Merge pull request #14991 from Security-Onion-Solutions/cogburn/wip-module

Cogburn/wip module
2025-12-06 09:12:45 +01:00 · 2025-09-09 10:32:06 -06:00
parent 624ec3c93e aa43177d8c
commit 2f68cd7483
8 changed files with 305 additions and 13 deletions
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -284,6 +284,86 @@ elasticsearch:
          hot:
            actions: {}
            min_age: 0ms
+    so-assistant-chat:
+      index_sorting: false
+      index_template:
+        composed_of:
+        - assistant-chat-mappings
+        - assistant-chat-settings
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
+        ignore_missing_component_templates: []
+        index_patterns:
+        - so-assistant-chat-*
+        priority: 501
+        template:
+          mappings:
+            date_detection: false
+            dynamic_templates:
+            - strings_as_keyword:
+                mapping:
+                  ignore_above: 1024
+                  type: keyword
+                match_mapping_type: string
+          settings:
+            index:
+              lifecycle:
+                name: so-assistant-chat-logs
+              mapping:
+                total_fields:
+                  limit: 1500
+              number_of_replicas: 0
+              number_of_shards: 1
+              refresh_interval: 1s
+              sort:
+                field: '@timestamp'
+                order: desc
+      policy:
+        phases:
+          hot:
+            actions: {}
+            min_age: 0ms
+    so-assistant-session:
+      index_sorting: false
+      index_template:
+        composed_of:
+        - assistant-session-mappings
+        - assistant-session-settings
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
+        ignore_missing_component_templates: []
+        index_patterns:
+        - so-assistant-session-*
+        priority: 501
+        template:
+          mappings:
+            date_detection: false
+            dynamic_templates:
+            - strings_as_keyword:
+                mapping:
+                  ignore_above: 1024
+                  type: keyword
+                match_mapping_type: string
+          settings:
+            index:
+              lifecycle:
+                name: so-assistant-session-logs
+              mapping:
+                total_fields:
+                  limit: 1500
+              number_of_replicas: 0
+              number_of_shards: 1
+              refresh_interval: 1s
+              sort:
+                field: '@timestamp'
+                order: desc
+      policy:
+        phases:
+          hot:
+            actions: {}
+            min_age: 0ms
    so-endgame:
      index_sorting: false
      index_template:
--- a/salt/elasticsearch/templates/component/so/assistant-chat-mappings.json
+++ b/salt/elasticsearch/templates/component/so/assistant-chat-mappings.json
@@ -0,0 +1,104 @@
+{
+	"template": {
+		"mappings": {
+			"properties": {
+				"@timestamp": {
+					"type": "date"
+				},
+				"so_kind": {
+					"ignore_above": 1024,
+					"type": "keyword"
+				},
+				"so_operation": {
+					"ignore_above": 1024,
+					"type": "keyword"
+				},
+				"so_chat": {
+					"properties": {
+						"role": {
+							"ignore_above": 1024,
+							"type": "keyword"
+						},
+						"content": {
+							"type": "object",
+							"enabled": false
+						},
+						"sessionId": {
+							"ignore_above": 1024,
+							"type": "keyword"
+						},
+						"createTime": {
+							"type": "date"
+						},
+						"deletedAt": {
+							"type": "date"
+						},
+						"tags": {
+							"ignore_above": 1024,
+							"type": "keyword"
+						},
+						"tool_use_id": {
+							"ignore_above": 1024,
+							"type": "keyword"
+						},
+						"userId": {
+							"ignore_above": 1024,
+							"type": "keyword"
+						},
+						"message": {
+							"properties": {
+								"id": {
+									"ignore_above": 1024,
+									"type": "keyword"
+								},
+								"type": {
+									"ignore_above": 1024,
+									"type": "keyword"
+								},
+								"role": {
+									"ignore_above": 1024,
+									"type": "keyword"
+								},
+								"model": {
+									"ignore_above": 1024,
+									"type": "keyword"
+								},
+								"contentStr": {
+									"type": "text"
+								},
+								"contentBlocks": {
+									"type": "nested",
+									"enabled": false
+								},
+								"stopReason": {
+									"ignore_above": 1024,
+									"type": "keyword"
+								},
+								"stopSequence": {
+									"ignore_above": 1024,
+									"type": "keyword"
+								},
+								"usage": {
+									"properties": {
+										"input_tokens": {
+											"type": "long"
+										},
+										"output_tokens": {
+											"type": "long"
+										},
+										"credits": {
+											"type": "long"
+										}
+									}
+								}
+							}
+						}
+					}
+				}
+			}
+		}
+	},
+	"_meta": {
+		"ecs_version": "1.12.2"
+	}
+}
--- a/salt/elasticsearch/templates/component/so/assistant-chat-settings.json
+++ b/salt/elasticsearch/templates/component/so/assistant-chat-settings.json
@@ -0,0 +1,7 @@
+{
+	"template": {},
+	"version": 1,
+	"_meta": {
+		"description": "default settings for common Security Onion Assistant indices"
+	}
+}
--- a/salt/elasticsearch/templates/component/so/assistant-session-mappings.json
+++ b/salt/elasticsearch/templates/component/so/assistant-session-mappings.json
@@ -0,0 +1,44 @@
+{
+	"template": {
+		"mappings": {
+			"properties": {
+				"@timestamp": {
+					"type": "date"
+				},
+				"so_kind": {
+					"ignore_above": 1024,
+					"type": "keyword"
+				},
+				"so_session": {
+					"properties": {
+						"title": {
+							"ignore_above": 1024,
+							"type": "keyword"
+						},
+						"sessionId": {
+							"ignore_above": 1024,
+							"type": "keyword"
+						},
+						"createTime": {
+							"type": "date"
+						},
+						"deleteTime": {
+							"type": "date"
+						},
+						"tags": {
+							"ignore_above": 1024,
+							"type": "keyword"
+						},
+						"userId": {
+							"ignore_above": 1024,
+							"type": "keyword"
+						}
+					}
+				}
+			}
+		}
+	},
+	"_meta": {
+		"ecs_version": "1.12.2"
+	}
+}
--- a/salt/elasticsearch/templates/component/so/assistant-session-settings.json
+++ b/salt/elasticsearch/templates/component/so/assistant-session-settings.json
@@ -0,0 +1,7 @@
+{
+	"template": {},
+	"version": 1,
+	"_meta": {
+		"description": "default settings for common Security Onion Assistant indices"
+	}
+}
--- a/salt/nginx/etc/nginx.conf
+++ b/salt/nginx/etc/nginx.conf
@@ -209,6 +209,10 @@ http {
 			proxy_set_header        Upgrade $http_upgrade;
 			proxy_set_header        Connection "Upgrade";
 			proxy_set_header        X-Forwarded-Proto $scheme;
+
+			proxy_buffering         off;
+			proxy_cache             off;
+			proxy_request_buffering off;
 		}

 		location ~ ^/auth/.*?(login|oidc/callback) {
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1491,6 +1491,8 @@ soc:
              - repo: file:///nsm/airgap-resources/playbooks/securityonion-resources-playbooks
                branch: main
                folder: securityonion-normalized
+        assistant:
+          apiUrl: https://onionai.securityonion.net
        salt:
          queueDir: /opt/sensoroni/queue
          timeoutMs: 45000
@@ -2541,3 +2543,12 @@ soc:
                          - ' -priv'
                  condition: all of selection_*
              level: 'high'  # info | low | medium | high | critical
+        assistant:
+          enabled: false
+          investigationPrompt: Investigate Alert ID {socid}
+          contextLimitSmall: 200000
+          contextLimitLarge: 1000000
+          thresholdColorRatioLow: 0.5
+          thresholdColorRatioMed: 0.75
+          thresholdColorRatioMax: 1
+          lowBalanceColorAlert: 500000
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -580,7 +580,42 @@ soc:
              - field: folder
                label: Folder
            airgap: *pbRepos
+        assistant:
+          apiUrl:
+            description: The URL of the AI gateway.
+            advanced: True
+            global: True
      client:
+        assistant:
+          enabled:
+            description: Set to true to enable the Onion AI assistant in SOC.
+            global: True
+          investigationPrompt: 
+            description: Prompt given to Onion AI when beginning an investigation.
+            global: True
+          contextLimitSmall:
+            description: Smaller context limit for Onion AI.
+            global: True
+            advanced: True
+          contextLimitLarge:
+            description: Larger context limit for Onion AI.
+            global: True
+            advanced: True
+          thresholdColorRatioLow:
+            description: Lower visual context color change threshold.
+            global: True
+            advanced: True
+          thresholdColorRatioMed:
+            description: Middle visual context color change threshold.
+            global: True
+            advanced: True
+          thresholdColorRatioMax:
+            description: Max visual context color change threshold.
+            global: True
+            advanced: True 
+          lowBalanceColorAlert:
+            description: Onion AI credit amount at which balance turns red.
+            advanced: True
        apiTimeoutMs:
          description: Duration (in milliseconds) to wait for a response from the SOC server API before giving up and showing an error on the SOC UI.
          global: True