From 2e01330e1bf2ccd16edd3f4d8544ed35715f43d7 Mon Sep 17 00:00:00 2001
From: Mike Reeves <luke@geekempire.com>
Date: Tue, 9 Mar 2021 13:15:04 -0500
Subject: [PATCH 1/7] Update 9101_output_osquery_livequery.conf.jinja

---
 .../config/so/9101_output_osquery_livequery.conf.jinja          | 2 --
 1 file changed, 2 deletions(-)

diff --git a/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja b/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja
index 51e691176..6d7b71415 100644
--- a/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja
@@ -34,10 +34,8 @@ output {
       template_name => "so-osquery"
       template => "/templates/so-osquery-template.json"
       template_overwrite => true
-      {%- if grains['role'] in ['so-node','so-heavynode'] %}
       ssl => true
       ssl_certificate_verification => false
-      {%- endif %}
     }
   }
 }

From a496b03de70b21267b9d77cf069d4e9d45456609 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Tue, 9 Mar 2021 20:52:34 -0500
Subject: [PATCH 2/7] Add missing MTU var for automation of advanced sensor

---
 setup/automation/distributed-iso-sensor | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup/automation/distributed-iso-sensor b/setup/automation/distributed-iso-sensor
index 5df368336..9752e0f24 100644
--- a/setup/automation/distributed-iso-sensor
+++ b/setup/automation/distributed-iso-sensor
@@ -50,7 +50,7 @@ MNIC=eth0
 # MSEARCH=
 MSRV=distributed-manager
 MSRVIP=10.66.166.42
-# MTU=
+MTU=1500
 # NIDS=Suricata
 # NODE_ES_HEAP_SIZE=
 # NODE_LS_HEAP_SIZE=

From 46af6a5c84f016e6c3026f440e5aace8cc9209d1 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Wed, 10 Mar 2021 08:14:25 -0500
Subject: [PATCH 3/7] Ensure MTU is defined for advanced sensor automation

---
 setup/automation/distributed-net-ubuntu-suricata-sensor | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup/automation/distributed-net-ubuntu-suricata-sensor b/setup/automation/distributed-net-ubuntu-suricata-sensor
index 6aa32c03d..6feadd6a4 100644
--- a/setup/automation/distributed-net-ubuntu-suricata-sensor
+++ b/setup/automation/distributed-net-ubuntu-suricata-sensor
@@ -50,7 +50,7 @@ MNIC=ens18
 # MSEARCH=
 MSRV=distributed-manager
 MSRVIP=10.66.166.66
-# MTU=
+MTU=1500
 # NIDS=Suricata
 # NODE_ES_HEAP_SIZE=
 # NODE_LS_HEAP_SIZE=

From 18203513abf657cff09427665dcab09688b5e8fb Mon Sep 17 00:00:00 2001
From: Mike Reeves <luke@geekempire.com>
Date: Wed, 10 Mar 2021 09:14:14 -0500
Subject: [PATCH 4/7] Update cert location for eval.import

---
 salt/filebeat/etc/filebeat.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index b6aa218ef..c680d61c1 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -261,6 +261,7 @@ output.{{ type }}:
 output.elasticsearch:
   enabled: true
   hosts: ["https://{{ MANAGER }}:9200"]
+  ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"]
   pipelines:
     - pipeline: "%{[module]}.%{[dataset]}"
   indices:

From 180bba782e954e88bbc4d0c2672b7215165e0cef Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Wed, 10 Mar 2021 09:26:11 -0500
Subject: [PATCH 5/7] Expose zeek and suri pins for automation

---
 setup/automation/distributed-iso-sensor                 | 2 ++
 setup/automation/distributed-net-ubuntu-suricata-sensor | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/setup/automation/distributed-iso-sensor b/setup/automation/distributed-iso-sensor
index 9752e0f24..955019bd8 100644
--- a/setup/automation/distributed-iso-sensor
+++ b/setup/automation/distributed-iso-sensor
@@ -71,8 +71,10 @@ PATCHSCHEDULENAME=auto
 SOREMOTEPASS1=onionuser
 SOREMOTEPASS2=onionuser
 # STRELKA=1
+SURIPINS=(2 3)
 # THEHIVE=1
 # WAZUH=1
 # WEBUSER=onionuser@somewhere.invalid
 # WEBPASSWD1=0n10nus3r
 # WEBPASSWD2=0n10nus3r
+ZEEKPINS=(0 1)
diff --git a/setup/automation/distributed-net-ubuntu-suricata-sensor b/setup/automation/distributed-net-ubuntu-suricata-sensor
index 6feadd6a4..9489fb0f4 100644
--- a/setup/automation/distributed-net-ubuntu-suricata-sensor
+++ b/setup/automation/distributed-net-ubuntu-suricata-sensor
@@ -71,8 +71,10 @@ PATCHSCHEDULENAME=auto
 SOREMOTEPASS1=onionuser
 SOREMOTEPASS2=onionuser
 # STRELKA=1
+SURIPINS=(2 3)
 # THEHIVE=1
 # WAZUH=1
 # WEBUSER=onionuser@somewhere.invalid
 # WEBPASSWD1=0n10nus3r
 # WEBPASSWD2=0n10nus3r
+ZEEKPINS=(0 1)
\ No newline at end of file

From 3eb4a37c7600a0869a426b0c27e948389f16626f Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Wed, 10 Mar 2021 09:26:46 -0500
Subject: [PATCH 6/7] Expose zeek and suri pins for automation

---
 setup/automation/distributed-net-ubuntu-suricata-sensor | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup/automation/distributed-net-ubuntu-suricata-sensor b/setup/automation/distributed-net-ubuntu-suricata-sensor
index 9489fb0f4..5540e4211 100644
--- a/setup/automation/distributed-net-ubuntu-suricata-sensor
+++ b/setup/automation/distributed-net-ubuntu-suricata-sensor
@@ -77,4 +77,4 @@ SURIPINS=(2 3)
 # WEBUSER=onionuser@somewhere.invalid
 # WEBPASSWD1=0n10nus3r
 # WEBPASSWD2=0n10nus3r
-ZEEKPINS=(0 1)
\ No newline at end of file
+ZEEKPINS=(0 1)

From 85aaa710063e4b1bc414f794437fd935c888a3bf Mon Sep 17 00:00:00 2001
From: Doug Burks <doug.burks@gmail.com>
Date: Thu, 11 Mar 2021 08:01:27 -0500
Subject: [PATCH 7/7] FIX: Improve DHCP leases query in Hunt #3395

---
 salt/soc/files/soc/hunt.queries.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/soc/files/soc/hunt.queries.json b/salt/soc/files/soc/hunt.queries.json
index 5f3a359b5..840b4b373 100644
--- a/salt/soc/files/soc/hunt.queries.json
+++ b/salt/soc/files/soc/hunt.queries.json
@@ -17,7 +17,7 @@
           { "name": "Connections", "description": "Connections grouped by destination country", "query": "event.dataset:conn | groupby destination.geo.country_name"},
           { "name": "Connections", "description": "Connections grouped by source country", "query": "event.dataset:conn | groupby source.geo.country_name"},
           { "name": "DCE_RPC", "description": "DCE_RPC grouped by operation", "query": "event.dataset:dce_rpc | groupby dce_rpc.operation"},
-          { "name": "DHCP", "description": "DHCP leases", "query": "event.dataset:dhcp | groupby host.hostname host.domain"},
+          { "name": "DHCP", "description": "DHCP leases", "query": "event.dataset:dhcp | groupby host.hostname client.address"},
           { "name": "DHCP", "description": "DHCP grouped by message type", "query": "event.dataset:dhcp | groupby dhcp.message_types"},
           { "name": "DNP3", "description": "DNP3 grouped by reply", "query": "event.dataset:dnp3 | groupby dnp3.fc_reply"},
           { "name": "DNS", "description": "DNS queries grouped by port", "query": "event.dataset:dns | groupby dns.query.name destination.port"},