Merge pull request #8807 from Security-Onion-Solutions/2.4/dev-ocd

initial quick OCD pass

salt/elastalert/soc_elastalert.yaml

@@ -24,7 +24,7 @@ elastalert:
       global: True
       helpLink: elastalert.html
     max_query_size:
-      description: The maximum number of documents that will be downloaded from Elasticsearch in a single query.
+      description: The maximum number of documents that will be returned from Elasticsearch in a single query.
       global: True
       helpLink: elastalert.html
     alert_time_limit:
@@ -34,10 +34,10 @@ elastalert:
         helpLink: elastalert.html
     index_settings:
       shards:
-        description: The amount of shards to use for elastalert.
+        description: The number of shards for elastalert indices.
         global: True
         helpLink: elastalert.html
       replicas:
-        description: The amount of replicas for the Elastalert index.
+        description: The number of replicas for elastalert indices.
         global: True
         helpLink: elastalert.html

salt/elasticsearch/soc_elasticsearch.yaml

@@ -72,7 +72,7 @@ elasticsearch:
                   global: True
                   helpLink: elasticsearch.html
               number_of_replicas: 
-                  description: Number of replicas required for this index. Multiple replicas protects against data loss, while also increasing storage costs.
+                  description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs.
                   global: True
                   helpLink: elasticsearch.html
     so-azure: *indexSettings
@@ -116,4 +116,4 @@ elasticsearch:
     so-syslog: *indexSettings
     so-tomcat: *indexSettings
     so-zeek: *indexSettings
-    so-zscaler: *indexSettings
+    so-zscaler: *indexSettings

salt/firewall/soc_firewall.yaml

@@ -1,109 +1,109 @@
 firewall:
   hostgroups:
     analyst_workstations:
-      description: List of IP Addresses or CIDR blocks to allow analyst workstations.
+      description: List of IP addresses or CIDR blocks to allow analyst workstations.
       file: True
       global: True
       title: Analyst Workstations
       helpLink: firewall.html#host-groups
     analyst: 
-      description: List of IP Addresses or CIDR blocks to allow analyst connections.
+      description: List of IP addresses or CIDR blocks to allow analyst connections.
       file: True
       global: True
       title: Analyst
       helpLink: firewall.html#host-groups
     beats_endpoint:
-      description: List of IP Addresses or CIDR blocks of standard beats without encryption.
+      description: List of IP addresses or CIDR blocks of standard beats without encryption.
       file: True
       global: True
       title: Beats Endpoints
       helpLink: firewall.html#host-groups
     beats_endpoint_ssl:
-      description: List of IP Addresses or CIDR blocks of standard beats with encryption.
+      description: List of IP addresses or CIDR blocks of standard beats with encryption.
       file: True
       global: True
       title: Beats Endpoints SSL
       helplink: firewall.html#host-groups
     elastic_agent_endpoint:
-      description: List of IP Addresses or CIDR blocks for Elastic Agent connections.
+      description: List of IP addresses or CIDR blocks for Elastic Agent connections.
       file: True
       global: True
       title: Elastic Agents
       helplink: firewall.html#host-groups
     elasticsearch_rest:
-      description: List of IP Addresses or CIDR blocks to allow access directly to Elasticsearch.
+      description: List of IP addresses or CIDR blocks to allow access directly to Elasticsearch.
       file: True
       global: True
       title: Elasticsearch Rest
       advanced: True
       helplink: firewall.html#host-groups
     endgame:
-      description: List of IP Addresses or CIDR blocks to allow endgame access.
+      description: List of IP addresses or CIDR blocks to allow Endgame access.
       file: True
       global: True
       title: Endgame
       advanced: True
       helplink: firewall.html#host-groups
     strelka_frontend:
-      description: List of IP Addresses or CIDR blocks to allow access to the Strelka front end.
+      description: List of IP addresses or CIDR blocks to allow access to the Strelka front end.
       file: True
       global: True
       title: Strelka Frontend
       advanced: True
       helplink: firewall.html#host-groups
     syslog:
-      description: List of IP Addresses or CIDR blocks to allow syslog.
+      description: List of IP addresses or CIDR blocks to allow syslog.
       file: True
       global: True
       title: Syslog Endpoint Traffic
       helplink: firewall.html#host-groups
     standalone: 
-      description: List of IP Addresses or CIDR blocks to allow standalone connections.
+      description: List of IP addresses or CIDR blocks to allow standalone connections.
       file: True
       global: True
       title: Standalone
       advanced: True
       helpLink: firewall.html#host-groups
     eval: 
-      description: List of IP Addresses or CIDR blocks to allow eval connections.
+      description: List of IP addresses or CIDR blocks to allow eval connections.
       file: True
       global: True
       title: Eval
       advanced: True
       helpLink: firewall.html#host-groups
     idh: 
-      description: List of IP Addresses or CIDR blocks to allow idh connections.
+      description: List of IP addresses or CIDR blocks to allow idh connections.
       file: True
       global: True
       title: IDH Nodes
       helpLink: firewall.html#host-groups
     manager: 
-      description: List of IP Addresses or CIDR blocks to allow manager connections.
+      description: List of IP addresses or CIDR blocks to allow manager connections.
       file: True
       global: True
       title: Manager
       advanced: True
       helpLink: firewall.html#host-groups
     heavynodes: 
-      description: List of IP Addresses or CIDR blocks to allow heavynode connections.
+      description: List of IP addresses or CIDR blocks to allow heavynode connections.
       file: True
       global: True
       title: Heavy Nodes
       helpLink: firewall.html#host-groups
     searchnodes: 
-      description: List of IP Addresses or CIDR blocks to allow searchnode connections.
+      description: List of IP addresses or CIDR blocks to allow searchnode connections.
       file: True
       global: True
       title: Search Nodes
       helpLink: firewall.html#host-groups
     sensors:
-      description: List of IP Addresses or CIDR blocks to allow Sensor connections.
+      description: List of IP addresses or CIDR blocks to allow Sensor connections.
       file: True
       global: True
       title: Sensors
       helpLink: firewall.html#host-groups
     receivers: 
-      description: List of IP Addresses or CIDR blocks to allow receiver connections.
+      description: List of IP addresses or CIDR blocks to allow receiver connections.
       file: True
       global: True
       title: Receivers

salt/grafana/soc_grafana.yaml

@@ -10,20 +10,20 @@ grafana:
         global: True
         helpLink: grafana.html
       user: 
-        description: User used to authenticate SMTP.
+        description: Username for the SMTP server.
         global: True
         helpLink: grafana.html
       password: 
-        description: Password used to authenticate SMTP.
+        description: Password for the SMTP server.
         global: True
         sensitive: True
         helpLink: grafana.html
       cert_file: 
-        description: Location of cert file for SMTP.
+        description: Location of cert file for the SMTP server.
         global: True
         helpLink: grafana.html
       key_file: 
-        description: Location of key file for SMTP.
+        description: Location of key file for the SMTP server.
         global: True
         helpLink: grafana.html
       skip_verify: 
@@ -31,15 +31,15 @@ grafana:
         global: True
         helpLink: grafana.html
       from_address: 
-        description: The email address you would like in the from field.
+        description: The email address you would like in the From field.
         global: True
         helpLink: grafana.html
       from_name: 
-        description: The name displayed for the from email address.
+        description: The name displayed for the From email address.
         global: True
         helpLink: grafana.html
       ehlo_identity: 
-        description: Used with servers with SMTP service extensions.
+        description: Used for servers with SMTP service extensions.
         global: True
         helpLink: grafana.html
     enterprise:

salt/idstools/soc_idstools.yaml

@@ -3,18 +3,18 @@ idstools:
     oinkcode:
       description: Enter your registration code for paid rulesets.
       global: True
-      helpLink: managing-alerts.html
+      helpLink: managing-rules.html
     ruleset:
       description: Define the ruleset you want to run. Options are ETOPEN or ETPRO.
       global: True
-      helpLink: managing-alerts.html
+      helpLink: managing-rules.html
     urls:
       description: This is a list of additional rule download locations.
       global: True
-      helpLink: managing-alerts.html
+      helpLink: managing-rules.html
   sids:
     disabled:
-      description: List of disables SIDS.
+      description: List of SIDS that you want to disable.
       global: True
       helpLink: managing-alerts.html
     enabled:
@@ -22,7 +22,7 @@ idstools:
       global: True
       helpLink: managing-alerts.html
     modify:
-      description: List of SIDS that are modified.
+      description: List of SIDS that you want to modify.
       global: True
       helpLink: managing-alerts.html
   rules:
@@ -32,18 +32,18 @@ idstools:
       global: True
       advanced: True
       title: Local Rules
-      helpLink: managing-alerts.html
+      helpLink: local-rules.html
     filters__rules:
-      description: You can set custom filters for Suricata when using it for meta data creation.
+      description: If you are using Suricata for metadata, then you can set custom filters for that metadata here.
       file: True
       global: True
       advanced: True
       title: Filter Rules
-      helpLink: managing-alerts.html
+      helpLink: suricata.html
     extraction__rules:
-      description: This is a list of mime types for file extraction when Suricata is used for meta data creation.
+      description: If you are using Suricata for metadata, then you can set a list of MIME types for file extraction here.
       file: True
       global: True
       advanced: True
       title: Extraction Rules
-      helpLink: managing-alerts.html
+      helpLink: suricata.html

salt/kibana/soc_kibana.yaml

@@ -2,6 +2,6 @@ kibana:
   config:
     elasticsearch:
       requestTimeout:
-        description: Request timeout length.
+        description: The length of time before the request reaches timeout.
         global: True
         helpLink: kibana.html

salt/nginx/soc_nginx.yaml

@@ -1,22 +1,22 @@
 nginx:
   config:
     replace_cert:
-      description: Replace the Security Onion Certificate with your own?
+      description: Enable this if you would like to replace the Security Onion Certificate with your own.
       global: True
       advanced: True
       title: Replace Default Cert
       helpLink: nginx.html
     ssl__key:
-      description: Paste your .key file here
+      description: If you enabled the replace_cert option, paste your .key file here.
       file: True
       title: SSL Key File
       advanced: True
       global: True
       helpLink: nginx.html
     ssl__crt:
-      description: Paste your .crt file here
+      description: If you enabled the replace_cert option, paste your .crt file here.
       file: True
       title: SSL Cert File
       advanced: True
       global: True
-      helpLink: nginx.html
+      helpLink: nginx.html

salt/pcap/soc_pcap.yaml

@@ -1,20 +1,20 @@
 pcap:
   enabled: 
-    description: Enable or Disable Stenographer on all sensors or a single sensor
+    description: You can enable or disable Stenographer on all sensors or a single sensor.
     helpLink: pcap.html
   config:
     maxdirectoryfiles:
-      description: The maximum number of packet/index files to create before deleting old files. The default is about 8 days regardless of free space. 
+      description: The maximum number of packet/index files to create before deleting old files.
       helpLink: pcap.html
     diskfreepercentage:
-      description: The disk space percent to always keep free for pcap
+      description: The disk space percent to always keep free for PCAP
       helpLink: pcap.html
     blocks:
       description: The number of 1MB packet blocks used by AF_PACKET to store packets in memory, per thread. You shouldn't need to change this. 
       advanced: True
       helpLink: pcap.html
     preallocate_file_mb:
-      description: File size to pre-allocate for individual pcap files. You shouldn't need to change this. 
+      description: File size to pre-allocate for individual PCAP files. You shouldn't need to change this. 
       advanced: True
       helpLink: pcap.html
     aiops:
@@ -26,7 +26,7 @@ pcap:
       advanced: True
       helpLink: pcap.html
     cpus_to_pin_to:
-      description: CPU to pin PCAP to. Currently only a single CPU is supported
+      description: CPU to pin PCAP to. Currently only a single CPU is supported.
       advanced: True
       helpLink: pcap.html
     disks:

salt/soc/soc_soc.yaml

@@ -7,25 +7,25 @@ soc:
         file: True
         global: True
         syntax: md
-        helpLink: soc.html
+        helpLink: soc-customization.html
       motd__md:
         title: Overview Page
-        description: Customize the overview page with specific markdown-formatted content. Images can be used but must be hosted from another host that is accessible by the users' browser.
+        description: Customize the overview page with specific markdown-formatted content. Images can be used but must be hosted from another host that is accessible by the user's browser.
         file: True
         global: True
         syntax: md
-        helpLink: soc.html
+        helpLink: soc-customization.html
       custom__js:
         title: Custom Javascript
         description: Customize SOC UI behavior with custom Javascript code. Custom Javascript not provided by Security Onion Solutions is unsupported, and should be removed prior to requesting support and prior to performing upgrades.
         file: True
         global: True
         advanced: True
-        helpLink: soc.html
+        helpLink: soc-customization.html
       custom_roles:
         title: Custom Roles
-        description: Customize role and permission mappings. Changes to this setting requires a complete understanding of the SOC RBAC system.
+        description: Customize role and permission mappings. Changing this setting requires a complete understanding of the SOC RBAC system.
         file: True
         global: True
         advanced: True
-        helpLink: soc.html
+        helpLink: soc-customization.html

salt/suricata/soc_suricata.yaml

@@ -10,80 +10,80 @@ suricata:
     vars:
       address-groups:
         HOME_NET:
-          description: List of hosts or netowrks.
+          description: List of hosts or networks.
           helpLink: suricata.html
         EXTERNAL_NET: 
-          description: List of hosts or netowrks.
+          description: List of hosts or networks.
           helpLink: suricata.html
         HTTP_SERVERS: 
-          description: List of hosts or netowrks.
+          description: List of hosts or networks.
           helpLink: suricata.html
         SMTP_SERVERS: 
-          description: List of hosts or netowrks.
+          description: List of hosts or networks.
           helpLink: suricata.html
         SQL_SERVERS: 
-          description: List of hosts or netowrks.
+          description: List of hosts or networks.
           helpLink: suricata.html
         DNS_SERVERS: 
-          description: List of hosts or netowrks.
+          description: List of hosts or networks.
           helpLink: suricata.html
         TELNET_SERVERS:
-          description: List of hosts or netowrks.
+          description: List of hosts or networks.
           helpLink: suricata.html
         AIM_SERVERS: 
-          description: List of hosts or netowrks.
+          description: List of hosts or networks.
           helpLink: suricata.html
         DC_SERVERS:
-          description: List of hosts or netowrks.
+          description: List of hosts or networks.
           helpLink: suricata.html
         DNP3_SERVER:
-          description: List of hosts or netowrks.
+          description: List of hosts or networks.
           helpLink: suricata.html
         DNP3_CLIENT: 
-          description: List of hosts or netowrks.
+          description: List of hosts or networks.
           helpLink: suricata.html
         MODBUS_CLIENT: 
-          description: List of hosts or netowrks.
+          description: List of hosts or networks.
           helpLink: suricata.html
         MODBUS_SERVER:
-          description: List of hosts or netowrks.
+          description: List of hosts or networks.
           helpLink: suricata.html
         ENIP_CLIENT:
-          description: List of hosts or netowrks.
+          description: List of hosts or networks.
           helpLink: suricata.html
         ENIP_SERVER:
-          description: List of hosts or netowrks. 
+          description: List of hosts or networks. 
           helpLink: suricata.html
       port-groups:
         HTTP_PORTS:
-          description: List of HTTP ports to look for HTTP traffic on.
+          description: List of ports to look for HTTP traffic on.
           helpLink: suricata.html
         SHELLCODE_PORTS:
-          description: List of SHELLCODE ports to look for SHELLCODE traffic on.
+          description: List of ports to look for SHELLCODE traffic on.
           helpLink: suricata.html
         ORACLE_PORTS: 
-          description: List of ORACLE ports to look for ORACLE traffic on.
+          description: List of ports to look for ORACLE traffic on.
           helpLink: suricata.html
         SSH_PORTS:
-          description: List of SSH ports to look for SSH traffic on.
+          description: List of ports to look for SSH traffic on.
           helpLink: suricata.html
         DNP3_PORTS:
-          description: List of DNP3 ports to look for DNP3 traffic on.
+          description: List of ports to look for DNP3 traffic on.
           helpLink: suricata.html
         MODBUS_PORTS:
-          description: List of MODBUS ports to look for MODBUS traffic on.
+          description: List of ports to look for MODBUS traffic on.
           helpLink: suricata.html
         FILE_DATA_PORTS: 
-          description: List of FILE_DATA ports to look for FILE_DATA traffic on.
+          description: List of ports to look for FILE_DATA traffic on.
           helpLink: suricata.html
         FTP_PORTS:
-          description: List of FTP ports to look for FTP traffic on.
+          description: List of ports to look for FTP traffic on.
           helpLink: suricata.html
         VXLAN_PORTS:
-          description: List of VXLAN ports to look for VXLAN traffic on.
+          description: List of ports to look for VXLAN traffic on.
           helpLink: suricata.html
         TEREDO_PORTS:
-          description: List of TEREDO ports to look for TEREDO traffic on.
+          description: List of ports to look for TEREDO traffic on.
           helpLink: suricata.html
     outputs:
       eve-log:
@@ -180,4 +180,4 @@ suricata:
           helpLink: suricata.html
         ports: 
           description: Ports to listen for. This should be a variable.    
-          helpLink: suricata.html
+          helpLink: suricata.html

salt/zeek/soc_zeek.yaml

@@ -1,36 +1,44 @@
 zeek:
   logging:
     enabled:
-      description: This is a list of zeek logs that will be shipped through the pipeline. If you remove a log from this list it will still persist on the sensor.
+      description: This is a list of Zeek logs that will be shipped through the pipeline. If you remove a log from this list, it will still persist on the sensor.
+      helpLink: zeek.html
   config:
     local:
       '@load':
         description: List of Zeek policies to load
+        helpLink: zeek.html
       '@load-sigs':
         description: List of Zeek signatures to load
+        helpLink: zeek.html
     node:
       lb_procs:
-        description: This is the amount of CPUs to use for Zeek. This setting is ignored if you are using pins.
+        description: This is the number of CPUs to use for Zeek. This setting is ignored if you are using pins.
+        helpLink: zeek.html
         node: True
       pins_enabled:
-        description: Enabled CPU pinning
+        description: Enabling this setting allows you to pin Zeek to specific CPUs.
+        helpLink: zeek.html
         node: True
         advanced: True
       pins:
-        description: List of CPUs you want to pin to
+        description: This is a list of CPUs you want to pin Zeek to.
+        helpLink: zeek.html
         node: True
         advanced: True
     zeekctl:
       CompressLogs:
-        description: Enable compression of zeek logs. If you are seeing packet loss at the top of the hour in zeek or pcap you might need to set this to 0. This will use more disk space but save IO and CPU.
+        description: This setting enables compression of Zeek logs. If you are seeing packet loss at the top of the hour in Zeek or PCAP you might need to disable this by seting it to 0. This will use more disk space but save IO and CPU.
+        helpLink: zeek.html
   policy:
     custom:
       filters: 
         conn:
           description: Conn Filter for Zeek. This is an advanced setting and will take further action to enable.
+          helpLink: zeek.html
           file: True
           global: True
           advanced: True
   file_extraction:
-    description: This is a list of mime types Zeek will extract from the network streams.
+    description: This is a list of MIME types that Zeek will extract from the network streams.
-  
+    helpLink: zeek.html