Merge pull request #13727 from Security-Onion-Solutions/2.4/filter-tweaks

Disable by default & Airgap

salt/elasticfleet/config.sls

@@ -85,7 +85,7 @@ soresourcesrepoclone:
   git.latest:
     - name: https://github.com/Security-Onion-Solutions/securityonion-resources.git
     - target: /nsm/securityonion-resources
-    - rev: 'dev/defend_filters'
+    - rev: 'main'
     - depth: 1
 {% endif %}
 
@@ -112,8 +112,13 @@ elasticdefendcustom:
     - group: 939
     - mode: 600
 
-cronelasticdefendfilters:
-  cron.present:
+{% if ELASTICFLEETMERGED.config.defend_filters.enable_auto_configuration %}
+{%   set ap = "present" %}
+{% else %}
+{%   set ap = "absent" %}
+{% endif %}
+cron-elastic-defend-filters:
+  cron.{{ap}}:
     - name: python3 /sbin/so-elastic-defend-manage-filters.py -c /opt/so/conf/elasticsearch/curl.config -d /opt/so/conf/elastic-fleet/defend-exclusions/disabled-filters.yaml -i /nsm/securityonion-resources/event_filters/ -i /opt/so/conf/elastic-fleet/defend-exclusions/rulesets/custom-filters/ &>> /opt/so/log/elasticfleet/elastic-defend-manage-filters.log
     - identifier: elastic-defend-filters
     - user: root

salt/elasticfleet/enabled.sls

@@ -17,10 +17,12 @@ include:
   - elasticfleet.sostatus
   - ssl
 
+{% if grains.role not in ['so-fleet'] %}
 # Wait for Elasticsearch to be ready - no reason to try running Elastic Fleet server if ES is not ready
 wait_for_elasticsearch_elasticfleet:
   cmd.run:
     - name: so-elasticsearch-wait
+{% endif %}
 
 # If enabled, automatically update Fleet Logstash Outputs
 {% if ELASTICFLEETMERGED.config.server.enable_auto_configuration and grains.role not in ['so-import', 'so-eval', 'so-fleet'] %}
@@ -146,6 +148,15 @@ so-elastic-agent-grid-upgrade:
 so-elastic-fleet-integration-upgrade:
   cmd.run:
     - name: /usr/sbin/so-elastic-fleet-integration-upgrade
+
+{%   if ELASTICFLEETMERGED.config.defend_filters.enable_auto_configuration %}
+so-elastic-defend-manage-filters-file-watch:
+  cmd.run:
+    - name: python3 /sbin/so-elastic-defend-manage-filters.py -c /opt/so/conf/elasticsearch/curl.config -d /opt/so/conf/elastic-fleet/defend-exclusions/disabled-filters.yaml -i /nsm/securityonion-resources/event_filters/ -i /opt/so/conf/elastic-fleet/defend-exclusions/rulesets/custom-filters/ &>> /opt/so/log/elasticfleet/elastic-defend-manage-filters.log
+    - onchanges:
+      - file: elasticdefendcustom
+      - file: elasticdefenddisabled
+{%    endif %}
 {%  endif %}
 
 delete_so-elastic-fleet_so-status.disabled:

salt/manager/tools/sbin/soup

@@ -888,6 +888,12 @@ update_airgap_rules() {
   rsync -av $UPDATE_DIR/agrules/suricata/* /nsm/rules/suricata/
   rsync -av $UPDATE_DIR/agrules/detect-sigma/* /nsm/rules/detect-sigma/
   rsync -av $UPDATE_DIR/agrules/detect-yara/* /nsm/rules/detect-yara/
+  # Checkout the stable summaries branch and copy them over for SOC
+  git -C $UPDATE_DIR/agrules/securityonion-resources/ checkout generated-summaries-stable
+  rsync -av $UPDATE_DIR/agrules/securityonion-resources/* /opt/so/conf/soc/ai_summary_repos
+  # Checkout the main branch and copy them over to nsm
+  git -C $UPDATE_DIR/agrules/securityonion-resources/ checkout main
+  rsync -av $UPDATE_DIR/agrules/securityonion-resources/* /nsm/securityonion-resources/
 }
 
 update_airgap_repo() {

setup/so-functions

@@ -42,9 +42,10 @@ logCmd() {
 ### End Logging Section ###
 
 airgap_rules() {
-	# Copy the rules for suricata if using Airgap
+	# Copy the rules for detections if using Airgap
 	mkdir -p /nsm/rules
-	cp -Rv /root/SecurityOnion/agrules/* /nsm/rules/
+	rsync -av --exclude='securityonion-resources' /root/SecurityOnion/agrules/ /nsm/rules/
+	rsync -av  /root/SecurityOnion/agrules/securityonion-resources/ /nsm/
 }
 
 add_admin_user() {