diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index b6aa218ef..c680d61c1 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml @@ -261,6 +261,7 @@ output.{{ type }}: output.elasticsearch: enabled: true hosts: ["https://{{ MANAGER }}:9200"] + ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"] pipelines: - pipeline: "%{[module]}.%{[dataset]}" indices: diff --git a/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja b/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja index 51e691176..6d7b71415 100644 --- a/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja +++ b/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja @@ -34,10 +34,8 @@ output { template_name => "so-osquery" template => "/templates/so-osquery-template.json" template_overwrite => true - {%- if grains['role'] in ['so-node','so-heavynode'] %} ssl => true ssl_certificate_verification => false - {%- endif %} } } } diff --git a/salt/soc/files/soc/hunt.queries.json b/salt/soc/files/soc/hunt.queries.json index 5f3a359b5..840b4b373 100644 --- a/salt/soc/files/soc/hunt.queries.json +++ b/salt/soc/files/soc/hunt.queries.json @@ -17,7 +17,7 @@ { "name": "Connections", "description": "Connections grouped by destination country", "query": "event.dataset:conn | groupby destination.geo.country_name"}, { "name": "Connections", "description": "Connections grouped by source country", "query": "event.dataset:conn | groupby source.geo.country_name"}, { "name": "DCE_RPC", "description": "DCE_RPC grouped by operation", "query": "event.dataset:dce_rpc | groupby dce_rpc.operation"}, - { "name": "DHCP", "description": "DHCP leases", "query": "event.dataset:dhcp | groupby host.hostname host.domain"}, + { "name": "DHCP", "description": "DHCP leases", "query": "event.dataset:dhcp | groupby host.hostname client.address"}, { "name": "DHCP", "description": "DHCP grouped by message type", "query": "event.dataset:dhcp | groupby dhcp.message_types"}, { "name": "DNP3", "description": "DNP3 grouped by reply", "query": "event.dataset:dnp3 | groupby dnp3.fc_reply"}, { "name": "DNS", "description": "DNS queries grouped by port", "query": "event.dataset:dns | groupby dns.query.name destination.port"}, diff --git a/setup/automation/distributed-iso-sensor b/setup/automation/distributed-iso-sensor index 5df368336..955019bd8 100644 --- a/setup/automation/distributed-iso-sensor +++ b/setup/automation/distributed-iso-sensor @@ -50,7 +50,7 @@ MNIC=eth0 # MSEARCH= MSRV=distributed-manager MSRVIP=10.66.166.42 -# MTU= +MTU=1500 # NIDS=Suricata # NODE_ES_HEAP_SIZE= # NODE_LS_HEAP_SIZE= @@ -71,8 +71,10 @@ PATCHSCHEDULENAME=auto SOREMOTEPASS1=onionuser SOREMOTEPASS2=onionuser # STRELKA=1 +SURIPINS=(2 3) # THEHIVE=1 # WAZUH=1 # WEBUSER=onionuser@somewhere.invalid # WEBPASSWD1=0n10nus3r # WEBPASSWD2=0n10nus3r +ZEEKPINS=(0 1) diff --git a/setup/automation/distributed-net-ubuntu-suricata-sensor b/setup/automation/distributed-net-ubuntu-suricata-sensor index 6aa32c03d..5540e4211 100644 --- a/setup/automation/distributed-net-ubuntu-suricata-sensor +++ b/setup/automation/distributed-net-ubuntu-suricata-sensor @@ -50,7 +50,7 @@ MNIC=ens18 # MSEARCH= MSRV=distributed-manager MSRVIP=10.66.166.66 -# MTU= +MTU=1500 # NIDS=Suricata # NODE_ES_HEAP_SIZE= # NODE_LS_HEAP_SIZE= @@ -71,8 +71,10 @@ PATCHSCHEDULENAME=auto SOREMOTEPASS1=onionuser SOREMOTEPASS2=onionuser # STRELKA=1 +SURIPINS=(2 3) # THEHIVE=1 # WAZUH=1 # WEBUSER=onionuser@somewhere.invalid # WEBPASSWD1=0n10nus3r # WEBPASSWD2=0n10nus3r +ZEEKPINS=(0 1)