.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"destination": {
"properties": {
"ip": {
"type": "ip",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"port": {
"type": "long",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
}
}
}
}
}

33
salt/elasticsearch/templates/component/so/pb-override-source-mappings.json Normal file
View File

@@ -0,0 +1,33 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-source.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"source": {
"properties": {
"ip": {
"type": "ip",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"port": {
"type": "long",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
}
}
}
}
}

2
salt/kibana/bin/so-kibana-config-load
View File

@@ -41,7 +41,7 @@ update() {
wait_for_web_response "http://localhost:5601/app/kibana" "Elastic" 300 "{{ ELASTICCURL }}"
IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))'
for i in "${LINES[@]}"; do
{{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/7.16.3" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i "
{{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/7.17.1" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i "
done
}

2
salt/kibana/files/config_saved_objects.ndjson
View File

@@ -1 +1 @@
{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "7.17.0","id": "7.17.0","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "7.17.1","id": "7.17.1","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}