Merge remote-tracking branch 'remotes/origin/dev' into issue/3264

2025-12-18 15:02:50 +01:00 · 2021-03-11 10:55:19 -05:00
parent 3b74d987c1 adb25d63d2
commit 465253a769
5 changed files with 8 additions and 5 deletions
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -261,6 +261,7 @@ output.{{ type }}:
 output.elasticsearch:
  enabled: true
  hosts: ["https://{{ MANAGER }}:9200"]
  ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"]
  pipelines:
    - pipeline: "%{[module]}.%{[dataset]}"
  indices:
--- a/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja
@@ -34,10 +34,8 @@ output {
      template_name => "so-osquery"
      template => "/templates/so-osquery-template.json"
      template_overwrite => true
      {%- if grains['role'] in ['so-node','so-heavynode'] %}
      ssl => true
      ssl_certificate_verification => false
      {%- endif %}
    }
  }
 }
--- a/salt/soc/files/soc/hunt.queries.json
+++ b/salt/soc/files/soc/hunt.queries.json
@@ -17,7 +17,7 @@
          { "name": "Connections", "description": "Connections grouped by destination country", "query": "event.dataset:conn | groupby destination.geo.country_name"},
          { "name": "Connections", "description": "Connections grouped by source country", "query": "event.dataset:conn | groupby source.geo.country_name"},
          { "name": "DCE_RPC", "description": "DCE_RPC grouped by operation", "query": "event.dataset:dce_rpc | groupby dce_rpc.operation"},
-          { "name": "DHCP", "description": "DHCP leases", "query": "event.dataset:dhcp | groupby host.hostname host.domain"},
+          { "name": "DHCP", "description": "DHCP leases", "query": "event.dataset:dhcp | groupby host.hostname client.address"},
          { "name": "DHCP", "description": "DHCP grouped by message type", "query": "event.dataset:dhcp | groupby dhcp.message_types"},
          { "name": "DNP3", "description": "DNP3 grouped by reply", "query": "event.dataset:dnp3 | groupby dnp3.fc_reply"},
          { "name": "DNS", "description": "DNS queries grouped by port", "query": "event.dataset:dns | groupby dns.query.name destination.port"},
--- a/setup/automation/distributed-iso-sensor
+++ b/setup/automation/distributed-iso-sensor
@@ -50,7 +50,7 @@ MNIC=eth0
 # MSEARCH=
 MSRV=distributed-manager
 MSRVIP=10.66.166.42
-# MTU=
+MTU=1500
 # NIDS=Suricata
 # NODE_ES_HEAP_SIZE=
 # NODE_LS_HEAP_SIZE=
@@ -71,8 +71,10 @@ PATCHSCHEDULENAME=auto
 SOREMOTEPASS1=onionuser
 SOREMOTEPASS2=onionuser
 # STRELKA=1
 SURIPINS=(2 3)
 # THEHIVE=1
 # WAZUH=1
 # WEBUSER=onionuser@somewhere.invalid
 # WEBPASSWD1=0n10nus3r
 # WEBPASSWD2=0n10nus3r
 ZEEKPINS=(0 1)
--- a/setup/automation/distributed-net-ubuntu-suricata-sensor
+++ b/setup/automation/distributed-net-ubuntu-suricata-sensor
@@ -50,7 +50,7 @@ MNIC=ens18
 # MSEARCH=
 MSRV=distributed-manager
 MSRVIP=10.66.166.66
-# MTU=
+MTU=1500
 # NIDS=Suricata
 # NODE_ES_HEAP_SIZE=
 # NODE_LS_HEAP_SIZE=
@@ -71,8 +71,10 @@ PATCHSCHEDULENAME=auto
 SOREMOTEPASS1=onionuser
 SOREMOTEPASS2=onionuser
 # STRELKA=1
 SURIPINS=(2 3)
 # THEHIVE=1
 # WAZUH=1
 # WEBUSER=onionuser@somewhere.invalid
 # WEBPASSWD1=0n10nus3r
 # WEBPASSWD2=0n10nus3r
 ZEEKPINS=(0 1)