Merge branch '2.4/dev' into kilo

2025-12-06 17:22:49 +01:00 · 2023-03-06 15:59:21 -05:00
parent 1945659369 3eb839bd21
commit 1998c66073
7 changed files with 42 additions and 30 deletions
--- a/salt/common/tools/sbin/so-elastic-fleet-setup
+++ b/salt/common/tools/sbin/so-elastic-fleet-setup
@@ -24,7 +24,7 @@ mkdir -p /opt/so/conf/elastic-fleet/certs
 cp /etc/ssl/certs/intca.crt /opt/so/conf/elastic-fleet/certs
 cp /etc/pki/elasticfleet* /opt/so/conf/elastic-fleet/certs

-{% if grains.role in ['so-import', 'so-standalone', 'so-eval'] %}
+{% if grains.role in ['so-import', 'so-standalone', 'so-eval', 'so-manager', 'so-managersearch'] %}
 # Add SO-Manager Elasticsearch Ouput
 ESCACRT=$(openssl x509 -in  /opt/so/conf/elastic-fleet/certs/intca.crt)
 JSON_STRING=$( jq -n \
--- a/salt/elasticsearch/files/ingest/suricata.common
+++ b/salt/elasticsearch/files/ingest/suricata.common
@@ -8,6 +8,7 @@
    { "rename":	{ "field": "message2.src_port",		"target_field": "source.port",		"ignore_failure": true  } },
    { "rename":	{ "field": "message2.dest_ip",		"target_field": "destination.ip",	"ignore_failure": true  } },
    { "rename":	{ "field": "message2.dest_port",	"target_field": "destination.port",	"ignore_failure": true  } },
+    { "rename":	{ "field": "message2.vlan",		"target_field": "network.vlan.id",	"ignore_failure": true  } },
    { "rename":	{ "field": "message2.community_id",	"target_field": "network.community_id",	"ignore_missing": true  } },
    { "set":	{ "field": "event.dataset",		"value": "{{ message2.event_type }}"  				} },
    { "set":	{ "field": "observer.name",		"value": "{{agent.name}}"  					} },
--- a/salt/elasticsearch/files/ingest/zeek.conn
+++ b/salt/elasticsearch/files/ingest/zeek.conn
@@ -23,6 +23,7 @@
    { "rename": 	{ "field": "message2.orig_cc", 		"target_field": "client.country_code",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.resp_cc", 		"target_field": "server.country_code",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.sensorname", 	"target_field": "observer.name",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.vlan", 		"target_field": "network.vlan.id",		"ignore_missing": true 	} },
    { "script":         { "lang": "painless", "source": "ctx.network.bytes = (ctx.client.bytes + ctx.server.bytes)", "ignore_failure": true } },
    { "set": { "if": "ctx.connection?.state == 'S0'",    "field": "connection.state_description", "value": "Connection attempt seen, no reply" } },
    { "set": { "if": "ctx.connection?.state == 'S1'",    "field": "connection.state_description", "value": "Connection established, not terminated" } },
--- a/salt/kibana/files/live_query_fixup.sh
+++ b/salt/kibana/files/live_query_fixup.sh
@@ -13,10 +13,10 @@ docker exec so-kibana grep -q "https://{{ GLOBALS.url_base }}" /usr/share/kibana
 if [ $? -eq 0 ]
 then
  #Do Nothing, pattern has been found
-  echo "Pattern found, exiting..."
+  echo "SO Hunt link found, exiting without changes..."
 else
-  echo "Pattern not found..."
-  docker exec so-kibana sed -i 's|href:h|href:"https://{{ GLOBALS.url_base }}/#/hunt?q=action_id%3A%20"+e+"%20%7C%20groupby%20action_id%20action_data.query%20%7C%20groupby%20host.hostname%20%22metadata.input.beats.host.ip%22"|g' /usr/share/kibana/x-pack/plugins/osquery/target/public/osquery.chunk.0.js
+  echo "SO Hunt link not found, adding link and restarting Kibana container..."
+  docker exec so-kibana sed -i 's|href:g|href:"https://{{ GLOBALS.url_base }}/#/hunt?q=action_id%3A%20"+e+"%20%7C%20groupby%20action_id%20action_data.query%20%7C%20groupby%20host.hostname%20%22metadata.input.beats.host.ip%22"|g' /usr/share/kibana/x-pack/plugins/osquery/target/public/osquery.chunk.0.js
  docker exec so-kibana sed -i 's|View in Discover|View in SO - Hunt|g' /usr/share/kibana/x-pack/plugins/osquery/target/public/osquery.chunk.0.js
  docker exec so-kibana rm /usr/share/kibana/x-pack/plugins/osquery/target/public/osquery.chunk.0.js.br
  docker exec so-kibana gzip -kf /usr/share/kibana/x-pack/plugins/osquery/target/public/osquery.chunk.0.js
--- a/salt/kibana/init.sls
+++ b/salt/kibana/init.sls
@@ -108,6 +108,12 @@ append_so-kibana_so-status.conf:
    - name: /opt/so/conf/so-status/so-status.conf
    - text: so-kibana

+osquery_hunt_link:
+  cmd.script:
+    - source: salt://kibana/files/live_query_fixup.sh
+    - cwd: /root
+    - template: jinja
+
 {% else %}

 {{sls}}_state_not_allowed:
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1555,6 +1555,9 @@ soc:
          - name: Firewall
            description: Firewall logs
            query: 'event.dataset:firewall | groupby -sankey rule.action interface.name | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port'
+          - name: VLAN
+            description: VLAN (Virtual Local Area Network) tagged logs
+            query: '* AND _exists_:network.vlan.id | groupby network.vlan.id | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby event.dataset | groupby event.module | groupby observer.name | groupby source.geo.country_name | groupby destination.geo.country_name'
      job:
      alerts:
        advanced: false
--- a/salt/zeek/defaults.yaml
+++ b/salt/zeek/defaults.yaml
@@ -37,6 +37,7 @@ zeek:
        - protocols/ftp/detect
        - protocols/conn/known-hosts
        - protocols/conn/known-services
+        - protocols/conn/vlan-logging
        - protocols/ssl/known-certs
        - protocols/ssl/validate-certs
        - protocols/ssl/log-hostcerts-only