https://github.com/Security-Onion-Solutions/securityonion/issues/404

salt/elastalert/files/elastalert_config.yaml

@@ -1,5 +1,5 @@
-{% set esip = salt['pillar.get']('master:mainip', '') %}
-{% set esport = salt['pillar.get']('master:es_port', '') %}
+{% set esip = salt['pillar.get']('manager:mainip', '') %}
+{% set esport = salt['pillar.get']('manager:es_port', '') %}
 # This is the folder that contains the rule yaml files
 # Any .yaml file will be loaded as a rule
 rules_folder: /opt/elastalert/rules/

salt/elastalert/files/rules/so/suricata_thehive.yaml

@@ -1,7 +1,7 @@
-{% set es = salt['pillar.get']('static:masterip', '') %}
-{% set hivehost = salt['pillar.get']('static:masterip', '') %}
+{% set es = salt['pillar.get']('static:managerip', '') %}
+{% set hivehost = salt['pillar.get']('static:managerip', '') %}
 {% set hivekey = salt['pillar.get']('static:hivekey', '') %}
-{% set MASTER = salt['pillar.get']('master:url_base', '') %}
+{% set MANAGER = salt['pillar.get']('manager:url_base', '') %}
 
 # Elastalert rule to forward Suricata alerts from Security Onion to a specified TheHive instance.
 #
@@ -39,7 +39,7 @@ hive_alert_config:
   title: '{match[rule][name]}'
   type: 'NIDS'
   source: 'SecurityOnion'
-  description: "`SOC Hunt Pivot:` \n\n <https://{{MASTER}}/#/hunt?q=network.community_id%3A%20%20%22{match[network][community_id]}%22%20%7C%20groupby%20source.ip%20destination.ip,event.module,%20event.dataset>  \n\n `Kibana Dashboard Pivot:` \n\n <https://{{MASTER}}/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'*:so-*',key:network.community_id,negate:!f,params:(query:'{match[network][community_id]}'),type:phrase),query:(match_phrase:(network.community_id:'{match[network][community_id]}')))),refreshInterval:(pause:!t,value:0),time:(from:now-7d,to:now))>  \n\n `IPs: `{match[source][ip]}:{match[source][port]} --> {match[destination][ip]}:{match[destination][port]} \n\n `Signature:`{match[rule][rule]}"
+  description: "`SOC Hunt Pivot:` \n\n <https://{{MANAGER}}/#/hunt?q=network.community_id%3A%20%20%22{match[network][community_id]}%22%20%7C%20groupby%20source.ip%20destination.ip,event.module,%20event.dataset>  \n\n `Kibana Dashboard Pivot:` \n\n <https://{{MANAGER}}/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'*:so-*',key:network.community_id,negate:!f,params:(query:'{match[network][community_id]}'),type:phrase),query:(match_phrase:(network.community_id:'{match[network][community_id]}')))),refreshInterval:(pause:!t,value:0),time:(from:now-7d,to:now))>  \n\n `IPs: `{match[source][ip]}:{match[source][port]} --> {match[destination][ip]}:{match[destination][port]} \n\n `Signature:`{match[rule][rule]}"
   severity: 2
   tags: ['{match[rule][uuid]}','{match[source][ip]}','{match[destination][ip]}']
   tlp: 3

salt/elastalert/files/rules/so/wazuh_thehive.yaml

@@ -1,7 +1,7 @@
-{% set es = salt['pillar.get']('static:masterip', '') %}
-{% set hivehost = salt['pillar.get']('static:masterip', '') %}
+{% set es = salt['pillar.get']('static:managerip', '') %}
+{% set hivehost = salt['pillar.get']('static:managerip', '') %}
 {% set hivekey = salt['pillar.get']('static:hivekey', '') %}
-{% set MASTER = salt['pillar.get']('master:url_base', '') %}
+{% set MANAGER = salt['pillar.get']('manager:url_base', '') %}
 
 # Elastalert rule to forward high level Wazuh alerts from Security Onion to a specified TheHive instance.
 #
@@ -38,7 +38,7 @@ hive_alert_config:
   title: '{match[rule][name]}'
   type: 'wazuh'
   source: 'SecurityOnion'
-  description: "`SOC Hunt Pivot:` \n\n <https://{{MASTER}}/#/hunt?q=event.module%3A%20ossec%20AND%20rule.id%3A{match[rule][id]}%20%7C%20groupby%20host.name%20rule.name>  \n\n `Kibana Dashboard Pivot:` \n\n <https://{{MASTER}}/kibana/app/kibana#/dashboard/ed6f7e20-e060-11e9-8f0c-2ddbf5ed9290?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'sid:')),sort:!('@timestamp',desc))>"
+  description: "`SOC Hunt Pivot:` \n\n <https://{{MANAGER}}/#/hunt?q=event.module%3A%20ossec%20AND%20rule.id%3A{match[rule][id]}%20%7C%20groupby%20host.name%20rule.name>  \n\n `Kibana Dashboard Pivot:` \n\n <https://{{MANAGER}}/kibana/app/kibana#/dashboard/ed6f7e20-e060-11e9-8f0c-2ddbf5ed9290?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'sid:')),sort:!('@timestamp',desc))>"
   severity: 2
   tags: ['{match[rule][id]}','{match[host][name]}']
   tlp: 3

salt/elastalert/init.sls

@@ -13,12 +13,12 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
-{% set MASTER = salt['grains.get']('master') %}
+{% set MANAGER = salt['grains.get']('manager') %}
 
-{% if grains['role'] in ['so-eval','so-mastersearch', 'so-master', 'so-standalone'] %}
-  {% set esalert = salt['pillar.get']('master:elastalert', '1') %}
-  {% set esip = salt['pillar.get']('master:mainip', '') %}
-  {% set esport = salt['pillar.get']('master:es_port', '') %}
+{% if grains['role'] in ['so-eval','so-managersearch', 'so-manager', 'so-standalone'] %}
+  {% set esalert = salt['pillar.get']('manager:elastalert', '1') %}
+  {% set esip = salt['pillar.get']('manager:mainip', '') %}
+  {% set esport = salt['pillar.get']('manager:es_port', '') %}
 {% elif grains['role'] == 'so-node' %}
   {% set esalert = salt['pillar.get']('elasticsearch:elastalert', '0') %}
 {% endif %}
@@ -101,7 +101,7 @@ elastaconf:
 
 so-elastalert:
   docker_container.running:
-    - image: {{ MASTER }}:5000/soshybridhunter/so-elastalert:{{ VERSION }}
+    - image: {{ MANAGER }}:5000/soshybridhunter/so-elastalert:{{ VERSION }}
     - hostname: elastalert
     - name: so-elastalert
     - user: elastalert