Merge remote-tracking branch 'origin/2.4/dev' into 2.4/templaterepos

salt/elasticsearch/defaults.yaml

@@ -599,6 +599,35 @@ elasticsearch:
               set_priority:
                 priority: 50
             min_age: 30d
+    so-ip-mappings:
+      index_sorting: false
+      index_template:
+        composed_of:
+        - so-ip-mappings
+        ignore_missing_component_templates: []
+        index_patterns:
+        - so-ip*
+        priority: 500
+        template:
+          mappings:
+            date_detection: false
+            dynamic_templates:
+            - strings_as_keyword:
+                mapping:
+                  ignore_above: 1024
+                  type: keyword
+                match_mapping_type: string
+          settings:
+            index:
+              mapping:
+                total_fields:
+                  limit: 1500
+              number_of_replicas: 0
+              number_of_shards: 1
+              refresh_interval: 30s
+              sort:
+                field: '@timestamp'
+                order: desc
     so-items:
       index_sorting: false
       index_template:

salt/elasticsearch/templates/component/so/so-ip-mappings.json

@@ -0,0 +1,25 @@
+{
+  "_meta": {
+    "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html",
+    "ecs_version": "1.12.2"
+  },
+  "template": {
+    "mappings": {
+      "properties": {
+        "@timestamp": {
+          "type": "date"
+        },
+        "so": {
+          "properties": {
+            "ip_address": {
+              "type": "ip"
+            },
+            "description": {
+              "type": "text"
+            }
+          }
+        }
+      }
+    }
+  }
+}

salt/manager/tools/sbin/soup

@@ -719,6 +719,9 @@ up_to_2.4.120() {
   mkdir /opt/so/saltstack/local/pillar/versionlock
   touch /opt/so/saltstack/local/pillar/versionlock/adv_versionlock.sls /opt/so/saltstack/local/pillar/versionlock/soc_versionlock.sls
 
+  # New Grid Integration added this release
+  rm -f /opt/so/state/eaintegrations.txt
+
   INSTALLEDVERSION=2.4.120
 }
 

salt/soc/defaults.yaml

@@ -1447,6 +1447,8 @@ soc:
           rulesFingerprintFile: /opt/sensoroni/fingerprints/emerging-all.fingerprint
           stateFilePath: /opt/sensoroni/fingerprints/suricataengine.state
           integrityCheckFrequencySeconds: 1200
+          ignoredSidRanges:
+            - '1100000-1101000'
       client:
         enableReverseLookup: false
         docsUrl: /docs/

salt/soc/soc_soc.yaml

@@ -390,6 +390,12 @@ soc:
             advanced: True
             forcedType: "[]{}"
             helpLink: suricata.html
+          ignoredSidRanges:
+            description: 'List of Suricata SID ranges to ignore during the Integrity Check. This is useful for ignoring specific rules not governed by the UI. Each line should contain 1 range in the format "1100000-1200000". The ranges are treated as inclusive.'
+            global: True
+            advanced: True
+            forcedType: "[]string"
+            helpLink: detections.html#rule-engine-status
       client:
         enableReverseLookup:
           description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI.