diff --git a/.github/DISCUSSION_TEMPLATE/2-4.yml b/.github/DISCUSSION_TEMPLATE/2-4.yml index 229e9f612..e1c95b652 100644 --- a/.github/DISCUSSION_TEMPLATE/2-4.yml +++ b/.github/DISCUSSION_TEMPLATE/2-4.yml @@ -33,6 +33,8 @@ body: - 2.4.180 - 2.4.190 - 2.4.200 + - 2.4.201 + - 2.4.210 - Other (please provide detail below) validations: required: true @@ -94,7 +96,7 @@ body: attributes: label: Hardware Specs description: > - Does your hardware meet or exceed the minimum requirements for your installation type as shown at https://docs.securityonion.net/en/2.4/hardware.html? + Does your hardware meet or exceed the minimum requirements for your installation type as shown at https://securityonion.net/docs/hardware? options: - - Meets minimum requirements diff --git a/DOWNLOAD_AND_VERIFY_ISO.md b/DOWNLOAD_AND_VERIFY_ISO.md index 30da22f2f..8ca95288f 100644 --- a/DOWNLOAD_AND_VERIFY_ISO.md +++ b/DOWNLOAD_AND_VERIFY_ISO.md @@ -1,17 +1,17 @@ -### 2.4.201-20260114 ISO image released on 2026/1/15 +### 2.4.210-20260302 ISO image released on 2026/03/02 ### Download and Verify -2.4.201-20260114 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.4.201-20260114.iso +2.4.210-20260302 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.4.210-20260302.iso -MD5: 20E926E433203798512EF46E590C89B9 -SHA1: 779E4084A3E1A209B494493B8F5658508B6014FA -SHA256: 3D10E7C885AEC5C5D4F4E50F9644FF9728E8C0A2E36EBB8C96B32569685A7C40 +MD5: 575F316981891EBED2EE4E1F42A1F016 +SHA1: 600945E8823221CBC5F1C056084A71355308227E +SHA256: A6AA6471125F07FA6E2796430E94BEAFDEF728E833E9728FDFA7106351EBC47E Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.201-20260114.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.210-20260302.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS 
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2. Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.201-20260114.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.210-20260302.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.4.201-20260114.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.4.210-20260302.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.4.201-20260114.iso.sig securityonion-2.4.201-20260114.iso +gpg --verify securityonion-2.4.210-20260302.iso.sig securityonion-2.4.210-20260302.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Wed 14 Jan 2026 05:23:39 PM EST using RSA key ID FE507013 +gpg: Signature made Mon 02 Mar 2026 11:55:24 AM EST using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. @@ -50,4 +50,4 @@ Primary key fingerprint: C804 A93D 36BE 0C73 3EA1 9644 7C10 60B7 FE50 7013 If it fails to verify, try downloading again. If it still fails to verify, try downloading from another computer or another network. Once you've verified the ISO image, you're ready to proceed to our Installation guide: -https://docs.securityonion.net/en/2.4/installation.html +https://securityonion.net/docs/installation diff --git a/README.md b/README.md index 530a21813..3e4402381 100644 --- a/README.md +++ b/README.md 
@@ -27,24 +27,24 @@ Config ### Release Notes -https://docs.securityonion.net/en/2.4/release-notes.html +https://securityonion.net/docs/release-notes ### Requirements -https://docs.securityonion.net/en/2.4/hardware.html +https://securityonion.net/docs/hardware ### Download -https://docs.securityonion.net/en/2.4/download.html +https://securityonion.net/docs/download ### Installation -https://docs.securityonion.net/en/2.4/installation.html +https://securityonion.net/docs/installation ### FAQ -https://docs.securityonion.net/en/2.4/faq.html +https://securityonion.net/docs/faq ### Feedback -https://docs.securityonion.net/en/2.4/community-support.html +https://securityonion.net/docs/community-support diff --git a/VERSION b/VERSION index a16ed1915..4a36342fc 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -UNRELEASED +3.0.0 diff --git a/pillar/ca/init.sls b/pillar/ca/init.sls new file mode 100644 index 000000000..7d1ea9702 --- /dev/null +++ b/pillar/ca/init.sls @@ -0,0 +1,2 @@ +ca: + server: diff --git a/pillar/top.sls b/pillar/top.sls index d25aeecfa..ec4748469 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -1,5 +1,6 @@ base: '*': + - ca - global.soc_global - global.adv_global - docker.soc_docker diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja index 2393f92d7..959902241 100644 --- a/salt/allowed_states.map.jinja +++ b/salt/allowed_states.map.jinja @@ -15,11 +15,7 @@ 'salt.minion-check', 'sensoroni', 'salt.lasthighstate', - 'salt.minion' -] %} - -{% set ssl_states = [ - 'ssl', + 'salt.minion', 'telegraf', 'firewall', 'schedule', @@ -28,7 +24,7 @@ {% set manager_states = [ 'salt.master', - 'ca', + 'ca.server', 'registry', 'manager', 'nginx', 
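Review bot: The first allowed_states hunk folds the former `ssl_states` list into the minion-level list but drops the `'ssl'` entry itself, and no other hunk in this diff adds `ssl` to any allowed list, so if `ssl/init.sls` still carries the usual `sls in allowed_states` guard and any role still applies it (ca/remove.sls continues to include `ssl.remove`), that state now fails as not allowed. If `ssl` is intentionally retired in favour of `ca.trustca` plus per-service `*.ssl` states, a comment on the list such as `{# 'ssl' retired: CA trust comes from ca.trustca, service certs from <service>.ssl #}` would stop the next reader from re-adding it; if it is still applied anywhere, re-add `'ssl',` next to `'salt.minion',`. The set definition this hunk edits starts above the hunk.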
@@ -75,28 +71,24 @@ {# Map role-specific states #} {% set role_states = { 'so-eval': ( - ssl_states + manager_states + sensor_states + - elastic_stack_states | reject('equalto', 'logstash') | list + elastic_stack_states | reject('equalto', 'logstash') | list + + ['logstash.ssl'] ), 'so-heavynode': ( - ssl_states + sensor_states + ['elasticagent', 'elasticsearch', 'logstash', 'redis', 'nginx'] ), 'so-idh': ( - ssl_states + ['idh'] ), 'so-import': ( - ssl_states + manager_states + sensor_states | reject('equalto', 'strelka') | reject('equalto', 'healthcheck') | list + - ['elasticsearch', 'elasticsearch.auth', 'kibana', 'kibana.secrets', 'strelka.manager'] + ['elasticsearch', 'elasticsearch.auth', 'kibana', 'kibana.secrets', 'logstash.ssl', 'strelka.manager'] ), 'so-manager': ( - ssl_states + manager_states + ['salt.cloud', 'libvirt.packages', 'libvirt.ssh.users', 'strelka.manager'] + stig_states + @@ -104,7 +96,6 @@ elastic_stack_states ), 'so-managerhype': ( - ssl_states + manager_states + ['salt.cloud', 'strelka.manager', 'hypervisor', 'libvirt'] + stig_states + @@ -112,7 +103,6 @@ elastic_stack_states ), 'so-managersearch': ( - ssl_states + manager_states + ['salt.cloud', 'libvirt.packages', 'libvirt.ssh.users', 'strelka.manager'] + stig_states + @@ -120,12 +110,10 @@ elastic_stack_states ), 'so-searchnode': ( - ssl_states + ['kafka.ca', 'kafka.ssl', 'elasticsearch', 'logstash', 'nginx'] + stig_states ), 'so-standalone': ( - ssl_states + manager_states + ['salt.cloud', 'libvirt.packages', 'libvirt.ssh.users'] + sensor_states + 
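Review bot: `'logstash.ssl'` is added to the so-eval and so-import role lists only, while roles that also run logstash (so-heavynode here, and so-searchnode, so-fleet and so-receiver in the following hunk) do not receive it; if `logstash.ssl` carries an allowed_states guard those roles would be refused the state, so either entries are missing or the state is only meant for roles where logstash is co-located with the manager. A one-line comment next to the so-eval entry stating which of those it is would settle it, e.g. `{# logstash.ssl only for manager-colocated logstash; other roles get it via ... #}` with the actual mechanism filled in. The `role_states` mapping continues past this hunk.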
@@ -134,29 +122,24 @@ elastic_stack_states ), 'so-sensor': ( - ssl_states + sensor_states + ['nginx'] + stig_states ), 'so-fleet': ( - ssl_states + stig_states + ['logstash', 'nginx', 'healthcheck', 'elasticfleet'] ), 'so-receiver': ( - ssl_states + kafka_states + stig_states + ['logstash', 'redis'] ), 'so-hypervisor': ( - ssl_states + stig_states + ['hypervisor', 'libvirt'] ), 'so-desktop': ( - ['ssl', 'docker_clean', 'telegraf'] + stig_states ) } %} diff --git a/salt/bpf/macros.jinja b/salt/bpf/macros.jinja index 38cb8ed0d..1fcb1af7c 100644 --- a/salt/bpf/macros.jinja +++ b/salt/bpf/macros.jinja @@ -1,10 +1,12 @@ {% macro remove_comments(bpfmerged, app) %} {# remove comments from the bpf #} +{% set app_list = [] %} {% for bpf in bpfmerged[app] %} -{% if bpf.strip().startswith('#') %} -{% do bpfmerged[app].pop(loop.index0) %} +{% if not bpf.strip().startswith('#') %} +{% do app_list.append(bpf) %} {% endif %} {% endfor %} +{% do bpfmerged.update({app: app_list}) %} {% endmacro %} diff --git a/salt/bpf/pcap.map.jinja b/salt/bpf/pcap.map.jinja index 953b01a08..31e4bcaf4 100644 --- a/salt/bpf/pcap.map.jinja +++ b/salt/bpf/pcap.map.jinja @@ -13,7 +13,7 @@ {% endif %} {% if PCAPBPF %} - {% set PCAP_BPF_CALC = salt['cmd.run_all']('/usr/sbin/so-bpf-compile ' ~ GLOBALS.sensor.interface ~ ' ' ~ PCAPBPF|join(" "), cwd='/root') %} + {% set PCAP_BPF_CALC = salt['cmd.script']('salt://common/tools/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + PCAPBPF|join(" "),cwd='/root') %} {% if PCAP_BPF_CALC['retcode'] == 0 %} {% set PCAP_BPF_STATUS = 1 %} {% set STENO_BPF_COMPILED = ",\\\"--filter=" + PCAP_BPF_CALC['stdout'] + "\\\"" %} diff --git a/salt/bpf/suricata.map.jinja b/salt/bpf/suricata.map.jinja index 5ee1e5a92..0fdefd280 100644 --- a/salt/bpf/suricata.map.jinja +++ b/salt/bpf/suricata.map.jinja 
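Review bot: In the so-desktop entry the whole line `['ssl', 'docker_clean', 'telegraf'] +` is removed with no replacement (the hunk counts, 29 old lines to 24 new, confirm five removed lines and the other four are the `ssl_states +` lines), so so-desktop is left allowing `stig_states` alone. `telegraf` is now in the minion-wide list edited in the first hunk of this file, but `docker_clean` is not visible there, so desktop nodes appear to lose the `docker_clean` state unless it is provided elsewhere; if that is intended, `'so-desktop': ( stig_states )` deserves a comment saying where desktop's docker cleanup now comes from, otherwise the line should become `['docker_clean'] +`.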
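Review bot: The rebuild into `app_list` fixes the pop-while-iterating skip of the previous loop (popping an entry shifts the list so the next entry is never examined), but nothing in the macro says why it is written this way, so a later tidy-up could reintroduce the in-place pop; suggest `{# build a new list instead of popping in place: popping during iteration skips the entry after each removed one #}` above the `for`. Blank or whitespace-only entries still pass the filter, since only lines starting with `#` are dropped; if so-bpf-compile tolerates them that is fine, but a word in the same comment would make it explicit.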
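Review bot: The argument expression switches from `~` to `+` (`GLOBALS.sensor.interface + ' ' + PCAPBPF|join(" ")`), which changes the failure mode: `~` stringified the interface name, `+` raises a render error if `GLOBALS.sensor.interface` is ever not a string — presumably it always is, but `~` was the safer operator and costs nothing to keep. Why the compile script is now fetched from `salt://common/tools/sbin/so-bpf-compile` instead of the installed `/usr/sbin/so-bpf-compile` is not stated anywhere; a comment above the `set` naming the reason (for instance, that the script must work before the common state has deployed it) would help. The missing space in `,cwd='/root'` is a style nit. The same change is made in suricata.map.jinja and zeek.map.jinja and this note applies to both.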
@@ -9,7 +9,7 @@ {% set SURICATABPF = BPFMERGED.suricata %} {% if SURICATABPF %} - {% set SURICATA_BPF_CALC = salt['cmd.run_all']('/usr/sbin/so-bpf-compile ' ~ GLOBALS.sensor.interface ~ ' ' ~ SURICATABPF|join(" "), cwd='/root') %} + {% set SURICATA_BPF_CALC = salt['cmd.script']('salt://common/tools/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + SURICATABPF|join(" "),cwd='/root') %} {% if SURICATA_BPF_CALC['retcode'] == 0 %} {% set SURICATA_BPF_STATUS = 1 %} {% endif %} diff --git a/salt/bpf/zeek.map.jinja b/salt/bpf/zeek.map.jinja index 789648bdb..ac067bbe8 100644 --- a/salt/bpf/zeek.map.jinja +++ b/salt/bpf/zeek.map.jinja @@ -9,7 +9,7 @@ {% set ZEEKBPF = BPFMERGED.zeek %} {% if ZEEKBPF %} - {% set ZEEK_BPF_CALC = salt['cmd.run_all']('/usr/sbin/so-bpf-compile ' ~ GLOBALS.sensor.interface ~ ' ' ~ ZEEKBPF|join(" "), cwd='/root') %} + {% set ZEEK_BPF_CALC = salt['cmd.script']('salt://common/tools/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + ZEEKBPF|join(" "),cwd='/root') %} {% if ZEEK_BPF_CALC['retcode'] == 0 %} {% set ZEEK_BPF_STATUS = 1 %} {% endif %} diff --git a/salt/ca/dirs.sls b/salt/ca/dirs.sls deleted file mode 100644 index 36f37b760..000000000 --- a/salt/ca/dirs.sls +++ /dev/null @@ -1,4 +0,0 @@ -pki_issued_certs: - file.directory: - - name: /etc/pki/issued_certs - - makedirs: True diff --git a/salt/ca/init.sls b/salt/ca/init.sls index 895e8235a..3a0fdf91c 100644 --- a/salt/ca/init.sls +++ b/salt/ca/init.sls 
@@ -3,70 +3,10 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{% from 'allowed_states.map.jinja' import allowed_states %} -{% if sls in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} - include: - - ca.dirs - -/etc/salt/minion.d/signing_policies.conf: - file.managed: - - source: salt://ca/files/signing_policies.conf - -pki_private_key: - x509.private_key_managed: - - name: /etc/pki/ca.key - - keysize: 4096 - - passphrase: - - backup: True - {% if salt['file.file_exists']('/etc/pki/ca.key') -%} - - prereq: - - x509: /etc/pki/ca.crt - {%- endif %} - -pki_public_ca_crt: - x509.certificate_managed: - - name: /etc/pki/ca.crt - - signing_private_key: /etc/pki/ca.key - - CN: {{ GLOBALS.manager }} - - C: US - - ST: Utah - - L: Salt Lake City - - basicConstraints: "critical CA:true" - - keyUsage: "critical cRLSign, keyCertSign" - - extendedkeyUsage: "serverAuth, clientAuth" - - subjectKeyIdentifier: hash - - authorityKeyIdentifier: keyid:always, issuer - - days_valid: 3650 - - days_remaining: 0 - - backup: True - - replace: False - - require: - - sls: ca.dirs - - timeout: 30 - - retry: - attempts: 5 - interval: 30 - -mine_update_ca_crt: - module.run: - - mine.update: [] - - onchanges: - - x509: pki_public_ca_crt - -cakeyperms: - file.managed: - - replace: False - - name: /etc/pki/ca.key - - mode: 640 - - group: 939 - -{% else %} - -{{sls}}_state_not_allowed: - test.fail_without_changes: - - name: {{sls}}_state_not_allowed - +{% if GLOBALS.is_manager %} + - ca.server {% endif %} + - ca.trustca diff --git a/salt/ca/map.jinja b/salt/ca/map.jinja new file mode 100644 index 000000000..87641198d --- /dev/null +++ b/salt/ca/map.jinja @@ -0,0 +1,3 @@ +{% set CA = { + 'server': pillar.ca.server +}%} diff --git a/salt/ca/remove.sls b/salt/ca/remove.sls index 3af355951..181702b01 100644 --- a/salt/ca/remove.sls +++ b/salt/ca/remove.sls 
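Review bot: The signing policy that ca/init.sls used to manage (`/etc/salt/minion.d/signing_policies.conf`, plus the `/etc/pki/issued_certs` directory from the deleted ca.dirs) now lives in the new `ca/signing_policy.sls`, but neither the rewritten ca/init.sls nor ca/server.sls includes `ca.signing_policy`, and nothing else in this diff does; unless it is included from a state outside the diff, managers stop receiving the signing policy after this change — please confirm, and if it belongs with the CA server add `  - ca.signing_policy` under the `is_manager` branch. `GLOBALS.is_manager` (here) and `GLOBALS.is_sensor` (common/init.sls) are not defined in this diff; presumably they were added to vars/globals.map.jinja. The `sls in allowed_states` guard is gone from this file and now lives only in ca.server, which is consistent with `ca.trustca` being wanted on every node, but a one-line comment stating that is the intent would avoid someone re-adding it.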
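Review bot: `pillar.ca.server` in the new ca/map.jinja is a hard attribute lookup, so rendering this map on a minion whose pillar has no `ca` key (anything not yet refreshed after pillar/top.sls gained the `ca` entry, or a pillar merge that drops it) fails the whole render; `salt['pillar.get']('ca:server')` degrades to an empty value instead. Nothing in the diff populates or reads `CA.server` — pillar/ca/init.sls leaves it null — so a comment stating what the key is expected to hold would help the next reader.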
@@ -1,7 +1,35 @@ -pki_private_key: +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% set setup_running = salt['cmd.retcode']('pgrep -x so-setup') == 0 %} + +{% if setup_running%} + +include: + - ssl.remove + +remove_pki_private_key: file.absent: - name: /etc/pki/ca.key -pki_public_ca_crt: +remove_pki_public_ca_crt: file.absent: - name: /etc/pki/ca.crt + +remove_trusttheca: + file.absent: + - name: /etc/pki/tls/certs/intca.crt + +remove_pki_public_ca_crt_symlink: + file.absent: + - name: /opt/so/saltstack/local/salt/ca/files/ca.crt + +{% else %} + +so-setup_not_running: + test.show_notification: + - text: "This state is reserved for usage during so-setup." + +{% endif %} diff --git a/salt/ca/server.sls b/salt/ca/server.sls new file mode 100644 index 000000000..474e7c9fd --- /dev/null +++ b/salt/ca/server.sls 
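Review bot: The gate `salt['cmd.retcode']('pgrep -x so-setup') == 0` is evaluated at render time and matches only a process name, so the destructive branch — removing `/etc/pki/ca.key`, `/etc/pki/ca.crt` and the `intca.crt` trust anchor with no backup, plus whatever `ssl.remove` deletes — runs whenever anything named `so-setup` happens to be alive when the state is rendered, not only during a genuine setup run. If a stronger signal exists (a setup lock or marker file) it would be a safer condition; either way a header comment such as `# Only so-setup should apply this state: it deletes the CA private key, CA cert and trust anchor, and includes ssl.remove` documents the intent. `{% if setup_running%}` is missing the space before `%}`, harmless but inconsistent with the rest of the file.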
@@ -0,0 +1,63 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} + +pki_private_key: + x509.private_key_managed: + - name: /etc/pki/ca.key + - keysize: 4096 + - passphrase: + - backup: True + {% if salt['file.file_exists']('/etc/pki/ca.key') -%} + - prereq: + - x509: /etc/pki/ca.crt + {%- endif %} + +pki_public_ca_crt: + x509.certificate_managed: + - name: /etc/pki/ca.crt + - signing_private_key: /etc/pki/ca.key + - CN: {{ GLOBALS.manager }} + - C: US + - ST: Utah + - L: Salt Lake City + - basicConstraints: "critical CA:true" + - keyUsage: "critical cRLSign, keyCertSign" + - extendedkeyUsage: "serverAuth, clientAuth" + - subjectKeyIdentifier: hash + - authorityKeyIdentifier: keyid:always, issuer + - days_valid: 3650 + - days_remaining: 7 + - backup: True + - replace: False + - timeout: 30 + - retry: + attempts: 5 + interval: 30 + +pki_public_ca_crt_symlink: + file.symlink: + - name: /opt/so/saltstack/local/salt/ca/files/ca.crt + - target: /etc/pki/ca.crt + - require: + - x509: pki_public_ca_crt + +cakeyperms: + file.managed: + - replace: False + - name: /etc/pki/ca.key + - mode: 640 + - group: 939 + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} diff --git a/salt/ca/signing_policy.sls b/salt/ca/signing_policy.sls new file mode 100644 index 000000000..5deea929a --- /dev/null +++ b/salt/ca/signing_policy.sls 
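Review bot: `cakeyperms` tightens `/etc/pki/ca.key` to mode 640 / group 939 but has no requisite on `pki_private_key`, so the ordering relies on definition order and nothing records that dependency; add `- require:` / `  - x509: pki_private_key` so the intent survives a reorder, and consider whether `x509.private_key_managed` should carry the mode/group itself so the key is never written with default permissions first. `days_remaining` moves from 0 to 7 while `replace: False` is kept; whether a certificate inside that window is actually reissued under `replace: False` deserves a one-line comment, since an unrenewed CA would silently expire for every consumer of `ca.trustca`. The `prereq` on `x509: /etc/pki/ca.crt` means the key is regenerated only when the certificate state would report a change — worth a comment too, as it is the first place an operator would look when asking why the key rotated.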
@@ -0,0 +1,15 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +# when the salt-minion signs the cert, a copy is stored here +issued_certs_copypath: + file.directory: + - name: /etc/pki/issued_certs + - makedirs: True + +signing_policy: + file.managed: + - name: /etc/salt/minion.d/signing_policies.conf + - source: salt://ca/files/signing_policies.conf diff --git a/salt/ca/trustca.sls b/salt/ca/trustca.sls new file mode 100644 index 000000000..1ec5347e3 --- /dev/null +++ b/salt/ca/trustca.sls @@ -0,0 +1,26 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% from 'vars/globals.map.jinja' import GLOBALS %} + +include: + - docker + +# Trust the CA +trusttheca: + file.managed: + - name: /etc/pki/tls/certs/intca.crt + - source: salt://ca/files/ca.crt + - watch_in: + - service: docker_running + - show_changes: False + - makedirs: True + +{% if GLOBALS.os_family == 'Debian' %} +symlinkca: + file.symlink: + - target: /etc/pki/tls/certs/intca.crt + - name: /etc/ssl/certs/intca.crt +{% endif %} diff --git a/salt/common/init.sls b/salt/common/init.sls index eba18f651..14cf3d4e8 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -177,7 +177,7 @@ so-status_script: - source: salt://common/tools/sbin/so-status - mode: 755 -{% if GLOBALS.role in GLOBALS.sensor_roles %} +{% if GLOBALS.is_sensor %} # Add sensor cleanup so-sensor-clean: cron.present: 
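Review bot: `trusttheca` now distributes the CA via `salt://ca/files/ca.crt`, which on the manager is the symlink created by `pki_public_ca_crt_symlink` in ca/server.sls; this relies on the master's fileserver following symlinks (the default `fileserver_followsymlinks: True`) and on the symlink existing when the fileserver indexes the run, which may not hold on the very first highstate of a fresh manager — a comment such as `# source is the manager's /etc/pki/ca.crt, published through the symlink managed in ca.server` would record the dependency. On Debian, `symlinkca` places `intca.crt` in `/etc/ssl/certs` but nothing runs `update-ca-certificates`, so OpenSSL's hashed lookup presumably still will not find it; if only explicit-path consumers need it, say so, otherwise the hook is missing. `show_changes: False` hides diffs of a public certificate; if that is deliberate, note why.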
diff --git a/salt/common/tools/sbin/so-checkin b/salt/common/tools/sbin/so-checkin index 13ea9acd9..7b122b391 100755 --- a/salt/common/tools/sbin/so-checkin +++ b/salt/common/tools/sbin/so-checkin @@ -10,7 +10,7 @@ cat << EOF so-checkin will run a full salt highstate to apply all salt states. If a highstate is already running, this request will be queued and so it may pause for a few minutes before you see any more output. For more information about so-checkin and salt, please see: -https://docs.securityonion.net/en/2.4/salt.html +https://securityonion.net/docs/salt EOF diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 51d7bb038..290a21c2a 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -10,7 +10,7 @@ # and since this same logic is required during installation, it's included in this file. DEFAULT_SALT_DIR=/opt/so/saltstack/default -DOC_BASE_URL="https://docs.securityonion.net/en/2.4" +DOC_BASE_URL="https://securityonion.net/docs" if [ -z $NOROOT ]; then # Check for prerequisites @@ -404,6 +404,25 @@ is_single_node_grid() { grep "role: so-" /etc/salt/grains | grep -E "eval|standalone|import" &> /dev/null } +initialize_elasticsearch_indices() { + local index_names=$1 + local default_entry=${2:-'{"@timestamp":"0"}'} + + for idx in $index_names; do + if ! so-elasticsearch-query "$idx" --fail --retry 3 --retry-delay 30 >/dev/null 2>&1; then + echo "Index does not already exist. Initializing $idx index." + + if retry 3 10 "so-elasticsearch-query "$idx/_doc" -d '$default_entry' -XPOST --fail 2>/dev/null" '"successful":1'; then + echo "Successfully initialized $idx index." + else + echo "Failed to initialize $idx index after 3 attempts." + fi + else + echo "Index $idx already exists. No action needed." + fi + done +} + lookup_bond_interfaces() { cat /proc/net/bonding/bond0 | grep "Slave Interface:" | sed -e "s/Slave Interface: //g" } 
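Review bot: In `initialize_elasticsearch_indices` the existence check treats any failure of `so-elasticsearch-query "$idx" --fail` as "index does not exist" — an unreachable or unauthenticated Elasticsearch or a transient 5xx looks the same as a 404 (presumably these are curl flags passed through; `--retry` does not retry on 404 either) — and the function then POSTs `$default_entry` into `$idx`, which for an index that does exist writes a dummy document with `@timestamp: 0`. Capturing the HTTP status (e.g. `-w '%{http_code}'`) and initialising only on 404 would make the decision explicit. The inner `"$idx/_doc"` quotes are closed by the enclosing double quotes, so they quote nothing, and `$default_entry` is interpolated inside single quotes before `retry` evaluates the string, so a value containing a single quote breaks the command; a short comment on the expected shape of both parameters (space-separated index names; one JSON document) would help callers.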
@@ -554,21 +573,39 @@ run_check_net_err() { } wait_for_salt_minion() { - local minion="$1" - local timeout="${2:-5}" - local logfile="${3:-'/dev/stdout'}" - retry 60 5 "journalctl -u salt-minion.service | grep 'Minion is ready to receive requests'" >> "$logfile" 2>&1 || fail - local attempt=0 - # each attempts would take about 15 seconds - local maxAttempts=20 - until check_salt_minion_status "$minion" "$timeout" "$logfile"; do - attempt=$((attempt+1)) - if [[ $attempt -eq $maxAttempts ]]; then - return 1 - fi - sleep 10 - done - return 0 + local minion="$1" + local max_wait="${2:-30}" + local interval="${3:-2}" + local logfile="${4:-'/dev/stdout'}" + local elapsed=0 + + echo "$(date '+%a %d %b %Y %H:%M:%S.%6N') - Waiting for salt-minion '$minion' to be ready..." + + while [ $elapsed -lt $max_wait ]; do + # Check if service is running + echo "$(date '+%a %d %b %Y %H:%M:%S.%6N') - Check if salt-minion service is running" + if ! systemctl is-active --quiet salt-minion; then + echo "$(date '+%a %d %b %Y %H:%M:%S.%6N') - salt-minion service not running (elapsed: ${elapsed}s)" + sleep $interval + elapsed=$((elapsed + interval)) + continue + fi + echo "$(date '+%a %d %b %Y %H:%M:%S.%6N') - salt-minion service is running" + + # Check if minion responds to ping + echo "$(date '+%a %d %b %Y %H:%M:%S.%6N') - Check if $minion responds to ping" + if salt "$minion" test.ping --timeout=3 --out=json 2>> "$logfile" | grep -q "true"; then + echo "$(date '+%a %d %b %Y %H:%M:%S.%6N') - salt-minion '$minion' is connected and ready!" + return 0 + fi + + echo "$(date '+%a %d %b %Y %H:%M:%S.%6N') - Waiting... (${elapsed}s / ${max_wait}s)" + sleep $interval + elapsed=$((elapsed + interval)) + done + + echo "$(date '+%a %d %b %Y %H:%M:%S.%6N') - ERROR: salt-minion '$minion' not ready after $max_wait seconds" + return 1 } salt_minion_count() { diff --git a/salt/common/tools/sbin/so-log-check b/salt/common/tools/sbin/so-log-check index 5960a7946..07d5d2d5b 100755 
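Review bot: The rewrite changes the positional contract of `wait_for_salt_minion`: argument 2 used to be a per-check timeout (default 5) and argument 3 the logfile, whereas now argument 2 is the total wait (default 30), 3 the interval and 4 the logfile, so an existing caller passing three arguments will have its logfile path used as the sleep interval — callers are outside this hunk, so please confirm they were updated. `elapsed` only counts the sleeps, not the up-to-3-second `salt "$minion" test.ping --timeout=3` or the systemctl call, so real wall time can exceed `$max_wait` by roughly `max_wait/interval` × 3 s; either measure with `$SECONDS` or document that `max_wait` is approximate. The default `"${4:-'/dev/stdout'}"` keeps the single quotes inside the value in bash, so `2>> "$logfile"` with no fourth argument writes to a file literally named `'/dev/stdout'` in the working directory; this is inherited from the old version but is a one-token fix, `"${4:-/dev/stdout}"`.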
--- a/salt/common/tools/sbin/so-log-check +++ b/salt/common/tools/sbin/so-log-check @@ -129,6 +129,8 @@ if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then EXCLUDED_ERRORS="$EXCLUDED_ERRORS|responded with status-code 503" # telegraf getting 503 from ES during startup EXCLUDED_ERRORS="$EXCLUDED_ERRORS|process_cluster_event_timeout_exception" # logstash waiting for elasticsearch to start EXCLUDED_ERRORS="$EXCLUDED_ERRORS|not configured for GeoIP" # SO does not bundle the maxminddb with Zeek + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|HTTP 404: Not Found" # Salt loops until Kratos returns 200, during startup Kratos may not be ready + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Cancelling deferred write event maybeFenceReplicas because the event queue is now closed" # Kafka controller log during shutdown/restart fi if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then @@ -159,7 +161,9 @@ if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then EXCLUDED_ERRORS="$EXCLUDED_ERRORS|adding ingest pipeline" # false positive (elasticsearch ingest pipeline names contain 'error') EXCLUDED_ERRORS="$EXCLUDED_ERRORS|updating index template" # false positive (elasticsearch index or template names contain 'error') EXCLUDED_ERRORS="$EXCLUDED_ERRORS|updating component template" # false positive (elasticsearch index or template names contain 'error') + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|upgrading component template" # false positive (elasticsearch index or template names contain 'error') EXCLUDED_ERRORS="$EXCLUDED_ERRORS|upgrading composable template" # false positive (elasticsearch composable template names contain 'error') + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Error while parsing document for index \[.ds-logs-kratos-so-.*object mapping for \[file\]" # false positive (mapping error occuring BEFORE kratos index has rolled over in 2.4.210) fi if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then 
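Review bot: `HTTP 404: Not Found` is added as a startup exclusion with no log-source qualifier, so any 404 in any container log during the startup window is suppressed, not only the Kratos readiness loop the comment describes; if the salt/Kratos poll line has a distinctive prefix, anchoring the pattern to it would keep the rest of the 404 detection intact. The Kafka `maybeFenceReplicas` entry is specific enough as written.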
@@ -223,6 +227,8 @@ if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then EXCLUDED_ERRORS="$EXCLUDED_ERRORS|from NIC checksum offloading" # zeek reporter.log EXCLUDED_ERRORS="$EXCLUDED_ERRORS|marked for removal" # docker container getting recycled EXCLUDED_ERRORS="$EXCLUDED_ERRORS|tcp 127.0.0.1:6791: bind: address already in use" # so-elastic-fleet agent restarting. Seen starting w/ 8.18.8 https://github.com/elastic/kibana/issues/201459 + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|TransformTask\] \[logs-(tychon|aws_billing|microsoft_defender_endpoint).*user so_kibana lacks the required permissions \[logs-\1" # Known issue with 3 integrations using kibana_system role vs creating unique api creds with proper permissions. + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|manifest unknown" # appears in so-dockerregistry log for so-tcpreplay following docker upgrade to 29.2.1-1 fi RESULT=0 diff --git a/salt/common/tools/sbin_jinja/so-desktop-install b/salt/common/tools/sbin_jinja/so-desktop-install index 6275bb3b6..774a8a118 100755 --- a/salt/common/tools/sbin_jinja/so-desktop-install +++ b/salt/common/tools/sbin_jinja/so-desktop-install @@ -6,7 +6,7 @@ # Elastic License 2.0. source /usr/sbin/so-common -doc_desktop_url="$DOC_BASE_URL/desktop.html" +doc_desktop_url="$DOC_BASE_URL/desktop" {# we only want the script to install the desktop if it is OEL -#} {% if grains.os == 'OEL' -%} diff --git a/salt/desktop/trusted-ca.sls b/salt/desktop/trusted-ca.sls index 87fc70ef9..5117de1cd 100644 --- a/salt/desktop/trusted-ca.sls +++ b/salt/desktop/trusted-ca.sls 
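Review bot: The TransformTask pattern relies on alternation and a backreference `\1` inside `EXCLUDED_ERRORS`, which is only valid if the variable is consumed with `grep -E` or `grep -P` (GNU grep accepts backreferences in ERE, POSIX ERE does not); the consuming grep is outside this hunk, so please confirm, and a comment on the entry noting the requirement would save the next person a surprise. `manifest unknown` is a very short, unscoped substring; if the registry log line has a stable prefix (the image name or `so-tcpreplay`), including it would keep genuine registry failures visible.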
@@ -3,29 +3,16 @@ {# we only want this state to run it is CentOS #} {% if GLOBALS.os == 'OEL' %} - {% set global_ca_text = [] %} - {% set global_ca_server = [] %} - {% set manager = GLOBALS.manager %} - {% set x509dict = salt['mine.get'](manager | lower~'*', 'x509.get_pem_entries') %} - {% for host in x509dict %} - {% if host.split('_')|last in ['manager', 'managersearch', 'standalone', 'import', 'eval'] %} - {% do global_ca_text.append(x509dict[host].get('/etc/pki/ca.crt')|replace('\n', '')) %} - {% do global_ca_server.append(host) %} - {% endif %} - {% endfor %} - {% set trusttheca_text = global_ca_text[0] %} - {% set ca_server = global_ca_server[0] %} - trusted_ca: - x509.pem_managed: + file.managed: - name: /etc/pki/ca-trust/source/anchors/ca.crt - - text: {{ trusttheca_text }} + - source: salt://ca/files/ca.crt update_ca_certs: cmd.run: - name: update-ca-trust - onchanges: - - x509: trusted_ca + - file: trusted_ca {% else %} diff --git a/salt/docker/init.sls b/salt/docker/init.sls index 5a0d1f61a..fa8f98567 100644 --- a/salt/docker/init.sls +++ b/salt/docker/init.sls @@ -6,9 +6,9 @@ {% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} -# include ssl since docker service requires the intca +# docker service requires the ca.crt include: - - ssl + - ca dockergroup: group.present: 
@@ -20,20 +20,20 @@ dockergroup: dockerheldpackages: pkg.installed: - pkgs: - - containerd.io: 1.7.21-1 - - docker-ce: 5:27.2.0-1~debian.12~bookworm - - docker-ce-cli: 5:27.2.0-1~debian.12~bookworm - - docker-ce-rootless-extras: 5:27.2.0-1~debian.12~bookworm + - containerd.io: 2.2.1-1~debian.12~bookworm + - docker-ce: 5:29.2.1-1~debian.12~bookworm + - docker-ce-cli: 5:29.2.1-1~debian.12~bookworm + - docker-ce-rootless-extras: 5:29.2.1-1~debian.12~bookworm - hold: True - update_holds: True {% elif grains.oscodename == 'jammy' %} dockerheldpackages: pkg.installed: - pkgs: - - containerd.io: 1.7.21-1 - - docker-ce: 5:27.2.0-1~ubuntu.22.04~jammy - - docker-ce-cli: 5:27.2.0-1~ubuntu.22.04~jammy - - docker-ce-rootless-extras: 5:27.2.0-1~ubuntu.22.04~jammy + - containerd.io: 2.2.1-1~ubuntu.22.04~jammy + - docker-ce: 5:29.2.1-1~ubuntu.22.04~jammy + - docker-ce-cli: 5:29.2.1-1~ubuntu.22.04~jammy + - docker-ce-rootless-extras: 5:29.2.1-1~ubuntu.22.04~jammy - hold: True - update_holds: True {% else %} @@ -51,10 +51,10 @@ dockerheldpackages: dockerheldpackages: pkg.installed: - pkgs: - - containerd.io: 1.7.21-3.1.el9 - - docker-ce: 3:27.2.0-1.el9 - - docker-ce-cli: 1:27.2.0-1.el9 - - docker-ce-rootless-extras: 27.2.0-1.el9 + - containerd.io: 2.2.1-1.el9 + - docker-ce: 3:29.2.1-1.el9 + - docker-ce-cli: 1:29.2.1-1.el9 + - docker-ce-rootless-extras: 29.2.1-1.el9 - hold: True - update_holds: True {% endif %} @@ -89,10 +89,9 @@ docker_running: - enable: True - watch: - file: docker_daemon - - x509: trusttheca - require: - file: docker_daemon - - x509: trusttheca + - file: trusttheca # Reserve OS ports for Docker proxy in case boot settings are not already applied/present @@ -118,4 +117,4 @@ sos_docker_net: com.docker.network.bridge.enable_ip_masquerade: 'true' com.docker.network.bridge.enable_icc: 'true' com.docker.network.bridge.host_binding_ipv4: '0.0.0.0' - - unless: 'docker network ls | grep sobridge' + - unless: ip l | grep sobridge 
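Review bot: `unless: ip l | grep sobridge` assumes the Docker network's bridge interface is literally named `sobridge`; Docker names bridges `br-<network id>` unless `com.docker.network.bridge.name` is set, and that option is not visible in this hunk, so if it is absent the `unless` never matches and `sos_docker_net` re-runs on every highstate. Please confirm the name option is set above the hunk, and add a short comment if the motivation is what it looks like, e.g. `# check the link with ip instead of docker network ls so the test does not need the docker daemon to be up`. The earlier hunk swapping `x509: trusttheca` for `file: trusttheca` in `docker_running` matches the new ca.trustca state, and `trusttheca`'s own `watch_in` on `docker_running` duplicates it harmlessly.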
diff --git a/salt/elastalert/enabled.sls b/salt/elastalert/enabled.sls index 6a1ff1440..e28a55958 100644 --- a/salt/elastalert/enabled.sls +++ b/salt/elastalert/enabled.sls @@ -60,7 +60,7 @@ so-elastalert: - watch: - file: elastaconf - onlyif: - - "so-elasticsearch-query / | jq -r '.version.number[0:1]' | grep -q 8" {# only run this state if elasticsearch is version 8 #} + - "so-elasticsearch-query / | jq -r '.version.number[0:1]' | grep -q 9" {# only run this state if elasticsearch is version 9 #} delete_so-elastalert_so-status.disabled: file.uncomment: diff --git a/salt/elasticagent/enabled.sls b/salt/elasticagent/enabled.sls index 3c20c916f..f59eae1fe 100644 --- a/salt/elasticagent/enabled.sls +++ b/salt/elasticagent/enabled.sls @@ -9,6 +9,7 @@ {% from 'docker/docker.map.jinja' import DOCKER %} include: + - ca - elasticagent.config - elasticagent.sostatus @@ -55,8 +56,10 @@ so-elastic-agent: {% endif %} - require: - file: create-elastic-agent-config + - file: trusttheca - watch: - file: create-elastic-agent-config + - file: trusttheca delete_so-elastic-agent_so-status.disabled: file.uncomment: diff --git a/salt/elasticagent/files/elastic-agent.yml.jinja b/salt/elasticagent/files/elastic-agent.yml.jinja index 7d0b93344..283bf9508 100644 --- a/salt/elasticagent/files/elastic-agent.yml.jinja +++ b/salt/elasticagent/files/elastic-agent.yml.jinja @@ -3,7 +3,7 @@ {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} id: aea1ba80-1065-11ee-a369-97538913b6a9 -revision: 1 +revision: 4 outputs: default: type: elasticsearch 
@@ -22,242 +22,133 @@ agent: metrics: false features: {} inputs: - - id: logfile-logs-fefef78c-422f-4cfa-8abf-4cd1b9428f62 - name: import-evtx-logs - revision: 2 - type: logfile - use_output: default - meta: - package: - name: log - version: - data_stream: - namespace: so - package_policy_id: fefef78c-422f-4cfa-8abf-4cd1b9428f62 - streams: - - id: logfile-log.log-fefef78c-422f-4cfa-8abf-4cd1b9428f62 - data_stream: - dataset: import - paths: - - /nsm/import/*/evtx/*.json - processors: - - dissect: - field: log.file.path - tokenizer: '/nsm/import/%{import.id}/evtx/%{import.file}' - target_prefix: '' - - decode_json_fields: - fields: - - message - target: '' - - drop_fields: - ignore_missing: true - fields: - - host - - add_fields: - fields: - dataset: system.security - type: logs - namespace: default - target: data_stream - - add_fields: - fields: - dataset: system.security - module: system - imported: true - target: event - - then: - - add_fields: - fields: - dataset: windows.sysmon_operational - target: data_stream - - add_fields: - fields: - dataset: windows.sysmon_operational - module: windows - imported: true - target: event - if: - equals: - winlog.channel: Microsoft-Windows-Sysmon/Operational - - then: - - add_fields: - fields: - dataset: system.application - target: data_stream - - add_fields: - fields: - dataset: system.application - target: event - if: - equals: - winlog.channel: Application - - then: - - add_fields: - fields: - dataset: system.system - target: data_stream - - add_fields: - fields: - dataset: system.system - target: event - if: - equals: - winlog.channel: System - - then: - - add_fields: - fields: - dataset: windows.powershell_operational - target: data_stream - - add_fields: - fields: - dataset: windows.powershell_operational - module: windows - target: event - if: - equals: - winlog.channel: Microsoft-Windows-PowerShell/Operational - tags: - - import - - id: logfile-redis-fc98c947-7d17-4861-a318-7ad075f6d1b0 - name: redis-logs - revision: 
2 - type: logfile - use_output: default - meta: - package: - name: redis - version: - data_stream: - namespace: default - package_policy_id: fc98c947-7d17-4861-a318-7ad075f6d1b0 - streams: - - id: logfile-redis.log-fc98c947-7d17-4861-a318-7ad075f6d1b0 - data_stream: - dataset: redis.log - type: logs - exclude_files: - - .gz$ - paths: - - /opt/so/log/redis/redis.log - tags: - - redis-log - exclude_lines: - - '^\s+[\-`(''.|_]' - - id: logfile-logs-3b56803d-5ade-4c93-b25e-9b37182f66b8 + - id: filestream-filestream-85820eb0-25ef-11f0-a18d-1b26f69b8310 name: import-suricata-logs - revision: 2 - type: logfile + revision: 3 + type: filestream use_output: default meta: package: - name: log + name: filestream version: data_stream: namespace: so - package_policy_id: 3b56803d-5ade-4c93-b25e-9b37182f66b8 + package_policy_id: 85820eb0-25ef-11f0-a18d-1b26f69b8310 streams: - - id: logfile-log.log-3b56803d-5ade-4c93-b25e-9b37182f66b8 + - id: filestream-filestream.generic-85820eb0-25ef-11f0-a18d-1b26f69b8310 data_stream: dataset: import - pipeline: suricata.common paths: - /nsm/import/*/suricata/eve*.json + pipeline: suricata.common + prospector.scanner.recursive_glob: true + prospector.scanner.exclude_files: + - \.gz$ + ignore_older: 72h + clean_inactive: -1 + parsers: null processors: - add_fields: + target: event fields: + category: network module: suricata imported: true - category: network - target: event - dissect: + tokenizer: /nsm/import/%{import.id}/suricata/%{import.file} field: log.file.path - tokenizer: '/nsm/import/%{import.id}/suricata/%{import.file}' target_prefix: '' - - id: logfile-logs-c327e1a3-1ebe-449c-a8eb-f6f35032e69d - name: soc-server-logs - revision: 2 - type: logfile + file_identity.native: null + prospector.scanner.fingerprint.enabled: false + - id: filestream-filestream-86b4e960-25ef-11f0-a18d-1b26f69b8310 + name: import-zeek-logs + revision: 3 + type: filestream use_output: default meta: package: - name: log + name: filestream version: data_stream: 
namespace: so - package_policy_id: c327e1a3-1ebe-449c-a8eb-f6f35032e69d + package_policy_id: 86b4e960-25ef-11f0-a18d-1b26f69b8310 streams: - - id: logfile-log.log-c327e1a3-1ebe-449c-a8eb-f6f35032e69d + - id: filestream-filestream.generic-86b4e960-25ef-11f0-a18d-1b26f69b8310 data_stream: - dataset: soc - pipeline: common + dataset: import paths: - - /opt/so/log/soc/sensoroni-server.log + - /nsm/import/*/zeek/logs/*.log + prospector.scanner.recursive_glob: true + prospector.scanner.exclude_files: + - >- + (broker|capture_loss|cluster|conn-summary|console|ecat_arp_info|known_certs|known_hosts|known_services|loaded_scripts|ntp|ocsp|packet_filter|reporter|stats|stderr|stdout).log$ + clean_inactive: -1 + parsers: null processors: - - decode_json_fields: - add_error_key: true - process_array: true - max_depth: 2 - fields: - - message - target: soc + - dissect: + tokenizer: /nsm/import/%{import.id}/zeek/logs/%{import.file} + field: log.file.path + target_prefix: '' + - script: + lang: javascript + source: | + function process(event) { + var pl = event.Get("import.file").slice(0,-4); + event.Put("@metadata.pipeline", "zeek." 
+ pl); + } - add_fields: - fields: - module: soc - dataset_temp: server - category: host target: event - - rename: - ignore_missing: true fields: - - from: soc.fields.sourceIp - to: source.ip - - from: soc.fields.status - to: http.response.status_code - - from: soc.fields.method - to: http.request.method - - from: soc.fields.path - to: url.path - - from: soc.message - to: event.action - - from: soc.level - to: log.level - tags: - - so-soc - - id: logfile-logs-906e0d4c-9ec3-4c6a-bef6-e347ec9fd073 + category: network + module: zeek + imported: true + - add_tags: + tags: ics + when: + regexp: + import.file: >- + ^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm* + file_identity.native: null + prospector.scanner.fingerprint.enabled: false + - id: filestream-filestream-91741240-25ef-11f0-a18d-1b26f69b8310 name: soc-sensoroni-logs - revision: 2 - type: logfile + revision: 3 + type: filestream use_output: default meta: package: - name: log + name: filestream version: data_stream: namespace: so - package_policy_id: 906e0d4c-9ec3-4c6a-bef6-e347ec9fd073 + package_policy_id: 91741240-25ef-11f0-a18d-1b26f69b8310 streams: - - id: logfile-log.log-906e0d4c-9ec3-4c6a-bef6-e347ec9fd073 + - id: filestream-filestream.generic-91741240-25ef-11f0-a18d-1b26f69b8310 data_stream: dataset: soc - pipeline: common paths: - /opt/so/log/sensoroni/sensoroni.log + pipeline: common + prospector.scanner.recursive_glob: true + prospector.scanner.exclude_files: + - \.gz$ + clean_inactive: -1 + parsers: null processors: - decode_json_fields: - add_error_key: true - process_array: true - max_depth: 2 fields: - message target: sensoroni + process_array: true + max_depth: 2 + add_error_key: true - add_fields: + target: event fields: + category: host module: soc dataset_temp: sensoroni - category: host - target: event - rename: - ignore_missing: true fields: - from: sensoroni.fields.sourceIp to: source.ip 
@@ -271,141 +162,100 @@ inputs: to: event.action - from: sensoroni.level to: log.level - - id: logfile-logs-df0d7f2c-221f-433b-b18b-d1cf83250515 - name: soc-salt-relay-logs - revision: 2 - type: logfile - use_output: default - meta: - package: - name: log - version: - data_stream: - namespace: so - package_policy_id: df0d7f2c-221f-433b-b18b-d1cf83250515 - streams: - - id: logfile-log.log-df0d7f2c-221f-433b-b18b-d1cf83250515 - data_stream: - dataset: soc - pipeline: common - paths: - - /opt/so/log/soc/salt-relay.log - processors: - - dissect: - field: message - tokenizer: '%{soc.ts} | %{event.action}' - target_prefix: '' - - add_fields: - fields: - module: soc - dataset_temp: salt_relay - category: host - target: event - tags: - - so-soc - - id: logfile-logs-74bd2366-fe52-493c-bddc-843a017fc4d0 - name: soc-auth-sync-logs - revision: 2 - type: logfile - use_output: default - meta: - package: - name: log - version: - data_stream: - namespace: so - package_policy_id: 74bd2366-fe52-493c-bddc-843a017fc4d0 - streams: - - id: logfile-log.log-74bd2366-fe52-493c-bddc-843a017fc4d0 - data_stream: - dataset: soc - pipeline: common - paths: - - /opt/so/log/soc/sync.log - processors: - - dissect: - field: message - tokenizer: '%{event.action}' - target_prefix: '' - - add_fields: - fields: - module: soc - dataset_temp: auth_sync - category: host - target: event - tags: - - so-soc - - id: logfile-logs-d151d9bf-ff2a-4529-9520-c99244bc0253 + ignore_missing: true + file_identity.native: null + prospector.scanner.fingerprint.enabled: false + - id: filestream-filestream-976e3900-25ef-11f0-a18d-1b26f69b8310 name: suricata-logs - revision: 2 - type: logfile + revision: 3 + type: filestream use_output: default meta: package: - name: log + name: filestream version: data_stream: namespace: so - package_policy_id: d151d9bf-ff2a-4529-9520-c99244bc0253 + package_policy_id: 976e3900-25ef-11f0-a18d-1b26f69b8310 streams: - - id: logfile-log.log-d151d9bf-ff2a-4529-9520-c99244bc0253 + - id: 
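Review bot: The new `prospector.scanner.exclude_files` patterns for import-zeek-logs (this hunk) and zeek-logs (the following `@@ -271` hunk) end in `).log$` with an unescaped dot, so they match any character before `log`, while the Fleet integration JSON files converted in this same commit use the anchored form `(\..+)?\.log$`; since these are folded `>-` scalars, `(broker|…|stdout)(\..+)?\.log$` can be written literally. A related inconsistency: `ignore_older: 72h` is set on the import-suricata-logs input but not on import-zeek-logs, so stale imported Zeek logs are still harvested while stale Suricata imports are skipped — if deliberate, a short comment beside the suricata `ignore_older` line would record why. The hunk also deletes the import-evtx-logs, redis-logs and soc-server-logs inputs (the next hunk drops soc-salt-relay-logs and soc-auth-sync-logs); presumably they are now delivered by Fleet-managed integrations, but nothing in the file says so, and a one-line comment under `inputs:` naming where they moved would save the next reader a search.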
filestream-filestream.generic-976e3900-25ef-11f0-a18d-1b26f69b8310 data_stream: dataset: suricata - pipeline: suricata.common paths: - /nsm/suricata/eve*.json + pipeline: suricata.common + prospector.scanner.recursive_glob: true + prospector.scanner.exclude_files: + - \.gz$ + clean_inactive: -1 + parsers: null processors: - add_fields: - fields: - module: suricata - category: network target: event - - id: logfile-logs-31f94d05-ae75-40ee-b9c5-0e0356eff327 + fields: + category: network + module: suricata + file_identity.native: null + prospector.scanner.fingerprint.enabled: false + - id: filestream-filestream-95091fe0-25ef-11f0-a18d-1b26f69b8310 name: strelka-logs - revision: 2 - type: logfile + revision: 3 + type: filestream use_output: default meta: package: - name: log + name: filestream version: data_stream: namespace: so - package_policy_id: 31f94d05-ae75-40ee-b9c5-0e0356eff327 + package_policy_id: 95091fe0-25ef-11f0-a18d-1b26f69b8310 streams: - - id: logfile-log.log-31f94d05-ae75-40ee-b9c5-0e0356eff327 + - id: filestream-filestream.generic-95091fe0-25ef-11f0-a18d-1b26f69b8310 data_stream: dataset: strelka - pipeline: strelka.file paths: - /nsm/strelka/log/strelka.log + pipeline: strelka.file + prospector.scanner.recursive_glob: true + prospector.scanner.exclude_files: + - \.gz$ + clean_inactive: -1 + parsers: null processors: - add_fields: - fields: - module: strelka - category: file target: event - - id: logfile-logs-6197fe84-9b58-4d9b-8464-3d517f28808d + fields: + category: file + module: strelka + file_identity.native: null + prospector.scanner.fingerprint.enabled: false + - id: filestream-filestream-9f309ca0-25ef-11f0-a18d-1b26f69b8310 name: zeek-logs - revision: 1 - type: logfile + revision: 2 + type: filestream use_output: default meta: package: - name: log - version: + name: filestream + version: data_stream: namespace: so - package_policy_id: 6197fe84-9b58-4d9b-8464-3d517f28808d + package_policy_id: 9f309ca0-25ef-11f0-a18d-1b26f69b8310 streams: - - id: 
logfile-log.log-6197fe84-9b58-4d9b-8464-3d517f28808d + - id: filestream-filestream.generic-9f309ca0-25ef-11f0-a18d-1b26f69b8310 data_stream: dataset: zeek paths: - /nsm/zeek/logs/current/*.log + prospector.scanner.recursive_glob: true + prospector.scanner.exclude_files: + - >- + (broker|capture_loss|cluster|conn-summary|console|ecat_arp_info|known_certs|known_hosts|known_services|loaded_scripts|ntp|ocsp|packet_filter|reporter|stats|stderr|stdout).log$ + clean_inactive: -1 + parsers: null processors: - dissect: - tokenizer: '/nsm/zeek/logs/current/%{pipeline}.log' + tokenizer: /nsm/zeek/logs/current/%{pipeline}.log field: log.file.path trim_chars: .log target_prefix: '' @@ -427,18 +277,17 @@ inputs: regexp: pipeline: >- ^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm* - exclude_files: - - >- - broker|capture_loss|cluster|ecat_arp_info|known_hosts|known_services|loaded_scripts|ntp|ocsp|packet_filter|reporter|stats|stderr|stdout.log$ + file_identity.native: null + prospector.scanner.fingerprint.enabled: false - id: udp-udp-35051de0-46a5-11ee-8d5d-9f98c8182f60 name: syslog-udp-514 - revision: 3 + revision: 4 type: udp use_output: default meta: package: name: udp - version: 1.10.0 + version: data_stream: namespace: so package_policy_id: 35051de0-46a5-11ee-8d5d-9f98c8182f60 @@ -458,13 +307,13 @@ inputs: - syslog - id: tcp-tcp-33d37bb0-46a5-11ee-8d5d-9f98c8182f60 name: syslog-tcp-514 - revision: 3 + revision: 4 type: tcp use_output: default meta: package: name: tcp - version: 1.10.0 + version: data_stream: namespace: so package_policy_id: 33d37bb0-46a5-11ee-8d5d-9f98c8182f60 diff --git a/salt/elasticfleet/config.sls b/salt/elasticfleet/config.sls index 3bdd495c1..9c79dfab6 100644 --- a/salt/elasticfleet/config.sls +++ b/salt/elasticfleet/config.sls @@ -11,6 +11,7 @@ include: - elasticfleet.artifact_registry + - elasticfleet.ssl # Add EA Group elasticfleetgroup: 
@@ -95,6 +96,9 @@ soresourcesrepoclone:
- rev: 'main'
- depth: 1
- force_reset: True
+ - retry:
+ attempts: 3
+ interval: 10
{% endif %}
elasticdefendconfdir:
diff --git a/salt/elasticfleet/enabled.sls b/salt/elasticfleet/enabled.sls
index db10a7182..040d15fca 100644
--- a/salt/elasticfleet/enabled.sls
+++ b/salt/elasticfleet/enabled.sls
@@ -13,9 +13,10 @@
{% set SERVICETOKEN = salt['pillar.get']('elasticfleet:config:server:es_token','') %}
include:
+ - ca
+ - logstash.ssl
- elasticfleet.config
- elasticfleet.sostatus
- - ssl
{% if grains.role not in ['so-fleet'] %}
# Wait for Elasticsearch to be ready - no reason to try running Elastic Fleet server if ES is not ready
@@ -133,6 +134,11 @@ so-elastic-fleet:
{% endfor %}
{% endif %}
- watch:
+ - file: trusttheca
+ - x509: etc_elasticfleet_key
+ - x509: etc_elasticfleet_crt
+ - require:
+ - file: trusttheca
- x509: etc_elasticfleet_key
- x509: etc_elasticfleet_crt
{% endif %}
diff --git a/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/import-zeek-logs.json b/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/import-zeek-logs.json
index 492db03dc..ac03f3c1d 100644
--- a/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/import-zeek-logs.json
+++ b/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/import-zeek-logs.json
@@ -2,7 +2,7 @@
{%- raw -%}
{
"package": {
- "name": "log",
+ "name": "filestream",
"version": ""
},
"name": "import-zeek-logs",
@@ -10,19 +10,31 @@ "description": "Zeek Import logs", "policy_id": "so-grid-nodes_general", "inputs": { - "logs-logfile": { + "filestream-filestream": { "enabled": true, "streams": { - "log.logs": { + "filestream.generic": { "enabled": true, "vars": { "paths": [ "/nsm/import/*/zeek/logs/*.log" ], "data_stream.dataset": "import", - "tags": [], + "pipeline": "", + "parsers": "#- ndjson:\n# target: \"\"\n# message_key: msg\n#- multiline:\n# type: count\n# count_lines: 3\n", + "exclude_files": ["({%- endraw -%}{{ ELASTICFLEETMERGED.logging.zeek.excluded | join('|') }}{%- raw -%})(\\..+)?\\.log$"], + "include_files": [], "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/zeek/logs/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"import.file\").slice(0,-4);\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n imported: true\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n import.file: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"", - "custom": "exclude_files: [\"{%- endraw -%}{{ ELASTICFLEETMERGED.logging.zeek.excluded | join('|') }}{%- raw -%}.log$\"]\n" + "tags": [], + "recursive_glob": true, + "clean_inactive": -1, + "harvester_limit": 0, + "fingerprint": false, + "fingerprint_offset": 0, + "fingerprint_length": "64", + "file_identity_native": true, + "exclude_lines": [], + "include_lines": [] } } } diff --git a/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/kratos-logs.json b/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/kratos-logs.json index f6b01cdff..545588521 100644 --- a/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/kratos-logs.json +++ b/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/kratos-logs.json 
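Review bot: The new `exclude_files` entry builds a regex by joining `ELASTICFLEETMERGED.logging.zeek.excluded` with `|` and interpolating the result unescaped, so a pillar value containing a regex metacharacter (`(`, `+`, `[`, or a literal `.`) changes the meaning of the pattern or makes the input fail to load; the same construction is repeated in zeek-logs.json later in this diff. Escaping each element before joining keeps the names literal: `{{ ELASTICFLEETMERGED.logging.zeek.excluded | map('regex_escape') | join('|') }}`. Separately, `fingerprint_length` is the string `"64"` while the neighbouring numeric vars (`harvester_limit`, `fingerprint_offset`) are bare integers — if the integration schema really requires a string there, a short comment in the commit would prevent a well-meaning cleanup.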
@@ -11,36 +11,51 @@ {%- endif -%} { "package": { - "name": "log", + "name": "filestream", "version": "" }, "name": "kratos-logs", - "namespace": "so", "description": "Kratos logs", "policy_id": "so-grid-nodes_general", + "namespace": "so", "inputs": { - "logs-logfile": { + "filestream-filestream": { "enabled": true, "streams": { - "log.logs": { + "filestream.generic": { "enabled": true, "vars": { "paths": [ "/opt/so/log/kratos/kratos.log" ], "data_stream.dataset": "kratos", - "tags": ["so-kratos"], + "pipeline": "kratos", + "parsers": "#- ndjson:\n# target: \"\"\n# message_key: msg\n#- multiline:\n# type: count\n# count_lines: 3\n", + "exclude_files": [ + "\\.gz$" + ], + "include_files": [], {%- if valid_identities -%} "processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true\n- add_fields:\n target: event\n fields:\n category: iam\n module: kratos\n- if:\n has_fields:\n - identity_id\n then:{% for id, email in identities %}\n - if:\n equals:\n identity_id: \"{{ id }}\"\n then:\n - add_fields:\n target: ''\n fields:\n user.name: \"{{ email }}\"{% endfor %}", {%- else -%} "processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true\n- add_fields:\n target: event\n fields:\n category: iam\n module: kratos", {%- endif -%} - "custom": "pipeline: kratos" + "tags": [ + "so-kratos" + ], + "recursive_glob": true, + "clean_inactive": -1, + "harvester_limit": 0, + "fingerprint": false, + "fingerprint_offset": 0, + "fingerprint_length": "64", + "file_identity_native": true, + "exclude_lines": [], + "include_lines": [] } } } } }, "force": true -} - +} \ No newline at end of file diff --git a/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/zeek-logs.json b/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/zeek-logs.json index 5462dc861..4af2b2921 100644 --- a/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/zeek-logs.json 
+++ b/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/zeek-logs.json @@ -2,28 +2,38 @@ {%- raw -%} { "package": { - "name": "log", + "name": "filestream", "version": "" }, - "id": "zeek-logs", "name": "zeek-logs", "namespace": "so", "description": "Zeek logs", "policy_id": "so-grid-nodes_general", "inputs": { - "logs-logfile": { + "filestream-filestream": { "enabled": true, "streams": { - "log.logs": { + "filestream.generic": { "enabled": true, "vars": { "paths": [ "/nsm/zeek/logs/current/*.log" ], "data_stream.dataset": "zeek", - "tags": [], + "parsers": "#- ndjson:\n# target: \"\"\n# message_key: msg\n#- multiline:\n# type: count\n# count_lines: 3\n", + "exclude_files": ["({%- endraw -%}{{ ELASTICFLEETMERGED.logging.zeek.excluded | join('|') }}{%- raw -%})(\\..+)?\\.log$"], + "include_files": [], "processors": "- dissect:\n tokenizer: \"/nsm/zeek/logs/current/%{pipeline}.log\"\n field: \"log.file.path\"\n trim_chars: \".log\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"pipeline\");\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n pipeline: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"", - "custom": "exclude_files: [\"{%- endraw -%}{{ ELASTICFLEETMERGED.logging.zeek.excluded | join('|') }}{%- raw -%}.log$\"]\n" + "tags": [], + "recursive_glob": true, + "clean_inactive": -1, + "harvester_limit": 0, + "fingerprint": false, + "fingerprint_offset": 0, + "fingerprint_length": "64", + "file_identity_native": true, + "exclude_lines": [], + "include_lines": [] } } } @@ -31,4 +41,4 @@ }, "force": true } -{%- endraw -%} +{%- endraw -%} \ No newline at end of file 
diff --git a/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json b/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json
index fb9069e83..debfc73a3 100644
--- a/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json
+++ b/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json
@@ -5,7 +5,7 @@
"package": {
"name": "endpoint",
"title": "Elastic Defend",
- "version": "8.18.1",
+ "version": "9.0.2",
"requires_root": true
},
"enabled": true,
diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/hydra-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/hydra-logs.json
index f1b1dace9..a4f944ba5 100644
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/hydra-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/hydra-logs.json
@@ -1,26 +1,43 @@ { "package": { - "name": "log", + "name": "filestream", "version": "" }, "name": "hydra-logs", - "namespace": "so", "description": "Hydra logs", "policy_id": "so-grid-nodes_general", + "namespace": "so", "inputs": { - "logs-logfile": { + "filestream-filestream": { "enabled": true, "streams": { - "log.logs": { + "filestream.generic": { "enabled": true, "vars": { "paths": [ "/opt/so/log/hydra/hydra.log" ], "data_stream.dataset": "hydra", - "tags": ["so-hydra"], - "processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: iam\n module: hydra", - "custom": "pipeline: hydra" + "pipeline": "hydra", + "parsers": "#- ndjson:\n# target: \"\"\n# message_key: msg\n#- multiline:\n# type: count\n# count_lines: 3\n", + "exclude_files": [ + "\\.gz$" + ], + "include_files": [], + "processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true\n- add_fields:\n target: event\n fields:\n category: iam\n module: hydra", + "tags": [ + "so-hydra" + ], + "recursive_glob": true, + "ignore_older": "72h", + "clean_inactive": -1, + "harvester_limit": 0, + "fingerprint": false, + "fingerprint_offset": 0, + "fingerprint_length": "64", + "file_identity_native": true, + "exclude_lines": [], + "include_lines": [] } } } @@ -28,3 +45,5 @@ }, "force": true } + + diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/idh-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/idh-logs.json index 9f66c1937..fef9c57fb 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/idh-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/idh-logs.json 
@@ -1,30 +1,44 @@ { "package": { - "name": "log", + "name": "filestream", "version": "" }, "name": "idh-logs", - "namespace": "so", "description": "IDH integration", "policy_id": "so-grid-nodes_general", + "namespace": "so", "inputs": { - "logs-logfile": { + "filestream-filestream": { "enabled": true, "streams": { - "log.logs": { + "filestream.generic": { "enabled": true, "vars": { "paths": [ "/nsm/idh/opencanary.log" ], "data_stream.dataset": "idh", - "tags": [], + "pipeline": "common", + "parsers": "#- ndjson:\n# target: \"\"\n# message_key: msg\n#- multiline:\n# type: count\n# count_lines: 3\n", + "exclude_files": [ + "\\.gz$" + ], + "include_files": [], "processors": "\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true\n- convert:\n fields:\n - {from: \"logtype\", to: \"event.code\", type: \"string\"}\n- drop_fields:\n when:\n equals:\n event.code: \"1001\"\n fields: [\"src_host\", \"src_port\", \"dst_host\", \"dst_port\" ]\n ignore_missing: true\n- rename:\n fields:\n - from: \"src_host\"\n to: \"source.ip\"\n - from: \"src_port\"\n to: \"source.port\"\n - from: \"dst_host\"\n to: \"destination.host\"\n - from: \"dst_port\"\n to: \"destination.port\"\n ignore_missing: true\n- drop_fields:\n fields: '[\"prospector\", \"input\", \"offset\", \"beat\"]'\n- add_fields:\n target: event\n fields:\n category: host\n module: opencanary", - "custom": "pipeline: common" + "tags": [], + "recursive_glob": true, + "clean_inactive": -1, + "harvester_limit": 0, + "fingerprint": false, + "fingerprint_offset": 0, + "fingerprint_length": "64", + "file_identity_native": true, + "exclude_lines": [], + "include_lines": [] } } } } }, "force": true -} +} \ No newline at end of file diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json index dd95e6337..50ffd5dc7 100644 
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json
@@ -1,33 +1,46 @@ { "package": { - "name": "log", + "name": "filestream", "version": "" }, "name": "import-evtx-logs", - "namespace": "so", "description": "Import Windows EVTX logs", "policy_id": "so-grid-nodes_general", - "vars": {}, + "namespace": "so", "inputs": { - "logs-logfile": { + "filestream-filestream": { "enabled": true, "streams": { - "log.logs": { + "filestream.generic": { "enabled": true, "vars": { "paths": [ "/nsm/import/*/evtx/*.json" ], "data_stream.dataset": "import", - "custom": "", + "parsers": "#- ndjson:\n# target: \"\"\n# message_key: msg\n#- multiline:\n# type: count\n# count_lines: 3\n", + "exclude_files": [ + "\\.gz$" + ], + "include_files": [], "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- drop_fields:\n fields: [\"host\"]\n ignore_missing: true\n- add_fields:\n target: data_stream\n fields:\n type: logs\n dataset: system.security\n- add_fields:\n target: event\n fields:\n dataset: system.security\n module: system\n imported: true\n- add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.security-2.6.1\n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.sysmon_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.sysmon_operational\n module: windows\n imported: true\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.sysmon_operational-3.1.2\n- if:\n equals:\n winlog.channel: 'Application'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.application\n - add_fields:\n target: event\n fields:\n dataset: system.application\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.application-2.6.1\n- if:\n equals:\n winlog.channel: 'System'\n then: \n - add_fields:\n target: data_stream\n 
fields:\n dataset: system.system\n - add_fields:\n target: event\n fields:\n dataset: system.system\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.system-2.6.1\n \n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.powershell_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.powershell_operational\n module: windows\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.powershell_operational-3.1.2\n- add_fields:\n target: data_stream\n fields:\n dataset: import", "tags": [ "import" - ] + ], + "recursive_glob": true, + "ignore_older": "72h", + "clean_inactive": -1, + "harvester_limit": 0, + "fingerprint": false, + "fingerprint_offset": 0, + "fingerprint_length": "64", + "file_identity_native": true, + "exclude_lines": [], + "include_lines": [] } } } } }, "force": true -} +} \ No newline at end of file diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/import-suricata-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/import-suricata-logs.json index c9b036e36..b8f3b0b29 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/import-suricata-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/import-suricata-logs.json 
@@ -1,30 +1,45 @@ { "package": { - "name": "log", + "name": "filestream", "version": "" }, "name": "import-suricata-logs", - "namespace": "so", "description": "Import Suricata logs", "policy_id": "so-grid-nodes_general", + "namespace": "so", "inputs": { - "logs-logfile": { + "filestream-filestream": { "enabled": true, "streams": { - "log.logs": { + "filestream.generic": { "enabled": true, "vars": { "paths": [ "/nsm/import/*/suricata/eve*.json" ], "data_stream.dataset": "import", + "pipeline": "suricata.common", + "parsers": "#- ndjson:\n# target: \"\"\n# message_key: msg\n#- multiline:\n# type: count\n# count_lines: 3\n", + "exclude_files": [ + "\\.gz$" + ], + "include_files": [], + "processors": "- add_fields:\n target: event\n fields:\n category: network\n module: suricata\n imported: true\n- dissect:\n tokenizer: \"/nsm/import/%{import.id}/suricata/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n", "tags": [], - "processors": "- add_fields:\n target: event\n fields:\n category: network\n module: suricata\n imported: true\n- dissect:\n tokenizer: \"/nsm/import/%{import.id}/suricata/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"", - "custom": "pipeline: suricata.common" + "recursive_glob": true, + "ignore_older": "72h", + "clean_inactive": -1, + "harvester_limit": 0, + "fingerprint": false, + "fingerprint_offset": 0, + "fingerprint_length": "64", + "file_identity_native": true, + "exclude_lines": [], + "include_lines": [] } } } } }, "force": true -} +} \ No newline at end of file diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/redis-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/redis-logs.json index b822421eb..2d16039bb 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/redis-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/redis-logs.json 
@@ -15,7 +15,7 @@
"enabled": true,
"vars": {
"paths": [
- "/opt/so/log/redis/redis.log"
+ "/opt/so/log/redis/redis-server.log"
],
"tags": [
"redis-log"
diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/rita-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/rita-logs.json
index a97faaa5f..70259c3cf 100644
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/rita-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/rita-logs.json
@@ -1,18 +1,17 @@
{
"package": {
- "name": "log",
+ "name": "filestream",
"version": ""
},
"name": "rita-logs",
- "namespace": "so",
"description": "RITA Logs",
"policy_id": "so-grid-nodes_general",
- "vars": {},
+ "namespace": "so",
"inputs": {
- "logs-logfile": {
+ "filestream-filestream": {
"enabled": true,
"streams": {
- "log.logs": {
+ "filestream.generic": {
"enabled": true,
"vars": {
"paths": [
@@ -20,15 +19,28 @@ "/nsm/rita/exploded-dns.csv", "/nsm/rita/long-connections.csv" ], - "exclude_files": [], - "ignore_older": "72h", "data_stream.dataset": "rita", - "tags": [], + "parsers": "#- ndjson:\n# target: \"\"\n# message_key: msg\n#- multiline:\n# type: count\n# count_lines: 3\n", + "exclude_files": [ + "\\.gz$" + ], + "include_files": [], "processors": "- dissect:\n tokenizer: \"/nsm/rita/%{pipeline}.csv\"\n field: \"log.file.path\"\n trim_chars: \".csv\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"pipeline\").split(\"-\");\n if (pl.length > 1) {\n pl = pl[1];\n }\n else {\n pl = pl[0];\n }\n event.Put(\"@metadata.pipeline\", \"rita.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: rita", - "custom": "exclude_lines: ['^Score', '^Source', '^Domain', '^No results']" + "tags": [], + "recursive_glob": true, + "ignore_older": "72h", + "clean_inactive": -1, + "harvester_limit": 0, + "fingerprint": false, + "fingerprint_offset": 0, + "fingerprint_length": "64", + "file_identity_native": true, + "exclude_lines": [], + "include_lines": [] } } } } - } + }, + "force": true } diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/so-ip-mappings.json b/salt/elasticfleet/files/integrations/grid-nodes_general/so-ip-mappings.json index fdcd36815..a14e63559 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/so-ip-mappings.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/so-ip-mappings.json 
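Review bot: The rewritten stream sets `"exclude_lines": []` while the removed `custom` block carried `exclude_lines: ['^Score', '^Source', '^Domain', '^No results']`, so RITA's CSV header and "No results" lines are now harvested as events and pushed through the dissect/script `rita.*` pipeline as if they were data rows. Unless that filtering moved somewhere not visible in this diff, the value should be `"exclude_lines": ["^Score", "^Source", "^Domain", "^No results"],`. The added `"force": true` matches the other integration files and looks correct.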
@@ -1,29 +1,41 @@ { "package": { - "name": "log", + "name": "filestream", "version": "" }, "name": "so-ip-mappings", - "namespace": "so", "description": "IP Description mappings", "policy_id": "so-grid-nodes_general", - "vars": {}, + "namespace": "so", "inputs": { - "logs-logfile": { + "filestream-filestream": { "enabled": true, "streams": { - "log.logs": { + "filestream.generic": { "enabled": true, "vars": { "paths": [ "/nsm/custom-mappings/ip-descriptions.csv" ], "data_stream.dataset": "hostnamemappings", + "parsers": "#- ndjson:\n# target: \"\"\n# message_key: msg\n#- multiline:\n# type: count\n# count_lines: 3\n", + "exclude_files": [ + "\\.gz$" + ], + "include_files": [], + "processors": "- decode_csv_fields:\n fields:\n message: decoded.csv\n separator: \",\"\n ignore_missing: false\n overwrite_keys: true\n trim_leading_space: true\n fail_on_error: true\n\n- extract_array:\n field: decoded.csv\n mappings:\n so.ip_address: '0'\n so.description: '1'\n\n- script:\n lang: javascript\n source: >\n function process(event) {\n var ip = event.Get('so.ip_address');\n var validIpRegex = /^((25[0-5]|2[0-4]\\d|1\\d{2}|[1-9]?\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d{2}|[1-9]?\\d)$/\n if (!validIpRegex.test(ip)) {\n event.Cancel();\n }\n }\n- fingerprint:\n fields: [\"so.ip_address\"]\n target_field: \"@metadata._id\"\n", "tags": [ "so-ip-mappings" ], - "processors": "- decode_csv_fields:\n fields:\n message: decoded.csv\n separator: \",\"\n ignore_missing: false\n overwrite_keys: true\n trim_leading_space: true\n fail_on_error: true\n\n- extract_array:\n field: decoded.csv\n mappings:\n so.ip_address: '0'\n so.description: '1'\n\n- script:\n lang: javascript\n source: >\n function process(event) {\n var ip = event.Get('so.ip_address');\n var validIpRegex = /^((25[0-5]|2[0-4]\\d|1\\d{2}|[1-9]?\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d{2}|[1-9]?\\d)$/\n if (!validIpRegex.test(ip)) {\n event.Cancel();\n }\n }\n- fingerprint:\n fields: [\"so.ip_address\"]\n target_field: 
\"@metadata._id\"\n", - "custom": "" + "recursive_glob": true, + "clean_inactive": -1, + "harvester_limit": 0, + "fingerprint": false, + "fingerprint_offset": 0, + "fingerprint_length": "64", + "file_identity_native": true, + "exclude_lines": [], + "include_lines": [] } } } @@ -31,5 +43,3 @@ }, "force": true } - - diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-auth-sync-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-auth-sync-logs.json index aa39c177b..f4fd38e9d 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-auth-sync-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-auth-sync-logs.json @@ -1,30 +1,44 @@ { "package": { - "name": "log", + "name": "filestream", "version": "" }, "name": "soc-auth-sync-logs", - "namespace": "so", "description": "Security Onion - Elastic Auth Sync - Logs", "policy_id": "so-grid-nodes_general", + "namespace": "so", "inputs": { - "logs-logfile": { + "filestream-filestream": { "enabled": true, "streams": { - "log.logs": { + "filestream.generic": { "enabled": true, "vars": { "paths": [ "/opt/so/log/soc/sync.log" ], "data_stream.dataset": "soc", - "tags": ["so-soc"], + "pipeline": "common", + "parsers": "#- ndjson:\n# target: \"\"\n# message_key: msg\n#- multiline:\n# type: count\n# count_lines: 3\n", + "exclude_files": [ + "\\.gz$" + ], + "include_files": [], "processors": "- dissect:\n tokenizer: \"%{event.action}\"\n field: \"message\"\n target_prefix: \"\"\n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: auth_sync", - "custom": "pipeline: common" + "tags": [], + "recursive_glob": true, + "clean_inactive": -1, + "harvester_limit": 0, + "fingerprint": false, + "fingerprint_offset": 0, + "fingerprint_length": "64", + "file_identity_native": true, + "exclude_lines": [], + "include_lines": [] } } } } }, "force": true -} +} \ No newline at end of file 
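Review bot: The `so-soc` tag is lost for sync.log: the removed line had `"tags": ["so-soc"]` and the new stream sets `"tags": []`, while soc-server-logs, soc-salt-relay-logs and soc-detections-logs in this same change keep `"so-soc"`. Any saved search, dashboard filter or detection keyed on `tags: so-soc` will silently stop matching auth-sync events once the policy is re-applied (`"force": true`). Unless the drop is deliberate, restore `"tags": ["so-soc"]` here.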
diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-detections-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-detections-logs.json index 5649b481d..f1bdbc922 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-detections-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-detections-logs.json 
@@ -1,35 +1,48 @@ { - "policy_id": "so-grid-nodes_general", "package": { - "name": "log", + "name": "filestream", "version": "" }, "name": "soc-detections-logs", "description": "Security Onion Console - Detections Logs", + "policy_id": "so-grid-nodes_general", "namespace": "so", "inputs": { - "logs-logfile": { + "filestream-filestream": { "enabled": true, "streams": { - "log.logs": { + "filestream.generic": { "enabled": true, "vars": { "paths": [ "/opt/so/log/soc/detections_runtime-status_sigma.log", "/opt/so/log/soc/detections_runtime-status_yara.log" ], - "exclude_files": [], - "ignore_older": "72h", "data_stream.dataset": "soc", + "pipeline": "common", + "parsers": "#- ndjson:\n# target: \"\"\n# message_key: msg\n#- multiline:\n# type: count\n# count_lines: 3\n", + "exclude_files": [ + "\\.gz$" + ], + "include_files": [], + "processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"soc\"\n process_array: true\n max_depth: 2\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: detections\n- rename:\n fields:\n - from: \"soc.fields.sourceIp\"\n to: \"source.ip\"\n - from: \"soc.fields.status\"\n to: \"http.response.status_code\"\n - from: \"soc.fields.method\"\n to: \"http.request.method\"\n - from: \"soc.fields.path\"\n to: \"url.path\"\n - from: \"soc.message\"\n to: \"event.action\"\n - from: \"soc.level\"\n to: \"log.level\"\n ignore_missing: true", "tags": [ "so-soc" ], - "processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"soc\"\n process_array: true\n max_depth: 2\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: detections\n- rename:\n fields:\n - from: \"soc.fields.sourceIp\"\n to: \"source.ip\"\n - from: \"soc.fields.status\"\n to: \"http.response.status_code\"\n - from: \"soc.fields.method\"\n to: \"http.request.method\"\n - from: \"soc.fields.path\"\n to: \"url.path\"\n - from: \"soc.message\"\n to: 
\"event.action\"\n - from: \"soc.level\"\n to: \"log.level\"\n ignore_missing: true", - "custom": "pipeline: common" + "recursive_glob": true, + "ignore_older": "72h", + "clean_inactive": -1, + "harvester_limit": 0, + "fingerprint": false, + "fingerprint_offset": 0, + "fingerprint_length": "64", + "file_identity_native": true, + "exclude_lines": [], + "include_lines": [] } } } } }, "force": true -} +} \ No newline at end of file diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-salt-relay-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-salt-relay-logs.json index cc92092e9..cb08d5b12 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-salt-relay-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-salt-relay-logs.json 
@@ -1,30 +1,46 @@ { "package": { - "name": "log", + "name": "filestream", "version": "" }, "name": "soc-salt-relay-logs", - "namespace": "so", "description": "Security Onion - Salt Relay - Logs", "policy_id": "so-grid-nodes_general", + "namespace": "so", "inputs": { - "logs-logfile": { + "filestream-filestream": { "enabled": true, "streams": { - "log.logs": { + "filestream.generic": { "enabled": true, "vars": { "paths": [ "/opt/so/log/soc/salt-relay.log" ], "data_stream.dataset": "soc", - "tags": ["so-soc"], + "pipeline": "common", + "parsers": "#- ndjson:\n# target: \"\"\n# message_key: msg\n#- multiline:\n# type: count\n# count_lines: 3\n", + "exclude_files": [ + "\\.gz$" + ], + "include_files": [], "processors": "- dissect:\n tokenizer: \"%{soc.ts} | %{event.action}\"\n field: \"message\"\n target_prefix: \"\"\n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: salt_relay", - "custom": "pipeline: common" + "tags": [ + "so-soc" + ], + "recursive_glob": true, + "clean_inactive": -1, + "harvester_limit": 0, + "fingerprint": false, + "fingerprint_offset": 0, + "fingerprint_length": "64", + "file_identity_native": true, + "exclude_lines": [], + "include_lines": [] } } } } }, "force": true -} +} \ No newline at end of file diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-sensoroni-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-sensoroni-logs.json index 61ad057f4..11e686c3d 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-sensoroni-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-sensoroni-logs.json 
@@ -1,30 +1,44 @@ { "package": { - "name": "log", + "name": "filestream", "version": "" }, "name": "soc-sensoroni-logs", - "namespace": "so", "description": "Security Onion - Sensoroni - Logs", "policy_id": "so-grid-nodes_general", + "namespace": "so", "inputs": { - "logs-logfile": { + "filestream-filestream": { "enabled": true, "streams": { - "log.logs": { + "filestream.generic": { "enabled": true, "vars": { "paths": [ "/opt/so/log/sensoroni/sensoroni.log" ], "data_stream.dataset": "soc", - "tags": [], + "pipeline": "common", + "parsers": "#- ndjson:\n# target: \"\"\n# message_key: msg\n#- multiline:\n# type: count\n# count_lines: 3\n", + "exclude_files": [ + "\\.gz$" + ], + "include_files": [], "processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"sensoroni\"\n process_array: true\n max_depth: 2\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: sensoroni\n- rename:\n fields:\n - from: \"sensoroni.fields.sourceIp\"\n to: \"source.ip\"\n - from: \"sensoroni.fields.status\"\n to: \"http.response.status_code\"\n - from: \"sensoroni.fields.method\"\n to: \"http.request.method\"\n - from: \"sensoroni.fields.path\"\n to: \"url.path\"\n - from: \"sensoroni.message\"\n to: \"event.action\"\n - from: \"sensoroni.level\"\n to: \"log.level\"\n ignore_missing: true", - "custom": "pipeline: common" + "tags": [], + "recursive_glob": true, + "clean_inactive": -1, + "harvester_limit": 0, + "fingerprint": false, + "fingerprint_offset": 0, + "fingerprint_length": "64", + "file_identity_native": true, + "exclude_lines": [], + "include_lines": [] } } } } }, - "force": true -} +"force": true +} \ No newline at end of file diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-server-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-server-logs.json index a875e4bfc..decb6b22a 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-server-logs.json 
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-server-logs.json @@ -1,30 +1,46 @@ { "package": { - "name": "log", + "name": "filestream", "version": "" }, "name": "soc-server-logs", - "namespace": "so", "description": "Security Onion Console Logs", "policy_id": "so-grid-nodes_general", + "namespace": "so", "inputs": { - "logs-logfile": { + "filestream-filestream": { "enabled": true, "streams": { - "log.logs": { + "filestream.generic": { "enabled": true, "vars": { "paths": [ "/opt/so/log/soc/sensoroni-server.log" ], "data_stream.dataset": "soc", - "tags": ["so-soc"], + "pipeline": "common", + "parsers": "#- ndjson:\n# target: \"\"\n# message_key: msg\n#- multiline:\n# type: count\n# count_lines: 3\n", + "exclude_files": [ + "\\.gz$" + ], + "include_files": [], "processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"soc\"\n process_array: true\n max_depth: 2\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: server\n- rename:\n fields:\n - from: \"soc.fields.sourceIp\"\n to: \"source.ip\"\n - from: \"soc.fields.status\"\n to: \"http.response.status_code\"\n - from: \"soc.fields.method\"\n to: \"http.request.method\"\n - from: \"soc.fields.path\"\n to: \"url.path\"\n - from: \"soc.message\"\n to: \"event.action\"\n - from: \"soc.level\"\n to: \"log.level\"\n ignore_missing: true", - "custom": "pipeline: common" + "tags": [ + "so-soc" + ], + "recursive_glob": true, + "clean_inactive": -1, + "harvester_limit": 0, + "fingerprint": false, + "fingerprint_offset": 0, + "fingerprint_length": "64", + "file_identity_native": true, + "exclude_lines": [], + "include_lines": [] } } } } }, "force": true -} +} \ No newline at end of file diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/strelka-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/strelka-logs.json index 89e9bbe8e..1f0203a91 100644 
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/strelka-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/strelka-logs.json @@ -1,30 +1,44 @@ { "package": { - "name": "log", + "name": "filestream", "version": "" }, "name": "strelka-logs", - "namespace": "so", - "description": "Strelka logs", + "description": "Strelka Logs", "policy_id": "so-grid-nodes_general", + "namespace": "so", "inputs": { - "logs-logfile": { + "filestream-filestream": { "enabled": true, "streams": { - "log.logs": { + "filestream.generic": { "enabled": true, "vars": { "paths": [ "/nsm/strelka/log/strelka.log" ], "data_stream.dataset": "strelka", - "tags": [], + "pipeline": "strelka.file", + "parsers": "#- ndjson:\n# target: \"\"\n# message_key: msg\n#- multiline:\n# type: count\n# count_lines: 3\n", + "exclude_files": [ + "\\.gz$" + ], + "include_files": [], "processors": "- add_fields:\n target: event\n fields:\n category: file\n module: strelka", - "custom": "pipeline: strelka.file" + "tags": [], + "recursive_glob": true, + "clean_inactive": -1, + "harvester_limit": 0, + "fingerprint": false, + "fingerprint_offset": 0, + "fingerprint_length": "64", + "file_identity_native": true, + "exclude_lines": [], + "include_lines": [] } } } } }, "force": true -} +} \ No newline at end of file diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/suricata-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/suricata-logs.json index c3b04fd86..26dae5225 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/suricata-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/suricata-logs.json 
@@ -1,26 +1,40 @@ { "package": { - "name": "log", + "name": "filestream", "version": "" }, "name": "suricata-logs", - "namespace": "so", "description": "Suricata integration", "policy_id": "so-grid-nodes_general", + "namespace": "so", "inputs": { - "logs-logfile": { + "filestream-filestream": { "enabled": true, "streams": { - "log.logs": { + "filestream.generic": { "enabled": true, "vars": { "paths": [ "/nsm/suricata/eve*.json" ], "data_stream.dataset": "suricata", - "tags": [], + "pipeline": "suricata.common", + "parsers": "#- ndjson:\n# target: \"\"\n# message_key: msg\n#- multiline:\n# type: count\n# count_lines: 3\n", + "exclude_files": [ + "\\.gz$" + ], + "include_files": [], "processors": "- add_fields:\n target: event\n fields:\n category: network\n module: suricata", - "custom": "pipeline: suricata.common" + "tags": [], + "recursive_glob": true, + "clean_inactive": -1, + "harvester_limit": 0, + "fingerprint": false, + "fingerprint_offset": 0, + "fingerprint_length": "64", + "file_identity_native": true, + "exclude_lines": [], + "include_lines": [] } } } diff --git a/salt/elasticfleet/files/integrations/grid-nodes_heavy/elasticsearch-grid-nodes.json b/salt/elasticfleet/files/integrations/grid-nodes_heavy/elasticsearch-grid-nodes.json new file mode 100644 index 000000000..43c0c92b2 --- /dev/null +++ b/salt/elasticfleet/files/integrations/grid-nodes_heavy/elasticsearch-grid-nodes.json 
@@ -0,0 +1,107 @@ +{ + "package": { + "name": "elasticsearch", + "version": "" + }, + "name": "elasticsearch-grid-nodes_heavy", + "namespace": "default", + "description": "Elasticsearch Logs", + "policy_id": "so-grid-nodes_heavy", + "inputs": { + "elasticsearch-logfile": { + "enabled": true, + "streams": { + "elasticsearch.audit": { + "enabled": false, + "vars": { + "paths": [ + "/var/log/elasticsearch/*_audit.json" + ] + } + }, + "elasticsearch.deprecation": { + "enabled": false, + "vars": { + "paths": [ + "/var/log/elasticsearch/*_deprecation.json" + ] + } + }, + "elasticsearch.gc": { + "enabled": false, + "vars": { + "paths": [ + "/var/log/elasticsearch/gc.log.[0-9]*", + "/var/log/elasticsearch/gc.log" + ] + } + }, + "elasticsearch.server": { + "enabled": true, + "vars": { + "paths": [ + "/opt/so/log/elasticsearch/*.json" + ] + } + }, + "elasticsearch.slowlog": { + "enabled": false, + "vars": { + "paths": [ + "/var/log/elasticsearch/*_index_search_slowlog.json", + "/var/log/elasticsearch/*_index_indexing_slowlog.json" + ] + } + } + } + }, + "elasticsearch-elasticsearch/metrics": { + "enabled": false, + "vars": { + "hosts": [ + "http://localhost:9200" + ], + "scope": "node" + }, + "streams": { + "elasticsearch.stack_monitoring.ccr": { + "enabled": false + }, + "elasticsearch.stack_monitoring.cluster_stats": { + "enabled": false + }, + "elasticsearch.stack_monitoring.enrich": { + "enabled": false + }, + "elasticsearch.stack_monitoring.index": { + "enabled": false + }, + "elasticsearch.stack_monitoring.index_recovery": { + "enabled": false, + "vars": { + "active.only": true + } + }, + "elasticsearch.stack_monitoring.index_summary": { + "enabled": false + }, + "elasticsearch.stack_monitoring.ml_job": { + "enabled": false + }, + "elasticsearch.stack_monitoring.node": { + "enabled": false + }, + "elasticsearch.stack_monitoring.node_stats": { + "enabled": false + }, + "elasticsearch.stack_monitoring.pending_tasks": { + "enabled": false + }, + 
"elasticsearch.stack_monitoring.shard": {
+ "enabled": false
+ }
+ }
+ }
+ },
+ "force": true
+}
diff --git a/salt/elasticfleet/install_agent_grid.sls b/salt/elasticfleet/install_agent_grid.sls
index 4a185e0bb..482af2e1e 100644
--- a/salt/elasticfleet/install_agent_grid.sls
+++ b/salt/elasticfleet/install_agent_grid.sls
@@ -8,7 +8,9 @@
 {% endif %}
 {% set AGENT_STATUS = salt['service.available']('elastic-agent') %}
-{% if not AGENT_STATUS %}
+{% set AGENT_EXISTS = salt['file.file_exists']('/opt/Elastic/Agent/elastic-agent') %}
+
+{% if not AGENT_STATUS or not AGENT_EXISTS %}
 pull_agent_installer:
 file.managed:
@@ -19,7 +21,7 @@ pull_agent_installer:
 run_installer:
 cmd.run:
- - name: ./so-elastic-agent_linux_amd64 -token={{ GRIDNODETOKEN }}
+ - name: ./so-elastic-agent_linux_amd64 -token={{ GRIDNODETOKEN }} -force
 - cwd: /opt/so
 - retry:
 attempts: 3
diff --git a/salt/elasticfleet/integration-defaults.map.jinja b/salt/elasticfleet/integration-defaults.map.jinja
index 69ce7f3af..f85a95ec9 100644
--- a/salt/elasticfleet/integration-defaults.map.jinja
+++ b/salt/elasticfleet/integration-defaults.map.jinja
@@ -21,6 +21,7 @@
 'azure_application_insights.app_state': 'azure.app_state',
 'azure_billing.billing': 'azure.billing',
 'azure_functions.metrics': 'azure.function',
+ 'azure_ai_foundry.metrics': 'azure.ai_foundry',
 'azure_metrics.compute_vm_scaleset': 'azure.compute_vm_scaleset',
 'azure_metrics.compute_vm': 'azure.compute_vm',
 'azure_metrics.container_instance': 'azure.container_instance',
diff --git a/salt/elasticfleet/ssl.sls b/salt/elasticfleet/ssl.sls
new file mode 100644
index 000000000..8d19ea68c
--- /dev/null
+++ b/salt/elasticfleet/ssl.sls
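Review bot: The new heavy-node integration sets `"namespace": "default"`, while every other grid-node integration in this directory uses `"namespace": "so"`, so its documents will land in `logs-elasticsearch.server-default` rather than the `-so` data streams the rest of the grid writes to; `"namespace": "so"` looks like the intended value. The enabled `elasticsearch.server` stream reads `/opt/so/log/elasticsearch/*.json`, but the disabled audit, deprecation, gc and slowlog streams still point at `/var/log/elasticsearch/...`, so anyone who later flips one of them on will harvest nothing unless the path is corrected as well — worth aligning them to the `/opt/so/log/elasticsearch/` prefix now. The disabled metrics input lists `http://localhost:9200`, a plain-HTTP endpoint; if it is only a placeholder, a short note to that effect in the commit would save the next reader from enabling it as-is.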
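Review bot: The enrollment token is still passed on the command line (`-token={{ GRIDNODETOKEN }}`), and now that the state also fires whenever `/opt/Elastic/Agent/elastic-agent` is missing and adds `-force`, a re-enrollment can run without any prompt, with the token visible in `ps` output and echoed in the `cmd.run` state result that ends up in the minion log and master job cache. If the installer can read the token from the environment or a file, prefer that; otherwise at least add `- hide_output: True` to `run_installer` so the installer's output is not logged alongside the command. Whether `-force` also discards a valid existing enrollment when only the systemd unit is missing is not visible here — confirm that is acceptable.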
@@ -0,0 +1,186 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
+{% from 'ca/map.jinja' import CA %}
+
+{% if GLOBALS.is_manager or GLOBALS.role in ['so-heavynode', 'so-fleet', 'so-receiver'] %}
+
+{% if grains['role'] not in [ 'so-heavynode', 'so-receiver'] %}
+# Start -- Elastic Fleet Host Cert
+etc_elasticfleet_key:
+ x509.private_key_managed:
+ - name: /etc/pki/elasticfleet-server.key
+ - keysize: 4096
+ - backup: True
+ - new: True
+ {% if salt['file.file_exists']('/etc/pki/elasticfleet-server.key') -%}
+ - prereq:
+ - x509: etc_elasticfleet_crt
+ {%- endif %}
+ - retry:
+ attempts: 5
+ interval: 30
+
+etc_elasticfleet_crt:
+ x509.certificate_managed:
+ - name: /etc/pki/elasticfleet-server.crt
+ - ca_server: {{ CA.server }}
+ - signing_policy: elasticfleet
+ - private_key: /etc/pki/elasticfleet-server.key
+ - CN: {{ GLOBALS.hostname }}
+ - subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
+ - days_remaining: 7
+ - days_valid: 820
+ - backup: True
+ - timeout: 30
+ - retry:
+ attempts: 5
+ interval: 30
+
+efperms:
+ file.managed:
+ - replace: False
+ - name: /etc/pki/elasticfleet-server.key
+ - mode: 640
+ - group: 939
+
+chownelasticfleetcrt:
+ file.managed:
+ - replace: False
+ - name: /etc/pki/elasticfleet-server.crt
+ - mode: 640
+ - user: 947
+ - group: 939
+
+chownelasticfleetkey:
+ file.managed:
+ - replace: False
+ - name: /etc/pki/elasticfleet-server.key
+ - mode: 640
+ - user: 947
+ - group: 939
+# End -- Elastic Fleet Host Cert
+{% endif %} # endif is for not including HeavyNodes & Receivers
+
+
+# Start -- Elastic Fleet Client Cert for Agent (Mutual Auth with Logstash Output)
+etc_elasticfleet_agent_key:
+ x509.private_key_managed:
+ - name: /etc/pki/elasticfleet-agent.key
+ - keysize: 4096
+ - backup: True
+ - new: True
+ {% if salt['file.file_exists']('/etc/pki/elasticfleet-agent.key') -%}
+ - prereq:
+ - x509: etc_elasticfleet_agent_crt
+ {%- endif %}
+ - retry:
+ attempts: 5
+ interval: 30
+
+etc_elasticfleet_agent_crt:
+ x509.certificate_managed:
+ - name: /etc/pki/elasticfleet-agent.crt
+ - ca_server: {{ CA.server }}
+ - signing_policy: elasticfleet
+ - private_key: /etc/pki/elasticfleet-agent.key
+ - CN: {{ GLOBALS.hostname }}
+ - days_remaining: 7
+ - days_valid: 820
+ - backup: True
+ - timeout: 30
+ - retry:
+ attempts: 5
+ interval: 30
+ cmd.run:
+ - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-agent.key -topk8 -out /etc/pki/elasticfleet-agent.p8 -nocrypt"
+ - onchanges:
+ - x509: etc_elasticfleet_agent_key
+
+efagentperms:
+ file.managed:
+ - replace: False
+ - name: /etc/pki/elasticfleet-agent.key
+ - mode: 640
+ - group: 939
+
+chownelasticfleetagentcrt:
+ file.managed:
+ - replace: False
+ - name: /etc/pki/elasticfleet-agent.crt
+ - mode: 640
+ - user: 947
+ - group: 939
+
+chownelasticfleetagentkey:
+ file.managed:
+ - replace: False
+ - name: /etc/pki/elasticfleet-agent.key
+ - mode: 640
+ - user: 947
+ - group: 939
+# End -- Elastic Fleet Client Cert for Agent (Mutual Auth with Logstash Output)
+
+{% endif %}
+
+{% if GLOBALS.role in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone'] %}
+elasticfleet_kafka_key:
+ x509.private_key_managed:
+ - name: /etc/pki/elasticfleet-kafka.key
+ - keysize: 4096
+ - backup: True
+ - new: True
+ {% if salt['file.file_exists']('/etc/pki/elasticfleet-kafka.key') -%}
+ - prereq:
+ - x509: elasticfleet_kafka_crt
+ {%- endif %}
+ - retry:
+ attempts: 5
+ interval: 30
+
+elasticfleet_kafka_crt:
+ x509.certificate_managed:
+ - name: /etc/pki/elasticfleet-kafka.crt
+ - ca_server: {{ CA.server }}
+ - signing_policy: kafka
+ - private_key: /etc/pki/elasticfleet-kafka.key
+ - CN: {{ GLOBALS.hostname }}
+ - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
+ - days_remaining: 7
+ - days_valid: 820
+ - backup: True
+ - timeout: 30
+ - retry:
+ attempts: 5
+ interval: 30
+
+elasticfleet_kafka_cert_perms:
+ file.managed:
+ - replace: False
+ - name: /etc/pki/elasticfleet-kafka.crt
+ - mode: 640
+ - user: 947
+ - group: 939
+
+elasticfleet_kafka_key_perms:
+ file.managed:
+ - replace: False
+ - name: /etc/pki/elasticfleet-kafka.key
+ - mode: 640
+ - user: 947
+ - group: 939
+{% endif %}
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load
index ca260891f..e548c7f86 100644
--- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load
+++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load
@@ -17,9 +17,9 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then
 # Third, configure Elastic Defend Integration seperately
 /usr/sbin/so-elastic-fleet-integration-policy-elastic-defend
+
 # Initial Endpoints
- for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/endpoints-initial/*.json
- do
+ for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/endpoints-initial/*.json; do
 printf "\n\nInitial Endpoints Policy - Loading $INTEGRATION\n"
 elastic_fleet_integration_check "endpoints-initial" "$INTEGRATION"
 if [ -n "$INTEGRATION_ID" ]; then
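Review bot: The unencrypted PKCS#8 copy of the agent key written by the `cmd.run` attached to `etc_elasticfleet_agent_crt` (`openssl pkcs8 ... -out /etc/pki/elasticfleet-agent.p8 -nocrypt`) gets no `file.managed` state, unlike `elasticfleet-agent.key` and `.crt`, which are pinned to `640` / `947:939`; the `.p8` will be created with whatever umask the minion runs under — presumably 0644 and root-owned, i.e. world-readable and, at the same time, not owned by the uid 947 that the sibling files are given. Add a permissions state for it as below (`create: False` so the state never manufactures an empty key file when the conversion has not run). Two smaller points: `efperms` and `chownelasticfleetkey` (and likewise `efagentperms` / `chownelasticfleetagentkey`) both manage the same key file with different argument sets, so the first of each pair is redundant; and the Kafka SAN `DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}` carries a space after the comma that the server-cert SAN does not — confirm the x509 module tolerates it, or drop the space for consistency.
```yaml
# … unchanged: etc_elasticfleet_agent_crt (x509.certificate_managed + pkcs8 cmd.run) …

chownelasticfleetagentp8:
  file.managed:
    - replace: False
    - create: False
    - name: /etc/pki/elasticfleet-agent.p8
    - mode: 640
    - user: 947
    - group: 939
    - require:
      - cmd: etc_elasticfleet_agent_crt

# … unchanged: efagentperms / chownelasticfleetagentcrt / chownelasticfleetagentkey …
```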
@@ -40,8 +40,7 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then
 done
 # Grid Nodes - General
- for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/grid-nodes_general/*.json
- do
+ for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/grid-nodes_general/*.json; do
 printf "\n\nGrid Nodes Policy_General - Loading $INTEGRATION\n"
 elastic_fleet_integration_check "so-grid-nodes_general" "$INTEGRATION"
 if [ -n "$INTEGRATION_ID" ]; then
@@ -60,13 +59,9 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then
 fi
 fi
 done
- if [[ "$RETURN_CODE" != "1" ]]; then
- touch /opt/so/state/eaintegrations.txt
- fi
 # Grid Nodes - Heavy
- for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/grid-nodes_heavy/*.json
- do
+ for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/grid-nodes_heavy/*.json; do
 printf "\n\nGrid Nodes Policy_Heavy - Loading $INTEGRATION\n"
 elastic_fleet_integration_check "so-grid-nodes_heavy" "$INTEGRATION"
 if [ -n "$INTEGRATION_ID" ]; then
@@ -78,22 +73,16 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then
 fi
 else
 printf "\n\nIntegration does not exist - Creating integration\n"
- if [ "$NAME" != "elasticsearch-logs" ]; then
- if ! elastic_fleet_integration_create "@$INTEGRATION"; then
- echo -e "\nFailed to create integration for ${INTEGRATION##*/}"
- RETURN_CODE=1
- continue
- fi
+ if ! elastic_fleet_integration_create "@$INTEGRATION"; then
+ echo -e "\nFailed to create integration for ${INTEGRATION##*/}"
+ RETURN_CODE=1
+ continue
 fi
 fi
 done
- if [[ "$RETURN_CODE" != "1" ]]; then
- touch /opt/so/state/eaintegrations.txt
- fi
 # Fleet Server - Optional integrations
- for INTEGRATION in /opt/so/conf/elastic-fleet/integrations-optional/FleetServer*/*.json
- do
+ for INTEGRATION in /opt/so/conf/elastic-fleet/integrations-optional/FleetServer*/*.json; do
 if ! [ "$INTEGRATION" == "/opt/so/conf/elastic-fleet/integrations-optional/FleetServer*/*.json" ]; then
 FLEET_POLICY=`echo "$INTEGRATION"| cut -d'/' -f7`
 printf "\n\nFleet Server Policy - Loading $INTEGRATION\n"
@@ -117,6 +106,8 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then
 fi
 fi
 done
+
+ # Only create the state file if all policies were created/updated successfully
 if [[ "$RETURN_CODE" != "1" ]]; then
 touch /opt/so/state/eaintegrations.txt
 fi
diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade
index 449d26c99..0729531d3 100644
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade
@@ -14,7 +14,7 @@ if ! is_manager_node; then
 fi
 # Get current list of Grid Node Agents that need to be upgraded
-RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "http://localhost:5601/api/fleet/agents?perPage=20&page=1&kuery=NOT%20agent.version%20:%20%22{{ELASTICSEARCHDEFAULTS.elasticsearch.version}}%22%20and%20policy_id%20:%20%22so-grid-nodes_general%22&showInactive=false&getStatusSummary=true")
+RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "http://localhost:5601/api/fleet/agents?perPage=20&page=1&kuery=NOT%20agent.version%3A%20{{ELASTICSEARCHDEFAULTS.elasticsearch.version}}%20AND%20policy_id%3A%20so-grid-nodes_%2A&showInactive=false&getStatusSummary=true" --retry 3 --retry-delay 30 --fail 2>/dev/null)
 # Check to make sure that the server responded with good data - else, bail from script
 CHECKSUM=$(jq -r '.page' <<< "$RAW_JSON")
diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-es-url-update b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-es-url-update
index 3da6b3e78..17086bf1a 100644
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-es-url-update
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-es-url-update
@@ -26,7 +26,7 @@ function update_es_urls() {
 }
 # Get current list of Fleet Elasticsearch URLs
-RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/outputs/so-manager_elasticsearch')
+RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/outputs/so-manager_elasticsearch' --retry 3 --retry-delay 30 --fail 2>/dev/null)
 # Check to make sure that the server responded with good data - else, bail from script
 CHECKSUM=$(jq -r '.item.id' <<< "$RAW_JSON")
diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-optional-integrations-load b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-optional-integrations-load
index 01777e5da..8c0f627ef 100644
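Review bot: The kuery is widened to `policy_id: so-grid-nodes_*`, but the request still asks for `perPage=20&page=1`, so at most 20 outdated agents across all grid-node policies come back per run; on a larger grid the tail of the list is only reached by re-running the script, unless the code after `CHECKSUM` (outside this hunk) already pages. Either raise `perPage` or loop while the response's `total` exceeds what has been processed. The version is now unquoted in the kuery (`agent.version%3A%20{{...}}`), which is what the `_%2A` wildcard on the policy id needs, but a version string with a suffix such as `-SNAPSHOT` may then no longer parse as one KQL token — keeping the `%22` quotes around the version value only would avoid that.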
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-optional-integrations-load
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-optional-integrations-load
@@ -86,7 +86,7 @@ if [[ -f $STATE_FILE_SUCCESS ]]; then
 latest_package_list=$(/usr/sbin/so-elastic-fleet-package-list)
 echo '{ "packages" : []}' > $BULK_INSTALL_PACKAGE_LIST
 rm -f $INSTALLED_PACKAGE_LIST
- echo $latest_package_list | jq '{packages: [.items[] | {name: .name, latest_version: .version, installed_version: .savedObject.attributes.install_version, subscription: .conditions.elastic.subscription }]}' >> $INSTALLED_PACKAGE_LIST
+ echo $latest_package_list | jq '{packages: [.items[] | {name: .name, latest_version: .version, installed_version: .installationInfo.version, subscription: .conditions.elastic.subscription }]}' >> $INSTALLED_PACKAGE_LIST
 while read -r package; do
 # get package details
diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update
index 58baadca5..f045bf753 100644
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update
@@ -142,7 +142,7 @@ function update_kafka_outputs() {
 {% if GLOBALS.pipeline == "KAFKA" %}
 # Get current list of Kafka Outputs
- RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/outputs/so-manager_kafka')
+ RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/outputs/so-manager_kafka' --retry 3 --retry-delay 30 --fail 2>/dev/null)
 # Check to make sure that the server responded with good data - else, bail from script
 CHECKSUM=$(jq -r '.item.id' <<< "$RAW_JSON")
@@ -168,7 +168,7 @@ function update_kafka_outputs() {
 {# If global pipeline isn't set to KAFKA then assume default of REDIS / logstash #}
 {% else %}
 # Get current list of Logstash Outputs
- RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/outputs/so-manager_logstash')
+ RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/outputs/so-manager_logstash' --retry 3 --retry-delay 30 --fail 2>/dev/null)
 # Check to make sure that the server responded with good data - else, bail from script
 CHECKSUM=$(jq -r '.item.id' <<< "$RAW_JSON")
diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
index 446fc6c9a..5e0dc0c69 100755
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
@@ -241,9 +241,11 @@ printf '%s\n'\
 "" >> "$global_pillar_file"
 # Call Elastic-Fleet Salt State
+printf "\nApplying elasticfleet state"
 salt-call state.apply elasticfleet queue=True
 # Generate installers & install Elastic Agent on the node
 so-elastic-agent-gen-installers
+printf "\nApplying elasticfleet.install_agent_grid state"
 salt-call state.apply elasticfleet.install_agent_grid queue=True
 exit 0
diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update
index 5f7637cd3..d841b39e4 100644
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update
@@ -23,7 +23,7 @@ function update_fleet_urls() {
}
# Get current list of Fleet Server URLs
-RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/fleet_server_hosts/grid-default')
+RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/fleet_server_hosts/grid-default' --retry 3 --retry-delay 30 --fail 2>/dev/null)
# Check to make sure that the server responded with good data - else, bail from script
CHECKSUM=$(jq -r '.item.id' <<< "$RAW_JSON")
diff --git a/salt/elasticfleet/tools/sbin_jinja/so-kafka-fleet-output-policy b/salt/elasticfleet/tools/sbin_jinja/so-kafka-fleet-output-policy
index d44a5cb6c..2e44a4a36 100644
--- a/salt/elasticfleet/tools/sbin_jinja/so-kafka-fleet-output-policy
+++ b/salt/elasticfleet/tools/sbin_jinja/so-kafka-fleet-output-policy
@@ -34,6 +34,11 @@ if [[ "$RETURN_CODE" != "0" ]]; then
exit 1
fi
+if [[ ! -f /etc/pki/elasticfleet-kafka.crt || ! -f /etc/pki/elasticfleet-kafka.key ]]; then
+ echo -e "\nKafka certificates not found, can't setup Elastic Fleet output policy for Kafka...\n"
+ exit 1
+fi
+
KAFKACRT=$(openssl x509 -in /etc/pki/elasticfleet-kafka.crt)
KAFKAKEY=$(openssl rsa -in /etc/pki/elasticfleet-kafka.key)
KAFKACA=$(openssl x509 -in /etc/pki/tls/certs/intca.crt)
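Review bot: The new guard tests only `-f`, but what the lines after it need is a readable, parseable key: if `/etc/pki/elasticfleet-kafka.key` exists with the wrong permissions or is not an RSA key, `openssl rsa` fails, `$KAFKAKEY` is empty, and unless the script runs under `set -e` (not visible in the hunk) that empty string is interpolated into the output policy posted to Kibana. Test readability and fail on the substitution itself: `if [[ ! -r /etc/pki/elasticfleet-kafka.crt || ! -r /etc/pki/elasticfleet-kafka.key ]]; then` and `KAFKAKEY=$(openssl rsa -in /etc/pki/elasticfleet-kafka.key) || exit 1`. The intermediate CA read on the last line, `/etc/pki/tls/certs/intca.crt`, is not covered by the check either.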
@@ -47,7 +52,7 @@ if ! kafka_output=$(curl -sK /opt/so/conf/elasticsearch/curl.config -L "http://l --arg KAFKACA "$KAFKACA" \ --arg MANAGER_IP "{{ GLOBALS.manager_ip }}:9092" \ --arg KAFKA_OUTPUT_VERSION "$KAFKA_OUTPUT_VERSION" \ - '{"name":"grid-kafka", "id":"so-manager_kafka","type":"kafka","hosts":[ $MANAGER_IP ],"is_default":false,"is_default_monitoring":false,"config_yaml":"","ssl":{"certificate_authorities":[ $KAFKACA ],"certificate": $KAFKACRT ,"key":"","verification_mode":"full"},"proxy_id":null,"client_id":"Elastic","version": $KAFKA_OUTPUT_VERSION ,"compression":"none","auth_type":"ssl","partition":"round_robin","round_robin":{"group_events":10},"topics":[{"topic":"default-securityonion"}],"headers":[{"key":"","value":""}],"timeout":30,"broker_timeout":30,"required_acks":1,"secrets":{"ssl":{"key": $KAFKAKEY }}}' + '{"name":"grid-kafka", "id":"so-manager_kafka","type":"kafka","hosts":[ $MANAGER_IP ],"is_default":false,"is_default_monitoring":false,"config_yaml":"","ssl":{"certificate_authorities":[ $KAFKACA ],"certificate": $KAFKACRT ,"key":"","verification_mode":"full"},"proxy_id":null,"client_id":"Elastic","version": $KAFKA_OUTPUT_VERSION ,"compression":"none","auth_type":"ssl","partition":"round_robin","round_robin":{"group_events":10},"topic":"default-securityonion","headers":[{"key":"","value":""}],"timeout":30,"broker_timeout":30,"required_acks":1,"secrets":{"ssl":{"key": $KAFKAKEY }}}' ) if ! response=$(curl -sK /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/outputs" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" --fail 2>/dev/null); then echo -e "\nFailed to setup Elastic Fleet output policy for Kafka...\n" 
@@ -67,7 +72,7 @@ elif kafka_output=$(curl -sK /opt/so/conf/elasticsearch/curl.config -L "http://l --arg ENABLED_DISABLED "$ENABLED_DISABLED"\ --arg KAFKA_OUTPUT_VERSION "$KAFKA_OUTPUT_VERSION" \ --argjson HOSTS "$HOSTS" \ - '{"name":"grid-kafka","type":"kafka","hosts":$HOSTS,"is_default":$ENABLED_DISABLED,"is_default_monitoring":$ENABLED_DISABLED,"config_yaml":"","ssl":{"certificate_authorities":[ $KAFKACA ],"certificate": $KAFKACRT ,"key":"","verification_mode":"full"},"proxy_id":null,"client_id":"Elastic","version": $KAFKA_OUTPUT_VERSION ,"compression":"none","auth_type":"ssl","partition":"round_robin","round_robin":{"group_events":10},"topics":[{"topic":"default-securityonion"}],"headers":[{"key":"","value":""}],"timeout":30,"broker_timeout":30,"required_acks":1,"secrets":{"ssl":{"key": $KAFKAKEY }}}' + '{"name":"grid-kafka","type":"kafka","hosts":$HOSTS,"is_default":$ENABLED_DISABLED,"is_default_monitoring":$ENABLED_DISABLED,"config_yaml":"","ssl":{"certificate_authorities":[ $KAFKACA ],"certificate": $KAFKACRT ,"key":"","verification_mode":"full"},"proxy_id":null,"client_id":"Elastic","version": $KAFKA_OUTPUT_VERSION ,"compression":"none","auth_type":"ssl","partition":"round_robin","round_robin":{"group_events":10},"topic":"default-securityonion","headers":[{"key":"","value":""}],"timeout":30,"broker_timeout":30,"required_acks":1,"secrets":{"ssl":{"key": $KAFKAKEY }}}' ) if ! response=$(curl -sK /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/outputs/so-manager_kafka" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" --fail 2>/dev/null); then echo -e "\nFailed to force update to Elastic Fleet output policy for Kafka...\n" diff --git a/salt/elasticsearch/ca.sls b/salt/elasticsearch/ca.sls index 188450311..39d33919c 100644 --- a/salt/elasticsearch/ca.sls +++ b/salt/elasticsearch/ca.sls 
@@ -26,14 +26,14 @@ catrustscript: GLOBALS: {{ GLOBALS }} {% endif %} -cacertz: +elasticsearch_cacerts: file.managed: - name: /opt/so/conf/ca/cacerts - source: salt://elasticsearch/cacerts - user: 939 - group: 939 -capemz: +elasticsearch_capems: file.managed: - name: /opt/so/conf/ca/tls-ca-bundle.pem - source: salt://elasticsearch/tls-ca-bundle.pem diff --git a/salt/elasticsearch/config.sls b/salt/elasticsearch/config.sls index 147975bb1..38cd73ffc 100644 --- a/salt/elasticsearch/config.sls +++ b/salt/elasticsearch/config.sls @@ -5,11 +5,6 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} - -include: - - ssl - - elasticsearch.ca - {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'elasticsearch/config.map.jinja' import ELASTICSEARCHMERGED %} diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index c9f77aa7d..c9f771a91 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -1,11 +1,13 @@ elasticsearch: enabled: false - version: 8.18.8 + version: 9.0.8 index_clean: true config: action: destructive_requires_name: true cluster: + logsdb: + enabled: false routing: allocation: disk: @@ -691,7 +693,6 @@ elasticsearch: match_mapping_type: string settings: index: - final_pipeline: .fleet_final_pipeline-1 lifecycle: name: so-import-logs mapping: 
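Review bot: Dropping `include: - ssl - elasticsearch.ca` from `elasticsearch.config` means this state no longer guarantees that the CA bundle and node certificate exist before the Elasticsearch configuration is written; that ordering now appears to live only in `elasticsearch.enabled`, which elsewhere in this commit includes `ca`, `elasticsearch.ca` and `elasticsearch.ssl`. Anything that applies `elasticsearch.config` on its own, or a future state that includes it expecting certificates to be present, silently loses that guarantee. A one-line comment where the include used to be, `# CA and certificate provisioning is ordered by elasticsearch.enabled; this state is not meant to be applied standalone`, would record the intent.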
@@ -857,53 +858,13 @@ elasticsearch: composed_of: - agent-mappings - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - container-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - event-mappings - - dtc-event-mappings - file-mappings - - dtc-file-mappings - - group-mappings - host-mappings - dtc-host-mappings - http-mappings - dtc-http-mappings - - log-mappings - metadata-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - common-settings - common-dynamic-mappings data_stream: diff --git a/salt/elasticsearch/enabled.sls b/salt/elasticsearch/enabled.sls index 49f34314b..0eb9194fb 100644 --- a/salt/elasticsearch/enabled.sls +++ b/salt/elasticsearch/enabled.sls @@ -14,6 +14,9 @@ {% from 'elasticsearch/template.map.jinja' import ES_INDEX_SETTINGS %} include: + - ca + - elasticsearch.ca + - elasticsearch.ssl - elasticsearch.config - elasticsearch.sostatus 
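Review bot: This template (its name is above the hunk) loses roughly forty ECS component mappings — `source-mappings`, `destination-mappings`, `network-mappings`, `process-mappings`, `tls-mappings`, `user_agent-mappings` and the rest — and keeps only agent, event, file, host, http and metadata. If documents in this data stream still carry those fields they will now be typed by `common-dynamic-mappings` instead of the explicit ECS definitions, and fields that were `ip` or `long` could land as `keyword`, which breaks CIDR and range queries in detections and dashboards. I cannot see the dynamic templates from here, so this may well be intentional if the Fleet-managed integration templates now supply them; a YAML comment above `composed_of:` stating where the remaining ECS fields come from would make that explicit.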
@@ -61,11 +64,7 @@ so-elasticsearch: - /nsm/elasticsearch:/usr/share/elasticsearch/data:rw - /opt/so/log/elasticsearch:/var/log/elasticsearch:rw - /opt/so/conf/ca/cacerts:/usr/share/elasticsearch/jdk/lib/security/cacerts:ro - {% if GLOBALS.is_manager %} - - /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro - {% else %} - /etc/pki/tls/certs/intca.crt:/usr/share/elasticsearch/config/ca.crt:ro - {% endif %} - /etc/pki/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt:ro - /etc/pki/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key:ro - /etc/pki/elasticsearch.p12:/usr/share/elasticsearch/config/elasticsearch.p12:ro @@ -82,22 +81,21 @@ so-elasticsearch: {% endfor %} {% endif %} - watch: - - file: cacertz + - file: trusttheca + - x509: elasticsearch_crt + - x509: elasticsearch_key + - file: elasticsearch_cacerts - file: esyml - require: + - file: trusttheca + - x509: elasticsearch_crt + - x509: elasticsearch_key + - file: elasticsearch_cacerts - file: esyml - file: eslog4jfile - file: nsmesdir - file: eslogdir - - file: cacertz - - x509: /etc/pki/elasticsearch.crt - - x509: /etc/pki/elasticsearch.key - file: elasticp12perms - {% if GLOBALS.is_manager %} - - x509: pki_public_ca_crt - {% else %} - - x509: trusttheca - {% endif %} - cmd: auth_users_roles_inode - cmd: auth_users_inode diff --git a/salt/elasticsearch/files/ingest/global@custom b/salt/elasticsearch/files/ingest/global@custom index 8e48eb0b9..bafb783a4 100644 --- a/salt/elasticsearch/files/ingest/global@custom +++ b/salt/elasticsearch/files/ingest/global@custom 
@@ -1,31 +1,212 @@ { - "version": 3, - "_meta": { - "managed_by": "securityonion", - "managed": true - }, - "description": "Custom pipeline for processing all incoming Fleet Agent documents. \n", - "processors": [ - { "set": { "ignore_failure": true, "field": "event.module", "value": "elastic_agent" } }, - { "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "module_temp" } }, - { "split": { "if": "ctx.data_stream?.dataset != null && ctx.data_stream?.dataset.contains('.')", "field":"data_stream.dataset", "separator":"\\.", "target_field":"datastream_dataset_temp", "ignore_missing":true } }, - { "set": { "if": "ctx.module_temp != null", "override": true, "field": "event.module", "value": "{{module_temp.0}}" } }, - { "set": { "if": "ctx.datastream_dataset_temp != null && ctx.datastream_dataset_temp[0] == 'network_traffic'", "field":"event.module", "value":"{{ datastream_dataset_temp.0 }}", "ignore_failure":true, "ignore_empty_value":true, "description":"Fix EA network packet capture" } }, - { "gsub": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "pattern": "^[^.]*.", "replacement": "", "target_field": "dataset_tag_temp" } }, - { "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp}}", "allow_duplicates": false } }, - { "set": { "if": "ctx.network?.direction == 'egress'", "override": true, "field": "network.initiated", "value": "true" } }, - { "set": { "if": "ctx.network?.direction == 'ingress'", "override": true, "field": "network.initiated", "value": "false" } }, - { "set": { "if": "ctx.network?.type == 'ipv4'", "override": true, "field": "destination.ipv6", "value": "false" } }, - { "set": { "if": "ctx.network?.type == 'ipv6'", "override": true, "field": "destination.ipv6", "value": "true" } }, - { "set": { "if": "ctx.tags != null && ctx.tags.contains('import')", "override": 
true, "field": "data_stream.dataset", "value": "import" } }, - { "set": { "if": "ctx.tags != null && ctx.tags.contains('import')", "override": true, "field": "data_stream.namespace", "value": "so" } }, - { "community_id":{ "if": "ctx.event?.dataset == 'endpoint.events.network'", "ignore_failure":true } }, - { "set": { "if": "ctx.event?.module == 'fim'", "override": true, "field": "event.module", "value": "file_integrity" } }, - { "rename": { "if": "ctx.winlog?.provider_name == 'Microsoft-Windows-Windows Defender'", "ignore_missing": true, "field": "winlog.event_data.Threat Name", "target_field": "winlog.event_data.threat_name" } }, - { "set": { "if": "ctx?.metadata?.kafka != null" , "field": "kafka.id", "value": "{{metadata.kafka.partition}}{{metadata.kafka.offset}}{{metadata.kafka.timestamp}}", "ignore_failure": true } }, - { "set": { "if": "ctx.event?.dataset != null && ctx.event?.dataset == 'elasticsearch.server'", "field": "event.module", "value":"elasticsearch" }}, - {"append": {"field":"related.ip","value":["{{source.ip}}","{{destination.ip}}"],"allow_duplicates":false,"if":"ctx?.event?.dataset == 'endpoint.events.network' && ctx?.source?.ip != null","ignore_failure":true}}, - {"foreach": {"field":"host.ip","processor":{"append":{"field":"related.ip","value":"{{_ingest._value}}","allow_duplicates":false}},"if":"ctx?.event?.module == 'endpoint' && ctx?.host?.ip != null","ignore_missing":true, "description":"Extract IPs from Elastic Agent events (host.ip) and adds them to related.ip"}}, - { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp", "datastream_dataset_temp" ], "ignore_missing": true, "ignore_failure": true } } - ] -} + "version": 3, + "_meta": { + "managed_by": "securityonion", + "managed": true + }, + "description": "Custom pipeline for processing all incoming Fleet Agent documents. 
\n", + "processors": [ + { + "set": { + "ignore_failure": true, + "field": "event.module", + "value": "elastic_agent" + } + }, + { + "split": { + "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", + "field": "event.dataset", + "separator": "\\.", + "target_field": "module_temp" + } + }, + { + "split": { + "if": "ctx.data_stream?.dataset != null && ctx.data_stream?.dataset.contains('.')", + "field": "data_stream.dataset", + "separator": "\\.", + "target_field": "datastream_dataset_temp", + "ignore_missing": true + } + }, + { + "set": { + "if": "ctx.module_temp != null", + "override": true, + "field": "event.module", + "value": "{{module_temp.0}}" + } + }, + { + "set": { + "if": "ctx.datastream_dataset_temp != null && ctx.datastream_dataset_temp[0] == 'network_traffic'", + "field": "event.module", + "value": "{{ datastream_dataset_temp.0 }}", + "ignore_failure": true, + "ignore_empty_value": true, + "description": "Fix EA network packet capture" + } + }, + { + "gsub": { + "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", + "field": "event.dataset", + "pattern": "^[^.]*.", + "replacement": "", + "target_field": "dataset_tag_temp" + } + }, + { + "append": { + "if": "ctx.dataset_tag_temp != null", + "field": "tags", + "value": "{{dataset_tag_temp}}", + "allow_duplicates": false + } + }, + { + "set": { + "if": "ctx.network?.direction == 'egress'", + "override": true, + "field": "network.initiated", + "value": "true" + } + }, + { + "set": { + "if": "ctx.network?.direction == 'ingress'", + "override": true, + "field": "network.initiated", + "value": "false" + } + }, + { + "set": { + "if": "ctx.network?.type == 'ipv4'", + "override": true, + "field": "destination.ipv6", + "value": "false" + } + }, + { + "set": { + "if": "ctx.network?.type == 'ipv6'", + "override": true, + "field": "destination.ipv6", + "value": "true" + } + }, + { + "set": { + "if": "ctx.tags != null && ctx.tags.contains('import')", + "override": true, + "field": 
"data_stream.dataset", + "value": "import" + } + }, + { + "set": { + "if": "ctx.tags != null && ctx.tags.contains('import')", + "override": true, + "field": "data_stream.namespace", + "value": "so" + } + }, + { + "community_id": { + "if": "ctx.event?.dataset == 'endpoint.events.network'", + "ignore_failure": true + } + }, + { + "set": { + "if": "ctx.event?.module == 'fim'", + "override": true, + "field": "event.module", + "value": "file_integrity" + } + }, + { + "rename": { + "if": "ctx.winlog?.provider_name == 'Microsoft-Windows-Windows Defender'", + "ignore_missing": true, + "field": "winlog.event_data.Threat Name", + "target_field": "winlog.event_data.threat_name" + } + }, + { + "set": { + "if": "ctx?.metadata?.kafka != null", + "field": "kafka.id", + "value": "{{metadata.kafka.partition}}{{metadata.kafka.offset}}{{metadata.kafka.timestamp}}", + "ignore_failure": true + } + }, + { + "set": { + "if": "ctx.event?.dataset != null && ctx.event?.dataset == 'elasticsearch.server'", + "field": "event.module", + "value": "elasticsearch" + } + }, + { + "append": { + "field": "related.ip", + "value": [ + "{{source.ip}}", + "{{destination.ip}}" + ], + "allow_duplicates": false, + "if": "ctx?.event?.dataset == 'endpoint.events.network' && ctx?.source?.ip != null", + "ignore_failure": true + } + }, + { + "foreach": { + "field": "host.ip", + "processor": { + "append": { + "field": "related.ip", + "value": "{{_ingest._value}}", + "allow_duplicates": false + } + }, + "if": "ctx?.event?.module == 'endpoint' && ctx?.host?.ip != null", + "ignore_missing": true, + "description": "Extract IPs from Elastic Agent events (host.ip) and adds them to related.ip" + } + }, + { + "pipeline": { + "name": ".fleet_final_pipeline-1", + "ignore_missing_pipeline": true + } + }, + { + "remove": { + "field": "event.agent_id_status", + "ignore_missing": true, + "if": "ctx?.event?.agent_id_status == 'auth_metadata_missing'" + } + }, + { + "remove": { + "field": [ + "message2", + "type", + "fields", + 
"category", + "module", + "dataset", + "event.dataset_temp", + "dataset_tag_temp", + "module_temp", + "datastream_dataset_temp" + ], + "ignore_missing": true, + "ignore_failure": true + } + } + ] +} \ No newline at end of file diff --git a/salt/elasticsearch/files/ingest/kratos b/salt/elasticsearch/files/ingest/kratos index 9551dad24..b3410d9fd 100644 --- a/salt/elasticsearch/files/ingest/kratos +++ b/salt/elasticsearch/files/ingest/kratos 
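Review bot: The new `pipeline` processor calls `.fleet_final_pipeline-1` with `ignore_missing_pipeline: true`, and the `remove` right after it deletes `event.agent_id_status` whenever it equals `auth_metadata_missing`; together these make a document that never went through agent-id verification, or that arrived without Fleet API-key metadata, indistinguishable from a verified one. If dropping that status is deliberate (events relayed through Logstash or Kafka presumably never carry the metadata), say so on the processor, e.g. `"description": "Drop agent_id_status=auth_metadata_missing: events relayed without a Fleet API key would otherwise be flagged as unverified"`, and add a matching description on the `pipeline` processor explaining why its absence is tolerated. Other statuses the Fleet pipeline may set, such as `mismatch`, are left intact, which looks right; I cannot see that pipeline from here, so confirm those are the only values that matter for triage.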
@@ -1,9 +1,98 @@ { - "description" : "kratos", - "processors" : [ - {"set":{"field":"audience","value":"access","override":false,"ignore_failure":true}}, - {"set":{"field":"event.dataset","ignore_empty_value":true,"ignore_failure":true,"value":"kratos.{{{audience}}}","media_type":"text/plain"}}, - {"set":{"field":"event.action","ignore_failure":true,"copy_from":"msg" }}, - { "pipeline": { "name": "common" } } - ] + "description": "kratos", + "processors": [ + { + "set": { + "field": "audience", + "value": "access", + "override": false, + "ignore_failure": true + } + }, + { + "set": { + "field": "event.dataset", + "ignore_empty_value": true, + "ignore_failure": true, + "value": "kratos.{{{audience}}}", + "media_type": "text/plain" + } + }, + { + "set": { + "field": "event.action", + "ignore_failure": true, + "copy_from": "msg" + } + }, + { + "rename": { + "field": "http_request", + "target_field": "http.request", + "ignore_failure": true, + "ignore_missing": true + } + }, + { + "rename": { + "field": "http_response", + "target_field": "http.response", + "ignore_failure": true, + "ignore_missing": true + } + }, + { + "rename": { + "field": "http.request.path", + "target_field": "http.uri", + "ignore_failure": true, + "ignore_missing": true + } + }, + { + "rename": { + "field": "http.request.method", + "target_field": "http.method", + "ignore_failure": true, + "ignore_missing": true + } + }, + { + "rename": { + "field": "http.request.method", + "target_field": "http.method", + "ignore_failure": true, + "ignore_missing": true + } + }, + { + "rename": { + "field": "http.request.query", + "target_field": "http.query", + "ignore_failure": true, + "ignore_missing": true + } + }, + { + "rename": { + "field": "http.request.headers.user-agent", + "target_field": "http.useragent", + "ignore_failure": true, + "ignore_missing": true + } + }, + { + "rename": { + "field": "file", + "target_field": "file.path", + "ignore_failure": true, + "ignore_missing": true + } + }, + { + 
"pipeline": { + "name": "common" + } + } + ] } \ No newline at end of file diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 7fd4f8329..674c7a569 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -27,6 +27,13 @@ elasticsearch: readonly: True global: True helpLink: elasticsearch.html + logsdb: + enabled: + description: Enables or disables the Elasticsearch logsdb index mode. When enabled, most logs-* datastreams will convert to logsdb from standard after rolling over. + forcedType: bool + global: True + advanced: True + helpLink: elasticsearch.html routing: allocation: disk: @@ -77,13 +84,6 @@ elasticsearch: custom008: *pipelines custom009: *pipelines custom010: *pipelines - managed_integrations: - description: List of integrations to add into SOC config UI. Enter the full or partial integration name. Eg. 1password, 1pass - forcedType: "[]string" - multiline: True - global: True - advanced: True - helpLink: elasticsearch.html index_settings: global_overrides: index_template: diff --git a/salt/elasticsearch/ssl.sls b/salt/elasticsearch/ssl.sls new file mode 100644 index 000000000..a2d327830 --- /dev/null +++ b/salt/elasticsearch/ssl.sls 
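Review bot: The `rename` of `http.request.method` to `http.method` appears twice in a row; the second is a no-op because of `ignore_missing`, so delete the duplicate block. These are presumably the Kratos authentication logs (the `kratos.{{{audience}}}` dataset naming suggests so) and only `user-agent` is lifted out of `http.request.headers`; whatever else the source emits under that object is indexed as-is, so confirm it does not include cookie or authorization headers before this lands. A short `description` on the first `rename` naming the source log format would help the next reader.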
@@ -0,0 +1,66 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% from 'ca/map.jinja' import CA %}
+
+# Create a cert for elasticsearch
+elasticsearch_key:
+ x509.private_key_managed:
+ - name: /etc/pki/elasticsearch.key
+ - keysize: 4096
+ - backup: True
+ - new: True
+ {% if salt['file.file_exists']('/etc/pki/elasticsearch.key') -%}
+ - prereq:
+ - x509: /etc/pki/elasticsearch.crt
+ {%- endif %}
+ - retry:
+ attempts: 5
+ interval: 30
+
+elasticsearch_crt:
+ x509.certificate_managed:
+ - name: /etc/pki/elasticsearch.crt
+ - ca_server: {{ CA.server }}
+ - signing_policy: registry
+ - private_key: /etc/pki/elasticsearch.key
+ - CN: {{ GLOBALS.hostname }}
+ - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
+ - days_remaining: 7
+ - days_valid: 820
+ - backup: True
+ - timeout: 30
+ - retry:
+ attempts: 5
+ interval: 30
+ cmd.run:
+ - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/elasticsearch.key -in /etc/pki/elasticsearch.crt -export -out /etc/pki/elasticsearch.p12 -nodes -passout pass:"
+ - onchanges:
+ - x509: /etc/pki/elasticsearch.key
+
+elastickeyperms:
+ file.managed:
+ - replace: False
+ - name: /etc/pki/elasticsearch.key
+ - mode: 640
+ - group: 930
+
+elasticp12perms:
+ file.managed:
+ - replace: False
+ - name: /etc/pki/elasticsearch.p12
+ - mode: 640
+ - group: 930
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
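Review bot: `elasticsearch_key` creates `/etc/pki/elasticsearch.key` without `mode` or `group`, and the `cmd.run` under `elasticsearch_crt` writes an unencrypted PKCS#12 (`-nodes`, `-passout pass:`) with whatever umask salt-minion runs under; both files hold the private key and are only tightened afterwards by `elastickeyperms` / `elasticp12perms`, leaving a window in which they can be readable by any local user. Give the `cmd.run` `- umask: '027'` so the .p12 is never created world-readable, and, if the installed x509 module passes file arguments through (x509_v2 does), put `- mode: 640` and `- group: 930` on `private_key_managed` directly. A comment above the `cmd.run`, `# the .p12 is intentionally unencrypted (empty password); file permissions are its only protection`, would document the choice, and `signing_policy: registry` on an Elasticsearch certificate deserves a word on why that policy is reused.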
diff --git a/salt/elasticsearch/templates/component/ecs/dns.json b/salt/elasticsearch/templates/component/ecs/dns.json index 321a061f5..9cafac072 100644 --- a/salt/elasticsearch/templates/component/ecs/dns.json +++ b/salt/elasticsearch/templates/component/ecs/dns.json 
@@ -1,91 +1,103 @@ { - "_meta": { - "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html", - "ecs_version": "1.12.2" - }, - "template": { - "mappings": { - "properties": { - "dns": { - "properties": { - "answers": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "ttl": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-dns.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "query": { + "properties" :{ + "type":{ + "ignore_above": 1024, + "type": "keyword" + }, + "type_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + 
"ignore_above": 1024, + "type": "keyword" + } + } } - }, - "type": "object" - }, - "header_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "op_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "question": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "resolved_ip": { - "type": "ip" - }, - "response_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" } - } } - } } - } } \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/ecs/file.json b/salt/elasticsearch/templates/component/ecs/file.json index 3da5ee86a..dfd96c2b5 100644 --- a/salt/elasticsearch/templates/component/ecs/file.json +++ b/salt/elasticsearch/templates/component/ecs/file.json @@ -15,6 +15,13 @@ "ignore_above": 1024, "type": "keyword" }, + "bytes": { + "properties": { + "missing": { + "type": "long" + } + } + }, "code_signature": { "properties": { "digest_algorithm": { diff --git a/salt/elasticsearch/templates/component/elastic-agent/so-fleet_agent_id_verification-1.json b/salt/elasticsearch/templates/component/elastic-agent/so-fleet_agent_id_verification-1.json index 99b3aa871..46e16bb44 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/so-fleet_agent_id_verification-1.json +++ b/salt/elasticsearch/templates/component/elastic-agent/so-fleet_agent_id_verification-1.json @@ -2,7 +2,7 @@ "template": { "settings": { "index": { - "final_pipeline": ".fleet_final_pipeline-1" + "final_pipeline": "global@custom" } }, "mappings": { 
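Review bot: Switching `index.final_pipeline` from `.fleet_final_pipeline-1` to `global@custom` makes Fleet agent-id verification depend on `global@custom` invoking `.fleet_final_pipeline-1` itself, and that call (elsewhere in this commit) is made with `ignore_missing_pipeline: true`; an edited or missing `global@custom` therefore disables verification for every index built on this component without any ingest error. Record the coupling in the component itself with a top-level `"_meta": { "description": "final_pipeline is global@custom, which must call .fleet_final_pipeline-1 for agent id verification" }` so whoever next edits the custom pipeline sees it. The file's opening brace and the rest of the mappings are outside the hunk.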
diff --git a/salt/elasticsearch/tools/sbin_jinja/so-catrust b/salt/elasticsearch/tools/sbin_jinja/so-catrust
index 16fd3ffdb..14f9e5ca1 100644
--- a/salt/elasticsearch/tools/sbin_jinja/so-catrust
+++ b/salt/elasticsearch/tools/sbin_jinja/so-catrust
@@ -14,8 +14,9 @@ set -e
# Check to see if we have extracted the ca cert.
if [ ! -f /opt/so/saltstack/local/salt/elasticsearch/cacerts ]; then
docker run -v /etc/pki/ca.crt:/etc/ssl/ca.crt --name so-elasticsearchca --user root --entrypoint jdk/bin/keytool {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:$ELASTIC_AGENT_TARBALL_VERSION -keystore /usr/share/elasticsearch/jdk/lib/security/cacerts -alias SOSCA -import -file /etc/ssl/ca.crt -storepass changeit -noprompt
- docker cp so-elasticsearchca:/usr/share/elasticsearch/jdk/lib/security/cacerts /opt/so/saltstack/local/salt/elasticsearch/cacerts
- docker cp so-elasticsearchca:/etc/ssl/certs/ca-certificates.crt /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
+ # Make sure symbolic links are followed when copying from container
+ docker cp -L so-elasticsearchca:/usr/share/elasticsearch/jdk/lib/security/cacerts /opt/so/saltstack/local/salt/elasticsearch/cacerts
+ docker cp -L so-elasticsearchca:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
docker rm so-elasticsearchca
echo "" >> /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
echo "sosca" >> /opt/so/saltstack/local/salt/elasticsearch/tls-ca-bundle.pem
diff --git a/salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-templates-load b/salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-templates-load
index 4ac1b4d5f..ad3fe1344 100755
--- a/salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-templates-load
+++ b/salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-templates-load
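Review bot: With `set -e` in effect, a failure of either new `docker cp -L` exits the script before `docker rm so-elasticsearchca`, and the next run's `docker run --name so-elasticsearchca` then fails on the name collision; clean up defensively first with `docker rm -f so-elasticsearchca >/dev/null 2>&1 || true` ahead of the `docker run`. Note also that the truststore and `tls-ca-bundle.pem` are generated only while `cacerts` is absent and then appear to be served to every node as `salt://elasticsearch/cacerts` (the `elasticsearch/ca.sls` state in this commit sources that path), so a regenerated `/etc/pki/ca.crt` is never re-imported until someone deletes the cached files; a comment stating that, or a fingerprint comparison against `ca.crt`, belongs next to the `if [ ! -f … ]` test. `-storepass changeit` is the JDK default password and pre-dates this change.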
@@ -121,7 +121,7 @@ if [ ! -f $STATE_FILE_SUCCESS ]; then echo "Loading Security Onion index templates..." shopt -s extglob {% if GLOBALS.role == 'so-heavynode' %} - pattern="!(*1password*|*aws*|*azure*|*cloudflare*|*elastic_agent*|*fim*|*github*|*google*|*osquery*|*system*|*windows*)" + pattern="!(*1password*|*aws*|*azure*|*cloudflare*|*elastic_agent*|*fim*|*github*|*google*|*osquery*|*system*|*windows*|*endpoint*|*elasticsearch*|*generic*|*fleet_server*|*soc*)" {% else %} pattern="*" {% endif %} diff --git a/salt/global/soc_global.yaml b/salt/global/soc_global.yaml index 047bb525b..a378a7023 100644 --- a/salt/global/soc_global.yaml +++ b/salt/global/soc_global.yaml @@ -32,7 +32,7 @@ global: readonly: True advanced: True url_base: - description: Used for handling of authentication cookies. + description: The base URL for the Security Onion Console. Must be accessible by all nodes in the grid, as well as all analysts. Also used for handling of authentication cookies. Can be an IP address or a hostname/FQDN. Do not include protocol (http/https) or port number. global: True airgap: description: Airgapped systems do not have network connectivity to the internet. This setting represents how this grid was configured during initial setup. While it is technically possible to manually switch systems between airgap and non-airgap, there are some nuances and additional steps involved. For that reason this setting is marked read-only. Contact your support representative for guidance if there is a need to change this setting. diff --git a/salt/influxdb/config.sls b/salt/influxdb/config.sls index 0f315666a..bf8b67b78 100644 --- a/salt/influxdb/config.sls +++ b/salt/influxdb/config.sls @@ -9,7 +9,6 @@ include: - salt.minion - - ssl # Influx DB influxconfdir: diff --git a/salt/influxdb/enabled.sls b/salt/influxdb/enabled.sls index 293a917cb..65ba4fafe 100644 --- a/salt/influxdb/enabled.sls +++ b/salt/influxdb/enabled.sls 
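Review bot: The heavynode exclusion pattern now also drops anything matching `*elasticsearch*`, `*generic*`, `*fleet_server*` and `*soc*`; these are substring globs, so any template whose filename happens to contain `soc` or `elasticsearch` is skipped as well, not just the Fleet integration templates the list seems to target. A comment above `pattern=` listing what each group excludes and why a heavynode does not need them would make later additions safer, and globs anchored to the actual template names would avoid accidental matches. I cannot see the template directory from here, so treat the risk as something to confirm rather than a known breakage.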
@@ -11,6 +11,7 @@ {% set TOKEN = salt['pillar.get']('influxdb:token') %}
 include:
+ - influxdb.ssl
 - influxdb.config
 - influxdb.sostatus
@@ -59,6 +60,8 @@ so-influxdb:
 {% endif %}
 - watch:
 - file: influxdbconf
+ - x509: influxdb_key
+ - x509: influxdb_crt
 - require:
 - file: influxdbconf
 - x509: influxdb_key
diff --git a/salt/influxdb/ssl.sls b/salt/influxdb/ssl.sls
new file mode 100644
index 000000000..930879c75
--- /dev/null
+++ b/salt/influxdb/ssl.sls
@@ -0,0 +1,55 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% from 'ca/map.jinja' import CA %}
+
+influxdb_key:
+ x509.private_key_managed:
+ - name: /etc/pki/influxdb.key
+ - keysize: 4096
+ - backup: True
+ - new: True
+ {% if salt['file.file_exists']('/etc/pki/influxdb.key') -%}
+ - prereq:
+ - x509: /etc/pki/influxdb.crt
+ {%- endif %}
+ - retry:
+ attempts: 5
+ interval: 30
+
+# Create a cert for the talking to influxdb
+influxdb_crt:
+ x509.certificate_managed:
+ - name: /etc/pki/influxdb.crt
+ - ca_server: {{ CA.server }}
+ - signing_policy: influxdb
+ - private_key: /etc/pki/influxdb.key
+ - CN: {{ GLOBALS.hostname }}
+ - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
+ - days_remaining: 7
+ - days_valid: 820
+ - backup: True
+ - timeout: 30
+ - retry:
+ attempts: 5
+ interval: 30
+
+influxkeyperms:
+ file.managed:
+ - replace: False
+ - name: /etc/pki/influxdb.key
+ - mode: 640
+ - group: 939
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
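Review bot: `influxkeyperms` sets `mode: 640` and `group: 939` on `/etc/pki/influxdb.key` but no `user:`, so the key keeps whatever owner the x509 state created it with; the parallel `kafka_client_crt_perms` and `kafka_pkcs12_perms` states touched in this commit set `user:` explicitly, so either add the UID the influxdb container runs as or a comment stating that root ownership plus group 939 is the intent. The file also has no `include:` for `ca`, whereas `kafka/ssl.sls` in this same commit includes `- ca` before its x509 states; if `x509.certificate_managed` with `ca_server` relies on the `ca` state having run on this minion, the include is missing here — presumably harmless if enabled.sls orders it, but worth confirming. The header comment has a stray word: `# Create a cert for talking to influxdb`.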
diff --git a/salt/kafka/enabled.sls b/salt/kafka/enabled.sls
index 8448bd5aa..88847f30b 100644
--- a/salt/kafka/enabled.sls
+++ b/salt/kafka/enabled.sls
@@ -68,6 +68,8 @@ so-kafka:
 - file: kafka_server_jaas_properties
 {% endif %}
 - file: kafkacertz
+ - x509: kafka_crt
+ - file: kafka_pkcs12_perms
 - require:
 - file: kafkacertz
@@ -95,4 +97,4 @@ include:
 test.fail_without_changes:
 - name: {{sls}}_state_not_allowed
-{% endif %}
\ No newline at end of file
+{% endif %}
diff --git a/salt/kafka/ssl.sls b/salt/kafka/ssl.sls
index 04b6b4ba7..2ee19f731 100644
--- a/salt/kafka/ssl.sls
+++ b/salt/kafka/ssl.sls
@@ -6,22 +6,13 @@ {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states or sls in allowed_states %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
+{% from 'ca/map.jinja' import CA %}
 {% set kafka_password = salt['pillar.get']('kafka:config:password') %}
 include:
- - ca.dirs
- {% set global_ca_server = [] %}
- {% set x509dict = salt['mine.get'](GLOBALS.manager | lower~'*', 'x509.get_pem_entries') %}
- {% for host in x509dict %}
- {% if 'manager' in host.split('_')|last or host.split('_')|last == 'standalone' %}
- {% do global_ca_server.append(host) %}
- {% endif %}
- {% endfor %}
- {% set ca_server = global_ca_server[0] %}
+ - ca
-{% if GLOBALS.pipeline == "KAFKA" %}
-
-{% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone'] %}
+{% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone'] %}
 kafka_client_key:
 x509.private_key_managed:
 - name: /etc/pki/kafka-client.key
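Review bot: The new `watch` on `file: kafka_pkcs12_perms` only triggers a restart when that state reports changes, and a `file.managed` with `replace: False` and no source (the shape `kafka_key_perms` and the other perms states in ssl.sls use) reports changes only when ownership or mode differ — not when the `openssl pkcs12` command rewrites `/etc/pki/kafka.p12`. The added `x509: kafka_crt` watch covers certificate renewal, so the container should still restart in that case; but if the intent is "restart whenever the keystore is rebuilt", watching the cmd state that writes the .p12 expresses that directly and does not depend on ordering between the perms state and the rebuild. A short comment naming the event each watch is meant to catch, e.g. `# restart when the broker cert is renewed or the PKCS12 keystore is rebuilt`, would make the dependency intent reviewable.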
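Review bot: Dropping the `{% if GLOBALS.pipeline == "KAFKA" %}` gate means Kafka keys and certificates are now issued on every manager, managersearch, receiver and standalone node even when the Kafka pipeline is not in use; the existing comment further down explains this only for the logstash cert, so a note above the first role check such as `# Kafka certs are issued regardless of GLOBALS.pipeline so a pipeline switch does not need a cert bootstrap` (my inference — replace with the actual reason) would stop a later reader from reintroducing the gate. This hunk also replaces the mine-based `ca_server` lookup with `CA.server`, and the hunks on L79 and L80 raise `days_remaining` from 0 to 7 for all three certs; presumably `0` meant renewal only at expiry, and that reasoning deserves a one-line comment too. While in this file, the context line `-passout pass:{{ kafka_password }}` in the L79 hunk puts the pillar password on the command line, where it is visible in process listings and state output; `-passout file:` or `env:` with the `cmd` state's `env` argument would keep it out.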
@@ -39,12 +30,12 @@ kafka_client_key:
 kafka_client_crt:
 x509.certificate_managed:
 - name: /etc/pki/kafka-client.crt
- - ca_server: {{ ca_server }}
+ - ca_server: {{ CA.server }}
 - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
 - signing_policy: kafka
 - private_key: /etc/pki/kafka-client.key
 - CN: {{ GLOBALS.hostname }}
- - days_remaining: 0
+ - days_remaining: 7
 - days_valid: 820
 - backup: True
 - timeout: 30
@@ -67,9 +58,9 @@ kafka_client_crt_perms:
 - mode: 640
 - user: 960
 - group: 939
-{% endif %}
+{% endif %}
-{% if GLOBALS.role in ['so-manager', 'so-managersearch','so-receiver', 'so-standalone'] %}
+{% if GLOBALS.role in ['so-manager', 'so-managersearch','so-receiver', 'so-standalone'] %}
 kafka_key:
 x509.private_key_managed:
 - name: /etc/pki/kafka.key
@@ -87,12 +78,12 @@ kafka_key:
 kafka_crt:
 x509.certificate_managed:
 - name: /etc/pki/kafka.crt
- - ca_server: {{ ca_server }}
+ - ca_server: {{ CA.server }}
 - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
 - signing_policy: kafka
 - private_key: /etc/pki/kafka.key
 - CN: {{ GLOBALS.hostname }}
- - days_remaining: 0
+ - days_remaining: 7
 - days_valid: 820
 - backup: True
 - timeout: 30
@@ -103,6 +94,7 @@ kafka_crt:
 - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/kafka.key -in /etc/pki/kafka.crt -export -out /etc/pki/kafka.p12 -nodes -passout pass:{{ kafka_password }}"
 - onchanges:
 - x509: /etc/pki/kafka.key
+
 kafka_key_perms:
 file.managed:
 - replace: False
@@ -126,11 +118,11 @@ kafka_pkcs12_perms:
 - mode: 640
 - user: 960
 - group: 939
-{% endif %}
+{% endif %}
 # Standalone needs kafka-logstash for automated testing. Searchnode/manager search need it for logstash to consume from Kafka.
 # Manager will have cert, but be unused until a pipeline is created and logstash enabled.
-{% if GLOBALS.role in ['so-standalone', 'so-managersearch', 'so-searchnode', 'so-manager'] %}
+{% if GLOBALS.role in ['so-standalone', 'so-managersearch', 'so-searchnode', 'so-manager'] %}
 kafka_logstash_key:
 x509.private_key_managed:
 - name: /etc/pki/kafka-logstash.key
@@ -148,12 +140,12 @@ kafka_logstash_key:
 kafka_logstash_crt:
 x509.certificate_managed:
 - name: /etc/pki/kafka-logstash.crt
- - ca_server: {{ ca_server }}
+ - ca_server: {{ CA.server }}
 - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
 - signing_policy: kafka
 - private_key: /etc/pki/kafka-logstash.key
 - CN: {{ GLOBALS.hostname }}
- - days_remaining: 0
+ - days_remaining: 7
 - days_valid: 820
 - backup: True
 - timeout: 30
@@ -189,7 +181,6 @@ kafka_logstash_pkcs12_perms:
 - user: 931
 - group: 939
-{% endif %}
 {% endif %}
 {% else %}
@@ -198,4 +189,4 @@ kafka_logstash_pkcs12_perms:
 test.fail_without_changes:
 - name: {{sls}}_state_not_allowed
-{% endif %}
\ No newline at end of file
+{% endif %}
diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml
index 078f826a0..580891973 100644
--- a/salt/kibana/defaults.yaml
+++ b/salt/kibana/defaults.yaml
@@ -25,11 +25,10 @@ kibana:
 discardCorruptObjects: "8.18.8"
 telemetry:
 enabled: False
- security:
- showInsecureClusterWarning: False
 xpack:
 security:
 secureCookies: true
+ showInsecureClusterWarning: false
 reporting:
 kibanaServer:
 hostname: localhost
diff --git a/salt/kibana/files/saved_objects.ndjson b/salt/kibana/files/saved_objects.ndjson
index 7aabe4404..69d678fa8 100644
--- a/salt/kibana/files/saved_objects.ndjson
+++ b/salt/kibana/files/saved_objects.ndjson
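Review bot: `showInsecureClusterWarning: false` now sits under `xpack.security`, which is the `xpack.security.showInsecureClusterWarning` key Kibana actually reads, but the suppression itself is unexplained; since this silences Kibana's warning that the cluster is reachable without security, a comment stating why that is acceptable here would let a reviewer check the assumption still holds, e.g. `# Warning suppressed: Kibana and Elasticsearch are only reachable through SOC authentication` — my inference, replace with the real reason. The value also changes from the `False` spelling used by `enabled: False` two lines above to `false`; both parse as booleans, but the file would read better with one spelling throughout.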
@@ -475,7 +475,7 @@ {"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.module:osquery\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security Onion - Osquery","version":1},"coreMigrationVersion":"8.7.1","created_at":"2023-07-20T15:26:57.180Z","id":"9eed5fc0-afcb-11ea-b262-353d451b125b","migrationVersion":{"search":"8.0.0"},"references":[{"id":"logs-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1689866817180,5707],"type":"search","updated_at":"2023-07-20T15:26:57.180Z","version":"WzQ1NDksMV0="} {"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SIP - Content Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SIP - Content 
Type\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"emptyAsNull\":false},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"sip.content_type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"includeIsRegex\":true,\"excludeIsRegex\":true,\"customLabel\":\"Type\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"sip.content_type.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true,\"autoFitRowToContent\":false}}"},"coreMigrationVersion":"8.7.1","created_at":"2023-07-20T15:26:57.180Z","id":"9ff24600-75ca-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"8.5.0"},"references":[{"id":"logs-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1689866817180,5709],"type":"visualization","updated_at":"2023-07-20T15:26:57.180Z","version":"WzQ1NTAsMV0="} {"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - Command (Data Table)","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"OSSEC Alerts - 
Command (Data Table)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"command.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Command\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}]}"},"coreMigrationVersion":"8.7.1","created_at":"2023-07-20T15:26:57.180Z","id":"9ff34f60-4a42-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"8.5.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1689866817180,5711],"type":"visualization","updated_at":"2023-07-20T15:26:57.180Z","version":"WzQ1NTEsMV0="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":{\"match_all\":{}},\"language\":\"lucene\"},\"filter\":[]}"},"title":"Help","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Help\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"markdown\":\"## Introduction\\nWelcome to the Security Onion Elastic Stack! This is our implementation of the Elastic Stack on Security Onion. 
The Elastic Stack consists of three primary components:\\n- `Elasticsearch` - stores logs\\n- `Logstash` - collects and enriches logs before storing them in Elasticsearch\\n- `Kibana` - web interface for visualizing logs\\n\\n## Sidebar\\nStarting on the far left side of the page, you see the Sidebar. This contains links such as:\\n- `Discover` - search data\\n- `Visualize` - create visualizations based on searches\\n- `Dashboard` - view or create dashboards based on visualizations\\n- `Timelion` - timeline analysis\\n- `Dev Tools` - query Elasticsearch directly\\n- `Management` - view or modify Kibana settings\\n- `Squert` - separate web interface for viewing NIDS and HIDS alerts\\n- `Logout` - log out of your session\\n\\nThe first six of those links are within Kibana itself. If you click one of those and then want to get back to the Dashboards area where you started, simply click the `Dashboard` link.\\n\\nClicking the `Squert` link will take you out of Kibana and into Squert. You will not be required to authenticate to Squert since you already have an active Single Sign On (SSO) session.\\n\\nClicking the `Logout` link in either Squert or Kibana will log you out of your SSO session and take you back to the logon screen.\\n\\n## Navigation Panel\\nWhen you are in the Kibana Dashboard area, the panel to the immediate right of the sidebar is the Navigation Panel and it includes links to our dashboards such as Home, Help (this page), Bro Notices, ElastAlert, HIDS, NIDS, etc. Clicking one of the links in the Navigation Panel will take you to a dashboard dedicated to that particular log type. \\n\\n## Dashboards\\nAll dashboards are designed to work at 1024x768 screen resolution in order to maximize compatibility.\\n\\n### Dashboard Hyperlinks\\n\\nThe `source_ip` and `destination_ip` fields are hyperlinked. 
These hyperlinks will take you to the Indicator dashboard which will help you analyze the traffic relating to that particular IP address.\\n\\n`UID` fields are also hyperlinked. This hyperlink will start a new Kibana search for that particular UID. In the case of Bro UIDs this will show you all Bro logs related to that particular connection.\\n\\nEach log entry also has an `_id` field that is hyperlinked. This hyperlink will take you to CapMe, allowing you to request full packet capture for any arbitrary log type. This assumes that the log is for tcp or udp traffic that was seen by Bro and Bro recorded it correctly in its conn.log. \\n\\n### Overview Dashboard\\nWhen you first go to the Kibana Dashboard area, you are automatically placed into the Overview dashboard, where you will see overview information, such as total number of logs and sensors. Use the information on the Overview dashboard to determine which of the other dashboards on the Navigation Panel you might want to visit next.\\n\\n### Dashboard Categories\\nOur remaining dashboards are grouped into a few categories:\\n- `Alert Data` - dashboards that display alerts created by rules or signatures\\n- `Bro Hunting` - dashboards that allow you to slice and dice network metadata for hunting\\n- `Host Hunting` - dashboards that allow you to hunt via host telemetry\\n- `Other` - dashboards that don't fit into the categories above\\n\\n### Bro Notices\\nBro sniffs network traffic and generates notices such as `SSL::Invalid Server Cert` and `TeamCymruMalwareHashRegistry::Match`.\\n\\n### ElastAlert\\nElastAlert queries Elasticsearch on a regular basis and then generates alerts based on your desired criteria. Security Onion includes two example rules that alert on new IDS events and new connection logs. You can add your own ElastAlert rules in `/etc/elastalert/rules/`.\\n\\n### HIDS\\nOSSEC analyzes log files and generates Host Intrusion Detection System alerts based on its ruleset at `/var/ossec/rules/`. 
You can add your own rules in `/var/ossec/rules/local_rules.xml`.\\n\\n### NIDS\\nSecurity Onion can use either Snort or Suricata to sniff network traffic and generate Network Intrusion Detection System alerts. \\n\\n### Connections\\nBro sniffs network traffic and logs connection metadata including source IP/port, destination IP/port, protocol, and number of bytes.\\n\\n### DCE/RPC\\nBro sniffs network traffic and logs DCE/RPC metadata including source IP/port, destination IP/port, operation, endpoint, and named pipe.\\n\\n### DHCP\\nBro sniffs network traffic and logs DHCP requests and responses including source IP/port, destination IP/port, and MAC addresses.\\n\\n### DNP3\\nBro sniffs network traffic and logs DNP3 metadata including source IP/port, destination IP/port, function request, function reply.\\n\\n### DNS\\nBro sniffs network traffic and logs DNS queries and answers. Bro also includes other name lookups such as Windows NetBIOS name service requests and Bonjour.\\n\\n### Files\\nBro sniffs network traffic and logs metadata related to files being transferred over the network including IP addresses, MIME type, source, and checksums.\\n\\n### FTP\\nBro sniffs network traffic and logs FTP metadata including source IP/port, destination IP/port, command, reply code, argument, and username.\\n\\n### HTTP\\nBro sniffs network traffic and logs HTTP metadata including source IP/port, destination IP/port, method, status message, MIME type, site name, referer, and user agent.\\n\\n### Intel\\nBro sniffs network traffic and watches for indicators using the Intel framework. 
You can add your own indicators to `/opt/bro/share/bro/intel/intel.dat`.\\n\\n### IRC\\nBro sniffs network traffic and logs IRC metadata including source IP/port, destination IP/port, command, and username.\\n\\n### Kerberos\\nBro sniffs network traffic and logs Kerberos metadata including source IP/port, destination IP/port, cipher, client, server, service, request type, and success status.\\n\\n### Modbus\\nBro sniffs network traffic and logs Modbus metadata including source IP/port, destination IP/port, and function.\\n\\n### MySQL\\nBro sniffs network traffic and logs MySQL metadata including source IP/port, destination IP/port, command/argument, status, and response.\\n\\n### NTLM\\nBro sniffs network traffic and logs NTLM metadata including source IP/port, destination IP/port, hostname, username, and status.\\n\\n### PE\\nBro sniffs network traffic and logs PE metadata including OS, subsystem, machine, and section name.\\n\\n### RADIUS\\nBro sniffs network traffic and logs RADIUS metadata including source IP/port, destination IP/port, username, and result.\\n\\n### RDP\\nBro sniffs network traffic and logs RDP metadata including source IP/port, destination IP/port, client build, keyboard layout, encryption level, and result.\\n\\n### RFB\\nBro sniffs network traffic and logs RFB metadata including source IP/port, destination IP/port, authentication method, authentication status, client version, server version, and desktop name.\\n\\n### SIP\\nBro sniffs network traffic and logs SIP metadata including source IP/port, destination IP/port, method, content type, status, uri, and user agent.\\n\\n### SMB\\nBro sniffs network traffic and logs SMB metadata including source IP/port, destination IP/port, file name, and action.\\n\\n### SMTP\\nBro sniffs network traffic and logs SMTP metadata including source IP/port, destination IP/port, from, to, subject, and user agent.\\n\\n### SNMP\\nBro sniffs network traffic and logs SNMP metadata including source IP/port, 
destination IP/port, version, community, and duration.\\n\\n### Software\\nBro sniffs network traffic and logs metadata relating to the kinds of software that generated that traffic including name, type, and version.\\n\\n### SSH\\nBro sniffs network traffic and logs SSH metadata including source IP/port, destination IP/port, client version, server version, and success.\\n\\n### SSL\\nBro sniffs network traffic and logs SSL metadata including source IP/port, destination IP/port, server name, certificate subject, cipher, and validation status.\\n\\n### Syslog\\nBro sniffs network traffic and logs Syslog metadata including source IP/port, destination IP/port, severity, and protocol.\\n\\n### Tunnels\\nBro sniffs network traffic and detects IP, GRE, SOCKS, TEREDO, and AVAYA tunnels. It logs metadata including source IP/port, destination IP/port, type, and action.\\n\\n### Weird\\nBro sniffs network traffic and logs protocol anomalies metadata including source IP/port, destination IP/port, and the type of anomaly.\\n\\n### X.509\\nBro sniffs network traffic and logs X.509 metadata including certificate subject, issuer, key algorithm, key length, and signing algorithm.\\n\\n### Autoruns\\nSysinternals Autoruns can identify the processes which Windows is configured to automatically run. Autoruns data can then be ingested via [Autoruns To WinEventLog](https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog).\\n\\n### Beats\\nElastic Beats can be deployed on endpoints to collect host telemetry and send to Logstash for storage in Elasticsearch.\\n\\n### OSSEC\\nOSSEC agents can be deployed on endpoints to collect host telemetry and send to the OSSEC Server included in Security Onion. OSSEC Alerts can be found in the Alert Data category at the top of the Navigation Panel. 
This OSSEC hunting dashboard will allow you to hunt through all OSSEC logs, not just alerts.\\n\\n### Sysmon\\nSysinternal Sysmon provides comprehensive telemetry for Windows hosts. Its logs can be consumed using Beats, OSSEC, or other transport mechanism.\\n\\n### Domain Stats\\nSecurity Onion includes a tool called domain_stats which will do a whois lookup on a domain name to determine the age of the domain. If enabled, this dashboard looks for baby domains that have been recently registered. Please note that domain_stats is only enabled when running in Evaluation Mode.\\n\\n### Firewall\\nFirewall logs can be consumed via syslog or other transport mechanism. Once consumed, this dashboard allows you to slice and dice those firewall logs based on source IP/port, destination IP/port, protocol, and action.\\n\\n### Frequency\\nSecurity Onion includes a tool called freq_server which can perform frequency analysis of hostnames. If enabled, this dashboard will show hostnames with a frequency analysis score that indicates that they could have been randomly generated. 
Please note that freq_server is only enabled when running in Evaluation Mode.\\n\\n### Stats\\nThis dashboard shows statistics for Logstash including processing times for different log types and any errors that may have occurred.\\n\\n## More Information\\nFor additional information, please refer to our documentation at:\\n\\nhttps://securityonion.net/docs/Elastic\",\"type\":\"markdown\"},\"aggs\":[]}"},"coreMigrationVersion":"8.7.1","created_at":"2023-07-20T15:26:57.180Z","id":"AV6-PHKnDwoBUzALqJ_c","migrationVersion":{"visualization":"8.5.0"},"references":[],"sort":[1689866817180,5712],"type":"visualization","updated_at":"2023-07-20T15:26:57.180Z","version":"WzQ1NTIsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":{\"match_all\":{}},\"language\":\"lucene\"},\"filter\":[]}"},"title":"Help","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Help\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"markdown\":\"## Introduction\\nWelcome to the Security Onion Elastic Stack! This is our implementation of the Elastic Stack on Security Onion. The Elastic Stack consists of three primary components:\\n- `Elasticsearch` - stores logs\\n- `Logstash` - collects and enriches logs before storing them in Elasticsearch\\n- `Kibana` - web interface for visualizing logs\\n\\n## Sidebar\\nStarting on the far left side of the page, you see the Sidebar. This contains links such as:\\n- `Discover` - search data\\n- `Visualize` - create visualizations based on searches\\n- `Dashboard` - view or create dashboards based on visualizations\\n- `Timelion` - timeline analysis\\n- `Dev Tools` - query Elasticsearch directly\\n- `Management` - view or modify Kibana settings\\n- `Squert` - separate web interface for viewing NIDS and HIDS alerts\\n- `Logout` - log out of your session\\n\\nThe first six of those links are within Kibana itself. 
If you click one of those and then want to get back to the Dashboards area where you started, simply click the `Dashboard` link.\\n\\nClicking the `Squert` link will take you out of Kibana and into Squert. You will not be required to authenticate to Squert since you already have an active Single Sign On (SSO) session.\\n\\nClicking the `Logout` link in either Squert or Kibana will log you out of your SSO session and take you back to the logon screen.\\n\\n## Navigation Panel\\nWhen you are in the Kibana Dashboard area, the panel to the immediate right of the sidebar is the Navigation Panel and it includes links to our dashboards such as Home, Help (this page), Bro Notices, ElastAlert, HIDS, NIDS, etc. Clicking one of the links in the Navigation Panel will take you to a dashboard dedicated to that particular log type. \\n\\n## Dashboards\\nAll dashboards are designed to work at 1024x768 screen resolution in order to maximize compatibility.\\n\\n### Dashboard Hyperlinks\\n\\nThe `source_ip` and `destination_ip` fields are hyperlinked. These hyperlinks will take you to the Indicator dashboard which will help you analyze the traffic relating to that particular IP address.\\n\\n`UID` fields are also hyperlinked. This hyperlink will start a new Kibana search for that particular UID. In the case of Bro UIDs this will show you all Bro logs related to that particular connection.\\n\\nEach log entry also has an `_id` field that is hyperlinked. This hyperlink will take you to CapMe, allowing you to request full packet capture for any arbitrary log type. This assumes that the log is for tcp or udp traffic that was seen by Bro and Bro recorded it correctly in its conn.log. \\n\\n### Overview Dashboard\\nWhen you first go to the Kibana Dashboard area, you are automatically placed into the Overview dashboard, where you will see overview information, such as total number of logs and sensors. 
Use the information on the Overview dashboard to determine which of the other dashboards on the Navigation Panel you might want to visit next.\\n\\n### Dashboard Categories\\nOur remaining dashboards are grouped into a few categories:\\n- `Alert Data` - dashboards that display alerts created by rules or signatures\\n- `Bro Hunting` - dashboards that allow you to slice and dice network metadata for hunting\\n- `Host Hunting` - dashboards that allow you to hunt via host telemetry\\n- `Other` - dashboards that don't fit into the categories above\\n\\n### Bro Notices\\nBro sniffs network traffic and generates notices such as `SSL::Invalid Server Cert` and `TeamCymruMalwareHashRegistry::Match`.\\n\\n### ElastAlert\\nElastAlert queries Elasticsearch on a regular basis and then generates alerts based on your desired criteria. Security Onion includes two example rules that alert on new IDS events and new connection logs. You can add your own ElastAlert rules in `/etc/elastalert/rules/`.\\n\\n### HIDS\\nOSSEC analyzes log files and generates Host Intrusion Detection System alerts based on its ruleset at `/var/ossec/rules/`. You can add your own rules in `/var/ossec/rules/local_rules.xml`.\\n\\n### NIDS\\nSecurity Onion can use either Snort or Suricata to sniff network traffic and generate Network Intrusion Detection System alerts. 
\\n\\n### Connections\\nBro sniffs network traffic and logs connection metadata including source IP/port, destination IP/port, protocol, and number of bytes.\\n\\n### DCE/RPC\\nBro sniffs network traffic and logs DCE/RPC metadata including source IP/port, destination IP/port, operation, endpoint, and named pipe.\\n\\n### DHCP\\nBro sniffs network traffic and logs DHCP requests and responses including source IP/port, destination IP/port, and MAC addresses.\\n\\n### DNP3\\nBro sniffs network traffic and logs DNP3 metadata including source IP/port, destination IP/port, function request, function reply.\\n\\n### DNS\\nBro sniffs network traffic and logs DNS queries and answers. Bro also includes other name lookups such as Windows NetBIOS name service requests and Bonjour.\\n\\n### Files\\nBro sniffs network traffic and logs metadata related to files being transferred over the network including IP addresses, MIME type, source, and checksums.\\n\\n### FTP\\nBro sniffs network traffic and logs FTP metadata including source IP/port, destination IP/port, command, reply code, argument, and username.\\n\\n### HTTP\\nBro sniffs network traffic and logs HTTP metadata including source IP/port, destination IP/port, method, status message, MIME type, site name, referer, and user agent.\\n\\n### Intel\\nBro sniffs network traffic and watches for indicators using the Intel framework. 
You can add your own indicators to `/opt/bro/share/bro/intel/intel.dat`.\\n\\n### IRC\\nBro sniffs network traffic and logs IRC metadata including source IP/port, destination IP/port, command, and username.\\n\\n### Kerberos\\nBro sniffs network traffic and logs Kerberos metadata including source IP/port, destination IP/port, cipher, client, server, service, request type, and success status.\\n\\n### Modbus\\nBro sniffs network traffic and logs Modbus metadata including source IP/port, destination IP/port, and function.\\n\\n### MySQL\\nBro sniffs network traffic and logs MySQL metadata including source IP/port, destination IP/port, command/argument, status, and response.\\n\\n### NTLM\\nBro sniffs network traffic and logs NTLM metadata including source IP/port, destination IP/port, hostname, username, and status.\\n\\n### PE\\nBro sniffs network traffic and logs PE metadata including OS, subsystem, machine, and section name.\\n\\n### RADIUS\\nBro sniffs network traffic and logs RADIUS metadata including source IP/port, destination IP/port, username, and result.\\n\\n### RDP\\nBro sniffs network traffic and logs RDP metadata including source IP/port, destination IP/port, client build, keyboard layout, encryption level, and result.\\n\\n### RFB\\nBro sniffs network traffic and logs RFB metadata including source IP/port, destination IP/port, authentication method, authentication status, client version, server version, and desktop name.\\n\\n### SIP\\nBro sniffs network traffic and logs SIP metadata including source IP/port, destination IP/port, method, content type, status, uri, and user agent.\\n\\n### SMB\\nBro sniffs network traffic and logs SMB metadata including source IP/port, destination IP/port, file name, and action.\\n\\n### SMTP\\nBro sniffs network traffic and logs SMTP metadata including source IP/port, destination IP/port, from, to, subject, and user agent.\\n\\n### SNMP\\nBro sniffs network traffic and logs SNMP metadata including source IP/port, 
destination IP/port, version, community, and duration.\\n\\n### Software\\nBro sniffs network traffic and logs metadata relating to the kinds of software that generated that traffic including name, type, and version.\\n\\n### SSH\\nBro sniffs network traffic and logs SSH metadata including source IP/port, destination IP/port, client version, server version, and success.\\n\\n### SSL\\nBro sniffs network traffic and logs SSL metadata including source IP/port, destination IP/port, server name, certificate subject, cipher, and validation status.\\n\\n### Syslog\\nBro sniffs network traffic and logs Syslog metadata including source IP/port, destination IP/port, severity, and protocol.\\n\\n### Tunnels\\nBro sniffs network traffic and detects IP, GRE, SOCKS, TEREDO, and AVAYA tunnels. It logs metadata including source IP/port, destination IP/port, type, and action.\\n\\n### Weird\\nBro sniffs network traffic and logs protocol anomalies metadata including source IP/port, destination IP/port, and the type of anomaly.\\n\\n### X.509\\nBro sniffs network traffic and logs X.509 metadata including certificate subject, issuer, key algorithm, key length, and signing algorithm.\\n\\n### Autoruns\\nSysinternals Autoruns can identify the processes which Windows is configured to automatically run. Autoruns data can then be ingested via [Autoruns To WinEventLog](https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog).\\n\\n### Beats\\nElastic Beats can be deployed on endpoints to collect host telemetry and send to Logstash for storage in Elasticsearch.\\n\\n### OSSEC\\nOSSEC agents can be deployed on endpoints to collect host telemetry and send to the OSSEC Server included in Security Onion. OSSEC Alerts can be found in the Alert Data category at the top of the Navigation Panel. 
This OSSEC hunting dashboard will allow you to hunt through all OSSEC logs, not just alerts.\\n\\n### Sysmon\\nSysinternal Sysmon provides comprehensive telemetry for Windows hosts. Its logs can be consumed using Beats, OSSEC, or other transport mechanism.\\n\\n### Domain Stats\\nSecurity Onion includes a tool called domain_stats which will do a whois lookup on a domain name to determine the age of the domain. If enabled, this dashboard looks for baby domains that have been recently registered. Please note that domain_stats is only enabled when running in Evaluation Mode.\\n\\n### Firewall\\nFirewall logs can be consumed via syslog or other transport mechanism. Once consumed, this dashboard allows you to slice and dice those firewall logs based on source IP/port, destination IP/port, protocol, and action.\\n\\n### Frequency\\nSecurity Onion includes a tool called freq_server which can perform frequency analysis of hostnames. If enabled, this dashboard will show hostnames with a frequency analysis score that indicates that they could have been randomly generated. 
Please note that freq_server is only enabled when running in Evaluation Mode.\\n\\n### Stats\\nThis dashboard shows statistics for Logstash including processing times for different log types and any errors that may have occurred.\\n\\n## More Information\\nFor additional information, please refer to our documentation at:\\n\\nhttps://securityonion.net/docs/elasticsearch\",\"type\":\"markdown\"},\"aggs\":[]}"},"coreMigrationVersion":"8.7.1","created_at":"2023-07-20T15:26:57.180Z","id":"AV6-PHKnDwoBUzALqJ_c","migrationVersion":{"visualization":"8.5.0"},"references":[],"sort":[1689866817180,5712],"type":"visualization","updated_at":"2023-07-20T15:26:57.180Z","version":"WzQ1NTIsMV0="} {"attributes":{"fieldFormatMap":"{\"process_id\":{\"id\":\"number\",\"params\":{\"pattern\":\"0\"}},\"event_id\":{\"id\":\"number\",\"params\":{\"pattern\":\"0\"}}}","fields":"[{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"aa\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValu
es\":false},{\"name\":\"aa.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"activity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"additional_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"additional_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"age\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"age.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_level\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"analyzer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"analyzer.keyword\",\"type\":\"string\",\"count\":
0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"answers\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"answers.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"apache2.access.body_sent.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.http_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable
\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.remote_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.response_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.device\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.os_major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.os_minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.os_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.patch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"read
FromDocValues\":true},{\"name\":\"apache2.access.user_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.client\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"apache2.error.module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.tid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"assigned_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"assigned_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.a0\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.acct\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFr
omDocValues\":true},{\"name\":\"auditd.log.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.item\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.items\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.new_auid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.new_ses\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.old_auid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.old_ses\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.ppid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"
searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.record_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.res\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.sequence\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auth\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"auth.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_attempts\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"basic_constraints_ca\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"basic_constraints_ca.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"basic_constraints_path_length\",\"ty
pe\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"bound_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"call_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"call_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"category.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cc.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_chain_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_chain_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"search
able\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_common_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_curve.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_exponent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_exponent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_issuer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_issuer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_key_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFro
mDocValues\":true},{\"name\":\"certificate_key_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_key_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_locality.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_not_valid_after\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_not_valid_before\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_number_days_valid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_organization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_organization_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_organization_unit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certifica
te_permanent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_permanent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_serial\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_serial.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_serial_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_serial_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_signing_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_signing_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_type\",\"type\":\"string\",\"count\":0,\"script
ed\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"checksum\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"checksum.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cipher\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cipher.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cipher_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cipher_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"class.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"classification\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"classification.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false
,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_build\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_build.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_chain_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_chain_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_digital_product_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_digital_product_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\"
:true},{\"name\":\"client_issuer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_issuer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_major_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_major_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_minor_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_minor_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"community\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValu
es\":false},{\"name\":\"community.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"company.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"compile_ts\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"compile_ts.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"compression_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"compression_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"computer_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"computer_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connect_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connect_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDoc
Values\":true},{\"name\":\"connection_state_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection_state_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"content_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cookie\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cookie.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"creation_date\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"creation_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"current_directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"curve.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocV
alues\":true},{\"name\":\"data_channel_destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_passive\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data_channel_passive.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dcc_file_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dcc_mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_mime_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"depth\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{
\"name\":\"description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_height\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"desktop_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_width\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dest_is_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dest_is_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_city\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_city.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":tr
ue,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"
readFromDocValues\":true},{\"name\":\"destination_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_latitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_longitude.keyword\",\"t
ype\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_region\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_region.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"details\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"details.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dir\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dir.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"direction\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"direction.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"display_string\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"display_string.keyword\",\"type\":\"stri
ng\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"docker.container.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"docker.container.image\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"docker.container.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"domain_age\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"domain_age.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"domain_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"domain_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dropped\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dropped.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"duration\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"enabled\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"enabled.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"encryption_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,
\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"encryption_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"encryption_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"encryption_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"endpoint\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"endpoint.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"entry\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"entry.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"entry_location\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"entry_location.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error.code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"error.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregat
able\":false,\"readFromDocValues\":false},{\"name\":\"error_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"escalated_user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"escalated_user.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"established\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"established.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.AccountName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.AlgorithmName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.AuthenticationPackageName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Binary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.CommandLine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Configuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ConfigurationFileHash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.CreationUtcTime\",\"type\":\"string
\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.CurrentDirectory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DestinationIp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DestinationIsIpv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DestinationPort\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Details\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceNameLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceVersionMajor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceVersionMinor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DirtyPages\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ElevatedToken\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":tr
ue,\"readFromDocValues\":true},{\"name\":\"event_data.EventType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ExtraInfoLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ExtraInfoString\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.FilterID\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.FinalStatus\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Hashes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiveName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiveNameLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Image\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ImagePath\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ImpersonationLevel\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Initiated\",\"type\":\"string\",\"count\":0,\"scripted\":fal
se,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.IntegrityLevel\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.IpAddress\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.IpPort\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.KeyFilePath\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.KeyLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.KeyName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.KeyType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.KeysUpdated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LmPackageName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LogonGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LogonProcessName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LogonType\",\"type\":
\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.NewSize\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.NewTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.OldTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.OriginalSize\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ParentCommandLine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ParentImage\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ParentProcessGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ParentProcessId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.PreviousCreationUtcTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.PreviousTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.PrivilegeList\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"
readFromDocValues\":true},{\"name\":\"event_data.ProcessGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ProcessId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ProcessName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ProviderName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.RestrictedAdminMode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ReturnCode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SchemaVersion\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ServiceName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ServiceType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SourceHostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SourceIp\",\"type\":\"string\",\"count\":0,\"scripte
d\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SourceIsIpv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SourcePort\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.StartType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.State\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SubjectDomainName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SubjectLogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SubjectUserName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SubjectUserSid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetDomainName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetFilename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetLinkedLogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetLogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true
},{\"name\":\"event_data.TargetObject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetOutboundDomainName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetOutboundUserName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetUserName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetUserSid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TerminalSessionId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TransmittedServices\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.User\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.UtcTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.VirtualAccount\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Workstation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WorkstationName\",\"type\":\"string\",\"count\"
:0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param10\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param11\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param12\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param13\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param14\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param15\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param16\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param17\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param19\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param20\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param21\",\"type\":\"string\",\"count\"
:0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param22\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param4\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param7\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param8\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param9\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.serviceGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.updateGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.updateRevisionNumber\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.updateTitle\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",
\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"exception\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"exception.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"extracted\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"extracted.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fc_reply\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fc_reply.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fc_request\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\
":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fc_request.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_mime_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fileset.module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fileset.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"first_received\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readF
romDocValues\":false},{\"name\":\"first_received.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"flow_label\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"flow_label.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"forwardable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"forwardable.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"freq_virtual_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"freq_virtual_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"frequency_scores\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"frequency_scores.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp_argument\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp_argument.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVal
ues\":true},{\"name\":\"ftp_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"function\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"function.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_bulk_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_bulk_requests.keyword\",\"type\":\"stri
ng\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_cert_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_cert_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_debug_data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_debug_data.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_export_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_export_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_import_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_import_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"height\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"helo\",\"type\":\"string\",\"count\":0,\"script
ed\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"helo.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"highest_registered_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"highest_registered_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"highest_registered_domain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"history\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"history.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hop_limit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hop_limit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_key\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_key.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_key_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\
":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_key_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.debug.facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.debug.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"icinga.debug.severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.main.facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.main.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"icinga.main.severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.startup.facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.startup.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"icinga.startup.severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"id\",\"type\":\"string\",\"co
unt\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"iin\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"iin.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"in_reply_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"in_reply_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"indicator\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"indicator.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"indicator_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"indicator_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"info_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"info_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggreg
atable\":false,\"readFromDocValues\":false},{\"name\":\"info_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"initiated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"initiated.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"integrity_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"interface\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"interface.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ip_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_flags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name
\":\"ipv4_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_offset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_offset.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_protocol_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_tos\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_tos.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_ttl\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"irc_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_64bit\",\"typ
e\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_64bit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_exe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_exe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_source_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_source_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_webmail\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_webmail.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_common_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name_length\",
\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_distinguished_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_distinguished_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_locality.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_organization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_organization_unit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_serial_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_serial_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\"
:true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafka.log.class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kafka.log.component\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafka.log.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafka.log.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kafka.log.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafka.log.trace.class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafka.log.trace.full\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kafka.log.trace.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kex_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kex_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"script
ed\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keyboard_layout\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"keyboard_layout.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keywords\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kubernetes.container.image\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kubernetes.container.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kubernetes.namespace\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kubernetes.pod.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"last_alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_reply\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"last_reply.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"launch_string\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"launch_string.keyword\",\"type\":\"string\",\"count\":0,\"scri
pted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"lease_time\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"lease_time.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"length\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"length.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"local_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"local_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"local_respond\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"local_respond.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"location\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"location.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"re
adFromDocValues\":true},{\"name\":\"log_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logged\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logged.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.log.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.log.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.log.module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.log.thread\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.event\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues
\":false},{\"name\":\"logstash.slowlog.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.plugin_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.plugin_params\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.plugin_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.thread\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.took_in_millis\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.took_in_nanos\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash_time\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mac.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"sea
rchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mac_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"machine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"machine.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mail_date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mail_date.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mail_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mail_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"matched\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"matched.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"md5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},
{\"name\":\"message_error\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.availability_zone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.instance_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.instance_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.machine_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.project_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.provider\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.region\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mimetype\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"
name\":\"mimetype.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"missed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"missing_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.error.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.error.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql.error.thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.error.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.lock_time.sec\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slo
wlog.query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.query_time.sec\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.rows_examined\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.rows_sent\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.timestamp\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_argument\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_argument.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"n\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"n
ame\":\"name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"named_pipe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"named_pipe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"native_file_system\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"native_file_system.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"next_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"next_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"nginx.access.body_sent.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatab
le\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.http_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.remote_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.response_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.device\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.
user_agent.os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.os_major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.os_minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.os_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.patch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.error.connection_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.error.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.error.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"nginx.error.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.error.tid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nick\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"nick.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"
readFromDocValues\":true},{\"name\":\"note\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"note.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"notice\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ntlm_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"num_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"offset\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"opcode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"operation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_filenames\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_filenames.keyword\",\"type\":\"string
\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_mime_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_mime_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"original_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_ip_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"os.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ossec_agent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ossec_agent_name.keyword\",\"type\":\"string\",\"co
unt\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ossec_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ossec_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"overflow_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"p\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_id\",\"type\
":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"password\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"password.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"peer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"peer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"peer_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"peer_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pesha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pesha1.keyword\",\"type\":\"string\",\"count\":0,\"scri
pted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pesha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pesha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.database\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.duration\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"postgresql.log.query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\
":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"prev_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"prev_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_arguments\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_arguments.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true
,\"readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"profile\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"profile.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"program\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"program.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"prospector.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"nam
e\":\"provider_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"proxied\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"proxied.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_class\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_class_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query_class_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_type\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_type_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query_type_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ra\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ra.keyword\",\"type\":\"string\",\"count\":0,\"scr
ipted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rcode\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rcode_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rcode_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rd.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"read_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"recipient_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"recipient_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"record_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.log.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.log.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromD
ocValues\":false},{\"name\":\"redis.log.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.log.role\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.args\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.cmd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.duration.us\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.key\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"referrer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rejected\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rejected.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"related_activity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"remote_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"renewa
ble\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"renewable.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_body_len\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_body_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_port\",\"type\":\"string\",
\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_color_depth\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"requested_color_depth.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_resource\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"requested_resource.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_filenames\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_filenames.keyw
ord\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_mime_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_mime_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_ip_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_body_len\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_body_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_from.keyword\",\"type\":\"st
ring\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"result\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"result.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resumed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resumed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rev\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rev.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rows\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\
"readFromDocValues\":false},{\"name\":\"rows.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rtt\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rtt.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"san_dns\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"san_dns.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"second_received\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"second_received.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"section_names\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"section_names.keyword\",\"type
\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"security_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"security_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_node\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seen_node.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_where\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seen_where.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sensor_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sensor_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seq\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seq.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"sea
rchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_certificate_fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_certificate_fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_major_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_major_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_minor_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_minor_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\
":\"service\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"set_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"set_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"severity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"share_flag\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_flag.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"share_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_type.keyword\",\"type\":\"string\",\"count\":0,\"scripte
d\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signature_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"site\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"site.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false}
,{\"name\":\"source_geo.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.region_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":
false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sources\",\"type\":\"string\",\"count\":0,\"scripted\":false,
\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sources.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status_msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"stream\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sub_msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sub_msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sub_rule_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sub_rule_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"
readFromDocValues\":true},{\"name\":\"subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subdomain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subsystem\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subsystem.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"suppress_for\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues
\":true},{\"name\":\"syslog-host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-host_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-host_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-legacy_msghdr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-legacy_msghdr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-sourceip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocV
alues\":true},{\"name\":\"sysmon_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sysmon_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.groupadd.gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.groupadd.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.program\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.dropped_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.event\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.country_iso_code\",\"type\":\"string\",\"count
\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.error\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.pwd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}
,{\"name\":\"system.auth.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.home\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.shell\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.uid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.program\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"re
adFromDocValues\":true},{\"name\":\"target_filename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_filename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tc.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"terminal_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"terminal_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timed_out\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"timed_out.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_accessed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_accessed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_changed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_changed.ke
yword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_created\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_created.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_modified\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_modified.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tld.subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tld.subdomain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tls\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tls.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"top_level_domain\",\"type\":\"string\",\"count\":0,\"script
ed\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"top_level_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"total_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tracker_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tracker_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"traefik.access.backend_url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"traefik.access.body_sent.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.frontend_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"traefik.access.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"re
adFromDocValues\":true},{\"name\":\"traefik.access.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.http_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.remote_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.request_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.response_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.device\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik
.access.user_agent.os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.os_major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.os_minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.os_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.patch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"trans_depth\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"transaction_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ttls\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tty.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel_parents\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel_parents.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDo
cValues\":true},{\"name\":\"tunnel_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"unparsed_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"unparsed_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"up_since\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"up_since.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uri.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.domain\",\"type\":\"string\",\"count\":0,
\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_agent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.binaryData\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.binaryDataSize\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.param1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.param2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.xml_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"useragent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"useragent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"useragent_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable
\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_aslr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_aslr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_code_integrity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_code_integrity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_dep\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_dep.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_seh\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_seh.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"valid_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"valid_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"valid_till\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readF
romDocValues\":false},{\"name\":\"valid_till.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"validation_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"validation_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_additional_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_additional_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_major\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_major.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"read
FromDocValues\":true},{\"name\":\"version_minor2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"virtual_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"warning\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"warning.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"width\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"width.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x_originating_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tru
e},{\"name\":\"xml\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"year\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"z\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"z.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]","notExpandable":true,"timeFieldName":"@timestamp","title":"*:logstash-beats-*"},"coreMigrationVersion":"8.7.1","created_at":"2023-07-20T15:26:57.180Z","id":"AWBLHZaBRuBloj96jvrD","migrationVersion":{"index-pattern":"8.0.0"},"references":[],"sort":[1689866817180,5713],"type":"index-pattern","updated_at":"2023-07-20T15:26:57.180Z","version":"WzQ1NTMsMV0="} {"attributes":{"columns":["computer_name","process_id","user.name","event_id","event_data.Image"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"All Beats Logs","version":1},"coreMigrationVersion":"8.7.1","created_at":"2023-07-20T15:26:57.180Z","id":"AWBLMr9vRuBloj96jxp1","migrationVersion":{"search":"8.0.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1689866817180,5715],"type":"search","updated_at":"2023-07-20T15:26:57.180Z","version":"WzQ1NTQsMV0="} {"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Beats - Process 
IDs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Beats - Process IDs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_id\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"coreMigrationVersion":"8.7.1","created_at":"2023-07-20T15:26:57.180Z","id":"AWBLN7X2RuBloj96jxxY","migrationVersion":{"visualization":"8.5.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1689866817180,5717],"type":"visualization","updated_at":"2023-07-20T15:26:57.180Z","version":"WzQ1NTUsMV0="}
diff --git a/salt/kratos/config.sls b/salt/kratos/config.sls
index b9f5142f1..622522e0b 100644
--- a/salt/kratos/config.sls
+++ b/salt/kratos/config.sls
@@ -75,6 +75,7 @@ kratosconfig:
 - group: 928
 - mode: 600
 - template: jinja
+ - show_changes: False
 - defaults:
 KRATOSMERGED: {{ KRATOSMERGED }}
diff --git a/salt/kratos/defaults.yaml b/salt/kratos/defaults.yaml
index 598a94fa1..b70141b6f 100644
--- a/salt/kratos/defaults.yaml
+++ b/salt/kratos/defaults.yaml
@@ -46,6 +46,7 @@ kratos:
 ui_url: https://URL_BASE/
 login:
 ui_url: https://URL_BASE/login/
+ lifespan: 60m
 error:
 ui_url: https://URL_BASE/login/
 registration:
diff --git a/salt/kratos/soc_kratos.yaml b/salt/kratos/soc_kratos.yaml
index bc95d9b03..1b8c016c1 100644
--- a/salt/kratos/soc_kratos.yaml
+++ b/salt/kratos/soc_kratos.yaml
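Review bot: The new `- show_changes: False` on `kratosconfig` changes what operators see in state output without saying why, so it deserves a one-line why-comment next to it; suggested: `# show_changes off: the rendered file is mode 600 and its diff would otherwise be printed into state output and logs`. That the rendered config carries secrets is inferred from the 600 mode and the KRATOSMERGED template input rather than visible in this hunk, so adjust the wording if that is not the reason. The `kratosconfig` state begins outside the hunk.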
@@ -182,6 +182,10 @@ kratos:
 global: True
 advanced: True
 helpLink: kratos.html
+ lifespan:
+ description: Defines the duration that a login form will remain valid.
+ global: True
+ helpLink: kratos.html
 error:
 ui_url:
 description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
diff --git a/salt/logstash/config.sls b/salt/logstash/config.sls
index 5a1727e9b..d3df0b20f 100644
--- a/salt/logstash/config.sls
+++ b/salt/logstash/config.sls
@@ -10,11 +10,10 @@
 {% from 'logstash/map.jinja' import LOGSTASH_MERGED %}
 {% set ASSIGNED_PIPELINES = LOGSTASH_MERGED.assigned_pipelines.roles[GLOBALS.role.split('-')[1]] %}
+{% if GLOBALS.role not in ['so-receiver','so-fleet'] %}
 include:
- - ssl
- {% if GLOBALS.role not in ['so-receiver','so-fleet'] %}
 - elasticsearch
- {% endif %}
+{% endif %}
 # Create the logstash group
 logstashgroup:
diff --git a/salt/logstash/defaults.yaml b/salt/logstash/defaults.yaml
index 5af366459..520182555 100644
--- a/salt/logstash/defaults.yaml
+++ b/salt/logstash/defaults.yaml
@@ -63,7 +63,7 @@ logstash:
 settings:
 lsheap: 500m
 config:
- http_x_host: 0.0.0.0
+ api_x_http_x_host: 0.0.0.0
 path_x_logs: /var/log/logstash
 pipeline_x_workers: 1
 pipeline_x_batch_x_size: 125
diff --git a/salt/logstash/enabled.sls b/salt/logstash/enabled.sls
index cd71cd574..3c083f4ce 100644
--- a/salt/logstash/enabled.sls
+++ b/salt/logstash/enabled.sls
@@ -12,6 +12,7 @@
 {% set lsheap = LOGSTASH_MERGED.settings.lsheap %}
 include:
+ - ca
 {% if GLOBALS.role not in ['so-receiver','so-fleet'] %}
 - elasticsearch.ca
 {% endif %}
@@ -20,9 +21,9 @@ include:
 - kafka.ca
 - kafka.ssl
 {% endif %}
+ - logstash.ssl
 - logstash.config
 - logstash.sostatus
- - ssl
 so-logstash:
 docker_container.running:
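Review bot: The new `lifespan` annotation omits `advanced: True`, which the neighbouring `login.ui_url` entry carries, so this setting will presumably be listed among the basic options; if that is deliberate it is fine, otherwise add the flag for consistency. The description could also say what shape the value takes and what it bounds, since the `60m` default is set in `salt/kratos/defaults.yaml` in this same commit: `description: Defines how long a login form (and its flow) remains valid before the user must reload the login page. Duration value such as 60m.`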
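Review bot: Renaming `http_x_host` to `api_x_http_x_host` drops the old key without a visible migration, so any existing pillar override of `logstash.config.http_x_host` will silently stop applying and the container will come up with whatever the template renders for the new key. Unless another part of this commit migrates pillar data, either keep the old key readable for one release or at least record the rename beside the new line: `# renamed from http_x_host: Logstash moved http.host under api.http.host`. The `0.0.0.0` bind is carried over rather than introduced here; whether the API port is published outside the container is not visible in this hunk.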
@@ -65,22 +66,18 @@ so-logstash: - /opt/so/log/logstash:/var/log/logstash:rw - /sys/fs/cgroup:/sys/fs/cgroup:ro - /opt/so/conf/logstash/etc/certs:/usr/share/logstash/certs:ro - {% if GLOBALS.role in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %} - - /etc/pki/filebeat.crt:/usr/share/logstash/filebeat.crt:ro - - /etc/pki/filebeat.p8:/usr/share/logstash/filebeat.key:ro - {% endif %} + - /etc/pki/tls/certs/intca.crt:/usr/share/filebeat/ca.crt:ro {% if GLOBALS.is_manager or GLOBALS.role in ['so-fleet', 'so-heavynode', 'so-receiver'] %} - /etc/pki/elasticfleet-logstash.crt:/usr/share/logstash/elasticfleet-logstash.crt:ro - /etc/pki/elasticfleet-logstash.key:/usr/share/logstash/elasticfleet-logstash.key:ro - /etc/pki/elasticfleet-lumberjack.crt:/usr/share/logstash/elasticfleet-lumberjack.crt:ro - /etc/pki/elasticfleet-lumberjack.key:/usr/share/logstash/elasticfleet-lumberjack.key:ro + {% if GLOBALS.role != 'so-fleet' %} + - /etc/pki/filebeat.crt:/usr/share/logstash/filebeat.crt:ro + - /etc/pki/filebeat.p8:/usr/share/logstash/filebeat.key:ro + {% endif %} {% endif %} - {% if GLOBALS.role in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone', 'so-import'] %} - - /etc/pki/ca.crt:/usr/share/filebeat/ca.crt:ro - {% else %} - - /etc/pki/tls/certs/intca.crt:/usr/share/filebeat/ca.crt:ro - {% endif %} - {% if GLOBALS.role in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-searchnode' ] %} + {% if GLOBALS.role not in ['so-receiver','so-fleet'] %} - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro - /opt/so/conf/ca/tls-ca-bundle.pem:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro {% endif %} 
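Review bot: Every role now mounts `/etc/pki/tls/certs/intca.crt` as `/usr/share/filebeat/ca.crt`, the file the endgame and elastic_agent inputs use as `ssl_certificate_authorities` with client authentication required, whereas managers previously mounted `/etc/pki/ca.crt` there. Confirm that client certificates issued under the `filebeat` and `elasticfleet` signing policies in logstash/ssl.sls chain to that intermediate, and that agents still holding a certificate from the previous CA are re-issued before this rolls out, otherwise they are rejected at their next reconnect. A comment such as `# ca.crt inside the container is the intermediate CA that signs all filebeat/elasticfleet client certs` next to the mount would record that decision. The `so-logstash` state starts and ends outside this hunk.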
@@ -100,11 +97,22 @@ so-logstash: {% endfor %} {% endif %} - watch: - {% if GLOBALS.is_manager or GLOBALS.role in ['so-fleet', 'so-receiver'] %} - - x509: etc_elasticfleet_logstash_key - - x509: etc_elasticfleet_logstash_crt - {% endif %} - file: lsetcsync + - file: trusttheca + {% if GLOBALS.is_manager %} + - file: elasticsearch_cacerts + - file: elasticsearch_capems + {% endif %} + {% if GLOBALS.is_manager or GLOBALS.role in ['so-fleet', 'so-heavynode', 'so-receiver'] %} + - x509: etc_elasticfleet_logstash_crt + - x509: etc_elasticfleet_logstash_key + - x509: etc_elasticfleetlumberjack_crt + - x509: etc_elasticfleetlumberjack_key + {% if GLOBALS.role != 'so-fleet' %} + - x509: etc_filebeat_crt + - file: logstash_filebeat_p8 + {% endif %} + {% endif %} {% for assigned_pipeline in LOGSTASH_MERGED.assigned_pipelines.roles[GLOBALS.role.split('-')[1]] %} - file: ls_pipeline_{{assigned_pipeline}} {% for CONFIGFILE in LOGSTASH_MERGED.defined_pipelines[assigned_pipeline] %} 
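Review bot: On a heavy node the new watch list references `x509: etc_elasticfleet_logstash_crt` and `x509: etc_elasticfleet_logstash_key` (the condition includes `so-heavynode`), but logstash/ssl.sls added in this commit only renders those two states when `grains['role'] not in ['so-heavynode']`; unless another state file defines the same IDs on heavy nodes, Salt refuses the `so-logstash` state there with a missing-requisite error. The same pair is in the `require` list of the following hunk (@@ -115,17 +123,20 @@), and the bind mount of `/etc/pki/elasticfleet-logstash.crt` in the previous hunk points at a file that state does not produce on heavy nodes either. Either drop `so-heavynode` from this condition or wrap the two logstash-cert entries in `{% if GLOBALS.role != 'so-heavynode' %}`. The `so-logstash` state continues outside the hunk.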
@@ -115,17 +123,20 @@ so-logstash: - file: kafkacertz {% endif %} - require: - {% if grains['role'] in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %} + - file: trusttheca + {% if GLOBALS.is_manager %} + - file: elasticsearch_cacerts + - file: elasticsearch_capems + {% endif %} + {% if GLOBALS.is_manager or GLOBALS.role in ['so-fleet', 'so-heavynode', 'so-receiver'] %} + - x509: etc_elasticfleet_logstash_crt + - x509: etc_elasticfleet_logstash_key + - x509: etc_elasticfleetlumberjack_crt + - x509: etc_elasticfleetlumberjack_key + {% if GLOBALS.role != 'so-fleet' %} - x509: etc_filebeat_crt - {% endif %} - {% if grains['role'] in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone', 'so-import'] %} - - x509: pki_public_ca_crt - {% else %} - - x509: trusttheca - {% endif %} - {% if grains.role in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone', 'so-import'] %} - - file: cacertz - - file: capemz + - file: logstash_filebeat_p8 + {% endif %} {% endif %} {% if GLOBALS.pipeline == 'KAFKA' and GLOBALS.role in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone', 'so-searchnode'] %} - file: kafkacertz diff --git a/salt/logstash/pipelines/config/so/0011_input_endgame.conf b/salt/logstash/pipelines/config/so/0011_input_endgame.conf index 375585957..c6f9c59e8 100644 --- a/salt/logstash/pipelines/config/so/0011_input_endgame.conf +++ b/salt/logstash/pipelines/config/so/0011_input_endgame.conf @@ -5,10 +5,10 @@ input { codec => es_bulk request_headers_target_field => client_headers remote_host_target_field => client_host - ssl => true + ssl_enabled => true ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"] ssl_certificate => "/usr/share/logstash/filebeat.crt" ssl_key => "/usr/share/logstash/filebeat.key" - ssl_verify_mode => "peer" + ssl_client_authentication => "required" } } 
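Review bot: `ssl_client_authentication => "required"` is stricter than the `ssl_verify_mode => "peer"` it replaces: if I read the old option right, `peer` still accepted a client that presented no certificate, while `required` rejects the handshake, so any Endgame/filebeat sender without a client certificate stops being accepted after this change. If that tightening is intended, a one-line comment in the input (`# client certificate is mandatory; senders must present a cert signed by ca.crt`) and a release note make it deliberate rather than a side effect of the option rename; if it is not, the closest equivalent of the old behaviour in the new option set is `"optional"`.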
diff --git a/salt/logstash/pipelines/config/so/0012_input_elastic_agent.conf.jinja b/salt/logstash/pipelines/config/so/0012_input_elastic_agent.conf.jinja
index 6ba29f8e5..a4d699aff 100644
--- a/salt/logstash/pipelines/config/so/0012_input_elastic_agent.conf.jinja
+++ b/salt/logstash/pipelines/config/so/0012_input_elastic_agent.conf.jinja
@@ -2,11 +2,11 @@ input {
 elastic_agent {
 port => 5055
 tags => [ "elastic-agent", "input-{{ GLOBALS.hostname }}" ]
- ssl => true
+ ssl_enabled => true
 ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"]
 ssl_certificate => "/usr/share/logstash/elasticfleet-logstash.crt"
 ssl_key => "/usr/share/logstash/elasticfleet-logstash.key"
- ssl_verify_mode => "force_peer"
+ ssl_client_authentication => "required"
 ecs_compatibility => v8
 }
 }
diff --git a/salt/logstash/pipelines/config/so/0013_input_lumberjack_fleet.conf b/salt/logstash/pipelines/config/so/0013_input_lumberjack_fleet.conf
index fd9a87a22..b31ffee8d 100644
--- a/salt/logstash/pipelines/config/so/0013_input_lumberjack_fleet.conf
+++ b/salt/logstash/pipelines/config/so/0013_input_lumberjack_fleet.conf
@@ -2,7 +2,7 @@ input {
 elastic_agent {
 port => 5056
 tags => [ "elastic-agent", "fleet-lumberjack-input" ]
- ssl => true
+ ssl_enabled => true
 ssl_certificate => "/usr/share/logstash/elasticfleet-lumberjack.crt"
 ssl_key => "/usr/share/logstash/elasticfleet-lumberjack.key"
 ecs_compatibility => v8
diff --git a/salt/logstash/pipelines/config/so/9805_output_elastic_agent.conf.jinja b/salt/logstash/pipelines/config/so/9805_output_elastic_agent.conf.jinja
index be7ec6898..4fe138dd8 100644
--- a/salt/logstash/pipelines/config/so/9805_output_elastic_agent.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9805_output_elastic_agent.conf.jinja
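Review bot: The lumberjack fleet input on port 5056 gets the `ssl_enabled` rename but, unlike the two sibling inputs migrated in this commit, still has no `ssl_certificate_authorities` and no `ssl_client_authentication`, so it appears to authenticate the server side only. That is pre-existing, but since this listener's certificate is now issued under its own `elasticfleet` signing policy in logstash/ssl.sls, this is the moment to either require a client certificate here as well or add a comment stating why the listener is intentionally left without client authentication (`# no client auth on purpose: <reason> — confirm`).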
@@ -8,8 +8,8 @@ output { document_id => "%{[metadata][_id]}" index => "so-ip-mappings" silence_errors_in_log => ["version_conflict_engine_exception"] - ssl => true - ssl_certificate_verification => false + ssl_enabled => true + ssl_verification_mode => "none" } } else { @@ -25,8 +25,8 @@ output { document_id => "%{[metadata][_id]}" pipeline => "%{[metadata][pipeline]}" silence_errors_in_log => ["version_conflict_engine_exception"] - ssl => true - ssl_certificate_verification => false + ssl_enabled => true + ssl_verification_mode => "none" } } else { @@ -37,8 +37,8 @@ output { user => "{{ ES_USER }}" password => "{{ ES_PASS }}" pipeline => "%{[metadata][pipeline]}" - ssl => true - ssl_certificate_verification => false + ssl_enabled => true + ssl_verification_mode => "none" } } } @@ -49,8 +49,8 @@ output { data_stream => true user => "{{ ES_USER }}" password => "{{ ES_PASS }}" - ssl => true - ssl_certificate_verification => false + ssl_enabled => true + ssl_verification_mode=> "none" } } } diff --git a/salt/logstash/pipelines/config/so/9900_output_endgame.conf.jinja b/salt/logstash/pipelines/config/so/9900_output_endgame.conf.jinja index c056f5774..27e311fc4 100644 --- a/salt/logstash/pipelines/config/so/9900_output_endgame.conf.jinja +++ b/salt/logstash/pipelines/config/so/9900_output_endgame.conf.jinja @@ -13,8 +13,8 @@ output { user => "{{ ES_USER }}" password => "{{ ES_PASS }}" index => "endgame-%{+YYYY.MM.dd}" - ssl => true - ssl_certificate_verification => false + ssl_enabled => true + ssl_verification_mode => "none" } } } diff --git a/salt/logstash/soc_logstash.yaml b/salt/logstash/soc_logstash.yaml index b617abfdd..9560b5c36 100644 --- a/salt/logstash/soc_logstash.yaml +++ b/salt/logstash/soc_logstash.yaml @@ -56,7 +56,7 @@ logstash: helpLink: logstash.html global: False config: - http_x_host: + api_x_http_x_host: description: Host interface to listen to connections. helpLink: logstash.html readonly: True 
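Review bot: The last hunk of this file writes `ssl_verification_mode=> "none"` without the space used by the other three occurrences here and the one in 9900_output_endgame.conf.jinja; the parser may accept it, but make it `ssl_verification_mode => "none"` for consistency. All five outputs also keep server-certificate verification disabled, which the rename preserves rather than fixes, while several of them send `{{ ES_USER }}` / `{{ ES_PASS }}` over that connection. With the intermediate CA now mounted into the container as `/usr/share/filebeat/ca.crt` (enabled.sls in this commit), `ssl_verification_mode => "full"` plus `ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"]` looks feasible if the Elasticsearch certificate chains to it; if that is deferred, a `# TODO: enable verification once the ES cert chains to intca` comment records the gap.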
diff --git a/salt/logstash/ssl.sls b/salt/logstash/ssl.sls
new file mode 100644
index 000000000..935088e30
--- /dev/null
+++ b/salt/logstash/ssl.sls
@@ -0,0 +1,287 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states or sls.split('.')[0] in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} +{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %} +{% from 'ca/map.jinja' import CA %} + +{% if GLOBALS.is_manager or GLOBALS.role in ['so-heavynode', 'so-fleet', 'so-receiver'] %} + +{% if grains['role'] not in [ 'so-heavynode'] %} +# Start -- Elastic Fleet Logstash Input Cert +etc_elasticfleet_logstash_key: + x509.private_key_managed: + - name: /etc/pki/elasticfleet-logstash.key + - keysize: 4096 + - backup: True + - new: True + {% if salt['file.file_exists']('/etc/pki/elasticfleet-logstash.key') -%} + - prereq: + - x509: etc_elasticfleet_logstash_crt + {%- endif %} + - retry: + attempts: 5 + interval: 30 + +etc_elasticfleet_logstash_crt: + x509.certificate_managed: + - name: /etc/pki/elasticfleet-logstash.crt + - ca_server: {{ CA.server }} + - signing_policy: elasticfleet + - private_key: /etc/pki/elasticfleet-logstash.key + - CN: {{ GLOBALS.hostname }} + - subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %} + - days_remaining: 7 + - days_valid: 820 + - backup: True + - timeout: 30 + - retry: + attempts: 5 + interval: 30 + cmd.run: + - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-logstash.key -topk8 -out /etc/pki/elasticfleet-logstash.p8 -nocrypt" + - onchanges: + - x509: etc_elasticfleet_logstash_key + +eflogstashperms: + file.managed: + - 
replace: False + - name: /etc/pki/elasticfleet-logstash.key + - mode: 640 + - group: 939 + +chownelasticfleetlogstashcrt: + file.managed: + - replace: False + - name: /etc/pki/elasticfleet-logstash.crt + - mode: 640 + - user: 931 + - group: 939 + +chownelasticfleetlogstashkey: + file.managed: + - replace: False + - name: /etc/pki/elasticfleet-logstash.key + - mode: 640 + - user: 931 + - group: 939 +# End -- Elastic Fleet Logstash Input Cert +{% endif %} # endif is for not including HeavyNodes + +# Start -- Elastic Fleet Node - Logstash Lumberjack Input / Output +# Cert needed on: Managers, Receivers +etc_elasticfleetlumberjack_key: + x509.private_key_managed: + - name: /etc/pki/elasticfleet-lumberjack.key + - bits: 4096 + - backup: True + - new: True + {% if salt['file.file_exists']('/etc/pki/elasticfleet-lumberjack.key') -%} + - prereq: + - x509: etc_elasticfleetlumberjack_crt + {%- endif %} + - retry: + attempts: 5 + interval: 30 + +etc_elasticfleetlumberjack_crt: + x509.certificate_managed: + - name: /etc/pki/elasticfleet-lumberjack.crt + - ca_server: {{ CA.server }} + - signing_policy: elasticfleet + - private_key: /etc/pki/elasticfleet-lumberjack.key + - CN: {{ GLOBALS.node_ip }} + - subjectAltName: DNS:{{ GLOBALS.hostname }} + - days_remaining: 7 + - days_valid: 820 + - backup: True + - timeout: 30 + - retry: + attempts: 5 + interval: 30 + cmd.run: + - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-lumberjack.key -topk8 -out /etc/pki/elasticfleet-lumberjack.p8 -nocrypt" + - onchanges: + - x509: etc_elasticfleetlumberjack_key + +eflogstashlumberjackperms: + file.managed: + - replace: False + - name: /etc/pki/elasticfleet-lumberjack.key + - mode: 640 + - group: 939 + +chownilogstashelasticfleetlumberjackp8: + file.managed: + - replace: False + - name: /etc/pki/elasticfleet-lumberjack.p8 + - mode: 640 + - user: 931 + - group: 939 + +chownilogstashelasticfleetlogstashlumberjackcrt: + file.managed: + - replace: False + - name: 
/etc/pki/elasticfleet-lumberjack.crt + - mode: 640 + - user: 931 + - group: 939 + +chownilogstashelasticfleetlogstashlumberjackkey: + file.managed: + - replace: False + - name: /etc/pki/elasticfleet-lumberjack.key + - mode: 640 + - user: 931 + - group: 939 +# End -- Elastic Fleet Node - Logstash Lumberjack Input / Output +{% endif %} + +{% if GLOBALS.is_manager or GLOBALS.role in ['so-heavynode', 'so-receiver'] %} +etc_filebeat_key: + x509.private_key_managed: + - name: /etc/pki/filebeat.key + - keysize: 4096 + - backup: True + - new: True + {% if salt['file.file_exists']('/etc/pki/filebeat.key') -%} + - prereq: + - x509: etc_filebeat_crt + {%- endif %} + - retry: + attempts: 5 + interval: 30 + +# Request a cert and drop it where it needs to go to be distributed +etc_filebeat_crt: + x509.certificate_managed: + - name: /etc/pki/filebeat.crt + - ca_server: {{ CA.server }} + - signing_policy: filebeat + - private_key: /etc/pki/filebeat.key + - CN: {{ GLOBALS.hostname }} + - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} + - days_remaining: 7 + - days_valid: 820 + - backup: True + - timeout: 30 + - retry: + attempts: 5 + interval: 30 + cmd.run: + - name: "/usr/bin/openssl pkcs8 -in /etc/pki/filebeat.key -topk8 -out /etc/pki/filebeat.p8 -nocrypt" + - onchanges: + - x509: etc_filebeat_key + +fbperms: + file.managed: + - replace: False + - name: /etc/pki/filebeat.key + - mode: 640 + - group: 939 + +logstash_filebeat_p8: + file.managed: + - replace: False + - name: /etc/pki/filebeat.p8 + - mode: 640 + - user: 931 + - group: 939 + +{% if grains.role not in ['so-heavynode', 'so-receiver'] %} +# Create Symlinks to the keys so I can distribute it to all the things +filebeatdir: + file.directory: + - name: /opt/so/saltstack/local/salt/filebeat/files + - makedirs: True + +fbkeylink: + file.symlink: + - name: /opt/so/saltstack/local/salt/filebeat/files/filebeat.p8 + - target: /etc/pki/filebeat.p8 + - user: socore + - group: socore + +fbcrtlink: + 
file.symlink: + - name: /opt/so/saltstack/local/salt/filebeat/files/filebeat.crt + - target: /etc/pki/filebeat.crt + - user: socore + - group: socore + +{% endif %} +{% endif %} + +{% if GLOBALS.is_manager or GLOBALS.role in ['so-sensor', 'so-searchnode', 'so-heavynode', 'so-fleet', 'so-idh', 'so-receiver'] %} + +fbcertdir: + file.directory: + - name: /opt/so/conf/filebeat/etc/pki + - makedirs: True + +conf_filebeat_key: + x509.private_key_managed: + - name: /opt/so/conf/filebeat/etc/pki/filebeat.key + - keysize: 4096 + - backup: True + - new: True + {% if salt['file.file_exists']('/opt/so/conf/filebeat/etc/pki/filebeat.key') -%} + - prereq: + - x509: conf_filebeat_crt + {%- endif %} + - retry: + attempts: 5 + interval: 30 + +# Request a cert and drop it where it needs to go to be distributed +conf_filebeat_crt: + x509.certificate_managed: + - name: /opt/so/conf/filebeat/etc/pki/filebeat.crt + - ca_server: {{ CA.server }} + - signing_policy: filebeat + - private_key: /opt/so/conf/filebeat/etc/pki/filebeat.key + - CN: {{ GLOBALS.hostname }} + - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} + - days_remaining: 7 + - days_valid: 820 + - backup: True + - timeout: 30 + - retry: + attempts: 5 + interval: 30 + +# Convert the key to pkcs#8 so logstash will work correctly. +filebeatpkcs: + cmd.run: + - name: "/usr/bin/openssl pkcs8 -in /opt/so/conf/filebeat/etc/pki/filebeat.key -topk8 -out /opt/so/conf/filebeat/etc/pki/filebeat.p8 -passout pass:" + - onchanges: + - x509: conf_filebeat_key + +filebeatkeyperms: + file.managed: + - replace: False + - name: /opt/so/conf/filebeat/etc/pki/filebeat.key + - mode: 640 + - group: 939 + +chownfilebeatp8: + file.managed: + - replace: False + - name: /opt/so/conf/filebeat/etc/pki/filebeat.p8 + - mode: 640 + - user: 931 + - group: 939 + +{% endif %} + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} 
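Review bot: `etc_elasticfleet_logstash_key` passes `keysize: 4096` while `etc_elasticfleetlumberjack_key` in the same file passes `bits: 4096` for the same `x509.private_key_managed` state; whichever spelling the active x509 module does not recognise is likely ignored, so one of the two keys probably ends up with the module's default size — pick one spelling (the two filebeat keys further down also use `keysize`). The `.p8` files are created by the `openssl pkcs8` `cmd.run` steps with the shell's default umask and only tightened afterwards by a separate `file.managed` (`logstash_filebeat_p8`, `chownilogstashelasticfleetlumberjackp8`, `chownfilebeatp8`), and `/etc/pki/elasticfleet-logstash.p8` has no such state at all, so that private key keeps whatever mode openssl gave it; adding `- umask: 077` to each of those `cmd.run` entries closes the window and a perms state for the logstash `.p8` removes the gap. `filebeatpkcs` converts with `-passout pass:` whereas the other three conversions use `-nocrypt`, which presumably yields an encrypted PKCS#8 with an empty passphrase rather than a plain one — align them if the consumer expects the same format. `eflogstashperms` and `chownelasticfleetlogstashkey` both manage `/etc/pki/elasticfleet-logstash.key`; the first is redundant.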
diff --git a/salt/manager/elasticsearch.sls b/salt/manager/elasticsearch.sls
index ab9dbb287..7731859e3 100644
--- a/salt/manager/elasticsearch.sls
+++ b/salt/manager/elasticsearch.sls
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 elastic_curl_config_distributed:
 file.managed:
 - name: /opt/so/saltstack/local/salt/elasticsearch/curl.config
diff --git a/salt/manager/kibana.sls b/salt/manager/kibana.sls
index 17ac826c2..8ff876051 100644
--- a/salt/manager/kibana.sls
+++ b/salt/manager/kibana.sls
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 kibana_curl_config_distributed:
 file.managed:
 - name: /opt/so/conf/kibana/curl.config
@@ -5,4 +10,4 @@ kibana_curl_config_distributed:
 - template: jinja
 - mode: 600
 - show_changes: False
- - makedirs: True
\ No newline at end of file
+ - makedirs: True
diff --git a/salt/manager/managed_soc_annotations.sls b/salt/manager/managed_soc_annotations.sls
index 4357b53a2..b2fbb7334 100644
--- a/salt/manager/managed_soc_annotations.sls
+++ b/salt/manager/managed_soc_annotations.sls
@@ -4,7 +4,7 @@ # Elastic License 2.0. {# Managed elasticsearch/soc_elasticsearch.yaml file for adding integration configuration items to UI #} -{% set managed_integrations = salt['pillar.get']('elasticsearch:managed_integrations', []) %} +{% set managed_integrations = salt['pillar.get']('manager:managed_integrations', []) %} {% if managed_integrations and salt['file.file_exists']('/opt/so/state/esfleet_package_components.json') and salt['file.file_exists']('/opt/so/state/esfleet_component_templates.json') %} {% from 'elasticfleet/integration-defaults.map.jinja' import ADDON_INTEGRATION_DEFAULTS %} {% set addon_integration_keys = ADDON_INTEGRATION_DEFAULTS.keys() %} diff --git a/salt/manager/soc_manager.yaml b/salt/manager/soc_manager.yaml index f0d699f58..af66d62d8 100644 --- a/salt/manager/soc_manager.yaml +++ b/salt/manager/soc_manager.yaml @@ -78,3 +78,10 @@ manager: advanced: True helpLink: elastic-fleet.html forcedType: int + managed_integrations: + description: List of integrations to add into SOC config UI. Enter the full or partial integration name. Eg. 1password, 1pass + forcedType: "[]string" + multiline: True + global: True + advanced: True + helpLink: elasticsearch.html \ No newline at end of file diff --git a/salt/manager/sync_es_users.sls b/salt/manager/sync_es_users.sls index 5b9fb4efd..29b090e18 100644 --- a/salt/manager/sync_es_users.sls +++ b/salt/manager/sync_es_users.sls @@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + include: - elasticsearch.auth - kratos diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion index abb8f96ec..417b1eaf3 100755 --- a/salt/manager/tools/sbin/so-minion +++ b/salt/manager/tools/sbin/so-minion 
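Review bot: The pillar key read by managed_soc_annotations.sls moves from `elasticsearch:managed_integrations` to `manager:managed_integrations`, but nothing in the commit migrates an existing local pillar value, so a deployment that already populated the old key silently loses its integration entries after upgrade; if that value can already exist in the field, a fallback such as `salt['pillar.get']('manager:managed_integrations', salt['pillar.get']('elasticsearch:managed_integrations', []))` or an upgrade-script step is needed. In the soc_manager.yaml hunk the new entry keeps `helpLink: elasticsearch.html` although it now lives under `manager`, and the file is left without a trailing newline (`\ No newline at end of file`), which this same commit fixes in kibana.sls.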
@@ -716,6 +716,18 @@ function checkMine() { } } +function create_ca_pillar() { + local capillar=/opt/so/saltstack/local/pillar/ca/init.sls + printf '%s\n'\ + "ca:"\ + " server: $MINION_ID"\ + " " > $capillar + if [ $? -ne 0 ]; then + log "ERROR" "Failed to add $MINION_ID to $capillar" + return 1 + fi +} + function createEVAL() { log "INFO" "Creating EVAL configuration for minion $MINION_ID" is_pcaplimit=true @@ -827,7 +839,6 @@ function createHEAVYNODE() { add_elastic_agent_to_minion || return 1 add_sensor_to_minion || return 1 add_strelka_to_minion || return 1 - add_redis_to_minion || return 1 add_telegraf_to_minion || return 1 } @@ -1013,6 +1024,7 @@ function setupMinionFiles() { managers=("EVAL" "STANDALONE" "IMPORT" "MANAGER" "MANAGERSEARCH") if echo "${managers[@]}" | grep -qw "$NODETYPE"; then add_sensoroni_with_analyze_to_minion || return 1 + create_ca_pillar || return 1 else add_sensoroni_to_minion || return 1 fi diff --git a/salt/manager/tools/sbin/so-yaml.py b/salt/manager/tools/sbin/so-yaml.py index 00290f18b..fd5d8b056 100755 --- a/salt/manager/tools/sbin/so-yaml.py +++ b/salt/manager/tools/sbin/so-yaml.py @@ -9,6 +9,7 @@ import os import sys import time import yaml +import json lockFile = "/tmp/so-yaml.lock" 
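Review bot: `create_ca_pillar` redirects into `/opt/so/saltstack/local/pillar/ca/init.sls` without creating the `ca` directory first, so on a manager where that directory does not yet exist the `printf` fails and the function returns 1, which `setupMinionFiles` propagates; add `mkdir -p "$(dirname "$capillar")" || return 1` before the `printf`. The third `printf` argument `"  "` writes a whitespace-only line into the pillar file; dropping it keeps the YAML clean. Since this pillar makes `$MINION_ID` the `ca_server` that logstash/ssl.sls asks to sign certificates, a comment above the function such as `# Only manager roles may own the CA pillar; callers must gate on NODETYPE (see setupMinionFiles)` would help the next reader.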
@@ -16,19 +17,24 @@ lockFile = "/tmp/so-yaml.lock" def showUsage(args): print('Usage: {} [ARGS...]'.format(sys.argv[0]), file=sys.stderr) print(' General commands:', file=sys.stderr) - print(' append - Append a list item to a yaml key, if it exists and is a list. Requires KEY and LISTITEM args.', file=sys.stderr) - print(' removelistitem - Remove a list item from a yaml key, if it exists and is a list. Requires KEY and LISTITEM args.', file=sys.stderr) - print(' add - Add a new key and set its value. Fails if key already exists. Requires KEY and VALUE args.', file=sys.stderr) - print(' get - Displays (to stdout) the value stored in the given key. Requires KEY arg.', file=sys.stderr) - print(' remove - Removes a yaml key, if it exists. Requires KEY arg.', file=sys.stderr) - print(' replace - Replaces (or adds) a new key and set its value. Requires KEY and VALUE args.', file=sys.stderr) - print(' help - Prints this usage information.', file=sys.stderr) + print(' append - Append a list item to a yaml key, if it exists and is a list. Requires KEY and LISTITEM args.', file=sys.stderr) + print(' appendlistobject - Append an object to a yaml list key. Requires KEY and JSON_OBJECT args.', file=sys.stderr) + print(' removelistitem - Remove a list item from a yaml key, if it exists and is a list. Requires KEY and LISTITEM args.', file=sys.stderr) + print(' replacelistobject - Replace a list object based on a condition. Requires KEY, CONDITION_FIELD, CONDITION_VALUE, and JSON_OBJECT args.', file=sys.stderr) + print(' add - Add a new key and set its value. Fails if key already exists. Requires KEY and VALUE args.', file=sys.stderr) + print(' get - Displays (to stdout) the value stored in the given key. Requires KEY arg.', file=sys.stderr) + print(' remove - Removes a yaml key, if it exists. Requires KEY arg.', file=sys.stderr) + print(' replace - Replaces (or adds) a new key and set its value. 
Requires KEY and VALUE args.', file=sys.stderr) + print(' help - Prints this usage information.', file=sys.stderr) print('', file=sys.stderr) print(' Where:', file=sys.stderr) - print(' YAML_FILE - Path to the file that will be modified. Ex: /opt/so/conf/service/conf.yaml', file=sys.stderr) - print(' KEY - YAML key, does not support \' or " characters at this time. Ex: level1.level2', file=sys.stderr) - print(' VALUE - Value to set for a given key. Can be a literal value or file: to load from a YAML file.', file=sys.stderr) - print(' LISTITEM - Item to append to a given key\'s list value. Can be a literal value or file: to load from a YAML file.', file=sys.stderr) + print(' YAML_FILE - Path to the file that will be modified. Ex: /opt/so/conf/service/conf.yaml', file=sys.stderr) + print(' KEY - YAML key, does not support \' or " characters at this time. Ex: level1.level2', file=sys.stderr) + print(' VALUE - Value to set for a given key. Can be a literal value or file: to load from a YAML file.', file=sys.stderr) + print(' LISTITEM - Item to append to a given key\'s list value. Can be a literal value or file: to load from a YAML file.', file=sys.stderr) + print(' JSON_OBJECT - JSON string representing an object to append to a list.', file=sys.stderr) + print(' CONDITION_FIELD - Field name to match in list items (e.g., "name").', file=sys.stderr) + print(' CONDITION_VALUE - Value to match for the condition field.', file=sys.stderr) sys.exit(1) 
@@ -122,6 +128,52 @@ def append(args): return 0 +def appendListObjectItem(content, key, listObject): + pieces = key.split(".", 1) + if len(pieces) > 1: + appendListObjectItem(content[pieces[0]], pieces[1], listObject) + else: + try: + if not isinstance(content[key], list): + raise AttributeError("Value is not a list") + content[key].append(listObject) + except AttributeError: + print("The existing value for the given key is not a list. No action was taken on the file.", file=sys.stderr) + return 1 + except KeyError: + print("The key provided does not exist. No action was taken on the file.", file=sys.stderr) + return 1 + + +def appendlistobject(args): + if len(args) != 3: + print('Missing filename, key arg, or JSON object to append', file=sys.stderr) + showUsage(None) + return 1 + + filename = args[0] + key = args[1] + jsonString = args[2] + + try: + # Parse the JSON string into a Python dictionary + listObject = json.loads(jsonString) + except json.JSONDecodeError as e: + print(f'Invalid JSON string: {e}', file=sys.stderr) + return 1 + + # Verify that the parsed content is a dictionary (object) + if not isinstance(listObject, dict): + print('The JSON string must represent an object (dictionary), not an array or primitive value.', file=sys.stderr) + return 1 + + content = loadYaml(filename) + appendListObjectItem(content, key, listObject) + writeYaml(filename, content) + + return 0 + + def removelistitem(args): if len(args) != 3: print('Missing filename, key arg, or list item to remove', file=sys.stderr) 
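Review bot: `appendlistobject` ignores the result of `appendListObjectItem` and writes the file and returns 0 unconditionally, so when the key is missing or is not a list the command prints "No action was taken on the file" and then rewrites the file anyway and exits successfully; `replacelistobject` in the next hunk already checks the result, and this function should mirror it. The recursive branch of `appendListObjectItem` also drops the callee's return value (no `return`), so a failure on a nested key such as `key1.child1` comes back as None, and a missing intermediate key raises an uncaught KeyError because `content[pieces[0]]` sits outside the `try`. The same two issues apply to `replaceListObjectByCondition` in the next hunk.
```python
def appendListObjectItem(content, key, listObject):
    pieces = key.split(".", 1)
    if len(pieces) > 1:
        return appendListObjectItem(content[pieces[0]], pieces[1], listObject)
    # … unchanged: list check and error handling …
    return 0


def appendlistobject(args):
    # … unchanged: argument parsing and JSON validation …
    content = loadYaml(filename)
    result = appendListObjectItem(content, key, listObject)
    if result != 1:
        writeYaml(filename, content)
    return result if result is not None else 0
```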
@@ -139,6 +191,68 @@ def removelistitem(args): return 0 +def replaceListObjectByCondition(content, key, conditionField, conditionValue, newObject): + pieces = key.split(".", 1) + if len(pieces) > 1: + replaceListObjectByCondition(content[pieces[0]], pieces[1], conditionField, conditionValue, newObject) + else: + try: + if not isinstance(content[key], list): + raise AttributeError("Value is not a list") + + # Find and replace the item that matches the condition + found = False + for i, item in enumerate(content[key]): + if isinstance(item, dict) and item.get(conditionField) == conditionValue: + content[key][i] = newObject + found = True + break + + if not found: + print(f"No list item found with {conditionField}={conditionValue}. No action was taken on the file.", file=sys.stderr) + return 1 + + except AttributeError: + print("The existing value for the given key is not a list. No action was taken on the file.", file=sys.stderr) + return 1 + except KeyError: + print("The key provided does not exist. 
No action was taken on the file.", file=sys.stderr) + return 1 + + +def replacelistobject(args): + if len(args) != 5: + print('Missing filename, key arg, condition field, condition value, or JSON object', file=sys.stderr) + showUsage(None) + return 1 + + filename = args[0] + key = args[1] + conditionField = args[2] + conditionValue = args[3] + jsonString = args[4] + + try: + # Parse the JSON string into a Python dictionary + newObject = json.loads(jsonString) + except json.JSONDecodeError as e: + print(f'Invalid JSON string: {e}', file=sys.stderr) + return 1 + + # Verify that the parsed content is a dictionary (object) + if not isinstance(newObject, dict): + print('The JSON string must represent an object (dictionary), not an array or primitive value.', file=sys.stderr) + return 1 + + content = loadYaml(filename) + result = replaceListObjectByCondition(content, key, conditionField, conditionValue, newObject) + + if result != 1: + writeYaml(filename, content) + + return result if result is not None else 0 + + def addKey(content, key, value): pieces = key.split(".", 1) if len(pieces) > 1: @@ -229,7 +343,7 @@ def get(args): content = loadYaml(filename) output = getKeyValue(content, key) if output is None: - print("Not found", file=sys.stderr) + print(f"Key '{key}' not found by so-yaml.py", file=sys.stderr) return 2 print(yaml.safe_dump(output)) @@ -247,7 +361,9 @@ def main(): "help": showUsage, "add": add, "append": append, + "appendlistobject": appendlistobject, "removelistitem": removelistitem, + "replacelistobject": replacelistobject, "get": get, "remove": remove, "replace": replace, diff --git a/salt/manager/tools/sbin/so-yaml_test.py b/salt/manager/tools/sbin/so-yaml_test.py index 3b5ec498e..6f479921b 100644 --- a/salt/manager/tools/sbin/so-yaml_test.py +++ b/salt/manager/tools/sbin/so-yaml_test.py 
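Review bot: The recursive call in `replaceListObjectByCondition` discards the callee's return value, so a missing or non-list nested key yields None, `result != 1` holds and `replacelistobject` rewrites the file and exits 0 after printing "No action was taken"; make it `return replaceListObjectByCondition(content[pieces[0]], pieces[1], conditionField, conditionValue, newObject)` and have the leaf branch `return 0` on success. `conditionValue` arrives from the command line as a string while `item.get(conditionField)` keeps the YAML type, so an item with `id: 1` never matches `1` — compare `str(item.get(conditionField)) == str(conditionValue)` or document that only string fields can be matched. A missing intermediate key also raises an uncaught KeyError from `content[pieces[0]]` outside the `try`, unlike the leaf branch.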
@@ -580,3 +580,340 @@ class TestRemoveListItem(unittest.TestCase): soyaml.main() sysmock.assert_called() self.assertEqual("The existing value for the given key is not a list. No action was taken on the file.\n", mock_stderr.getvalue()) + + +class TestAppendListObject(unittest.TestCase): + + def test_appendlistobject_missing_arg(self): + with patch('sys.exit', new=MagicMock()) as sysmock: + with patch('sys.stderr', new=StringIO()) as mock_stderr: + sys.argv = ["cmd", "help"] + soyaml.appendlistobject(["file", "key"]) + sysmock.assert_called() + self.assertIn("Missing filename, key arg, or JSON object to append", mock_stderr.getvalue()) + + def test_appendlistobject(self): + filename = "/tmp/so-yaml_test-appendlistobject.yaml" + file = open(filename, "w") + file.write("{key1: { child1: 123 }, key2: [{name: item1, value: 10}]}") + file.close() + + json_obj = '{"name": "item2", "value": 20}' + soyaml.appendlistobject([filename, "key2", json_obj]) + + file = open(filename, "r") + actual = file.read() + file.close() + + expected = "key1:\n child1: 123\nkey2:\n- name: item1\n value: 10\n- name: item2\n value: 20\n" + self.assertEqual(actual, expected) + + def test_appendlistobject_nested(self): + filename = "/tmp/so-yaml_test-appendlistobject.yaml" + file = open(filename, "w") + file.write("{key1: { child1: [{name: a, id: 1}], child2: abc }, key2: false}") + file.close() + + json_obj = '{"name": "b", "id": 2}' + soyaml.appendlistobject([filename, "key1.child1", json_obj]) + + file = open(filename, "r") + actual = file.read() + file.close() + + # YAML doesn't guarantee key order in dictionaries, so check for content + self.assertIn("child1:", actual) + self.assertIn("name: a", actual) + self.assertIn("id: 1", actual) + self.assertIn("name: b", actual) + self.assertIn("id: 2", actual) + self.assertIn("child2: abc", actual) + self.assertIn("key2: false", actual) + + def test_appendlistobject_nested_deep(self): + filename = "/tmp/so-yaml_test-appendlistobject.yaml" + file = 
open(filename, "w") + file.write("{key1: { child1: 123, child2: { deep1: 45, deep2: [{x: 1}] } }, key2: false}") + file.close() + + json_obj = '{"x": 2, "y": 3}' + soyaml.appendlistobject([filename, "key1.child2.deep2", json_obj]) + + file = open(filename, "r") + actual = file.read() + file.close() + + expected = "key1:\n child1: 123\n child2:\n deep1: 45\n deep2:\n - x: 1\n - x: 2\n y: 3\nkey2: false\n" + self.assertEqual(actual, expected) + + def test_appendlistobject_invalid_json(self): + filename = "/tmp/so-yaml_test-appendlistobject.yaml" + file = open(filename, "w") + file.write("{key1: [{name: item1}]}") + file.close() + + with patch('sys.stderr', new=StringIO()) as mock_stderr: + result = soyaml.appendlistobject([filename, "key1", "{invalid json"]) + self.assertEqual(result, 1) + self.assertIn("Invalid JSON string:", mock_stderr.getvalue()) + + def test_appendlistobject_not_dict(self): + filename = "/tmp/so-yaml_test-appendlistobject.yaml" + file = open(filename, "w") + file.write("{key1: [{name: item1}]}") + file.close() + + with patch('sys.stderr', new=StringIO()) as mock_stderr: + # Try to append an array instead of an object + result = soyaml.appendlistobject([filename, "key1", "[1, 2, 3]"]) + self.assertEqual(result, 1) + self.assertIn("The JSON string must represent an object (dictionary)", mock_stderr.getvalue()) + + def test_appendlistobject_not_dict_primitive(self): + filename = "/tmp/so-yaml_test-appendlistobject.yaml" + file = open(filename, "w") + file.write("{key1: [{name: item1}]}") + file.close() + + with patch('sys.stderr', new=StringIO()) as mock_stderr: + # Try to append a primitive value + result = soyaml.appendlistobject([filename, "key1", "123"]) + self.assertEqual(result, 1) + self.assertIn("The JSON string must represent an object (dictionary)", mock_stderr.getvalue()) + + def test_appendlistobject_key_noexist(self): + filename = "/tmp/so-yaml_test-appendlistobject.yaml" + file = open(filename, "w") + file.write("{key1: [{name: 
item1}]}") + file.close() + + with patch('sys.exit', new=MagicMock()) as sysmock: + with patch('sys.stderr', new=StringIO()) as mock_stderr: + sys.argv = ["cmd", "appendlistobject", filename, "key2", '{"name": "item2"}'] + soyaml.main() + sysmock.assert_called() + self.assertEqual("The key provided does not exist. No action was taken on the file.\n", mock_stderr.getvalue()) + + def test_appendlistobject_key_noexist_deep(self): + filename = "/tmp/so-yaml_test-appendlistobject.yaml" + file = open(filename, "w") + file.write("{key1: { child1: [{name: a}] }}") + file.close() + + with patch('sys.exit', new=MagicMock()) as sysmock: + with patch('sys.stderr', new=StringIO()) as mock_stderr: + sys.argv = ["cmd", "appendlistobject", filename, "key1.child2", '{"name": "b"}'] + soyaml.main() + sysmock.assert_called() + self.assertEqual("The key provided does not exist. No action was taken on the file.\n", mock_stderr.getvalue()) + + def test_appendlistobject_key_nonlist(self): + filename = "/tmp/so-yaml_test-appendlistobject.yaml" + file = open(filename, "w") + file.write("{key1: { child1: 123 }}") + file.close() + + with patch('sys.exit', new=MagicMock()) as sysmock: + with patch('sys.stderr', new=StringIO()) as mock_stderr: + sys.argv = ["cmd", "appendlistobject", filename, "key1", '{"name": "item"}'] + soyaml.main() + sysmock.assert_called() + self.assertEqual("The existing value for the given key is not a list. 
No action was taken on the file.\n", mock_stderr.getvalue()) + + def test_appendlistobject_key_nonlist_deep(self): + filename = "/tmp/so-yaml_test-appendlistobject.yaml" + file = open(filename, "w") + file.write("{key1: { child1: 123, child2: { deep1: 45 } }}") + file.close() + + with patch('sys.exit', new=MagicMock()) as sysmock: + with patch('sys.stderr', new=StringIO()) as mock_stderr: + sys.argv = ["cmd", "appendlistobject", filename, "key1.child2.deep1", '{"name": "item"}'] + soyaml.main() + sysmock.assert_called() + self.assertEqual("The existing value for the given key is not a list. No action was taken on the file.\n", mock_stderr.getvalue()) + + +class TestReplaceListObject(unittest.TestCase): + + def test_replacelistobject_missing_arg(self): + with patch('sys.exit', new=MagicMock()) as sysmock: + with patch('sys.stderr', new=StringIO()) as mock_stderr: + sys.argv = ["cmd", "help"] + soyaml.replacelistobject(["file", "key", "field"]) + sysmock.assert_called() + self.assertIn("Missing filename, key arg, condition field, condition value, or JSON object", mock_stderr.getvalue()) + + def test_replacelistobject(self): + filename = "/tmp/so-yaml_test-replacelistobject.yaml" + file = open(filename, "w") + file.write("{key1: [{name: item1, value: 10}, {name: item2, value: 20}]}") + file.close() + + json_obj = '{"name": "item2", "value": 25, "extra": "field"}' + soyaml.replacelistobject([filename, "key1", "name", "item2", json_obj]) + + file = open(filename, "r") + actual = file.read() + file.close() + + expected = "key1:\n- name: item1\n value: 10\n- extra: field\n name: item2\n value: 25\n" + self.assertEqual(actual, expected) + + def test_replacelistobject_nested(self): + filename = "/tmp/so-yaml_test-replacelistobject.yaml" + file = open(filename, "w") + file.write("{key1: { child1: [{id: '1', status: active}, {id: '2', status: inactive}] }}") + file.close() + + json_obj = '{"id": "2", "status": "active", "updated": true}' + soyaml.replacelistobject([filename, 
"key1.child1", "id", "2", json_obj]) + + file = open(filename, "r") + actual = file.read() + file.close() + + expected = "key1:\n child1:\n - id: '1'\n status: active\n - id: '2'\n status: active\n updated: true\n" + self.assertEqual(actual, expected) + + def test_replacelistobject_nested_deep(self): + filename = "/tmp/so-yaml_test-replacelistobject.yaml" + file = open(filename, "w") + file.write("{key1: { child1: 123, child2: { deep1: 45, deep2: [{name: a, val: 1}, {name: b, val: 2}] } }}") + file.close() + + json_obj = '{"name": "b", "val": 99}' + soyaml.replacelistobject([filename, "key1.child2.deep2", "name", "b", json_obj]) + + file = open(filename, "r") + actual = file.read() + file.close() + + expected = "key1:\n child1: 123\n child2:\n deep1: 45\n deep2:\n - name: a\n val: 1\n - name: b\n val: 99\n" + self.assertEqual(actual, expected) + + def test_replacelistobject_invalid_json(self): + filename = "/tmp/so-yaml_test-replacelistobject.yaml" + file = open(filename, "w") + file.write("{key1: [{name: item1}]}") + file.close() + + with patch('sys.stderr', new=StringIO()) as mock_stderr: + result = soyaml.replacelistobject([filename, "key1", "name", "item1", "{invalid json"]) + self.assertEqual(result, 1) + self.assertIn("Invalid JSON string:", mock_stderr.getvalue()) + + def test_replacelistobject_not_dict(self): + filename = "/tmp/so-yaml_test-replacelistobject.yaml" + file = open(filename, "w") + file.write("{key1: [{name: item1}]}") + file.close() + + with patch('sys.stderr', new=StringIO()) as mock_stderr: + result = soyaml.replacelistobject([filename, "key1", "name", "item1", "[1, 2, 3]"]) + self.assertEqual(result, 1) + self.assertIn("The JSON string must represent an object (dictionary)", mock_stderr.getvalue()) + + def test_replacelistobject_condition_not_found(self): + filename = "/tmp/so-yaml_test-replacelistobject.yaml" + file = open(filename, "w") + file.write("{key1: [{name: item1, value: 10}, {name: item2, value: 20}]}") + file.close() + + with 
patch('sys.stderr', new=StringIO()) as mock_stderr: + json_obj = '{"name": "item3", "value": 30}' + result = soyaml.replacelistobject([filename, "key1", "name", "item3", json_obj]) + self.assertEqual(result, 1) + self.assertIn("No list item found with name=item3", mock_stderr.getvalue()) + + # Verify file was not modified + file = open(filename, "r") + actual = file.read() + file.close() + self.assertIn("item1", actual) + self.assertIn("item2", actual) + self.assertNotIn("item3", actual) + + def test_replacelistobject_key_noexist(self): + filename = "/tmp/so-yaml_test-replacelistobject.yaml" + file = open(filename, "w") + file.write("{key1: [{name: item1}]}") + file.close() + + with patch('sys.exit', new=MagicMock()) as sysmock: + with patch('sys.stderr', new=StringIO()) as mock_stderr: + sys.argv = ["cmd", "replacelistobject", filename, "key2", "name", "item1", '{"name": "item2"}'] + soyaml.main() + sysmock.assert_called() + self.assertEqual("The key provided does not exist. No action was taken on the file.\n", mock_stderr.getvalue()) + + def test_replacelistobject_key_noexist_deep(self): + filename = "/tmp/so-yaml_test-replacelistobject.yaml" + file = open(filename, "w") + file.write("{key1: { child1: [{name: a}] }}") + file.close() + + with patch('sys.exit', new=MagicMock()) as sysmock: + with patch('sys.stderr', new=StringIO()) as mock_stderr: + sys.argv = ["cmd", "replacelistobject", filename, "key1.child2", "name", "a", '{"name": "b"}'] + soyaml.main() + sysmock.assert_called() + self.assertEqual("The key provided does not exist. 
No action was taken on the file.\n", mock_stderr.getvalue()) + + def test_replacelistobject_key_nonlist(self): + filename = "/tmp/so-yaml_test-replacelistobject.yaml" + file = open(filename, "w") + file.write("{key1: { child1: 123 }}") + file.close() + + with patch('sys.exit', new=MagicMock()) as sysmock: + with patch('sys.stderr', new=StringIO()) as mock_stderr: + sys.argv = ["cmd", "replacelistobject", filename, "key1", "name", "item", '{"name": "item"}'] + soyaml.main() + sysmock.assert_called() + self.assertEqual("The existing value for the given key is not a list. No action was taken on the file.\n", mock_stderr.getvalue()) + + def test_replacelistobject_key_nonlist_deep(self): + filename = "/tmp/so-yaml_test-replacelistobject.yaml" + file = open(filename, "w") + file.write("{key1: { child1: 123, child2: { deep1: 45 } }}") + file.close() + + with patch('sys.exit', new=MagicMock()) as sysmock: + with patch('sys.stderr', new=StringIO()) as mock_stderr: + sys.argv = ["cmd", "replacelistobject", filename, "key1.child2.deep1", "name", "item", '{"name": "item"}'] + soyaml.main() + sysmock.assert_called() + self.assertEqual("The existing value for the given key is not a list. 
No action was taken on the file.\n", mock_stderr.getvalue()) + + def test_replacelistobject_string_condition_value(self): + filename = "/tmp/so-yaml_test-replacelistobject.yaml" + file = open(filename, "w") + file.write("{key1: [{name: item1, value: 10}, {name: item2, value: 20}]}") + file.close() + + json_obj = '{"name": "item1", "value": 15}' + soyaml.replacelistobject([filename, "key1", "name", "item1", json_obj]) + + file = open(filename, "r") + actual = file.read() + file.close() + + expected = "key1:\n- name: item1\n value: 15\n- name: item2\n value: 20\n" + self.assertEqual(actual, expected) + + def test_replacelistobject_numeric_condition_value(self): + filename = "/tmp/so-yaml_test-replacelistobject.yaml" + file = open(filename, "w") + file.write("{key1: [{id: '1', status: active}, {id: '2', status: inactive}]}") + file.close() + + json_obj = '{"id": "1", "status": "updated"}' + soyaml.replacelistobject([filename, "key1", "id", "1", json_obj]) + + file = open(filename, "r") + actual = file.read() + file.close() + + expected = "key1:\n- id: '1'\n status: updated\n- id: '2'\n status: inactive\n" + self.assertEqual(actual, expected) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 87de5baf0..693c48505 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -52,7 +52,7 @@ check_err() { ;; 28) echo 'No space left on device' - echo "Likely ran out of space on disk, please review hardware requirements for Security Onion: $DOC_BASE_URL/hardware.html" + echo "Likely ran out of space on disk, please review hardware requirements for Security Onion: $DOC_BASE_URL/hardware" ;; 30) echo 'Read-only file system' 
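Review bot: Every test in TestAppendListObject and TestReplaceListObject writes to a fixed, predictable name in the shared `/tmp` directory (`/tmp/so-yaml_test-appendlistobject.yaml`, `/tmp/so-yaml_test-replacelistobject.yaml`) that is never cleaned up, so two test runs on the same host clobber each other and each test reuses whatever already sits at that path. A per-test path from `tempfile.mkstemp()` created in setUp and removed in tearDown avoids both, and the repeated `open()`/`read()`/`close()` triplets read more cleanly as `with open(filename) as f: actual = f.read()`. Several expected strings (for example `- extra: field\n name: item2`) appear to rely on the dumper sorting keys; a comment saying so would make clear that a future change to key ordering in writeYaml breaks these assertions rather than the feature.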
@@ -87,6 +87,16 @@ check_err() {
 113)
 echo 'No route to host'
 ;;
+ 160)
+ echo 'Incompatiable Elasticsearch upgrade'
+ ;;
+ 161)
+ echo 'Required intermediate Elasticsearch upgrade not complete'
+ ;;
+ 170)
+ echo "Intermediate upgrade completed successfully to $next_step_so_version, but next soup to Security Onion $originally_requested_so_version could not be started automatically."
+ echo "Start soup again manually to continue the upgrade to Security Onion $originally_requested_so_version."
+ ;;
 *)
 echo 'Unhandled error'
 echo "$err_msg"
@@ -148,7 +158,7 @@ EOF
 echo "Ensure you verify the ISO that you downloaded."
 exit 0
 else
- echo "Device has been mounted!"
+ echo "Device has been mounted! $(cat /tmp/soagupdate/SecurityOnion/VERSION)"
 fi
 else
 echo "Could not find Security Onion ISO content at ${ISOLOC}"
@@ -319,6 +329,19 @@ clone_to_tmp() {
 fi
 }
+# there is a function like this in so-minion, but we cannot source it since args required for so-minion
+create_ca_pillar() {
+ local ca_pillar_dir="/opt/so/saltstack/local/pillar/ca"
+ local ca_pillar_file="${ca_pillar_dir}/init.sls"
+
+ echo "Updating CA pillar configuration"
+ mkdir -p "$ca_pillar_dir"
+ echo "ca: {}" > "$ca_pillar_file"
+
+ so-yaml.py add "$ca_pillar_file" ca.server "$MINIONID"
+ chown -R socore:socore "$ca_pillar_dir"
+}
+
 disable_logstash_heavynodes() {
 c=0
 printf "\nChecking for heavynodes and disabling Logstash if they exist\n"
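Review bot: The new 160 branch has a typo in user-facing text: `echo 'Incompatiable Elasticsearch upgrade'` should read `echo 'Incompatible Elasticsearch upgrade'` (the same misspelling appears in a comment inside verify_es_version_compatibility later in this diff). The 170 message interpolates `$next_step_so_version` and `$originally_requested_so_version`, but the latter is declared `local` inside run_airgap_intermediate_upgrade further down, so unless check_err is reached from within that call chain the message will print an empty version; either assign it at global scope there or add a comment above the 170 case stating which scope it relies on. check_err's body starts and ends outside this hunk.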
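Review bot: create_ca_pillar unconditionally truncates an existing `/opt/so/saltstack/local/pillar/ca/init.sls` with `echo "ca: {}" > "$ca_pillar_file"`, so any other keys an operator has placed under `ca:` are discarded each time up_to_2.4.210 runs; if the goal is only to guarantee `ca.server`, guard the reset with `[[ -f "$ca_pillar_file" ]] || echo "ca: {}" > "$ca_pillar_file"` and let the so-yaml.py call set the key. The exit status of `so-yaml.py add` is ignored, so a failed write still continues into the chown and the rest of the upgrade; `so-yaml.py add "$ca_pillar_file" ca.server "$MINIONID" || fail "Unable to update CA pillar"` matches the `|| fail` pattern used in repo_sync. Because root creates the file before the `chown -R`, its mode follows root's umask; an explicit mode next to the chown would make the pillar's permissions independent of the invoking shell. The header comment says a similar function lives in so-minion; naming that function makes it easier to keep the two in sync.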
@@ -334,6 +357,22 @@ disable_logstash_heavynodes() {
 done
 }
+disable_redis_heavynodes() {
+ local c=0
+ printf "\nChecking for heavynodes and disabling Redis if they exist\n"
+ for file in /opt/so/saltstack/local/pillar/minions/*.sls; do
+ if [[ "$file" =~ "_heavynode.sls" && ! "$file" =~ "/opt/so/saltstack/local/pillar/minions/adv_" ]]; then
+ c=1
+ echo "Disabling Redis for: $file"
+ so-yaml.py replace "$file" redis.enabled False
+ fi
+ done
+
+ if [[ "$c" != 0 ]]; then
+ FINAL_MESSAGE_QUEUE+=("Redis has been disabled on all heavynodes.")
+ fi
+}
+
 enable_highstate() {
 echo "Enabling highstate."
 salt-call state.enable highstate -l info --local
@@ -362,7 +401,6 @@ masterlock() {
 echo "base:" > $TOPFILE
 echo " $MINIONID:" >> $TOPFILE
 echo " - ca" >> $TOPFILE
- echo " - ssl" >> $TOPFILE
 echo " - elasticsearch" >> $TOPFILE
 }
@@ -428,6 +466,7 @@ preupgrade_changes() {
 [[ "$INSTALLEDVERSION" == 2.4.180 ]] && up_to_2.4.190
 [[ "$INSTALLEDVERSION" == 2.4.190 ]] && up_to_2.4.200
 [[ "$INSTALLEDVERSION" == 2.4.200 ]] && up_to_2.4.201
+ [[ "$INSTALLEDVERSION" == 2.4.201 ]] && up_to_2.4.210
 true
 }
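Review bot: `so-yaml.py replace "$file" redis.enabled False` in disable_redis_heavynodes runs without checking its exit status, yet the message pushed to FINAL_MESSAGE_QUEUE asserts that Redis has been disabled on all heavynodes; a replace that fails on one pillar (for example one with no `redis` key yet) leaves that node untouched while the operator is told otherwise. Suggest `so-yaml.py replace "$file" redis.enabled False || fail "Unable to disable Redis in $file"`, matching the `|| fail` pattern repo_sync uses elsewhere in this file. A short comment that `[[ "$file" =~ "_heavynode.sls" ]]` with a quoted right-hand side is a literal substring test rather than a regex would also save the next reader from "fixing" the quoting.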
@@ -442,25 +481,26 @@ postupgrade_changes() { [[ "$POSTVERSION" == 2.4.10 ]] && post_to_2.4.20 [[ "$POSTVERSION" == 2.4.20 ]] && post_to_2.4.30 [[ "$POSTVERSION" == 2.4.30 ]] && post_to_2.4.40 - [[ "$POSTVERSION" == 2.4.40 ]] && post_to_2.4.50 - [[ "$POSTVERSION" == 2.4.50 ]] && post_to_2.4.60 - [[ "$POSTVERSION" == 2.4.60 ]] && post_to_2.4.70 - [[ "$POSTVERSION" == 2.4.70 ]] && post_to_2.4.80 - [[ "$POSTVERSION" == 2.4.80 ]] && post_to_2.4.90 - [[ "$POSTVERSION" == 2.4.90 ]] && post_to_2.4.100 - [[ "$POSTVERSION" == 2.4.100 ]] && post_to_2.4.110 + [[ "$POSTVERSION" == 2.4.40 ]] && post_to_2.4.50 + [[ "$POSTVERSION" == 2.4.50 ]] && post_to_2.4.60 + [[ "$POSTVERSION" == 2.4.60 ]] && post_to_2.4.70 + [[ "$POSTVERSION" == 2.4.70 ]] && post_to_2.4.80 + [[ "$POSTVERSION" == 2.4.80 ]] && post_to_2.4.90 + [[ "$POSTVERSION" == 2.4.90 ]] && post_to_2.4.100 + [[ "$POSTVERSION" == 2.4.100 ]] && post_to_2.4.110 [[ "$POSTVERSION" == 2.4.110 ]] && post_to_2.4.111 - [[ "$POSTVERSION" == 2.4.111 ]] && post_to_2.4.120 - [[ "$POSTVERSION" == 2.4.120 ]] && post_to_2.4.130 - [[ "$POSTVERSION" == 2.4.130 ]] && post_to_2.4.140 - [[ "$POSTVERSION" == 2.4.140 ]] && post_to_2.4.141 - [[ "$POSTVERSION" == 2.4.141 ]] && post_to_2.4.150 - [[ "$POSTVERSION" == 2.4.150 ]] && post_to_2.4.160 - [[ "$POSTVERSION" == 2.4.160 ]] && post_to_2.4.170 - [[ "$POSTVERSION" == 2.4.170 ]] && post_to_2.4.180 - [[ "$POSTVERSION" == 2.4.180 ]] && post_to_2.4.190 - [[ "$POSTVERSION" == 2.4.190 ]] && post_to_2.4.200 - [[ "$POSTVERSION" == 2.4.200 ]] && post_to_2.4.201 + [[ "$POSTVERSION" == 2.4.111 ]] && post_to_2.4.120 + [[ "$POSTVERSION" == 2.4.120 ]] && post_to_2.4.130 + [[ "$POSTVERSION" == 2.4.130 ]] && post_to_2.4.140 + [[ "$POSTVERSION" == 2.4.140 ]] && post_to_2.4.141 + [[ "$POSTVERSION" == 2.4.141 ]] && post_to_2.4.150 + [[ "$POSTVERSION" == 2.4.150 ]] && post_to_2.4.160 + [[ "$POSTVERSION" == 2.4.160 ]] && post_to_2.4.170 + [[ "$POSTVERSION" == 2.4.170 ]] && post_to_2.4.180 + [[ "$POSTVERSION" == 
2.4.180 ]] && post_to_2.4.190
+ [[ "$POSTVERSION" == 2.4.190 ]] && post_to_2.4.200
+ [[ "$POSTVERSION" == 2.4.200 ]] && post_to_2.4.201
+ [[ "$POSTVERSION" == 2.4.201 ]] && post_to_2.4.210
 true
 }
@@ -617,9 +657,6 @@ post_to_2.4.180() {
 }
 post_to_2.4.190() {
- echo "Regenerating Elastic Agent Installers"
- /sbin/so-elastic-agent-gen-installers
-
 # Only need to update import / eval nodes
 if [[ "$MINION_ROLE" == "import" ]] || [[ "$MINION_ROLE" == "eval" ]]; then
 update_import_fleet_output
@@ -652,6 +689,36 @@ post_to_2.4.201() {
 POSTVERSION=2.4.201
 }
+post_to_2.4.210() {
+ echo "Rolling over Kratos index to apply new index template"
+
+ rollover_index "logs-kratos-so"
+
+ disable_redis_heavynodes
+
+ initialize_elasticsearch_indices "so-case so-casehistory so-assistant-session so-assistant-chat"
+
+ echo "Regenerating Elastic Agent Installers"
+ /sbin/so-elastic-agent-gen-installers
+
+ # migrate elasticsearch:managed_integrations pillar to manager:managed_integrations
+ if managed_integrations=$(/usr/sbin/so-yaml.py get /opt/so/saltstack/local/pillar/elasticsearch/soc_elasticsearch.sls elasticsearch.managed_integrations 2>/dev/null); then
+ local managed_integrations_old_pillar="/tmp/elasticsearch-managed_integrations.yaml"
+
+ echo "Migrating managed_integrations pillar"
+ echo -e "$managed_integrations" > "$managed_integrations_old_pillar"
+
+ /usr/sbin/so-yaml.py add /opt/so/saltstack/local/pillar/manager/soc_manager.sls manager.managed_integrations file:$managed_integrations_old_pillar > /dev/null 2>&1
+
+ /usr/sbin/so-yaml.py remove /opt/so/saltstack/local/pillar/elasticsearch/soc_elasticsearch.sls elasticsearch.managed_integrations
+ fi
+
+ # Remove so-rule-update script left behind by the idstools removal in 2.4.200
+ rm -f /usr/sbin/so-rule-update
+
+ POSTVERSION=2.4.210
+}
+
 repo_sync() {
 echo "Sync the local repo."
 su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync."
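Review bot: In the managed_integrations migration inside post_to_2.4.210, the result of `so-yaml.py add ... > /dev/null 2>&1` is discarded and the following `so-yaml.py remove` of `elasticsearch.managed_integrations` runs unconditionally, so if the add fails for any reason the only copy of the operator's integration list is deleted from the pillar with no error shown. The staging copy is also written with `echo -e`, which would rewrite any backslash sequences in the YAML, to a fixed `/tmp` path that is never removed. Gate the remove on the add succeeding, write with `printf '%s\n'`, and stage through mktemp (add `--suffix=.yaml` if so-yaml.py's `file:` loader keys on the extension):
```bash
  if managed_integrations=$(/usr/sbin/so-yaml.py get /opt/so/saltstack/local/pillar/elasticsearch/soc_elasticsearch.sls elasticsearch.managed_integrations 2>/dev/null); then
    local managed_integrations_old_pillar
    managed_integrations_old_pillar=$(mktemp /tmp/elasticsearch-managed_integrations.XXXXXX)

    echo "Migrating managed_integrations pillar"
    printf '%s\n' "$managed_integrations" > "$managed_integrations_old_pillar"

    if /usr/sbin/so-yaml.py add /opt/so/saltstack/local/pillar/manager/soc_manager.sls manager.managed_integrations file:"$managed_integrations_old_pillar"; then
      /usr/sbin/so-yaml.py remove /opt/so/saltstack/local/pillar/elasticsearch/soc_elasticsearch.sls elasticsearch.managed_integrations
    else
      echo "Failed to migrate managed_integrations pillar; leaving elasticsearch.managed_integrations in place." >&2
    fi
    rm -f "$managed_integrations_old_pillar"
  fi
  # … unchanged: so-rule-update cleanup and POSTVERSION …
```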
@@ -913,9 +980,7 @@ up_to_2.4.180() {
 }
 up_to_2.4.190() {
- # Elastic Update for this release, so download Elastic Agent files
- determine_elastic_agent_upgrade
-
+ echo "Nothing to do for 2.4.190"
 INSTALLEDVERSION=2.4.190
 }
@@ -928,6 +993,22 @@ up_to_2.4.200() {
 INSTALLEDVERSION=2.4.200
 }
+up_to_2.4.201() {
+ echo "Nothing to do for 2.4.201"
+
+ INSTALLEDVERSION=2.4.201
+}
+
+up_to_2.4.210() {
+ # Elastic Update for this release, so download Elastic Agent files
+ determine_elastic_agent_upgrade
+ create_ca_pillar
+ # This state is used to deal with the breaking change introduced in 3006.17 - https://docs.saltproject.io/en/3006/topics/releases/3006.17.html
+ # This is the only way the state is called so we can use concurrent=True
+ salt-call state.apply salt.master.add_minimum_auth_version --file-root=$UPDATE_DIR/salt --local concurrent=True
+ INSTALLEDVERSION=2.4.210
+}
+
 add_hydra_pillars() {
 mkdir -p /opt/so/saltstack/local/pillar/hydra
 touch /opt/so/saltstack/local/pillar/hydra/soc_hydra.sls
@@ -972,7 +1053,7 @@ used and enables informed prioritization of future development.
 Adjust this setting at anytime via the SOC Configuration screen.
-Documentation: https://docs.securityonion.net/en/2.4/telemetry.html
+Documentation: https://securityonion.net/docs/telemetry
 ASSIST_EOF
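Review bot: The `salt-call state.apply salt.master.add_minimum_auth_version ...` line in up_to_2.4.210 will report success even when the state fails, because salt-call exits 0 on failed states unless `--retcode-passthrough` is given; since the comment ties this state to a breaking Salt 3006.17 change, a silent failure here would surface later as a master/minion auth problem with no pointer back to this step. Suggest `salt-call state.apply salt.master.add_minimum_auth_version --file-root="$UPDATE_DIR/salt" --local concurrent=True --retcode-passthrough || fail "Unable to apply salt.master.add_minimum_auth_version"`, which also quotes `$UPDATE_DIR`. determine_elastic_agent_upgrade and create_ca_pillar run before the state; if that order matters, a one-line comment saying why would keep a future reorder from breaking it.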
@@ -1120,7 +1201,7 @@ suricata_idstools_removal_pre() {
 install -d -o 939 -g 939 -m 755 /opt/so/conf/soc/fingerprints
 install -o 939 -g 939 -m 644 /dev/null /opt/so/conf/soc/fingerprints/suricataengine.syncBlock
 cat > /opt/so/conf/soc/fingerprints/suricataengine.syncBlock << EOF
-Suricata ruleset sync is blocked until this file is removed. **CRITICAL** Make sure that you have manually added any custom Suricata rulesets via SOC config before removing this file - review the documentation for more details: https://docs.securityonion.net/en/2.4/nids.html#sync-block
+Suricata ruleset sync is blocked until this file is removed. **CRITICAL** Make sure that you have manually added any custom Suricata rulesets via SOC config before removing this file - review the documentation for more details: https://securityonion.net/docs/nids
 EOF
 # Remove possible symlink & create salt local rules dir
@@ -1324,12 +1405,6 @@ so-yaml.py removelistitem /etc/salt/master file_roots.base /opt/so/rules/nids
 }
-up_to_2.4.201() {
- echo "Nothing to do for 2.4.201"
-
- INSTALLEDVERSION=2.4.201
-}
-
 determine_elastic_agent_upgrade() {
 if [[ $is_airgap -eq 0 ]]; then
 update_elastic_agent_airgap
@@ -1625,6 +1700,374 @@ verify_latest_update_script() { fi } + +verify_es_version_compatibility() { + + local es_required_version_statefile_base="/opt/so/state/so_es_required_upgrade_version" + local es_verification_script="/tmp/so_intermediate_upgrade_verification.sh" + local is_active_intermediate_upgrade=1 + # supported upgrade paths for SO-ES versions + declare -A es_upgrade_map=( + ["8.14.3"]="8.17.3 8.18.4 8.18.6 8.18.8" + ["8.17.3"]="8.18.4 8.18.6 8.18.8" + ["8.18.4"]="8.18.6 8.18.8 9.0.8" + ["8.18.6"]="8.18.8 9.0.8" + ["8.18.8"]="9.0.8" + ) + + # Elasticsearch MUST upgrade through these versions + declare -A es_to_so_version=( + ["8.18.8"]="2.4.190-20251024" + ) + + # Get current Elasticsearch version + if es_version_raw=$(so-elasticsearch-query / --fail --retry 5 --retry-delay 10); then + es_version=$(echo "$es_version_raw" | jq -r '.version.number' ) + else + echo "Could not determine current Elasticsearch version to validate compatibility with post soup Elasticsearch version." + + exit 160 + fi + + if ! target_es_version_raw=$(so-yaml.py get $UPDATE_DIR/salt/elasticsearch/defaults.yaml elasticsearch.version); then + # so-yaml.py failed to get the ES version from upgrade versions elasticsearch/defaults.yaml file. Likely they are upgrading to an SO version older than 2.4.110 prior to the ES version pinning and should be OKAY to continue with the upgrade. + + # if so-yaml.py failed to get the ES version AND the version we are upgrading to is newer than 2.4.110 then we should bail + if [[ $(cat $UPDATE_DIR/VERSION | cut -d'.' -f3) > 110 ]]; then + echo "Couldn't determine the target Elasticsearch version (post soup version) to ensure compatibility with current Elasticsearch version. 
Exiting" + + exit 160 + fi + + # allow upgrade to version < 2.4.110 without checking ES version compatibility + return 0 + else + target_es_version=$(sed -n '1p' <<< "$target_es_version_raw") + fi + + for statefile in "${es_required_version_statefile_base}"-*; do + [[ -f $statefile ]] || continue + + local es_required_version_statefile_value=$(cat "$statefile") + + if [[ "$es_required_version_statefile_value" == "$target_es_version" ]]; then + echo "Intermediate upgrade to ES $target_es_version is in progress. Skipping Elasticsearch version compatibility check." + is_active_intermediate_upgrade=0 + continue + fi + + # use sort to check if es_required_statefile_value is < the current es_version. + if [[ "$(printf '%s\n' $es_required_version_statefile_value $es_version | sort -V | head -n1)" == "$es_required_version_statefile_value" ]]; then + rm -f "$statefile" + continue + fi + + if [[ ! -f "$es_verification_script" ]]; then + create_intermediate_upgrade_verification_script "$es_verification_script" + fi + + echo -e "\n##############################################################################################################################\n" + echo "A previously required intermediate Elasticsearch upgrade was detected. Verifying that all Searchnodes/Heavynodes have successfully upgraded Elasticsearch to $es_required_version_statefile_value before proceeding with soup to avoid potential data loss! This command can take up to an hour to complete." + timeout --foreground 4000 bash "$es_verification_script" "$es_required_version_statefile_value" "$statefile" + if [[ $? -ne 0 ]]; then + echo -e "\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n" + + echo "A previous required intermediate Elasticsearch upgrade to $es_required_version_statefile_value has yet to successfully complete across the grid. 
Please allow time for all Searchnodes/Heavynodes to have upgraded Elasticsearch to $es_required_version_statefile_value before running soup again to avoid potential data loss!" + + echo -e "\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n" + + exit 161 + fi + echo -e "\n##############################################################################################################################\n" + done + + # if current soup is an intermediate upgrade we can skip the upgrade map check below + if [[ $is_active_intermediate_upgrade -eq 0 ]]; then + return 0 + fi + + if [[ " ${es_upgrade_map[$es_version]} " =~ " $target_es_version " || "$es_version" == "$target_es_version" ]]; then + # supported upgrade + return 0 + else + compatible_versions=${es_upgrade_map[$es_version]} + if [[ -z "$compatible_versions" ]]; then + # If current ES version is not explicitly defined in the upgrade map, we know they have an intermediate upgrade to do. + # We default to the lowest ES version defined in es_to_so_version as $first_es_required_version + local first_es_required_version=$(printf '%s\n' "${!es_to_so_version[@]}" | sort -V | head -n1) + next_step_so_version=${es_to_so_version[$first_es_required_version]} + required_es_upgrade_version="$first_es_required_version" + else + next_step_so_version=${es_to_so_version[${compatible_versions##* }]} + required_es_upgrade_version="${compatible_versions##* }" + fi + echo -e "\n##############################################################################################################################\n" + echo -e "You are currently running Security Onion $INSTALLEDVERSION. 
You will need to update to version $next_step_so_version before updating to $(cat $UPDATE_DIR/VERSION).\n" + + es_required_version_statefile="${es_required_version_statefile_base}-${required_es_upgrade_version}" + echo "$required_es_upgrade_version" > "$es_required_version_statefile" + + # We expect to upgrade to the latest compatiable minor version of ES + create_intermediate_upgrade_verification_script "$es_verification_script" + + if [[ $is_airgap -eq 0 ]]; then + run_airgap_intermediate_upgrade + else + if [[ ! -z $ISOLOC ]]; then + originally_requested_iso_location="$ISOLOC" + fi + # Make sure ISOLOC is not set. Network installs that used soup -f would have ISOLOC set. + unset ISOLOC + + run_network_intermediate_upgrade + fi + fi + +} + +wait_for_salt_minion_with_restart() { + local minion="$1" + local max_wait="${2:-60}" + local interval="${3:-3}" + local logfile="$4" + + wait_for_salt_minion "$minion" "$max_wait" "$interval" "$logfile" + local result=$? + + if [[ $result -ne 0 ]]; then + echo "$(date '+%a %d %b %Y %H:%M:%S.%6N') - salt-minion not ready, attempting restart..." + systemctl_func "restart" "salt-minion" + wait_for_salt_minion "$minion" "$max_wait" "$interval" "$logfile" + result=$? + fi + + return $result +} + +run_airgap_intermediate_upgrade() { + local originally_requested_so_version=$(cat $UPDATE_DIR/VERSION) + # preserve ISOLOC value, so we can try to use it post intermediate upgrade + local originally_requested_iso_location="$ISOLOC" + + # make sure a fresh ISO gets mounted + unmount_update + + echo "You can download the $next_step_so_version ISO image from https://download.securityonion.net/file/securityonion/securityonion-$next_step_so_version.iso" + echo -e "\nIf you have the next ISO / USB ready, enter the path now eg. /dev/sdd, /home/onion/securityonion-$next_step_so_version.iso:" + + while [[ -z "$next_iso_location" ]] || [[ ! -f "$next_iso_location" && ! 
-b "$next_iso_location" ]]; do + # List removable devices if any are present + local removable_devices=$(lsblk -no PATH,SIZE,TYPE,MOUNTPOINTS,RM | awk '$NF==1') + if [[ -n "$removable_devices" ]]; then + echo "PATH SIZE TYPE MOUNTPOINTS RM" + echo "$removable_devices" + fi + + read -rp "Device/ISO Path (or 'exit' to quit): " next_iso_location + if [[ "${next_iso_location,,}" == "exit" ]]; then + echo "Exiting soup. Before reattempting to upgrade to $originally_requested_so_version, please first upgrade to $next_step_so_version to ensure Elasticsearch can properly update through the required versions." + + exit 160 + fi + + if [[ ! -f "$next_iso_location" && ! -b "$next_iso_location" ]]; then + echo "$next_iso_location is not a valid file or block device." + next_iso_location="" + fi + done + + echo "Using $next_iso_location for required intermediary upgrade." + exec bash < "$verification_script" + #!/bin/bash + + SOUP_INTERMEDIATE_UPGRADE_FAILURES_LOG_FILE="/root/so_intermediate_upgrade_verification_failures.log" + CURRENT_TIME=$(date +%Y%m%d.%H%M%S) + EXPECTED_ES_VERSION="$1" + + if [[ -z "$EXPECTED_ES_VERSION" ]]; then + echo -e "\nExpected Elasticsearch version not provided. Usage: $0 " + exit 1 + fi + + if [[ -f "$SOUP_INTERMEDIATE_UPGRADE_FAILURES_LOG_FILE" ]]; then + mv "$SOUP_INTERMEDIATE_UPGRADE_FAILURES_LOG_FILE" "$SOUP_INTERMEDIATE_UPGRADE_FAILURES_LOG_FILE.$CURRENT_TIME" + fi + + check_heavynodes_es_version() { + # Check if heavynodes are in this grid + if ! salt-key -l accepted | grep -q 'heavynode$'; then + + # No heavynodes, skip version check + echo "No heavynodes detected in this Security Onion deployment. Skipping heavynode Elasticsearch version verification." + return 0 + fi + + echo -e "\nOne or more heavynodes detected. Verifying their Elasticsearch versions." 
+ + local retries=20 + local retry_count=0 + local delay=180 + + while [[ $retry_count -lt $retries ]]; do + # keep stderr with variable for logging + heavynode_versions=$(salt -C 'G@role:so-heavynode' cmd.run 'so-elasticsearch-query / --retry 3 --retry-delay 10 | jq ".version.number"' shell=/bin/bash --out=json 2> /dev/null) + local exit_status=$? + + # Check that all heavynodes returned good data + if [[ $exit_status -ne 0 ]]; then + echo "Failed to retrieve Elasticsearch version from one or more heavynodes... Retrying in $delay seconds. Attempt $((retry_count + 1)) of $retries." + ((retry_count++)) + sleep $delay + + continue + else + if echo "$heavynode_versions" | jq -s --arg expected "\"$EXPECTED_ES_VERSION\"" --exit-status 'all(.[]; . | to_entries | all(.[]; .value == $expected))' > /dev/null; then + echo -e "\nAll heavynodes are at the expected Elasticsearch version $EXPECTED_ES_VERSION." + + return 0 + else + echo "One or more heavynodes are not at the expected Elasticsearch version $EXPECTED_ES_VERSION. Rechecking in $delay seconds. Attempt $((retry_count + 1)) of $retries." + ((retry_count++)) + sleep $delay + + continue + fi + fi + done + + echo -e "\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n" + echo "One or more heavynodes is not at the expected Elasticsearch version $EXPECTED_ES_VERSION." + echo "Current versions:" + echo "$heavynode_versions" | jq -s 'add' + echo "$heavynode_versions" | jq -s 'add' >> "$SOUP_INTERMEDIATE_UPGRADE_FAILURES_LOG_FILE" + echo -e "\n Stopping automatic upgrade to latest Security Onion version. Heavynodes must ALL be at Elasticsearch version $EXPECTED_ES_VERSION before proceeding with the next upgrade step to avoid potential data loss!" + echo -e "\n Heavynodes will upgrade themselves to Elasticsearch $EXPECTED_ES_VERSION on their own, but this process can take a long time depending on network link between Manager and Heavynodes." 
+ echo -e "\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n" + + return 1 + } + + check_searchnodes_es_version() { + local retries=20 + local retry_count=0 + local delay=180 + + while [[ $retry_count -lt $retries ]]; do + # keep stderr with variable for logging + cluster_versions=$(so-elasticsearch-query _nodes/_all/version --retry 5 --retry-delay 10 --fail 2>&1) + local exit_status=$? + + if [[ $exit_status -ne 0 ]]; then + echo "Failed to retrieve Elasticsearch versions from searchnodes... Retrying in $delay seconds. Attempt $((retry_count + 1)) of $retries." + ((retry_count++)) + sleep $delay + + continue + else + if echo "$cluster_versions" | jq --arg expected "$EXPECTED_ES_VERSION" --exit-status '.nodes | to_entries | all(.[].value.version; . == $expected)' > /dev/null; then + echo "All Searchnodes are at the expected Elasticsearch version $EXPECTED_ES_VERSION." + + return 0 + else + echo "One or more Searchnodes is not at the expected Elasticsearch version $EXPECTED_ES_VERSION. Rechecking in $delay seconds. Attempt $((retry_count + 1)) of $retries." + ((retry_count++)) + sleep $delay + + continue + fi + fi + done + + echo -e "\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n" + echo "One or more Searchnodes is not at the expected Elasticsearch version $EXPECTED_ES_VERSION." + echo "Current versions:" + echo "$cluster_versions" | jq '.nodes | to_entries | map({(.value.name): .value.version}) | sort | add' + echo "$cluster_versions" >> "$SOUP_INTERMEDIATE_UPGRADE_FAILURES_LOG_FILE" + echo -e "\nStopping automatic upgrade to latest version. Searchnodes must ALL be at Elasticsearch version $EXPECTED_ES_VERSION before proceeding with the next upgrade step to avoid potential data loss!" 
+ echo -e "\nSearchnodes will upgrade themselves to Elasticsearch $EXPECTED_ES_VERSION on their own, but this process can take a while depending on cluster size / network link between Manager and Searchnodes." + echo -e "\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n" + + echo "$cluster_versions" > "$SOUP_INTERMEDIATE_UPGRADE_FAILURES_LOG_FILE" + + return 1 + + } + + # Need to add a check for heavynodes and ensure all heavynodes get their own "cluster" upgraded before moving on to final upgrade. + check_searchnodes_es_version || exit 1 + check_heavynodes_es_version || exit 1 + + # Remove required version state file after successful verification + rm -f "$2" + + exit 0 + +EOF +} + # Keeping this block in case we need to do a hotfix that requires salt update apply_hotfix() { if [[ "$INSTALLEDVERSION" == "2.4.20" ]] ; then @@ -1651,7 +2094,7 @@ apply_hotfix() { mv /etc/pki/managerssl.crt /etc/pki/managerssl.crt.old mv /etc/pki/managerssl.key /etc/pki/managerssl.key.old systemctl_func "start" "salt-minion" - (wait_for_salt_minion "$MINIONID" "5" '/dev/stdout' || fail "Salt minion was not running or ready.") 2>&1 | tee -a "$SOUP_LOG" + wait_for_salt_minion_with_restart "$MINIONID" "60" "3" "$SOUP_LOG" || fail "Salt minion was not running or ready." fi else echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)" @@ -1721,6 +2164,9 @@ main() { echo "Verifying we have the latest soup script." verify_latest_update_script + echo "Verifying Elasticsearch version compatibility before upgrading." + verify_es_version_compatibility + echo "Let's see if we need to update Security Onion." upgrade_check upgrade_space @@ -1770,7 +2216,7 @@ main() { else update_registry set +e - update_docker_containers 'soup' '' '' '/dev/stdout' 2>&1 | tee -a "$SOUP_LOG" + update_docker_containers 'soup' '' '' '/dev/stdout' 2>&1 set -e fi 
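Review bot: Dropping `| tee -a "$SOUP_LOG"` from the `update_docker_containers` call in the `@@ -1770` hunk of main() leaves no visible path from that command's output into the soup log, while the `wait_for_salt_minion_with_restart` replacements in the neighbouring hunks pass `"$SOUP_LOG"` explicitly. Unless a script-wide redirect outside this hunk already captures stdout, the container-update step, which is the one most likely to fail mid-upgrade, will only be visible on the terminal. Either hand the log path to the call the way the sibling hunks do, or make the reliance explicit with a comment above it such as `# stdout/stderr already reach $SOUP_LOG through the script-wide redirect; no tee needed here`. main() starts and ends outside this hunk.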
@@ -1848,7 +2294,7 @@ main() { echo "" echo "Running a highstate. This could take several minutes." set +e - (wait_for_salt_minion "$MINIONID" "5" '/dev/stdout' || fail "Salt minion was not running or ready.") 2>&1 | tee -a "$SOUP_LOG" + wait_for_salt_minion_with_restart "$MINIONID" "60" "3" "$SOUP_LOG" || fail "Salt minion was not running or ready." highstate set -e @@ -1861,10 +2307,15 @@ main() { check_saltmaster_status echo "Running a highstate to complete the Security Onion upgrade on this manager. This could take several minutes." - (wait_for_salt_minion "$MINIONID" "5" '/dev/stdout' || fail "Salt minion was not running or ready.") 2>&1 | tee -a "$SOUP_LOG" + wait_for_salt_minion_with_restart "$MINIONID" "60" "3" "$SOUP_LOG" || fail "Salt minion was not running or ready." # Stop long-running scripts to allow potentially updated scripts to load on the next execution. - killall salt-relay.sh + if pgrep salt-relay.sh > /dev/null 2>&1; then + echo "Stopping salt-relay.sh" + killall salt-relay.sh + else + echo "salt-relay.sh is not running" + fi # ensure the mine is updated and populated before highstates run, following the salt-master restart update_salt_mine @@ -1927,7 +2378,7 @@ Each minion is on a random 15 minute check-in period and things like network ban If it looks like you’re missing data after the upgrade, please avoid restarting services and instead make sure at least one search node has completed its upgrade. The best way to do this is to run 'sudo salt-call state.highstate' from a search node and make sure there are no errors. Typically if it works on one node it will work on the rest. Sensor nodes are less complex and will update as they check in so you can monitor those from the Grid section of SOC. -For more information, please see $DOC_BASE_URL/soup.html#distributed-deployments. +For more information, please see $DOC_BASE_URL/soup#distributed-deployments. EOF 
@@ -1941,7 +2392,7 @@ EOF A custom Elasticsearch configuration has been found at /opt/so/saltstack/local/elasticsearch/files/elasticsearch.yml. This file is no longer referenced in Security Onion versions >= 2.3.80. -If you still need those customizations, you'll need to manually migrate them to the new Elasticsearch config as shown at $DOC_BASE_URL/elasticsearch.html. +If you still need those customizations, you'll need to manually migrate them to the new Elasticsearch config as shown at $DOC_BASE_URL/elasticsearch. EOF @@ -2002,7 +2453,7 @@ if [[ -z $UNATTENDED ]]; then SOUP - Security Onion UPdater Please review the following for more information about the update process and recent updates: -$DOC_BASE_URL/soup.html +$DOC_BASE_URL/soup https://blog.securityonion.net WARNING: If you run soup via an SSH session and that SSH session terminates, then any processes running in that session would terminate. You should avoid leaving soup unattended especially if the machine you are SSHing from is configured to sleep after a period of time. You might also consider using something like screen or tmux so that if your SSH session terminates, the processes will continue running on the server. diff --git a/salt/manager/tools/sbin/soupto3 b/salt/manager/tools/sbin/soupto3 new file mode 100755 index 000000000..d830eb07c --- /dev/null +++ b/salt/manager/tools/sbin/soupto3 
@@ -0,0 +1,184 @@ +#!/bin/bash + +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + +. /usr/sbin/so-common + +UPDATE_URL=https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/refs/heads/3/main/VERSION + +# Check if already running version 3 +CURRENT_VERSION=$(cat /etc/soversion 2>/dev/null) +if [[ "$CURRENT_VERSION" =~ ^3\. ]]; then + echo "" + echo "=========================================================================" + echo " Already Running Security Onion 3" + echo "=========================================================================" + echo "" + echo " This system is already running Security Onion $CURRENT_VERSION." + echo " Use 'soup' to update within the 3.x release line." + echo "" + exit 0 +fi + +echo "" +echo "Checking PCAP settings." +echo "" + +# Check pcapengine setting - must be SURICATA before upgrading to version 3 +PCAP_ENGINE=$(lookup_pillar "pcapengine") + +PCAP_DELETED=false + +prompt_delete_pcap() { + read -rp " Would you like to delete all remaining Stenographer PCAP data? (y/N): " DELETE_PCAP + if [[ "$DELETE_PCAP" =~ ^[Yy]$ ]]; then + echo "" + echo " WARNING: This will permanently delete all Stenographer PCAP data" + echo " on all nodes. This action cannot be undone." + echo "" + read -rp " Are you sure? (y/N): " CONFIRM_DELETE + if [[ "$CONFIRM_DELETE" =~ ^[Yy]$ ]]; then + echo "" + echo " Deleting Stenographer PCAP data on all nodes..." + salt '*' cmd.run "rm -rf /nsm/pcap/* && rm -rf /nsm/pcapindex/*" + echo " Done." + PCAP_DELETED=true + else + echo "" + echo " Delete cancelled." + fi + fi +} + +pcapengine_not_changed() { + echo "" + echo " PCAP engine must be set to SURICATA before upgrading to Security Onion 3." 
+ echo " You can change this in SOC by navigating to:" + echo " Configuration -> global -> pcapengine" +} + +prompt_change_engine() { + local current_engine=$1 + echo "" + read -rp " Would you like to change the PCAP engine to SURICATA now? (y/N): " CHANGE_ENGINE + if [[ "$CHANGE_ENGINE" =~ ^[Yy]$ ]]; then + if [[ "$PCAP_DELETED" != "true" ]]; then + echo "" + echo " WARNING: Stenographer PCAP data was not deleted. If you proceed," + echo " this data will no longer be accessible through SOC and will never" + echo " be automatically deleted. You will need to manually remove it later." + echo "" + read -rp " Continue with changing pcapengine to SURICATA? (y/N): " CONFIRM_CHANGE + if [[ ! "$CONFIRM_CHANGE" =~ ^[Yy]$ ]]; then + pcapengine_not_changed + return 1 + fi + fi + echo "" + echo " Updating PCAP engine to SURICATA..." + so-yaml.py replace /opt/so/saltstack/local/pillar/global/soc_global.sls global.pcapengine SURICATA + echo " Done." + return 0 + else + pcapengine_not_changed + return 1 + fi +} + +case "$PCAP_ENGINE" in + SURICATA) + echo "PCAP engine settings OK." + ;; + TRANSITION|STENO) + echo "" + echo "=========================================================================" + echo " PCAP Engine Check Failed" + echo "=========================================================================" + echo "" + echo " Your PCAP engine is currently set to $PCAP_ENGINE." + echo "" + echo " Before upgrading to Security Onion 3, Stenographer PCAP data must be" + echo " removed and the PCAP engine must be set to SURICATA." + echo "" + echo " To check remaining Stenographer PCAP usage, run:" + echo " salt '*' cmd.run 'du -sh /nsm/pcap'" + echo "" + + prompt_delete_pcap + if ! 
prompt_change_engine "$PCAP_ENGINE"; then + echo "" + exit 1 + fi + ;; + *) + echo "" + echo "=========================================================================" + echo " PCAP Engine Check Failed" + echo "=========================================================================" + echo "" + echo " Unable to determine the PCAP engine setting (got: '$PCAP_ENGINE')." + echo " Please ensure the PCAP engine is set to SURICATA." + echo " In SOC, navigate to Configuration -> global -> pcapengine" + echo " and change the value to SURICATA." + echo "" + exit 1 + ;; +esac + +echo "" +echo "Checking Versions." +echo "" + +# Check if Security Onion 3 has been released +VERSION=$(curl -sSf "$UPDATE_URL" 2>/dev/null) + +if [[ -z "$VERSION" ]]; then + echo "" + echo "=========================================================================" + echo " Unable to Check Version" + echo "=========================================================================" + echo "" + echo " Could not retrieve version information from:" + echo " $UPDATE_URL" + echo "" + echo " Please check your network connection and try again." + echo "" + exit 1 +fi + +if [[ "$VERSION" == "UNRELEASED" ]]; then + echo "" + echo "=========================================================================" + echo " Security Onion 3 Not Available" + echo "=========================================================================" + echo "" + echo " Security Onion 3 has not been released yet." + echo "" + echo " Please check back later or visit https://securityonion.net for updates." + echo "" + exit 1 +fi + +# Validate version format (e.g., 3.0.2) +if [[ ! 
"$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then + echo "" + echo "=========================================================================" + echo " Invalid Version" + echo "=========================================================================" + echo "" + echo " Received unexpected version format: '$VERSION'" + echo "" + echo " Please check back later or visit https://securityonion.net for updates." + echo "" + exit 1 +fi + +echo "Security Onion 3 ($VERSION) is available. Upgrading..." +echo "" + +# All checks passed - proceed with upgrade +BRANCH=3/main soup diff --git a/salt/nginx/config.sls b/salt/nginx/config.sls index 27611034c..ead3d9986 100644 --- a/salt/nginx/config.sls +++ b/salt/nginx/config.sls @@ -6,9 +6,6 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} -include: - - ssl - # Drop the correct nginx config based on role nginxconfdir: file.directory: diff --git a/salt/nginx/enabled.sls b/salt/nginx/enabled.sls index 4f57063c2..4ebeb9349 100644 --- a/salt/nginx/enabled.sls +++ b/salt/nginx/enabled.sls 
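Review bot: `prompt_change_engine` prints ` Done.` and returns 0 regardless of whether `so-yaml.py replace ... global.pcapengine SURICATA` succeeded, so a failed pillar edit still lets the script fall through to `BRANCH=3/main soup` with Stenographer left configured. The same applies to `prompt_delete_pcap`, which sets `PCAP_DELETED=true` after the `salt '*' cmd.run "rm -rf ..."` without checking that the salt run returned zero or that every minion answered. Check the exit status before declaring success, e.g. `if ! so-yaml.py replace /opt/so/saltstack/local/pillar/global/soc_global.sls global.pcapengine SURICATA; then echo " Failed to update pcapengine."; return 1; fi`, and mirror that on the delete step before setting `PCAP_DELETED`. The version fetched from `$UPDATE_URL` is already constrained by the `^[0-9]+\.[0-9]+\.[0-9]+$` check before use, which is the right shape for the rest of the script's inputs too.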
@@ -8,81 +8,14 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'docker/docker.map.jinja' import DOCKER %} {% from 'nginx/map.jinja' import NGINXMERGED %} -{% set ca_server = GLOBALS.minion_id %} include: + - nginx.ssl - nginx.config - nginx.sostatus - -{% if grains.role not in ['so-fleet'] %} - -{# if the user has selected to replace the crt and key in the ui #} -{% if NGINXMERGED.ssl.replace_cert %} - -managerssl_key: - file.managed: - - name: /etc/pki/managerssl.key - - source: salt://nginx/ssl/ssl.key - - mode: 640 - - group: 939 - - watch_in: - - docker_container: so-nginx - -managerssl_crt: - file.managed: - - name: /etc/pki/managerssl.crt - - source: salt://nginx/ssl/ssl.crt - - mode: 644 - - watch_in: - - docker_container: so-nginx - -{% else %} - -managerssl_key: - x509.private_key_managed: - - name: /etc/pki/managerssl.key - - keysize: 4096 - - backup: True - - new: True - {% if salt['file.file_exists']('/etc/pki/managerssl.key') -%} - - prereq: - - x509: /etc/pki/managerssl.crt - {%- endif %} - - retry: - attempts: 5 - interval: 30 - - watch_in: - - docker_container: so-nginx - -# Create a cert for the reverse proxy -managerssl_crt: - x509.certificate_managed: - - name: /etc/pki/managerssl.crt - - ca_server: {{ ca_server }} - - signing_policy: managerssl - - private_key: /etc/pki/managerssl.key - - CN: {{ GLOBALS.hostname }} - - subjectAltName: "DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}, DNS:{{ GLOBALS.url_base }}" - - days_remaining: 0 - - days_valid: 820 - - backup: True - - timeout: 30 - - retry: - attempts: 5 - interval: 30 - - watch_in: - - docker_container: so-nginx - -{% endif %} - -msslkeyperms: - file.managed: - - replace: False - - name: /etc/pki/managerssl.key - - mode: 640 - - group: 939 - +{% if GLOBALS.role != 'so-fleet' %} +{% set container_config = 'so-nginx' %} make-rule-dir-nginx: file.directory: - name: /nsm/rules 
@@ -92,15 +25,11 @@ make-rule-dir-nginx: - user - group - show_changes: False - -{% endif %} -{# if this is an so-fleet node then we want to use the port bindings, custom bind mounts defined for fleet #} -{% if GLOBALS.role == 'so-fleet' %} -{% set container_config = 'so-nginx-fleet-node' %} -{% else %} -{% set container_config = 'so-nginx' %} -{% endif %} +{% else %} +{# if this is an so-fleet node then we want to use the port bindings, custom bind mounts defined for fleet #} +{% set container_config = 'so-nginx-fleet-node' %} +{% endif %} so-nginx: docker_container.running: @@ -154,18 +83,27 @@ so-nginx: - watch: - file: nginxconf - file: nginxconfdir - - require: - - file: nginxconf -{% if GLOBALS.is_manager %} -{% if NGINXMERGED.ssl.replace_cert %} + {% if GLOBALS.is_manager %} + {% if NGINXMERGED.ssl.replace_cert %} - file: managerssl_key - file: managerssl_crt -{% else %} + {% else %} - x509: managerssl_key - x509: managerssl_crt -{% endif%} + {% endif%} + {% endif %} + - require: + - file: nginxconf + {% if GLOBALS.is_manager %} + {% if NGINXMERGED.ssl.replace_cert %} + - file: managerssl_key + - file: managerssl_crt + {% else %} + - x509: managerssl_key + - x509: managerssl_crt + {% endif%} - file: navigatorconfig -{% endif %} + {% endif %} delete_so-nginx_so-status.disabled: file.uncomment: diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index caa05bbff..6b322c397 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -181,7 +181,7 @@ http { ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2 TLSv1.3; - location ~* (^/login/.*|^/js/.*|^/css/.*|^/images/.*) { + location ~* (^/login/.*|^/js/.*|^/css/.*|^/images/.*|^/pages/.*|^/docs/.*) { proxy_pass http://{{ GLOBALS.manager }}:9822; proxy_read_timeout 90; proxy_connect_timeout 90; 
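Review bot: The `watch`/`require` entries added to `so-nginx` in the `@@ -154` hunk are gated on `GLOBALS.is_manager`, while the new `nginx.ssl` state that defines `managerssl_key`/`managerssl_crt` is gated on `GLOBALS.role != 'so-fleet'`; if those two conditions can disagree for any role, the container either lacks a requisite on the cert it mounts or the state mints certificates nothing depends on. If both are meant to be "every nginx host except fleet", use the same expression in both files. The `watch` list also duplicates the `watch_in: docker_container: so-nginx` already declared on those states in `nginx.ssl`; harmless, but worth a comment such as `# explicit watch kept so the restart dependency is visible from the container state`.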
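Review bot: Adding `^/pages/.*` and `^/docs/.*` to this `location` widens the set of paths proxied directly to `{{ GLOBALS.manager }}:9822` next to `/login/`, `/js/`, `/css/` and `/images/`; if this block sits outside the auth-gated locations, as its siblings suggest, everything SOC serves under those two prefixes becomes reachable without a session. Confirm those trees contain only public static content and record the intent next to the pattern, e.g. `# unauthenticated static assets only; nothing user- or tenant-specific may be served under these prefixes`. The enclosing `server` block starts and ends outside the hunk.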
@@ -213,6 +213,9 @@ http { proxy_buffering off; proxy_cache off; proxy_request_buffering off; + add_header Cache-Control "no-cache, no-store, must-revalidate"; + add_header Pragma "no-cache"; + add_header Expires "0"; } location ~ ^/auth/.*?(login|oidc/callback) { @@ -383,12 +386,16 @@ http { location @error401 { if ($request_uri ~* (^/connect/.*|^/oauth2/.*)) { - return 401; + return 401; } + if ($request_uri ~* ^/(?!(^/api/.*))) { - add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400"; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; } + + if ($request_uri ~* ^/(?!(api/|login|auth|oauth2|$))) { + add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400"; + } return 302 /auth/self-service/login/browser; } diff --git a/salt/nginx/ssl.sls b/salt/nginx/ssl.sls new file mode 100644 index 000000000..c699e1be3 --- /dev/null +++ b/salt/nginx/ssl.sls 
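Review bot: The `AUTH_REDIRECT` cookie re-added in `@error401` still carries only `Path` and `Max-Age`; this server only speaks TLS (`ssl_protocols TLSv1.2 TLSv1.3` appears just above the first hunk), so `Secure` and a `SameSite` attribute cost nothing: `add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400;Secure;SameSite=Lax";`. The value is the raw `$request_uri`, and the new lookahead only excludes `api/`, `login`, `auth`, `oauth2` and the empty path, so whatever consumes the cookie after login should accept only values that begin with a single `/` and treat anything else as "no redirect". Separately, the retained HSTS condition `^/(?!(^/api/.*))` has a `^` inside the lookahead after the leading `/` has already been consumed, so the lookahead can never match and the header is added unconditionally; if that is the intended behaviour, the `add_header Strict-Transport-Security ...` can simply move out of the `if`.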
@@ -0,0 +1,87 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls.split('.')[0] in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} +{% from 'nginx/map.jinja' import NGINXMERGED %} +{% from 'ca/map.jinja' import CA %} + +{% if GLOBALS.role != 'so-fleet' %} +{# if the user has selected to replace the crt and key in the ui #} +{% if NGINXMERGED.ssl.replace_cert %} + +managerssl_key: + file.managed: + - name: /etc/pki/managerssl.key + - source: salt://nginx/ssl/ssl.key + - mode: 640 + - group: 939 + - watch_in: + - docker_container: so-nginx + +managerssl_crt: + file.managed: + - name: /etc/pki/managerssl.crt + - source: salt://nginx/ssl/ssl.crt + - mode: 644 + - watch_in: + - docker_container: so-nginx + +{% else %} + +managerssl_key: + x509.private_key_managed: + - name: /etc/pki/managerssl.key + - keysize: 4096 + - backup: True + - new: True + {% if salt['file.file_exists']('/etc/pki/managerssl.key') -%} + - prereq: + - x509: /etc/pki/managerssl.crt + {%- endif %} + - retry: + attempts: 5 + interval: 30 + - watch_in: + - docker_container: so-nginx + +# Create a cert for the reverse proxy +managerssl_crt: + x509.certificate_managed: + - name: /etc/pki/managerssl.crt + - ca_server: {{ CA.server }} + - signing_policy: managerssl + - private_key: /etc/pki/managerssl.key + - CN: {{ GLOBALS.hostname }} + - subjectAltName: "DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}, DNS:{{ GLOBALS.url_base }}" + - days_remaining: 7 + - days_valid: 820 + - backup: True + - timeout: 30 + - retry: + attempts: 5 + interval: 30 + - watch_in: + - docker_container: so-nginx + +{% endif %} + +msslkeyperms: + file.managed: + - replace: 
False + - name: /etc/pki/managerssl.key + - mode: 640 + - group: 939 + +{% endif %} + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} diff --git a/salt/pcap/ca.sls b/salt/pcap/ca.sls new file mode 100644 index 000000000..01542b7dc --- /dev/null +++ b/salt/pcap/ca.sls @@ -0,0 +1,22 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls.split('.')[0] in allowed_states or sls in allowed_states%} + +stenoca: + file.directory: + - name: /opt/so/conf/steno/certs + - user: 941 + - group: 939 + - makedirs: True + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} diff --git a/salt/pcap/config.sls b/salt/pcap/config.sls index c37da9694..3df29da1b 100644 --- a/salt/pcap/config.sls +++ b/salt/pcap/config.sls @@ -57,12 +57,6 @@ stenoconf: PCAPMERGED: {{ PCAPMERGED }} STENO_BPF_COMPILED: "{{ STENO_BPF_COMPILED }}" -stenoca: - file.directory: - - name: /opt/so/conf/steno/certs - - user: 941 - - group: 939 - pcaptmpdir: file.directory: - name: /nsm/pcaptmp diff --git a/salt/pcap/enabled.sls b/salt/pcap/enabled.sls index b7b030516..a62c3ee3c 100644 --- a/salt/pcap/enabled.sls +++ b/salt/pcap/enabled.sls @@ -10,6 +10,7 @@ include: + - pcap.ca - pcap.config - pcap.sostatus diff --git a/salt/redis/config.sls b/salt/redis/config.sls index 053d46707..11aaa1f0e 100644 --- a/salt/redis/config.sls +++ b/salt/redis/config.sls @@ -7,9 +7,6 @@ {% if sls.split('.')[0] in allowed_states %} {% from 'redis/map.jinja' import REDISMERGED %} -include: - - ssl - # Redis Setup redisconfdir: file.directory: 
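Review bot: `managerssl_key` is created by `x509.private_key_managed` with no `mode`/`group`, and the 640/939 permissions are only applied afterwards by `msslkeyperms`, so between the two states the private key sits on disk with whatever the process umask allowed. If `x509.private_key_managed` forwards `file.managed` kwargs in this Salt release (the 3006 x509_v2 state does as far as I know; please confirm), move `- mode: 640` and `- group: 939` onto `managerssl_key` so the key is never written more permissive than intended, which also makes this branch match the `replace_cert` branch that already sets them on `file.managed`. The same create-then-chmod pattern appears in `redis/ssl.sls` (`rediskeyperms`) and `registry/ssl.sls` (`regkeyperms`) and should be fixed the same way.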
diff --git a/salt/redis/enabled.sls b/salt/redis/enabled.sls index fc206e3cb..3406b63d4 100644 --- a/salt/redis/enabled.sls +++ b/salt/redis/enabled.sls @@ -9,6 +9,8 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} include: + - ca + - redis.ssl - redis.config - redis.sostatus @@ -31,11 +33,7 @@ so-redis: - /nsm/redis/data:/data:rw - /etc/pki/redis.crt:/certs/redis.crt:ro - /etc/pki/redis.key:/certs/redis.key:ro - {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import'] %} - - /etc/pki/ca.crt:/certs/ca.crt:ro - {% else %} - /etc/pki/tls/certs/intca.crt:/certs/ca.crt:ro - {% endif %} {% if DOCKER.containers['so-redis'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-redis'].custom_bind_mounts %} - {{ BIND }} @@ -55,16 +53,14 @@ so-redis: {% endif %} - entrypoint: "redis-server /usr/local/etc/redis/redis.conf" - watch: - - file: /opt/so/conf/redis/etc - - require: - - file: redisconf + - file: trusttheca + - x509: redis_crt + - x509: redis_key + - file: /opt/so/conf/redis/etc + - require: + - file: trusttheca - x509: redis_crt - x509: redis_key - {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import'] %} - - x509: pki_public_ca_crt - {% else %} - - x509: trusttheca - {% endif %} delete_so-redis_so-status.disabled: file.uncomment: diff --git a/salt/redis/ssl.sls b/salt/redis/ssl.sls new file mode 100644 index 000000000..cd68d900f --- /dev/null +++ b/salt/redis/ssl.sls 
@@ -0,0 +1,54 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls.split('.')[0] in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} +{% from 'ca/map.jinja' import CA %} + +redis_key: + x509.private_key_managed: + - name: /etc/pki/redis.key + - keysize: 4096 + - backup: True + - new: True + {% if salt['file.file_exists']('/etc/pki/redis.key') -%} + - prereq: + - x509: /etc/pki/redis.crt + {%- endif %} + - retry: + attempts: 5 + interval: 30 + +redis_crt: + x509.certificate_managed: + - name: /etc/pki/redis.crt + - ca_server: {{ CA.server }} + - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} + - signing_policy: registry + - private_key: /etc/pki/redis.key + - CN: {{ GLOBALS.hostname }} + - days_remaining: 7 + - days_valid: 820 + - backup: True + - timeout: 30 + - retry: + attempts: 5 + interval: 30 + +rediskeyperms: + file.managed: + - replace: False + - name: /etc/pki/redis.key + - mode: 640 + - group: 939 + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} diff --git a/salt/registry/config.sls b/salt/registry/config.sls index 098633829..299d80437 100644 --- a/salt/registry/config.sls +++ b/salt/registry/config.sls @@ -6,9 +6,6 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} -include: - - ssl - # Create the config directory for the docker registry dockerregistryconfdir: file.directory: diff --git a/salt/registry/enabled.sls b/salt/registry/enabled.sls index ed5b180cd..7009f135e 100644 --- a/salt/registry/enabled.sls +++ b/salt/registry/enabled.sls 
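Review bot: `redis/ssl.sls` imports `CA` from `ca/map.jinja` but leaves it to `redis/enabled.sls` to `include: - ca`, whereas `registry/ssl.sls` carries its own `include: - ca` and `nginx/ssl.sls` has neither; the three new ssl states should take one approach so that `redis.ssl` applied on its own does not depend on the caller having pulled in `trusttheca`. Either add `include: - ca` here as the registry state does, or mark the dependency, e.g. `# relies on the calling state (redis/enabled.sls) to include ca`. A one-line comment on why `redis_crt` uses `signing_policy: registry` rather than a redis-specific policy would also help the next reader; it looks inherited from the old state but the hunk does not show that.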
@@ -9,6 +9,7 @@ {% from 'docker/docker.map.jinja' import DOCKER %} include: + - registry.ssl - registry.config - registry.sostatus @@ -53,6 +54,9 @@ so-dockerregistry: - retry: attempts: 5 interval: 30 + - watch: + - x509: registry_crt + - x509: registry_key - require: - file: dockerregistryconf - x509: registry_crt diff --git a/salt/registry/ssl.sls b/salt/registry/ssl.sls new file mode 100644 index 000000000..b739e9cc4 --- /dev/null +++ b/salt/registry/ssl.sls 
@@ -0,0 +1,77 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls.split('.')[0] in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} +{% from 'ca/map.jinja' import CA %} + +include: + - ca + +# Delete directory if it exists at the key path +registry_key_cleanup: + file.absent: + - name: /etc/pki/registry.key + - onlyif: + - test -d /etc/pki/registry.key + +registry_key: + x509.private_key_managed: + - name: /etc/pki/registry.key + - keysize: 4096 + - backup: True + - new: True + - require: + - file: registry_key_cleanup + {% if salt['file.file_exists']('/etc/pki/registry.key') -%} + - prereq: + - x509: /etc/pki/registry.crt + {%- endif %} + - retry: + attempts: 15 + interval: 10 + +# Delete directory if it exists at the crt path +registry_crt_cleanup: + file.absent: + - name: /etc/pki/registry.crt + - onlyif: + - test -d /etc/pki/registry.crt + +# Create a cert for the docker registry +registry_crt: + x509.certificate_managed: + - name: /etc/pki/registry.crt + - ca_server: {{ CA.server }} + - subjectAltName: DNS:{{ GLOBALS.manager }}, IP:{{ GLOBALS.manager_ip }} + - signing_policy: registry + - private_key: /etc/pki/registry.key + - CN: {{ GLOBALS.manager }} + - days_remaining: 7 + - days_valid: 820 + - backup: True + - require: + - file: registry_crt_cleanup + - timeout: 30 + - retry: + attempts: 15 + interval: 10 + + +regkeyperms: + file.managed: + - replace: False + - name: /etc/pki/registry.key + - mode: 640 + - group: 939 + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} 
diff --git a/salt/salt/engines/master/checkmine.py b/salt/salt/engines/master/checkmine.py index f33392575..68127bacb 100644 --- a/salt/salt/engines/master/checkmine.py +++ b/salt/salt/engines/master/checkmine.py @@ -46,33 +46,6 @@ def start(interval=60): mine_update(minion) continue - # if a manager check that the ca in in the mine and it is correct - if minion.split('_')[-1] in ['manager', 'managersearch', 'eval', 'standalone', 'import']: - x509 = __salt__['saltutil.runner']('mine.get', tgt=minion, fun='x509.get_pem_entries') - try: - ca_crt = x509[minion]['/etc/pki/ca.crt'] - log.debug('checkmine engine: found minion %s has ca_crt: %s' % (minion, ca_crt)) - # since the cert is defined, make sure it is valid - import salt.modules.x509_v2 as x509_v2 - if not x509_v2.verify_private_key('/etc/pki/ca.key', '/etc/pki/ca.crt'): - log.error('checkmine engine: found minion %s does\'t have a valid ca_crt in the mine' % (minion)) - log.error('checkmine engine: %s: ca_crt: %s' % (minion, ca_crt)) - mine_delete(minion, 'x509.get_pem_entries') - mine_update(minion) - continue - else: - log.debug('checkmine engine: found minion %s has a valid ca_crt in the mine' % (minion)) - except IndexError: - log.error('checkmine engine: found minion %s does\'t have a ca_crt in the mine' % (minion)) - mine_delete(minion, 'x509.get_pem_entries') - mine_update(minion) - continue - except KeyError: - log.error('checkmine engine: found minion %s is not in the mine' % (minion)) - mine_flush(minion) - mine_update(minion) - continue - # Update the mine if the ip in the mine doesn't match returned from manage.alived network_ip_addrs = __salt__['saltutil.runner']('mine.get', tgt=minion, fun='network.ip_addrs') try: diff --git a/salt/salt/engines/master/minimum_auth_version.py b/salt/salt/engines/master/minimum_auth_version.py new file mode 100644 index 000000000..1213cb5e1 --- /dev/null +++ b/salt/salt/engines/master/minimum_auth_version.py 
@@ -0,0 +1,73 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +# -*- coding: utf-8 -*- + +import logging +import os +import time +from datetime import datetime, timedelta +import salt.client + +log = logging.getLogger(__name__) + +TIMESTAMP_FILE = '/opt/so/state/mav_engine_start_time' + +def _get_start_time(): + """Read persisted start time from file, or create one if it doesn't exist.""" + if os.path.exists(TIMESTAMP_FILE): + with open(TIMESTAMP_FILE, 'r') as f: + timestamp = f.read().strip() + start_time = datetime.fromisoformat(timestamp) + log.info("Loaded existing start time from %s: %s", TIMESTAMP_FILE, start_time) + return start_time + + start_time = datetime.now() + with open(TIMESTAMP_FILE, 'w') as f: + f.write(start_time.isoformat()) + log.info("No existing start time found. Persisted new start time: %s", start_time) + return start_time + + +def _clear_start_time(): + """Remove the persisted timestamp file after successful completion.""" + if os.path.exists(TIMESTAMP_FILE): + os.remove(TIMESTAMP_FILE) + log.info("Removed timestamp file %s", TIMESTAMP_FILE) + + +def start(wait_days=7): + """ + This engine waits for the specified number of days, then changes minimum_auth_version. 
+ + Args: + wait_days: Days to wait before taking action (default: 7) + """ + log.info( + "Starting minimum_auth_version engine - Wait time: %d days", + wait_days + ) + + start_time = _get_start_time() + wait_delta = timedelta(days=wait_days) + mav_removed = False + caller = salt.client.Caller() + + while True: + if not mav_removed: + elapsed = datetime.now() - start_time + + if elapsed >= wait_delta: + log.info("Changing minimum_auth_version") + _clear_start_time() + result = caller.cmd('state.apply', 'salt.master.remove_minimum_auth_version', queue=True) + # We shouldn't reach this line since the above line should remove the engine and restart salt-master + log.info("State apply result: %s", result) + mav_removed = True + else: + target_time = start_time + wait_delta + log.info("minimum_auth_version will be changed within an hour of %s", target_time.strftime('%m-%d-%Y %H:%M')) + + time.sleep(3600) # Check hourly diff --git a/salt/salt/master.defaults.yaml b/salt/salt/master.defaults.yaml index 9dfe8587f..a54c33014 100644 --- a/salt/salt/master.defaults.yaml +++ b/salt/salt/master.defaults.yaml @@ -1,4 +1,4 @@ # version cannot be used elsewhere in this pillar as soup is grepping for it to determine if Salt needs to be patched salt: master: - version: '3006.16' + version: '3006.19' diff --git a/salt/salt/master/add_minimum_auth_version.sls b/salt/salt/master/add_minimum_auth_version.sls new file mode 100644 index 000000000..768065a25 --- /dev/null +++ b/salt/salt/master/add_minimum_auth_version.sls 
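Review bot: `_get_start_time` parses the persisted timestamp with `datetime.fromisoformat` and no error handling, so a truncated or hand-edited `/opt/so/state/mav_engine_start_time` raises `ValueError` inside `start()` and the engine exits; since this engine is the only thing that removes the `minimum_auth_version: 0` relaxation, a dead engine leaves the master on the weaker authentication setting indefinitely. Treat an unreadable or unparseable file as "no start time" (log at error level and re-persist `datetime.now()`) rather than propagating the exception. Also, if `caller.cmd('state.apply', ...)` fails, the loop still sets `mav_removed = True` and stops retrying, so the result should be checked before flipping the flag, e.g. `mav_removed = bool(result) and all(r.get('result') for r in result.values() if isinstance(r, dict))`, with the exact shape confirmed against salt-call's return.
```python
def _get_start_time():
    """Read persisted start time from file, or create one if it doesn't exist.

    An unreadable or malformed timestamp is treated as "no start time": a fresh
    one is persisted so the wait window restarts instead of the engine dying
    and leaving minimum_auth_version relaxed indefinitely.
    """
    if os.path.exists(TIMESTAMP_FILE):
        try:
            with open(TIMESTAMP_FILE, 'r') as f:
                timestamp = f.read().strip()
            start_time = datetime.fromisoformat(timestamp)
        except (OSError, ValueError) as exc:
            log.error("Could not read start time from %s (%s); persisting a new one", TIMESTAMP_FILE, exc)
        else:
            log.info("Loaded existing start time from %s: %s", TIMESTAMP_FILE, start_time)
            return start_time

    # … unchanged: persist datetime.now() and return it …
```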
@@ -0,0 +1,23 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+# This state is to be used during soup preupgrade_changes, and run when the salt-master has been stopped. Soup will later start the salt-master.
+# This state is used to deal with the breaking change introduced in 3006.17 - https://docs.saltproject.io/en/3006/topics/releases/3006.17.html
+
+
+set_minimum_auth_version_0:
+ file.managed:
+ - name: /etc/salt/master.d/minimum_auth_version.conf
+ - source: salt://salt/master/files/minimum_auth_version.conf
+
+add_minimum_auth_version_engine_config:
+ file.managed:
+ - name: /etc/salt/master.d/minimum_auth_version_engine.conf
+ - source: salt://salt/master/files/minimum_auth_version_engine.conf
+
+add_minimum_auth_version_engine:
+ file.managed:
+ - name: /etc/salt/engines/minimum_auth_version.py
+ - source: salt://salt/engines/master/minimum_auth_version.py
diff --git a/salt/salt/master/files/minimum_auth_version.conf b/salt/salt/master/files/minimum_auth_version.conf
new file mode 100644
index 000000000..29fd0c99d
--- /dev/null
+++ b/salt/salt/master/files/minimum_auth_version.conf
@@ -0,0 +1 @@
+minimum_auth_version: 0
diff --git a/salt/salt/master/files/minimum_auth_version_engine.conf b/salt/salt/master/files/minimum_auth_version_engine.conf
new file mode 100644
index 000000000..67e9ac654
--- /dev/null
+++ b/salt/salt/master/files/minimum_auth_version_engine.conf
@@ -0,0 +1,3 @@
+engines:
+ - minimum_auth_version:
+ wait_days: 7
diff --git a/salt/salt/master/remove_minimum_auth_version.sls b/salt/salt/master/remove_minimum_auth_version.sls
new file mode 100644
index 000000000..2578e12fc
--- /dev/null
+++ b/salt/salt/master/remove_minimum_auth_version.sls
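Review bot: The header comment says why the state exists but not that `minimum_auth_version: 0` is a deliberate, temporary relaxation of the master's `minimum_auth_version` enforcement, nor what reverts it; someone applying this state by hand has no way to know it is paired with `salt.master.remove_minimum_auth_version` and the engine's `wait_days`. Proposed line after the release-notes comment: `# minimum_auth_version: 0 is temporary: the engine installed below reverts it via salt.master.remove_minimum_auth_version after the wait_days set in minimum_auth_version_engine.conf.` The three `file.managed` states also set no `user`/`group`/`mode`; if the surrounding states in this tree pin those for master.d and engine files, these should match.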
@@ -0,0 +1,21 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+include:
+ - salt.master
+
+unset_minimum_auth_version_0:
+ file.absent:
+ - name: /etc/salt/master.d/minimum_auth_version.conf
+
+remove_minimum_auth_version_engine_config:
+ file.absent:
+ - name: /etc/salt/master.d/minimum_auth_version_engine.conf
+
+remove_minimum_auth_version_engine:
+ file.absent:
+ - name: /etc/salt/engines/minimum_auth_version.py
+ - watch_in:
+ - service: salt_master_service
diff --git a/salt/salt/mine_functions.sls b/salt/salt/mine_functions.sls
index ae3df1ce9..dd164503b 100644
--- a/salt/salt/mine_functions.sls
+++ b/salt/salt/mine_functions.sls
@@ -18,10 +18,6 @@ mine_functions:
 mine_functions:
 network.ip_addrs:
 - interface: {{ interface }}
- {%- if role in ['so-eval','so-import','so-manager','so-managerhype','so-managersearch','so-standalone'] %}
- x509.get_pem_entries:
- - glob_path: '/etc/pki/ca.crt'
- {% endif %}
 mine_update_mine_functions:
 module.run:
diff --git a/salt/salt/minion.defaults.yaml b/salt/salt/minion.defaults.yaml
index e897313d2..11f3dab41 100644
--- a/salt/salt/minion.defaults.yaml
+++ b/salt/salt/minion.defaults.yaml
@@ -1,5 +1,5 @@
 # version cannot be used elsewhere in this pillar as soup is grepping for it to determine if Salt needs to be patched
 salt:
 minion:
- version: '3006.16'
+ version: '3006.19'
 check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default
diff --git a/salt/salt/minion/init.sls b/salt/salt/minion/init.sls
index 374e6954c..2f59e0029 100644
--- a/salt/salt/minion/init.sls
+++ b/salt/salt/minion/init.sls
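Review bot: `remove_minimum_auth_version_engine` does not `require` `unset_minimum_auth_version_0`, so if removing `/etc/salt/master.d/minimum_auth_version.conf` fails for any reason the engine file is still deleted and the master still restarted via `watch_in`, leaving the `minimum_auth_version: 0` override in place with nothing left to revert it. Adding `- require:` / `  - file: unset_minimum_auth_version_0` to the engine and engine-config removals makes the revert all-or-nothing, so a partial failure keeps the engine (and its logged `State apply result`) around instead of silently dropping the guard. A one-line comment that the `watch_in` restart is what actually unloads the engine (`# the salt-master restart triggered here is what stops the minimum_auth_version engine`) would help the next reader.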
@@ -17,8 +17,8 @@ include:
 - repo.client
 - salt.mine_functions
 - salt.minion.service_file
-{% if GLOBALS.role in GLOBALS.manager_roles %}
- - ca
+{% if GLOBALS.is_manager %}
+ - ca.signing_policy
 {% endif %}
 {% if INSTALLEDSALTVERSION|string != SALTVERSION|string %}
@@ -111,7 +111,7 @@ salt_minion_service:
 {% if INSTALLEDSALTVERSION|string == SALTVERSION|string %}
 - file: set_log_levels
 {% endif %}
-{% if GLOBALS.role in GLOBALS.manager_roles %}
- - file: /etc/salt/minion.d/signing_policies.conf
+{% if GLOBALS.is_manager %}
+ - file: signing_policy
 {% endif %}
 - order: last
diff --git a/salt/salt/scripts/bootstrap-salt.sh b/salt/salt/scripts/bootstrap-salt.sh
index 861f22de5..9324a0170 100644
--- a/salt/salt/scripts/bootstrap-salt.sh
+++ b/salt/salt/scripts/bootstrap-salt.sh
@@ -26,7 +26,7 @@
 #======================================================================================================================
 set -o nounset # Treat unset variables as an error
-__ScriptVersion="2025.09.03"
+__ScriptVersion="2026.01.22"
 __ScriptName="bootstrap-salt.sh"
 __ScriptFullName="$0"
@@ -369,7 +369,7 @@ __usage() {
 also be specified. Salt installation will be ommitted, but some of the
 dependencies could be installed to write configuration with -j or -J.
 -d Disables checking if Salt services are enabled to start on system boot.
- You can also do this by touching ${BS_TMP_DIR}/disable_salt_checks on the target
+ You can also do this by touching ${_TMP_DIR}/disable_salt_checks on the target
 host. Default: \${BS_FALSE}
 -D Show debug output
 -f Force shallow cloning for git installations.
@@ -2819,14 +2819,25 @@ __install_salt_from_repo() {
 ${_pip_cmd} install --force-reinstall --break-system-packages "${_arch_dep}"
 fi
- echodebug "Running '${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --no-deps --force-reinstall ${_PIP_INSTALL_ARGS} ${_TMP_DIR}/git/deps/salt*.whl'"
+ _PIP_VERSION_STRING=$(${_pip_cmd} --version)
+ echodebug "Installed pip version: $_PIP_VERSION_STRING"
+ _PIP_MAJOR_VERSION=$(echo "$_PIP_VERSION_STRING" | sed -E 's/^pip ([0-9]+)\..*/\1/')
- echodebug "Running ${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --no-deps --force-reinstall ${_PIP_INSTALL_ARGS} --global-option=--salt-config-dir=$_SALT_ETC_DIR --salt-cache-dir=${_SALT_CACHE_DIR} ${SETUP_PY_INSTALL_ARGS} ${_TMP_DIR}/git/deps/salt*.whl"
-
- ${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --no-deps --force-reinstall \
- ${_PIP_INSTALL_ARGS} \
- --global-option="--salt-config-dir=$_SALT_ETC_DIR --salt-cache-dir=${_SALT_CACHE_DIR} ${SETUP_PY_INSTALL_ARGS}" \
- ${_TMP_DIR}/git/deps/salt*.whl || return 1
+ # The following branching can be removed once we no longer support distros that still ship with
+ # versions of `pip` earlier than v22.1 such as Debian 11
+ if [ "$_PIP_MAJOR_VERSION" -lt 23 ]; then
+ echodebug "Running ${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --no-deps --force-reinstall ${_PIP_INSTALL_ARGS} --global-option=--salt-config-dir=$_SALT_ETC_DIR --salt-cache-dir=${_SALT_CACHE_DIR} ${SETUP_PY_INSTALL_ARGS} ${_TMP_DIR}/git/deps/salt*.whl"
+ ${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --no-deps --force-reinstall \
+ ${_PIP_INSTALL_ARGS} \
+ --global-option="--salt-config-dir=$_SALT_ETC_DIR --salt-cache-dir=${_SALT_CACHE_DIR} ${SETUP_PY_INSTALL_ARGS}" \
+ ${_TMP_DIR}/git/deps/salt*.whl || return 1
+ else
+ echodebug "Running ${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --no-deps --force-reinstall ${_PIP_INSTALL_ARGS} --config-settings=--global-option=--salt-config-dir=$_SALT_ETC_DIR --salt-cache-dir=${_SALT_CACHE_DIR} ${SETUP_PY_INSTALL_ARGS} ${_TMP_DIR}/git/deps/salt*.whl"
+ ${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --no-deps --force-reinstall \
+ ${_PIP_INSTALL_ARGS} \
+ --config-settings="--global-option=--salt-config-dir=$_SALT_ETC_DIR --salt-cache-dir=${_SALT_CACHE_DIR} ${SETUP_PY_INSTALL_ARGS}" \
+ ${_TMP_DIR}/git/deps/salt*.whl || return 1
+ fi
 echoinfo "Checking if Salt can be imported using ${_py_exe}"
 CHECK_SALT_SCRIPT=$(cat << EOM
@@ -6096,7 +6107,14 @@ install_arch_linux_git_deps() {
 }
 install_arch_linux_onedir_deps() {
+ echodebug "install_arch_linux_onedir_deps() entry"
+
+ # Basic tooling for download/verify/extract
+ pacman -Sy --noconfirm --needed wget tar gzip gnupg ca-certificates || return 1
+
+ # Reuse stable deps for python-yaml etc. if you want config_salt() parity
 install_arch_linux_stable_deps || return 1
+ return 0
 }
 install_arch_linux_stable() {
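Review bot: `_PIP_MAJOR_VERSION` is fed to `[ ... -lt 23 ]` without checking that the `sed` actually extracted a number; if `pip --version` prints anything unexpected the variable holds the whole string, `[` reports an error, and because the script only sets `nounset` execution silently falls into the `else` branch with the newer `--config-settings` form. The comment above the branch says pip earlier than v22.1 while the condition is `-lt 23`; one of the two should be corrected so the next maintainer knows which versions the legacy `--global-option` path is for. A guard such as `case "$_PIP_MAJOR_VERSION" in ''|*[!0-9]*) echoerror "Could not determine pip version from: $_PIP_VERSION_STRING"; return 1;; esac` placed before the `if` makes that failure explicit. `__install_salt_from_repo` starts and ends outside this hunk, and the script appears to be vendored from upstream salt-bootstrap, so the fix may belong upstream as well.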
@@ -6111,7 +6129,73 @@ install_arch_linux_stable() {
 pacman -S --noconfirm --needed bash || return 1
 pacman -Su --noconfirm || return 1
 # We can now resume regular salt update
- pacman -Syu --noconfirm salt || return 1
+ # Except that this hasn't been in arch repos for years;
+ # so we have to build from AUR
+ # We use "buildgirl" because Eve demanded it.
+ build_user=${build_user:-buildgirl}
+ userdel "$build_user" || true
+ useradd -M -r -s /usr/bin/nologin "$build_user"
+ echo "$build_user ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/"$build_user"
+ rm -rf /tmp/yay-bin || true
+
+ git clone https://aur.archlinux.org/salt.git /tmp/yay-bin
+ chown -R "$build_user":"$build_user" /tmp/yay-bin
+ sudo -u "$build_user" env -i \
+ HOME=/tmp \
+ PATH=/usr/bin:/bin:/usr/sbin:/sbin \
+ MAKEFLAGS="-j$(nproc)" \
+ LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 \
+ makepkg -CcsiD /tmp/yay-bin \
+ --noconfirm --needed \
+ --noprogressbar || return 1
+
+ rm -f /etc/sudoers.d/"$build_user"
+ rm -rf /tmp/yay-bin
+ userdel "$build_user"
+ return 0
+}
+
+install_arch_linux_onedir() {
+ echodebug "install_arch_linux_onedir() entry"
+
+ version="${ONEDIR_REV:-latest}"
+ arch="x86_64"
+ [ "$(uname -m)" = "aarch64" ] && arch="aarch64"
+
+ # Resolve "latest" to actual version
+ if [ "$version" = "latest" ]; then
+ version=$(wget -qO- https://api.github.com/repos/saltstack/salt/releases/latest \
+ | grep -Eo '"tag_name": *"v[0-9.]+"' \
+ | sed 's/"tag_name": *"v//;s/"//') || return 1
+ fi
+
+ tarball="salt-${version}-onedir-linux-${arch}.tar.xz"
+ url="https://github.com/saltstack/salt/releases/download/v${version}/${tarball}"
+ extractdir="/tmp/salt-${version}-onedir-linux-${arch}"
+
+ echoinfo "Downloading Salt onedir: $url"
+ wget -q "$url" -O "/tmp/${tarball}" || return 1
+
+ # Validate tarball
+ if ! tar -tf "/tmp/${tarball}" >/dev/null 2>&1; then
+ echoerror "Invalid or corrupt onedir tarball"
+ return 1
+ fi
+
+ # Prepare extraction
+ rm -rf "$extractdir" || true
+ rm -rf /opt/saltstack/salt || true
+ mkdir -p "$extractdir"
+
+ # Extract and flatten (remove leading 'salt/' directory)
+ # /tmp/salt-${version}-onedir-linux-${arch}
+ tar --strip-components=1 -xf "/tmp/${tarball}" -C "$extractdir"
+
+ # Place into /opt
+ mkdir -p /opt/saltstack/salt
+ mv "$extractdir"/* /opt/saltstack/salt/ || return 1
+ chmod -R 755 /opt/saltstack/salt
+ return 0
 }
@@ -6249,17 +6333,48 @@ install_arch_check_services() {
 return 0
 }
-install_arch_linux_onedir() {
- install_arch_linux_stable || return 1
- return 0
-}
 install_arch_linux_onedir_post() {
- install_arch_linux_post || return 1
+ echodebug "install_arch_linux_onedir_post() entry"
- return 0
+ # Disable any distro/AUR salt units
+ systemctl disable --now salt-minion.service 2>/dev/null || true
+ systemctl disable --now salt-master.service 2>/dev/null || true
+
+ # Drop a clean unit, same pattern as Debian/Ubuntu onedir
+ cat >/etc/systemd/system/salt-minion.service <<'EOF'
+[Unit]
+Description=Salt Minion (onedir)
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+ExecStart=/opt/saltstack/salt/salt-minion -c /etc/salt
+Restart=always
+LimitNOFILE=100000
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+ systemctl daemon-reload
+
+ # Add onedir paths system-wide
+ cat >/etc/profile.d/saltstack.sh <<'EOF'
+export PATH=/opt/saltstack/salt:/opt/saltstack/salt/bin:$PATH
+EOF
+
+ chmod 644 /etc/profile.d/saltstack.sh
+
+ if [ "$_START_DAEMONS" -eq $BS_TRUE ]; then
+ systemctl enable --now salt-minion.service
+ fi
+
+ return 0
 }
+
 #
 # Ended Arch Install Functions
 #
diff --git a/salt/sensoroni/enabled.sls b/salt/sensoroni/enabled.sls
index 4b0b6b317..67c79f5f8 100644
--- a/salt/sensoroni/enabled.sls
+++ b/salt/sensoroni/enabled.sls
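Review bot: In `install_arch_linux_stable`, `makepkg ... || return 1` returns before `rm -f /etc/sudoers.d/"$build_user"` and `userdel`, so a failed AUR build leaves a system account with `ALL=(ALL) NOPASSWD: ALL` sudo rights on the host; the cleanup should run on both paths, as sketched below. In `install_arch_linux_onedir`, `tar -tf` only proves the download is a well-formed archive; nothing checks the release tarball's integrity before it is unpacked into `/opt/saltstack/salt` and run as the minion, so a checksum or signature comparison against whatever upstream publishes for onedir releases (not confirmed here) should gate the extraction, and the `wget -qO- https://api.github.com/...` resolution of `latest` means an unpinned `ONEDIR_REV` installs whatever the API returns at run time. `install_arch_linux_stable` begins outside this hunk, and the script appears to be vendored from upstream salt-bootstrap, so the changes may belong upstream as well.
```shell
# … unchanged: useradd, sudoers drop-in, git clone, chown …
    sudo -u "$build_user" env -i \
        HOME=/tmp \
        PATH=/usr/bin:/bin:/usr/sbin:/sbin \
        MAKEFLAGS="-j$(nproc)" \
        LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 \
        makepkg -CcsiD /tmp/yay-bin \
        --noconfirm --needed \
        --noprogressbar
    _build_rc=$?

    # Always revoke the temporary sudo grant and drop the build user, even when the build failed
    rm -f /etc/sudoers.d/"$build_user"
    rm -rf /tmp/yay-bin
    userdel "$build_user"
    [ "$_build_rc" -eq 0 ] || return 1
    return 0
```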
@@ -8,6 +8,9 @@ include:
+{% if GLOBALS.is_sensor or GLOBALS.role == 'so-import' %}
+ - pcap.ca
+{% endif %}
 - sensoroni.config
 - sensoroni.sostatus
@@ -16,7 +19,9 @@ so-sensoroni:
 - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-soc:{{ GLOBALS.so_version }}
 - network_mode: host
 - binds:
+ {% if GLOBALS.is_sensor or GLOBALS.role == 'so-import' %}
 - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw
+ {% endif %}
 - /nsm/pcap:/nsm/pcap:rw
 - /nsm/import:/nsm/import:rw
 - /nsm/pcapout:/nsm/pcapout:rw
diff --git a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
deleted file mode 100644
index e7e59e816..000000000
Binary files a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/certifi-2025.8.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/certifi-2025.8.3-py3-none-any.whl
deleted file mode 100644
index b4158ec67..000000000
Binary files a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/certifi-2025.8.3-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/certifi-2026.1.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/certifi-2026.1.4-py3-none-any.whl
new file mode 100644
index 000000000..e46125399
Binary files /dev/null and b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/certifi-2026.1.4-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl deleted file mode 100644 index a8f2bd0c4..000000000 Binary files a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl new file mode 100644 index 000000000..1e7041677 Binary files /dev/null and b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ diff --git a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/idna-3.10-py3-none-any.whl b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/idna-3.10-py3-none-any.whl deleted file mode 100644 index 52759bdd2..000000000 Binary files a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/idna-3.10-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/idna-3.11-py3-none-any.whl b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/idna-3.11-py3-none-any.whl new file mode 100644 index 000000000..28f2c109e Binary files /dev/null and b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/idna-3.11-py3-none-any.whl differ 
diff --git a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl new file mode 100644 index 000000000..b09e5032a Binary files /dev/null and b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ diff --git a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/urllib3-2.5.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/urllib3-2.5.0-py3-none-any.whl deleted file mode 100644 index 81b580f1c..000000000 Binary files a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/urllib3-2.5.0-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/elasticsearch/source-packages/urllib3-2.6.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/urllib3-2.6.3-py3-none-any.whl new file mode 100644 index 000000000..69e9ea57b Binary files /dev/null and b/salt/sensoroni/files/analyzers/elasticsearch/source-packages/urllib3-2.6.3-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/emailrep/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/emailrep/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl deleted file mode 100644 index e7e59e816..000000000 Binary files a/salt/sensoroni/files/analyzers/emailrep/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ 
diff --git a/salt/sensoroni/files/analyzers/emailrep/source-packages/certifi-2025.8.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/emailrep/source-packages/certifi-2025.8.3-py3-none-any.whl deleted file mode 100644 index b4158ec67..000000000 Binary files a/salt/sensoroni/files/analyzers/emailrep/source-packages/certifi-2025.8.3-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/emailrep/source-packages/certifi-2026.1.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/emailrep/source-packages/certifi-2026.1.4-py3-none-any.whl new file mode 100644 index 000000000..e46125399 Binary files /dev/null and b/salt/sensoroni/files/analyzers/emailrep/source-packages/certifi-2026.1.4-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/emailrep/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/emailrep/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl deleted file mode 100644 index a8f2bd0c4..000000000 Binary files a/salt/sensoroni/files/analyzers/emailrep/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/emailrep/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/emailrep/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl new file mode 100644 index 000000000..1e7041677 Binary files /dev/null and b/salt/sensoroni/files/analyzers/emailrep/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ 
diff --git a/salt/sensoroni/files/analyzers/emailrep/source-packages/idna-3.10-py3-none-any.whl b/salt/sensoroni/files/analyzers/emailrep/source-packages/idna-3.10-py3-none-any.whl deleted file mode 100644 index 52759bdd2..000000000 Binary files a/salt/sensoroni/files/analyzers/emailrep/source-packages/idna-3.10-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/emailrep/source-packages/idna-3.11-py3-none-any.whl b/salt/sensoroni/files/analyzers/emailrep/source-packages/idna-3.11-py3-none-any.whl new file mode 100644 index 000000000..28f2c109e Binary files /dev/null and b/salt/sensoroni/files/analyzers/emailrep/source-packages/idna-3.11-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/emailrep/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/emailrep/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl new file mode 100644 index 000000000..b09e5032a Binary files /dev/null and b/salt/sensoroni/files/analyzers/emailrep/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ diff --git a/salt/sensoroni/files/analyzers/emailrep/source-packages/urllib3-2.5.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/emailrep/source-packages/urllib3-2.5.0-py3-none-any.whl deleted file mode 100644 index 81b580f1c..000000000 Binary files a/salt/sensoroni/files/analyzers/emailrep/source-packages/urllib3-2.5.0-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/emailrep/source-packages/urllib3-2.6.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/emailrep/source-packages/urllib3-2.6.3-py3-none-any.whl new file mode 100644 index 000000000..69e9ea57b Binary files /dev/null and b/salt/sensoroni/files/analyzers/emailrep/source-packages/urllib3-2.6.3-py3-none-any.whl differ 
diff --git a/salt/sensoroni/files/analyzers/greynoise/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/greynoise/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl deleted file mode 100644 index e7e59e816..000000000 Binary files a/salt/sensoroni/files/analyzers/greynoise/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/greynoise/source-packages/certifi-2025.8.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/greynoise/source-packages/certifi-2025.8.3-py3-none-any.whl deleted file mode 100644 index b4158ec67..000000000 Binary files a/salt/sensoroni/files/analyzers/greynoise/source-packages/certifi-2025.8.3-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/greynoise/source-packages/certifi-2026.1.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/greynoise/source-packages/certifi-2026.1.4-py3-none-any.whl new file mode 100644 index 000000000..e46125399 Binary files /dev/null and b/salt/sensoroni/files/analyzers/greynoise/source-packages/certifi-2026.1.4-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/greynoise/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/greynoise/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl deleted file mode 100644 index a8f2bd0c4..000000000 Binary files a/salt/sensoroni/files/analyzers/greynoise/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl and /dev/null differ 
diff --git a/salt/sensoroni/files/analyzers/greynoise/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/greynoise/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl new file mode 100644 index 000000000..1e7041677 Binary files /dev/null and b/salt/sensoroni/files/analyzers/greynoise/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ diff --git a/salt/sensoroni/files/analyzers/greynoise/source-packages/idna-3.10-py3-none-any.whl b/salt/sensoroni/files/analyzers/greynoise/source-packages/idna-3.10-py3-none-any.whl deleted file mode 100644 index 52759bdd2..000000000 Binary files a/salt/sensoroni/files/analyzers/greynoise/source-packages/idna-3.10-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/greynoise/source-packages/idna-3.11-py3-none-any.whl b/salt/sensoroni/files/analyzers/greynoise/source-packages/idna-3.11-py3-none-any.whl new file mode 100644 index 000000000..28f2c109e Binary files /dev/null and b/salt/sensoroni/files/analyzers/greynoise/source-packages/idna-3.11-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/greynoise/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/greynoise/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl new file mode 100644 index 000000000..b09e5032a Binary files /dev/null and b/salt/sensoroni/files/analyzers/greynoise/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ 
diff --git a/salt/sensoroni/files/analyzers/greynoise/source-packages/urllib3-2.5.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/greynoise/source-packages/urllib3-2.5.0-py3-none-any.whl deleted file mode 100644 index 81b580f1c..000000000 Binary files a/salt/sensoroni/files/analyzers/greynoise/source-packages/urllib3-2.5.0-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/greynoise/source-packages/urllib3-2.6.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/greynoise/source-packages/urllib3-2.6.3-py3-none-any.whl new file mode 100644 index 000000000..69e9ea57b Binary files /dev/null and b/salt/sensoroni/files/analyzers/greynoise/source-packages/urllib3-2.6.3-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/localfile/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/localfile/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl deleted file mode 100644 index e7e59e816..000000000 Binary files a/salt/sensoroni/files/analyzers/localfile/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/localfile/source-packages/certifi-2025.8.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/localfile/source-packages/certifi-2025.8.3-py3-none-any.whl deleted file mode 100644 index b4158ec67..000000000 Binary files a/salt/sensoroni/files/analyzers/localfile/source-packages/certifi-2025.8.3-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/localfile/source-packages/certifi-2026.1.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/localfile/source-packages/certifi-2026.1.4-py3-none-any.whl new file mode 100644 index 000000000..e46125399 Binary files /dev/null and b/salt/sensoroni/files/analyzers/localfile/source-packages/certifi-2026.1.4-py3-none-any.whl differ 
diff --git a/salt/sensoroni/files/analyzers/localfile/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/localfile/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl deleted file mode 100644 index a8f2bd0c4..000000000 Binary files a/salt/sensoroni/files/analyzers/localfile/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/localfile/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/localfile/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl new file mode 100644 index 000000000..1e7041677 Binary files /dev/null and b/salt/sensoroni/files/analyzers/localfile/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ diff --git a/salt/sensoroni/files/analyzers/localfile/source-packages/idna-3.10-py3-none-any.whl b/salt/sensoroni/files/analyzers/localfile/source-packages/idna-3.10-py3-none-any.whl deleted file mode 100644 index 52759bdd2..000000000 Binary files a/salt/sensoroni/files/analyzers/localfile/source-packages/idna-3.10-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/localfile/source-packages/idna-3.11-py3-none-any.whl b/salt/sensoroni/files/analyzers/localfile/source-packages/idna-3.11-py3-none-any.whl new file mode 100644 index 000000000..28f2c109e Binary files /dev/null and b/salt/sensoroni/files/analyzers/localfile/source-packages/idna-3.11-py3-none-any.whl differ 
diff --git a/salt/sensoroni/files/analyzers/localfile/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/localfile/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl new file mode 100644 index 000000000..b09e5032a Binary files /dev/null and b/salt/sensoroni/files/analyzers/localfile/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ diff --git a/salt/sensoroni/files/analyzers/localfile/source-packages/urllib3-2.5.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/localfile/source-packages/urllib3-2.5.0-py3-none-any.whl deleted file mode 100644 index 81b580f1c..000000000 Binary files a/salt/sensoroni/files/analyzers/localfile/source-packages/urllib3-2.5.0-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/localfile/source-packages/urllib3-2.6.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/localfile/source-packages/urllib3-2.6.3-py3-none-any.whl new file mode 100644 index 000000000..69e9ea57b Binary files /dev/null and b/salt/sensoroni/files/analyzers/localfile/source-packages/urllib3-2.6.3-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl deleted file mode 100644 index e7e59e816..000000000 Binary files a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ 
diff --git a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/certifi-2025.8.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/certifi-2025.8.3-py3-none-any.whl deleted file mode 100644 index b4158ec67..000000000 Binary files a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/certifi-2025.8.3-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/certifi-2026.1.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/certifi-2026.1.4-py3-none-any.whl new file mode 100644 index 000000000..e46125399 Binary files /dev/null and b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/certifi-2026.1.4-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl deleted file mode 100644 index a8f2bd0c4..000000000 Binary files a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl new file mode 100644 index 000000000..1e7041677 Binary files /dev/null and b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ 
diff --git a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/idna-3.10-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/idna-3.10-py3-none-any.whl
deleted file mode 100644
index 52759bdd2..000000000
Binary files a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/idna-3.10-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/idna-3.11-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/idna-3.11-py3-none-any.whl
new file mode 100644
index 000000000..28f2c109e
Binary files /dev/null and b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/idna-3.11-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
new file mode 100644
index 000000000..b09e5032a
Binary files /dev/null and b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ
diff --git a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/urllib3-2.5.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/urllib3-2.5.0-py3-none-any.whl
deleted file mode 100644
index 81b580f1c..000000000
Binary files a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/urllib3-2.5.0-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/urllib3-2.6.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/urllib3-2.6.3-py3-none-any.whl
new file mode 100644
index 000000000..69e9ea57b
Binary files /dev/null and b/salt/sensoroni/files/analyzers/malwarebazaar/source-packages/urllib3-2.6.3-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/certifi-2025.8.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/certifi-2025.8.3-py3-none-any.whl
deleted file mode 100644
index b4158ec67..000000000
Binary files a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/certifi-2025.8.3-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/certifi-2026.1.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/certifi-2026.1.4-py3-none-any.whl
new file mode 100644
index 000000000..e46125399
Binary files /dev/null and b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/certifi-2026.1.4-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
deleted file mode 100644
index a8f2bd0c4..000000000
Binary files a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
new file mode 100644
index 000000000..1e7041677
Binary files /dev/null and b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ
diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/idna-3.10-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/idna-3.10-py3-none-any.whl
deleted file mode 100644
index 52759bdd2..000000000
Binary files a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/idna-3.10-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/idna-3.11-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/idna-3.11-py3-none-any.whl
new file mode 100644
index 000000000..28f2c109e
Binary files /dev/null and b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/idna-3.11-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/python_whois-0.9.5-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/python_whois-0.9.5-py3-none-any.whl
deleted file mode 100644
index d92bc8729..000000000
Binary files a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/python_whois-0.9.5-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/python_whois-0.9.6-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/python_whois-0.9.6-py3-none-any.whl
new file mode 100644
index 000000000..c588b3c19
Binary files /dev/null and b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/python_whois-0.9.6-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/urllib3-2.5.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/urllib3-2.5.0-py3-none-any.whl
deleted file mode 100644
index 81b580f1c..000000000
Binary files a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/urllib3-2.5.0-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/urllib3-2.6.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/urllib3-2.6.3-py3-none-any.whl
new file mode 100644
index 000000000..69e9ea57b
Binary files /dev/null and b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/urllib3-2.6.3-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/otx/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/otx/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
deleted file mode 100644
index e7e59e816..000000000
Binary files a/salt/sensoroni/files/analyzers/otx/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/otx/source-packages/certifi-2025.8.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/otx/source-packages/certifi-2025.8.3-py3-none-any.whl
deleted file mode 100644
index b4158ec67..000000000
Binary files a/salt/sensoroni/files/analyzers/otx/source-packages/certifi-2025.8.3-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/otx/source-packages/certifi-2026.1.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/otx/source-packages/certifi-2026.1.4-py3-none-any.whl
new file mode 100644
index 000000000..e46125399
Binary files /dev/null and b/salt/sensoroni/files/analyzers/otx/source-packages/certifi-2026.1.4-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/otx/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/otx/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
deleted file mode 100644
index a8f2bd0c4..000000000
Binary files a/salt/sensoroni/files/analyzers/otx/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/otx/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/otx/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
new file mode 100644
index 000000000..1e7041677
Binary files /dev/null and b/salt/sensoroni/files/analyzers/otx/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ
diff --git a/salt/sensoroni/files/analyzers/otx/source-packages/idna-3.10-py3-none-any.whl b/salt/sensoroni/files/analyzers/otx/source-packages/idna-3.10-py3-none-any.whl
deleted file mode 100644
index 52759bdd2..000000000
Binary files a/salt/sensoroni/files/analyzers/otx/source-packages/idna-3.10-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/otx/source-packages/idna-3.11-py3-none-any.whl b/salt/sensoroni/files/analyzers/otx/source-packages/idna-3.11-py3-none-any.whl
new file mode 100644
index 000000000..28f2c109e
Binary files /dev/null and b/salt/sensoroni/files/analyzers/otx/source-packages/idna-3.11-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/otx/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/otx/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
new file mode 100644
index 000000000..b09e5032a
Binary files /dev/null and b/salt/sensoroni/files/analyzers/otx/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ
diff --git a/salt/sensoroni/files/analyzers/otx/source-packages/urllib3-2.5.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/otx/source-packages/urllib3-2.5.0-py3-none-any.whl
deleted file mode 100644
index 81b580f1c..000000000
Binary files a/salt/sensoroni/files/analyzers/otx/source-packages/urllib3-2.5.0-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/otx/source-packages/urllib3-2.6.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/otx/source-packages/urllib3-2.6.3-py3-none-any.whl
new file mode 100644
index 000000000..69e9ea57b
Binary files /dev/null and b/salt/sensoroni/files/analyzers/otx/source-packages/urllib3-2.6.3-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/pulsedive/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/pulsedive/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
deleted file mode 100644
index e7e59e816..000000000
Binary files a/salt/sensoroni/files/analyzers/pulsedive/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/pulsedive/source-packages/certifi-2025.8.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/pulsedive/source-packages/certifi-2025.8.3-py3-none-any.whl
deleted file mode 100644
index b4158ec67..000000000
Binary files a/salt/sensoroni/files/analyzers/pulsedive/source-packages/certifi-2025.8.3-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/pulsedive/source-packages/certifi-2026.1.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/pulsedive/source-packages/certifi-2026.1.4-py3-none-any.whl
new file mode 100644
index 000000000..e46125399
Binary files /dev/null and b/salt/sensoroni/files/analyzers/pulsedive/source-packages/certifi-2026.1.4-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/pulsedive/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/pulsedive/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
deleted file mode 100644
index a8f2bd0c4..000000000
Binary files a/salt/sensoroni/files/analyzers/pulsedive/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/pulsedive/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/pulsedive/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
new file mode 100644
index 000000000..1e7041677
Binary files /dev/null and b/salt/sensoroni/files/analyzers/pulsedive/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ
diff --git a/salt/sensoroni/files/analyzers/pulsedive/source-packages/idna-3.10-py3-none-any.whl b/salt/sensoroni/files/analyzers/pulsedive/source-packages/idna-3.10-py3-none-any.whl
deleted file mode 100644
index 52759bdd2..000000000
Binary files a/salt/sensoroni/files/analyzers/pulsedive/source-packages/idna-3.10-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/pulsedive/source-packages/idna-3.11-py3-none-any.whl b/salt/sensoroni/files/analyzers/pulsedive/source-packages/idna-3.11-py3-none-any.whl
new file mode 100644
index 000000000..28f2c109e
Binary files /dev/null and b/salt/sensoroni/files/analyzers/pulsedive/source-packages/idna-3.11-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/pulsedive/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/pulsedive/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
new file mode 100644
index 000000000..b09e5032a
Binary files /dev/null and b/salt/sensoroni/files/analyzers/pulsedive/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ
diff --git a/salt/sensoroni/files/analyzers/pulsedive/source-packages/urllib3-2.5.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/pulsedive/source-packages/urllib3-2.5.0-py3-none-any.whl
deleted file mode 100644
index 81b580f1c..000000000
Binary files a/salt/sensoroni/files/analyzers/pulsedive/source-packages/urllib3-2.5.0-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/pulsedive/source-packages/urllib3-2.6.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/pulsedive/source-packages/urllib3-2.6.3-py3-none-any.whl
new file mode 100644
index 000000000..69e9ea57b
Binary files /dev/null and b/salt/sensoroni/files/analyzers/pulsedive/source-packages/urllib3-2.6.3-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/spamhaus/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/spamhaus/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
deleted file mode 100644
index e7e59e816..000000000
Binary files a/salt/sensoroni/files/analyzers/spamhaus/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/spamhaus/source-packages/dnspython-2.7.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/spamhaus/source-packages/dnspython-2.7.0-py3-none-any.whl
deleted file mode 100644
index ebbf41c69..000000000
Binary files a/salt/sensoroni/files/analyzers/spamhaus/source-packages/dnspython-2.7.0-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/spamhaus/source-packages/dnspython-2.8.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/spamhaus/source-packages/dnspython-2.8.0-py3-none-any.whl
new file mode 100644
index 000000000..d618ba05d
Binary files /dev/null and b/salt/sensoroni/files/analyzers/spamhaus/source-packages/dnspython-2.8.0-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/spamhaus/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/spamhaus/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
new file mode 100644
index 000000000..b09e5032a
Binary files /dev/null and b/salt/sensoroni/files/analyzers/spamhaus/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ
diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
deleted file mode 100644
index e7e59e816..000000000
Binary files a/salt/sensoroni/files/analyzers/sublime/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/certifi-2025.8.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/certifi-2025.8.3-py3-none-any.whl
deleted file mode 100644
index b4158ec67..000000000
Binary files a/salt/sensoroni/files/analyzers/sublime/source-packages/certifi-2025.8.3-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/certifi-2026.1.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/certifi-2026.1.4-py3-none-any.whl
new file mode 100644
index 000000000..e46125399
Binary files /dev/null and b/salt/sensoroni/files/analyzers/sublime/source-packages/certifi-2026.1.4-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
deleted file mode 100644
index a8f2bd0c4..000000000
Binary files a/salt/sensoroni/files/analyzers/sublime/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
new file mode 100644
index 000000000..1e7041677
Binary files /dev/null and b/salt/sensoroni/files/analyzers/sublime/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ
diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/idna-3.10-py3-none-any.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/idna-3.10-py3-none-any.whl
deleted file mode 100644
index 52759bdd2..000000000
Binary files a/salt/sensoroni/files/analyzers/sublime/source-packages/idna-3.10-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/idna-3.11-py3-none-any.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/idna-3.11-py3-none-any.whl
new file mode 100644
index 000000000..28f2c109e
Binary files /dev/null and b/salt/sensoroni/files/analyzers/sublime/source-packages/idna-3.11-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
new file mode 100644
index 000000000..b09e5032a
Binary files /dev/null and b/salt/sensoroni/files/analyzers/sublime/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ
diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/urllib3-2.5.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/urllib3-2.5.0-py3-none-any.whl
deleted file mode 100644
index 81b580f1c..000000000
Binary files a/salt/sensoroni/files/analyzers/sublime/source-packages/urllib3-2.5.0-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/urllib3-2.6.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/urllib3-2.6.3-py3-none-any.whl
new file mode 100644
index 000000000..69e9ea57b
Binary files /dev/null and b/salt/sensoroni/files/analyzers/sublime/source-packages/urllib3-2.6.3-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/threatfox/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/threatfox/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
deleted file mode 100644
index e7e59e816..000000000
Binary files a/salt/sensoroni/files/analyzers/threatfox/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/threatfox/source-packages/certifi-2025.8.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/threatfox/source-packages/certifi-2025.8.3-py3-none-any.whl
deleted file mode 100644
index b4158ec67..000000000
Binary files a/salt/sensoroni/files/analyzers/threatfox/source-packages/certifi-2025.8.3-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/threatfox/source-packages/certifi-2026.1.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/threatfox/source-packages/certifi-2026.1.4-py3-none-any.whl
new file mode 100644
index 000000000..e46125399
Binary files /dev/null and b/salt/sensoroni/files/analyzers/threatfox/source-packages/certifi-2026.1.4-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/threatfox/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/threatfox/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
deleted file mode 100644
index a8f2bd0c4..000000000
Binary files a/salt/sensoroni/files/analyzers/threatfox/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/threatfox/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/threatfox/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
new file mode 100644
index 000000000..1e7041677
Binary files /dev/null and b/salt/sensoroni/files/analyzers/threatfox/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ
diff --git a/salt/sensoroni/files/analyzers/threatfox/source-packages/idna-3.10-py3-none-any.whl b/salt/sensoroni/files/analyzers/threatfox/source-packages/idna-3.10-py3-none-any.whl
deleted file mode 100644
index 52759bdd2..000000000
Binary files a/salt/sensoroni/files/analyzers/threatfox/source-packages/idna-3.10-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/threatfox/source-packages/idna-3.11-py3-none-any.whl b/salt/sensoroni/files/analyzers/threatfox/source-packages/idna-3.11-py3-none-any.whl
new file mode 100644
index 000000000..28f2c109e
Binary files /dev/null and b/salt/sensoroni/files/analyzers/threatfox/source-packages/idna-3.11-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/threatfox/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/threatfox/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
new file mode 100644
index 000000000..b09e5032a
Binary files /dev/null and b/salt/sensoroni/files/analyzers/threatfox/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ
diff --git a/salt/sensoroni/files/analyzers/threatfox/source-packages/urllib3-2.5.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/threatfox/source-packages/urllib3-2.5.0-py3-none-any.whl
deleted file mode 100644
index 81b580f1c..000000000
Binary files a/salt/sensoroni/files/analyzers/threatfox/source-packages/urllib3-2.5.0-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/threatfox/source-packages/urllib3-2.6.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/threatfox/source-packages/urllib3-2.6.3-py3-none-any.whl
new file mode 100644
index 000000000..69e9ea57b
Binary files /dev/null and b/salt/sensoroni/files/analyzers/threatfox/source-packages/urllib3-2.6.3-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/threatfox/threatfox.json b/salt/sensoroni/files/analyzers/threatfox/threatfox.json
index 2ae3ca909..e9640e7d5 100644
--- a/salt/sensoroni/files/analyzers/threatfox/threatfox.json
+++ b/salt/sensoroni/files/analyzers/threatfox/threatfox.json
@@ -1,6 +1,6 @@
 {
   "name": "Threatfox",
-  "version": "0.2",
+  "version": "0.3",
   "author": "Security Onion Solutions",
   "description": "This analyzer queries Threatfox to see if a domain, hash, or IP is considered malicious.",
   "supportedTypes" : ["domain","hash","ip"],
diff --git a/salt/sensoroni/files/analyzers/threatfox/threatfox.py b/salt/sensoroni/files/analyzers/threatfox/threatfox.py
index a20f072ed..02311bfab 100644
--- a/salt/sensoroni/files/analyzers/threatfox/threatfox.py
+++ b/salt/sensoroni/files/analyzers/threatfox/threatfox.py
@@ -51,7 +51,7 @@ def prepareResults(raw):
             status = 'info'
         else:
             status = 'ok'
-    elif raw != {} and raw['query_status'] in ['no_result', 'illegal_search_term', 'illegl_hash']:
+    elif raw != {} and raw['query_status'] in ['no_result', 'illegal_search_term', 'illegal_hash']:
         status = 'info'
         summary = 'no result'
     else:
diff --git a/salt/sensoroni/files/analyzers/urlhaus/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/urlhaus/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
deleted file mode 100644
index e7e59e816..000000000
Binary files a/salt/sensoroni/files/analyzers/urlhaus/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ
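Review bot: The corrected `elif` line still indexes `raw['query_status']` directly, so a response that is non-empty but lacks that key (an error body or a changed response shape from the remote service) raises KeyError instead of falling through to the `else` branch; `elif raw != {} and raw.get('query_status') in ['no_result', 'illegal_search_term', 'illegal_hash']:` keeps the spelling fix and degrades gracefully on unexpected input. Since the string now actually matches what the service returns, `illegal_hash` responses are reported as `no result` rather than taking the `else` path, which deserves a short comment above the line such as `# statuses the service returns when a lookup found nothing or was rejected`. The preceding `if` branch may index the same key and, if so, would want the same `.get` treatment. prepareResults starts and ends outside the hunk.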
diff --git a/salt/sensoroni/files/analyzers/urlhaus/source-packages/certifi-2025.8.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlhaus/source-packages/certifi-2025.8.3-py3-none-any.whl
deleted file mode 100644
index b4158ec67..000000000
Binary files a/salt/sensoroni/files/analyzers/urlhaus/source-packages/certifi-2025.8.3-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/urlhaus/source-packages/certifi-2026.1.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlhaus/source-packages/certifi-2026.1.4-py3-none-any.whl
new file mode 100644
index 000000000..e46125399
Binary files /dev/null and b/salt/sensoroni/files/analyzers/urlhaus/source-packages/certifi-2026.1.4-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/urlhaus/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/urlhaus/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
deleted file mode 100644
index a8f2bd0c4..000000000
Binary files a/salt/sensoroni/files/analyzers/urlhaus/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/urlhaus/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/urlhaus/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
new file mode 100644
index 000000000..1e7041677
Binary files /dev/null and b/salt/sensoroni/files/analyzers/urlhaus/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ
diff --git a/salt/sensoroni/files/analyzers/urlhaus/source-packages/idna-3.10-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlhaus/source-packages/idna-3.10-py3-none-any.whl
deleted file mode 100644
index 52759bdd2..000000000
Binary files a/salt/sensoroni/files/analyzers/urlhaus/source-packages/idna-3.10-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/urlhaus/source-packages/idna-3.11-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlhaus/source-packages/idna-3.11-py3-none-any.whl
new file mode 100644
index 000000000..28f2c109e
Binary files /dev/null and b/salt/sensoroni/files/analyzers/urlhaus/source-packages/idna-3.11-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/urlhaus/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/urlhaus/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
new file mode 100644
index 000000000..b09e5032a
Binary files /dev/null and b/salt/sensoroni/files/analyzers/urlhaus/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ
diff --git a/salt/sensoroni/files/analyzers/urlhaus/source-packages/urllib3-2.5.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlhaus/source-packages/urllib3-2.5.0-py3-none-any.whl
deleted file mode 100644
index 81b580f1c..000000000
Binary files a/salt/sensoroni/files/analyzers/urlhaus/source-packages/urllib3-2.5.0-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/urlhaus/source-packages/urllib3-2.6.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlhaus/source-packages/urllib3-2.6.3-py3-none-any.whl
new file mode 100644
index 000000000..69e9ea57b
Binary files /dev/null and b/salt/sensoroni/files/analyzers/urlhaus/source-packages/urllib3-2.6.3-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/urlscan/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/urlscan/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
deleted file mode 100644
index e7e59e816..000000000
Binary files a/salt/sensoroni/files/analyzers/urlscan/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/urlscan/source-packages/certifi-2025.8.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlscan/source-packages/certifi-2025.8.3-py3-none-any.whl
deleted file mode 100644
index b4158ec67..000000000
Binary files a/salt/sensoroni/files/analyzers/urlscan/source-packages/certifi-2025.8.3-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/urlscan/source-packages/certifi-2026.1.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlscan/source-packages/certifi-2026.1.4-py3-none-any.whl
new file mode 100644
index 000000000..e46125399
Binary files /dev/null and b/salt/sensoroni/files/analyzers/urlscan/source-packages/certifi-2026.1.4-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/urlscan/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/urlscan/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl
deleted file mode 100644
index a8f2bd0c4..000000000
Binary files a/salt/sensoroni/files/analyzers/urlscan/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/urlscan/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/urlscan/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl new file mode 100644 index 000000000..1e7041677 Binary files /dev/null and b/salt/sensoroni/files/analyzers/urlscan/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ diff --git a/salt/sensoroni/files/analyzers/urlscan/source-packages/idna-3.10-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlscan/source-packages/idna-3.10-py3-none-any.whl deleted file mode 100644 index 52759bdd2..000000000 Binary files a/salt/sensoroni/files/analyzers/urlscan/source-packages/idna-3.10-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/urlscan/source-packages/idna-3.11-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlscan/source-packages/idna-3.11-py3-none-any.whl new file mode 100644 index 000000000..28f2c109e Binary files /dev/null and b/salt/sensoroni/files/analyzers/urlscan/source-packages/idna-3.11-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/urlscan/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/urlscan/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl new file mode 100644 index 000000000..b09e5032a Binary files /dev/null and b/salt/sensoroni/files/analyzers/urlscan/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ 
diff --git a/salt/sensoroni/files/analyzers/urlscan/source-packages/urllib3-2.5.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlscan/source-packages/urllib3-2.5.0-py3-none-any.whl deleted file mode 100644 index 81b580f1c..000000000 Binary files a/salt/sensoroni/files/analyzers/urlscan/source-packages/urllib3-2.5.0-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/urlscan/source-packages/urllib3-2.6.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/urlscan/source-packages/urllib3-2.6.3-py3-none-any.whl new file mode 100644 index 000000000..69e9ea57b Binary files /dev/null and b/salt/sensoroni/files/analyzers/urlscan/source-packages/urllib3-2.6.3-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/virustotal/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/salt/sensoroni/files/analyzers/virustotal/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl deleted file mode 100644 index e7e59e816..000000000 Binary files a/salt/sensoroni/files/analyzers/virustotal/source-packages/PyYAML-6.0.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/virustotal/source-packages/certifi-2025.8.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/virustotal/source-packages/certifi-2025.8.3-py3-none-any.whl deleted file mode 100644 index b4158ec67..000000000 Binary files a/salt/sensoroni/files/analyzers/virustotal/source-packages/certifi-2025.8.3-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/virustotal/source-packages/certifi-2026.1.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/virustotal/source-packages/certifi-2026.1.4-py3-none-any.whl new file mode 100644 index 000000000..e46125399 Binary files /dev/null and b/salt/sensoroni/files/analyzers/virustotal/source-packages/certifi-2026.1.4-py3-none-any.whl differ 
diff --git a/salt/sensoroni/files/analyzers/virustotal/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/virustotal/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl deleted file mode 100644 index a8f2bd0c4..000000000 Binary files a/salt/sensoroni/files/analyzers/virustotal/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/virustotal/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/virustotal/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl new file mode 100644 index 000000000..1e7041677 Binary files /dev/null and b/salt/sensoroni/files/analyzers/virustotal/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ diff --git a/salt/sensoroni/files/analyzers/virustotal/source-packages/idna-3.10-py3-none-any.whl b/salt/sensoroni/files/analyzers/virustotal/source-packages/idna-3.10-py3-none-any.whl deleted file mode 100644 index 52759bdd2..000000000 Binary files a/salt/sensoroni/files/analyzers/virustotal/source-packages/idna-3.10-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/virustotal/source-packages/idna-3.11-py3-none-any.whl b/salt/sensoroni/files/analyzers/virustotal/source-packages/idna-3.11-py3-none-any.whl new file mode 100644 index 000000000..28f2c109e Binary files /dev/null and b/salt/sensoroni/files/analyzers/virustotal/source-packages/idna-3.11-py3-none-any.whl differ 
diff --git a/salt/sensoroni/files/analyzers/virustotal/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/virustotal/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl new file mode 100644 index 000000000..b09e5032a Binary files /dev/null and b/salt/sensoroni/files/analyzers/virustotal/source-packages/pyyaml-6.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ diff --git a/salt/sensoroni/files/analyzers/virustotal/source-packages/urllib3-2.5.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/virustotal/source-packages/urllib3-2.5.0-py3-none-any.whl deleted file mode 100644 index 81b580f1c..000000000 Binary files a/salt/sensoroni/files/analyzers/virustotal/source-packages/urllib3-2.5.0-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/virustotal/source-packages/urllib3-2.6.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/virustotal/source-packages/urllib3-2.6.3-py3-none-any.whl new file mode 100644 index 000000000..69e9ea57b Binary files /dev/null and b/salt/sensoroni/files/analyzers/virustotal/source-packages/urllib3-2.6.3-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/anyio-4.10.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/anyio-4.10.0-py3-none-any.whl deleted file mode 100644 index ba752083e..000000000 Binary files a/salt/sensoroni/files/analyzers/whoislookup/source-packages/anyio-4.10.0-py3-none-any.whl and /dev/null differ 
diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/anyio-4.12.1-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/anyio-4.12.1-py3-none-any.whl new file mode 100644 index 000000000..328780949 Binary files /dev/null and b/salt/sensoroni/files/analyzers/whoislookup/source-packages/anyio-4.12.1-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/certifi-2025.8.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/certifi-2025.8.3-py3-none-any.whl deleted file mode 100644 index b4158ec67..000000000 Binary files a/salt/sensoroni/files/analyzers/whoislookup/source-packages/certifi-2025.8.3-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/certifi-2026.1.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/certifi-2026.1.4-py3-none-any.whl new file mode 100644 index 000000000..e46125399 Binary files /dev/null and b/salt/sensoroni/files/analyzers/whoislookup/source-packages/certifi-2026.1.4-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl deleted file mode 100644 index a8f2bd0c4..000000000 Binary files a/salt/sensoroni/files/analyzers/whoislookup/source-packages/charset_normalizer-3.4.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl and /dev/null differ 
diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl new file mode 100644 index 000000000..1e7041677 Binary files /dev/null and b/salt/sensoroni/files/analyzers/whoislookup/source-packages/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl differ diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/exceptiongroup-1.3.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/exceptiongroup-1.3.0-py3-none-any.whl deleted file mode 100644 index 50bf3af10..000000000 Binary files a/salt/sensoroni/files/analyzers/whoislookup/source-packages/exceptiongroup-1.3.0-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/exceptiongroup-1.3.1-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/exceptiongroup-1.3.1-py3-none-any.whl new file mode 100644 index 000000000..2a627a3ee Binary files /dev/null and b/salt/sensoroni/files/analyzers/whoislookup/source-packages/exceptiongroup-1.3.1-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/idna-3.10-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/idna-3.10-py3-none-any.whl deleted file mode 100644 index 52759bdd2..000000000 Binary files a/salt/sensoroni/files/analyzers/whoislookup/source-packages/idna-3.10-py3-none-any.whl and /dev/null differ 
diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/idna-3.11-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/idna-3.11-py3-none-any.whl new file mode 100644 index 000000000..28f2c109e Binary files /dev/null and b/salt/sensoroni/files/analyzers/whoislookup/source-packages/idna-3.11-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/sniffio-1.3.1-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/sniffio-1.3.1-py3-none-any.whl deleted file mode 100644 index 04f44e47d..000000000 Binary files a/salt/sensoroni/files/analyzers/whoislookup/source-packages/sniffio-1.3.1-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/typing_extensions-4.14.1-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/typing_extensions-4.14.1-py3-none-any.whl deleted file mode 100644 index d2aef8cf2..000000000 Binary files a/salt/sensoroni/files/analyzers/whoislookup/source-packages/typing_extensions-4.14.1-py3-none-any.whl and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/typing_extensions-4.15.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/typing_extensions-4.15.0-py3-none-any.whl new file mode 100644 index 000000000..5fec9ca64 Binary files /dev/null and b/salt/sensoroni/files/analyzers/whoislookup/source-packages/typing_extensions-4.15.0-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/urllib3-2.5.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/urllib3-2.5.0-py3-none-any.whl deleted file mode 100644 index 81b580f1c..000000000 Binary files a/salt/sensoroni/files/analyzers/whoislookup/source-packages/urllib3-2.5.0-py3-none-any.whl and /dev/null differ 
diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/urllib3-2.6.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/urllib3-2.6.3-py3-none-any.whl new file mode 100644 index 000000000..69e9ea57b Binary files /dev/null and b/salt/sensoroni/files/analyzers/whoislookup/source-packages/urllib3-2.6.3-py3-none-any.whl differ diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/whoisit-3.1.1.tar.gz b/salt/sensoroni/files/analyzers/whoislookup/source-packages/whoisit-3.1.1.tar.gz deleted file mode 100644 index e46573efd..000000000 Binary files a/salt/sensoroni/files/analyzers/whoislookup/source-packages/whoisit-3.1.1.tar.gz and /dev/null differ diff --git a/salt/sensoroni/files/analyzers/whoislookup/source-packages/whoisit-4.0.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/whoislookup/source-packages/whoisit-4.0.3-py3-none-any.whl new file mode 100644 index 000000000..8107b57f6 Binary files /dev/null and b/salt/sensoroni/files/analyzers/whoislookup/source-packages/whoisit-4.0.3-py3-none-any.whl differ diff --git a/salt/sensoroni/files/templates/reports/standard/assistant_session_report.md b/salt/sensoroni/files/templates/reports/standard/assistant_session_report.md new file mode 100644 index 000000000..7879a7db0 --- /dev/null +++ b/salt/sensoroni/files/templates/reports/standard/assistant_session_report.md 
@@ -0,0 +1,91 @@ +Onion AI Session Report +========================== + +## Session Details + +**Session ID:** {{.Session.SessionId}} + +**Title:** {{.Session.Title}} + +**Created:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .Session.CreateTime}} + +**Updated:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .Session.UpdateTime}} + +{{ if .Session.DeleteTime }} +**Deleted:** {{ formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .Session.DeleteTime}} +{{ end }} + +**User ID:** {{getUserDetail "email" .Session.UserId}} + +## Session Usage + +**Total Input Tokens** {{.Session.Usage.TotalInputTokens}} + +**Total Output Tokens** {{.Session.Usage.TotalOutputTokens}} + +**Total Credits:** {{.Session.Usage.TotalCredits}} + +**Total Messages:** {{.Session.Usage.TotalMessages}} + +## Messages + +{{ range $index, $msg := sortAssistantMessages "CreateTime" "asc" .History }} +#### Message {{ add $index 1 }} + +**Created:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" $msg.CreateTime}} + +**User ID:** {{getUserDetail "email" $msg.UserId}} + +**Role:** {{$msg.Message.Role}} + +{{ range $i, $block := $msg.Message.ContentBlocks }} + +--- + +{{ if eq $block.Type "text" }} +**Text:** {{ stripEmoji $block.Text }} +{{ else if eq $block.Type "tool_use" }} +**Tool:** {{ $block.Name }} +{{ if $block.Input }} +**Parameters:** +{{ range $key, $value := parseJSON $block.Input }} +{{ if eq $key "limit" }}- {{ $key }}: {{ $value }} +{{ else }}- {{ $key }}: "{{ $value }}" +{{ end }}{{ end }}{{ end }} +{{ else if $block.ToolResult }} +**Tool Result:** +{{ if $block.ToolResult.Content }} +{{ range $j, $contentBlock := $block.ToolResult.Content }} +{{ if gt $j 0 }} + +--- + +{{ end }} +{{ if $contentBlock.Text }} +{{ if $block.ToolResult.IsError }} +**Error:** {{ $contentBlock.Text }} +{{ else }} +{{ $contentBlock.Text }} +{{ end }} +{{ else if $contentBlock.Json }} +```json +{{ toJSON $contentBlock.Json }} +``` +{{ end }}{{ end }} +{{ end }}{{ end }}{{ end }} + +{{ if eq 
$msg.Message.Role "assistant" }}{{ if $msg.Message.Usage }} + +--- + +**Message Usage:** + +- Input Tokens: {{$msg.Message.Usage.InputTokens}} +- Output Tokens: {{$msg.Message.Usage.OutputTokens}} +- Credits: {{$msg.Message.Usage.Credits}} + +{{end}}{{end}} + +--- + +{{end}} \ No newline at end of file diff --git a/salt/sensoroni/files/templates/reports/standard/case_report.md b/salt/sensoroni/files/templates/reports/standard/case_report.md index 49f18e7c6..76a166f3f 100644 --- a/salt/sensoroni/files/templates/reports/standard/case_report.md +++ b/salt/sensoroni/files/templates/reports/standard/case_report.md @@ -130,4 +130,42 @@ Security Onion Case Report | ---- | ---- | ------ | --------- | {{ range sortHistory "CreateTime" "asc" .History -}} | {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .CreateTime}} | {{getUserDetail "email" .UserId}} | {{.Kind}} | {{.Operation}} | +{{end}} + +## Attached Onion AI Sessions + +{{ range $idx, $session := sortAssistantSessionDetails "CreateTime" "desc" .AssistantSessions }} + +#### Session {{ add $idx 1 }} + +**Session ID:** {{$session.Session.SessionId}} + +**Title:** {{$session.Session.Title}} + +**User ID:** {{getUserDetail "email" $session.Session.UserId}} + +**Created:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" $session.Session.CreateTime}} + +**Updated:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" $session.Session.UpdateTime}} + +{{ if $session.Session.DeleteTime }} +**Deleted:** {{ formatDateTime "Mon Jan 02 15:04:05 -0700 2006" $session.Session.DeleteTime}} +{{ end }} + +#### Messages + +{{ range $index, $msg := sortAssistantMessages "CreateTime" "asc" $session.History }} +{{ range $i, $block := $msg.Message.ContentBlocks }} + +{{ if eq $block.Type "text" }} + +**Role:** {{$msg.Message.Role}} + +{{ stripEmoji $block.Text }} + +--- + +{{ end }}{{ end }} + +{{end}} {{end}} \ No newline at end of file 
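Review bot: Assistant- and tool-authored text is interpolated into the report unescaped — `{{ stripEmoji $block.Text }}`, `{{ $contentBlock.Text }}` and the `- {{ $key }}: "{{ $value }}"` parameter lines — while only the `toJSON` branch is wrapped in a fenced block. Session content is produced by the model, the user and the tool outputs, so any markdown or raw HTML it carries (links, images, headings) becomes part of the rendered report, and a `"` or newline inside a tool parameter breaks the `- key: "value"` line. Consider fencing tool-result text the way the JSON branch already does, or routing it through an escaping helper if the template function set has one, and apply the same treatment to `{{ stripEmoji $block.Text }}` in the case_report.md hunk of this commit. Two cosmetic items: `**Total Input Tokens**` and `**Total Output Tokens**` lack the trailing colon that every sibling label uses, and the `limit` key is printed unquoted while all other values are quoted, which reads as accidental rather than intended.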
diff --git a/salt/sensoroni/soc_sensoroni.yaml b/salt/sensoroni/soc_sensoroni.yaml index cf69ec52a..aca6c8e3f 100644 --- a/salt/sensoroni/soc_sensoroni.yaml +++ b/salt/sensoroni/soc_sensoroni.yaml @@ -357,7 +357,7 @@ sensoroni: reports: standard: case_report__md: - title: Case report Template + title: Case Report Template description: The template used when generating a case report. Supports markdown format. file: True global: True @@ -370,6 +370,13 @@ sensoroni: global: True syntax: md helpLink: reports.html + assistant_session_report__md: + title: Assistant Session Report Template + description: The template used when generating an assistant session report. Supports markdown format. + file: True + global: True + syntax: md + helplink: reports.html custom: generic_report1__md: title: Custom Report 1 diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 28db2ef5f..bb59198c1 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -115,16 +115,16 @@ soc: ':kratos:': - soc_timestamp - event.dataset - - http_request.headers.x-real-ip + - http.request.headers.x-real-ip - user.name - - http_request.headers.user-agent + - http.useragent - msg ':hydra:': - soc_timestamp - event.dataset - - http_request.headers.x-real-ip + - http.request.headers.x-real-ip - user.name - - http_request.headers.user-agent + - http.useragent - msg '::conn': - soc_timestamp @@ -1494,10 +1494,19 @@ soc: branch: main folder: securityonion-normalized assistant: - apiUrl: https://onionai.securityonion.net - healthTimeoutSeconds: 3 systemPromptAddendum: "" systemPromptAddendumMaxLength: 50000 + adapters: + - name: SOAI + protocol: securityonion_ai_cloud + apiUrl: https://onionai.securityonion.net + healthTimeoutSeconds: 5 + - name: Gemini + protocol: gemini + apiKey: "" + serviceAccountJSON: "" + serviceAccountLocation: "" + healthTimeoutSeconds: 5 salt: queueDir: /opt/sensoroni/queue timeoutMs: 45000 
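Review bot: The new `assistant_session_report__md` entry spells the help key `helplink: reports.html`, while the sibling `case_report__md` entry and the context line directly above it use `helpLink: reports.html`. YAML keys are case-sensitive, so the consumer that looks up `helpLink` will most likely not find this one and the template will appear in the UI without its documentation link; change the line to `helpLink: reports.html`.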
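Review bot: The new `adapters` list seeds a `Gemini` entry with `apiKey: ""`, `serviceAccountJSON: ""` and `serviceAccountLocation: ""`, so third-party AI credentials now live as plain strings in the global SOC settings alongside the `SOAI` entry. Because these defaults are merged into the running configuration, it is worth confirming that an adapter whose credential fields are all empty is treated as disabled rather than probed at health-check time every `healthTimeoutSeconds`, and that the settings UI masks `apiKey` and `serviceAccountJSON` when displaying them. A short comment above the list would help the next operator, e.g. `# apiKey and serviceAccountJSON hold credentials; see assistant.html for which fields each protocol requires`.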
@@ -1509,6 +1518,7 @@ soc: anonymousCidr: apiKey: staticrbac: + defaultRole: "" roleFiles: - rbac/permissions - rbac/roles @@ -1622,7 +1632,7 @@ soc: sourceType: directory airgap: - name: Emerging-Threats - description: "Emerging Threats ruleset - To enable ET Pro on Airgap, review the documentation at https://docs.securityonion.net/suricata" + description: "Emerging Threats ruleset - To enable ET Pro on Airgap, review the documentation at https://securityonion.net/docs/suricata" licenseKey: "" enabled: true sourceType: directory @@ -1747,7 +1757,7 @@ soc: showSubtitle: true - name: SOC - Auth description: Users authenticated to SOC grouped by IP address and identity - query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http_request.headers.x-real-ip user.name' + query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http.request.headers.x-real-ip user.name' showSubtitle: true - name: SOC - App description: Logs generated by the Security Onion Console (SOC) server and modules 
@@ -2027,10 +2037,10 @@ soc: query: '* | groupby event.category | groupby -sankey event.category event.module | groupby event.module | groupby -sankey event.module event.dataset | groupby event.dataset | groupby observer.name | groupby host.name | groupby source.ip | groupby destination.ip | groupby destination.port' - name: SOC Logins description: SOC (Security Onion Console) logins - query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http_request.headers.x-real-ip | groupby -sankey http_request.headers.x-real-ip user.name | groupby user.name | groupby http_request.headers.user-agent' + query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http.request.headers.x-real-ip | groupby -sankey http.request.headers.x-real-ip user.name | groupby user.name | groupby http.useragent' - name: SOC Login Failures description: SOC (Security Onion Console) login failures - query: 'event.dataset:kratos.audit AND msg:*Encountered*self-service*login*error* | groupby user.name | groupby http_request.headers.x-real-ip | groupby -sankey http_request.headers.x-real-ip http_request.headers.user-agent | groupby http_request.headers.user-agent' + query: 'event.dataset:kratos.audit AND msg:*Encountered*self-service*login*error* | groupby user.name | groupby http.request.headers.x-real-ip | groupby -sankey http.request.headers.x-real-ip http.useragent | groupby http.useragent' - name: Alerts description: Overview of all alerts query: 'tags:alert | groupby event.module* | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby rule.name | groupby event.severity | groupby destination.as.organization.name' @@ -2370,6 +2380,10 @@ soc: exclusive: true enablesToggles: - acknowledged + - name: investigated + filter: event.investigated:true + enabled: false + exclusive: false queries: - name: 'Group By Name, Module' query: '* | groupby rule.name event.module* event.severity_label rule.uuid' 
@@ -2652,17 +2666,12 @@ soc: thresholdColorRatioMed: 0.75 thresholdColorRatioMax: 1 availableModels: - - id: sonnet-4.5 - displayName: Claude Sonnet 4.5 ($$$) + - id: sonnet + displayName: Claude Sonnet origin: USA contextLimitSmall: 200000 contextLimitLarge: 1000000 lowBalanceColorAlert: 500000 enabled: true - - id: qwen-235b - displayName: QWEN 235B ($) - origin: China - contextLimitSmall: 256000 - contextLimitLarge: 256000 - lowBalanceColorAlert: 500000 - enabled: true + adapter: SOAI + diff --git a/salt/soc/enabled.sls b/salt/soc/enabled.sls index 62e673ffc..5efb18fa5 100644 --- a/salt/soc/enabled.sls +++ b/salt/soc/enabled.sls @@ -11,6 +11,7 @@ {% from 'soc/merged.map.jinja' import SOCMERGED %} include: + - ca - soc.config - soc.sostatus @@ -55,7 +56,7 @@ so-soc: - /opt/so/conf/soc/migrations:/opt/so/conf/soc/migrations:rw - /nsm/backup/detections-migration:/nsm/backup/detections-migration:ro - /opt/so/state:/opt/so/state:rw - - /etc/pki/ca.crt:/opt/sensoroni/html/so-ca.crt:ro + - /etc/pki/tls/certs/intca.crt:/opt/sensoroni/html/so-ca.crt:ro - extra_hosts: {% for node in DOCKER_EXTRA_HOSTS %} {% for hostname, ip in node.items() %} @@ -78,8 +79,10 @@ so-soc: {% endfor %} {% endif %} - watch: + - file: trusttheca - file: /opt/so/conf/soc/* - require: + - file: trusttheca - file: socdatadir - file: soclogdir - file: socconfig diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 11442afba..596ba4bd0 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
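Review bot: The added `- file: trusttheca` entries under `watch:` and `require:` assume `trusttheca` is a `file.*` state, but in the `salt/ssl/init.sls` that this commit deletes `trusttheca` was declared as `x509.pem_managed` on `/etc/pki/tls/certs/intca.crt`; unless the relocated definition in the newly included `ca` state (not in this diff) is a `file` state, the requisite will not resolve and `so-soc` fails to apply. Please confirm the state module of the new `trusttheca` definition and use the matching requisite type, e.g. `- x509: trusttheca` if it is still `x509.pem_managed`. The second hunk changes the certificate published at `/opt/sensoroni/html/so-ca.crt` to `intca.crt`; in the deleted file that path carried the same text as `/etc/pki/ca.crt` on managers, so the published trust anchor is unchanged in content, but this requisite is what guarantees the file exists before the container mounts it.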
@@ -455,6 +455,11 @@ soc: global: True advanced: True forcedType: int + staticrbac: + defaultRole: + description: "Default role for new users that have not been assigned a role. When a role is specified, an attempt will be made to permanently assign the role to the user once the user accesses SOC. The role name must match exactly the name of an existing RBAC role. Standard system roles include: limited-auditor, limited-analyst, auditor, analyst, superuser" + global: True + advanced: False strelkaengine: aiRepoUrl: description: URL to the AI repository. This is used to pull in AI models for use in Strelka rules. @@ -552,10 +557,11 @@ soc: global: True advanced: True customRulesets: - description: 'URLs and/or Local File configurations for Suricata custom rulesets. Refer to the linked documentation for important specification and file placement information' + description: 'This setting is no longer used. Use Ruleset Sources setting instead.' global: True advanced: True forcedType: "[]{}" + readonly: True helpLink: suricata.html ignoredSidRanges: description: 'List of Suricata SID ranges to ignore during the Integrity Check. This is useful for ignoring specific rules not governed by the UI. Each line should contain 1 range in the format "1100000-1200000". The ranges are treated as inclusive.' @@ -650,14 +656,6 @@ soc: label: Folder airgap: *pbRepos assistant: - apiUrl: - description: The URL of the AI gateway. - advanced: True - global: True - healthTimeoutSeconds: - description: Timeout in seconds for the Onion AI health check. - global: True - advanced: True systemPromptAddendum: description: Additional context to provide to the AI assistant about this SOC deployment. This can include information about your environment, policies, or any other relevant details that can help the AI provide more accurate and tailored assistance. Long prompts may be shortened. global: True 
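Review bot: `staticrbac.defaultRole` is exposed with `advanced: False` and its description lists `superuser` among accepted values, yet by its own text it assigns the role automatically and permanently to every authenticated identity that has none, so a single careless value makes every new login an administrator. Consider `advanced: True` for this setting and extend the description with the consequences of the value, e.g. `Leave empty to assign no role automatically. Choose the least-privileged role that meets your needs; assignments already made are not reverted if this setting is later changed.` The description should also state what happens when the value does not match an existing role (ignored, logged, or login refused), since that is not covered.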
@@ -667,6 +665,44 @@ soc: description: Maximum length of the system prompt addendum. Longer prompts will be truncated. global: True advanced: True + adapters: + description: Configuration for AI adapters used by the Onion AI assistant. Please see documentation for help on which fields are required for which protocols. + global: True + advanced: True + forcedType: "[]{}" + helpLink: assistant.html + syntax: json + uiElements: + - field: name + label: Adapter Name + regex: "^(?!.*@).+$" + regexFailureMessage: Adapter name cannot contain the '@' character + required: True + - field: protocol + label: Protocol + required: True + options: + - securityonion_ai_cloud + - gemini + - openai_responses + - openai_chat + - field: apiUrl + label: API URL + required: False + - field: apiKey + label: API Key + required: False + - field: serviceAccountJSON + label: Service Account JSON + required: False + multiline: True + - field: serviceAccountLocation + label: Service Account Location + required: False + - field: healthTimeoutSeconds + label: Health Timeout Seconds + required: False + forcedType: int client: assistant: enabled: @@ -705,6 +741,8 @@ soc: - field: id label: Model ID required: True + regex: "^(?!.*@).+$" + regexFailureMessage: Model ID cannot contain the '@' character - field: displayName label: Display Name required: True @@ -722,6 +760,8 @@ soc: - field: lowBalanceColorAlert label: Low Balance Color Alert forcedType: int + - field: adapter + label: Adapter required: True - field: enabled label: Enabled diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls deleted file mode 100644 index 0cef8c1e3..000000000 --- a/salt/ssl/init.sls +++ /dev/null 
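Review bot: The `apiUrl` element of the new `adapters` setting accepts any string, so an `openai_responses`, `openai_chat` or `gemini` adapter can be pointed at a plain `http://` endpoint and the `apiKey` entered in the same form is then sent in clear text. The schema already supports per-field validation (see the `name` element's `regex`/`regexFailureMessage`), so add `regex: "^https://.+$"` with `regexFailureMessage: API URL must use https` to the `apiUrl` element, relaxing it only if plaintext endpoints on localhost are a supported deployment. `apiKey` and `serviceAccountJSON` are credentials; if the uiElements schema has a way to mask a field or mark it secret, it should be applied to both, and the `description` could say explicitly that these values are stored in the global configuration. The same `^(?!.*@).+$` rule is now applied to both the adapter `name` and the model `id`, which suggests the pair is joined with `@` somewhere; a one-line comment naming that convention would save the next reader the guess.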
@@ -1,720 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{% from 'allowed_states.map.jinja' import allowed_states %} -{% if sls in allowed_states %} -{% from 'vars/globals.map.jinja' import GLOBALS %} - -{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %} - -{% set global_ca_text = [] %} -{% set global_ca_server = [] %} -{% if grains.role in ['so-heavynode'] %} - {% set COMMONNAME = GLOBALS.hostname %} -{% else %} - {% set COMMONNAME = GLOBALS.manager %} -{% endif %} - -{% if GLOBALS.is_manager %} -include: - - ca - {% set trusttheca_text = salt['cp.get_file_str']('/etc/pki/ca.crt')|replace('\n', '') %} - {% set ca_server = grains.id %} -{% else %} -include: - - ca.dirs - {% set x509dict = salt['mine.get'](GLOBALS.manager | lower~'*', 'x509.get_pem_entries') %} - {% for host in x509dict %} - {% if 'manager' in host.split('_')|last or host.split('_')|last == 'standalone' %} - {% do global_ca_text.append(x509dict[host].get('/etc/pki/ca.crt')|replace('\n', '')) %} - {% do global_ca_server.append(host) %} - {% endif %} - {% endfor %} - {% set trusttheca_text = global_ca_text[0] %} - {% set ca_server = global_ca_server[0] %} -{% endif %} - -cacertdir: - file.directory: - - name: /etc/pki/tls/certs - - makedirs: True - -# Trust the CA -trusttheca: - x509.pem_managed: - - name: /etc/pki/tls/certs/intca.crt - - text: {{ trusttheca_text }} - -{% if GLOBALS.os_family == 'Debian' %} -symlinkca: - file.symlink: - - target: /etc/pki/tls/certs/intca.crt - - name: /etc/ssl/certs/intca.crt -{% endif %} - -# Install packages needed for the sensor -m2cryptopkgs: - pkg.installed: - - skip_suggestions: False - - pkgs: - - python3-m2crypto - -influxdb_key: - x509.private_key_managed: - - name: 
/etc/pki/influxdb.key - - keysize: 4096 - - backup: True - - new: True - {% if salt['file.file_exists']('/etc/pki/influxdb.key') -%} - - prereq: - - x509: /etc/pki/influxdb.crt - {%- endif %} - - retry: - attempts: 5 - interval: 30 - -# Create a cert for the talking to influxdb -influxdb_crt: - x509.certificate_managed: - - name: /etc/pki/influxdb.crt - - ca_server: {{ ca_server }} - - signing_policy: influxdb - - private_key: /etc/pki/influxdb.key - - CN: {{ GLOBALS.hostname }} - - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - - days_remaining: 0 - - days_valid: 820 - - backup: True - - timeout: 30 - - retry: - attempts: 5 - interval: 30 - -influxkeyperms: - file.managed: - - replace: False - - name: /etc/pki/influxdb.key - - mode: 640 - - group: 939 - -{% if GLOBALS.is_manager or GLOBALS.role in ['so-heavynode', 'so-fleet', 'so-receiver'] %} -# Create a cert for Redis encryption -redis_key: - x509.private_key_managed: - - name: /etc/pki/redis.key - - keysize: 4096 - - backup: True - - new: True - {% if salt['file.file_exists']('/etc/pki/redis.key') -%} - - prereq: - - x509: /etc/pki/redis.crt - {%- endif %} - - retry: - attempts: 5 - interval: 30 - -redis_crt: - x509.certificate_managed: - - name: /etc/pki/redis.crt - - ca_server: {{ ca_server }} - - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - - signing_policy: registry - - private_key: /etc/pki/redis.key - - CN: {{ GLOBALS.hostname }} - - days_remaining: 0 - - days_valid: 820 - - backup: True - - timeout: 30 - - retry: - attempts: 5 - interval: 30 - -rediskeyperms: - file.managed: - - replace: False - - name: /etc/pki/redis.key - - mode: 640 - - group: 939 -{% endif %} - -{% if GLOBALS.is_manager or GLOBALS.role in ['so-heavynode', 'so-fleet', 'so-receiver'] %} - -{% if grains['role'] not in [ 'so-heavynode', 'so-receiver'] %} -# Start -- Elastic Fleet Host Cert -etc_elasticfleet_key: - x509.private_key_managed: - - name: /etc/pki/elasticfleet-server.key - - 
keysize: 4096 - - backup: True - - new: True - {% if salt['file.file_exists']('/etc/pki/elasticfleet-server.key') -%} - - prereq: - - x509: etc_elasticfleet_crt - {%- endif %} - - retry: - attempts: 5 - interval: 30 - -etc_elasticfleet_crt: - x509.certificate_managed: - - name: /etc/pki/elasticfleet-server.crt - - ca_server: {{ ca_server }} - - signing_policy: elasticfleet - - private_key: /etc/pki/elasticfleet-server.key - - CN: {{ GLOBALS.hostname }} - - subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %} - - days_remaining: 0 - - days_valid: 820 - - backup: True - - timeout: 30 - - retry: - attempts: 5 - interval: 30 - -efperms: - file.managed: - - replace: False - - name: /etc/pki/elasticfleet-server.key - - mode: 640 - - group: 939 - -chownelasticfleetcrt: - file.managed: - - replace: False - - name: /etc/pki/elasticfleet-server.crt - - mode: 640 - - user: 947 - - group: 939 - -chownelasticfleetkey: - file.managed: - - replace: False - - name: /etc/pki/elasticfleet-server.key - - mode: 640 - - user: 947 - - group: 939 -# End -- Elastic Fleet Host Cert -{% endif %} # endif is for not including HeavyNodes & Receivers - -{% if grains['role'] not in [ 'so-heavynode'] %} -# Start -- Elastic Fleet Logstash Input Cert -etc_elasticfleet_logstash_key: - x509.private_key_managed: - - name: /etc/pki/elasticfleet-logstash.key - - keysize: 4096 - - backup: True - - new: True - {% if salt['file.file_exists']('/etc/pki/elasticfleet-logstash.key') -%} - - prereq: - - x509: etc_elasticfleet_logstash_crt - {%- endif %} - - retry: - attempts: 5 - interval: 30 - -etc_elasticfleet_logstash_crt: - x509.certificate_managed: - - name: /etc/pki/elasticfleet-logstash.crt - - ca_server: {{ ca_server }} - - signing_policy: elasticfleet - - private_key: /etc/pki/elasticfleet-logstash.key - - CN: {{ 
GLOBALS.hostname }} - - subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %} - - days_remaining: 0 - - days_valid: 820 - - backup: True - - timeout: 30 - - retry: - attempts: 5 - interval: 30 - cmd.run: - - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-logstash.key -topk8 -out /etc/pki/elasticfleet-logstash.p8 -nocrypt" - - onchanges: - - x509: etc_elasticfleet_logstash_key - -eflogstashperms: - file.managed: - - replace: False - - name: /etc/pki/elasticfleet-logstash.key - - mode: 640 - - group: 939 - -chownelasticfleetlogstashcrt: - file.managed: - - replace: False - - name: /etc/pki/elasticfleet-logstash.crt - - mode: 640 - - user: 931 - - group: 939 - -chownelasticfleetlogstashkey: - file.managed: - - replace: False - - name: /etc/pki/elasticfleet-logstash.key - - mode: 640 - - user: 931 - - group: 939 -# End -- Elastic Fleet Logstash Input Cert -{% endif %} # endif is for not including HeavyNodes - -# Start -- Elastic Fleet Node - Logstash Lumberjack Input / Output -# Cert needed on: Managers, Receivers -etc_elasticfleetlumberjack_key: - x509.private_key_managed: - - name: /etc/pki/elasticfleet-lumberjack.key - - bits: 4096 - - backup: True - - new: True - {% if salt['file.file_exists']('/etc/pki/elasticfleet-lumberjack.key') -%} - - prereq: - - x509: etc_elasticfleetlumberjack_crt - {%- endif %} - - retry: - attempts: 5 - interval: 30 - -etc_elasticfleetlumberjack_crt: - x509.certificate_managed: - - name: /etc/pki/elasticfleet-lumberjack.crt - - ca_server: {{ ca_server }} - - signing_policy: elasticfleet - - private_key: /etc/pki/elasticfleet-lumberjack.key - - CN: {{ GLOBALS.node_ip }} - - subjectAltName: DNS:{{ GLOBALS.hostname }} - - days_remaining: 0 - - days_valid: 820 - - backup: True - - timeout: 30 - - retry: - attempts: 5 - interval: 30 - cmd.run: - - 
name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-lumberjack.key -topk8 -out /etc/pki/elasticfleet-lumberjack.p8 -nocrypt" - - onchanges: - - x509: etc_elasticfleetlumberjack_key - -eflogstashlumberjackperms: - file.managed: - - replace: False - - name: /etc/pki/elasticfleet-lumberjack.key - - mode: 640 - - group: 939 - -chownilogstashelasticfleetlumberjackp8: - file.managed: - - replace: False - - name: /etc/pki/elasticfleet-lumberjack.p8 - - mode: 640 - - user: 931 - - group: 939 - -chownilogstashelasticfleetlogstashlumberjackcrt: - file.managed: - - replace: False - - name: /etc/pki/elasticfleet-lumberjack.crt - - mode: 640 - - user: 931 - - group: 939 - -chownilogstashelasticfleetlogstashlumberjackkey: - file.managed: - - replace: False - - name: /etc/pki/elasticfleet-lumberjack.key - - mode: 640 - - user: 931 - - group: 939 - -# End -- Elastic Fleet Node - Logstash Lumberjack Input / Output - -# Start -- Elastic Fleet Client Cert for Agent (Mutual Auth with Logstash Output) -etc_elasticfleet_agent_key: - x509.private_key_managed: - - name: /etc/pki/elasticfleet-agent.key - - keysize: 4096 - - backup: True - - new: True - {% if salt['file.file_exists']('/etc/pki/elasticfleet-agent.key') -%} - - prereq: - - x509: etc_elasticfleet_agent_crt - {%- endif %} - - retry: - attempts: 5 - interval: 30 - -etc_elasticfleet_agent_crt: - x509.certificate_managed: - - name: /etc/pki/elasticfleet-agent.crt - - ca_server: {{ ca_server }} - - signing_policy: elasticfleet - - private_key: /etc/pki/elasticfleet-agent.key - - CN: {{ GLOBALS.hostname }} - - days_remaining: 0 - - days_valid: 820 - - backup: True - - timeout: 30 - - retry: - attempts: 5 - interval: 30 - cmd.run: - - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-agent.key -topk8 -out /etc/pki/elasticfleet-agent.p8 -nocrypt" - - onchanges: - - x509: etc_elasticfleet_agent_key - -efagentperms: - file.managed: - - replace: False - - name: /etc/pki/elasticfleet-agent.key - - mode: 640 - - group: 939 - 
-chownelasticfleetagentcrt: - file.managed: - - replace: False - - name: /etc/pki/elasticfleet-agent.crt - - mode: 640 - - user: 947 - - group: 939 - -chownelasticfleetagentkey: - file.managed: - - replace: False - - name: /etc/pki/elasticfleet-agent.key - - mode: 640 - - user: 947 - - group: 939 -# End -- Elastic Fleet Client Cert for Agent (Mutual Auth with Logstash Output) - -{% endif %} - -{% if GLOBALS.is_manager or GLOBALS.role in ['so-heavynode', 'so-receiver'] %} -etc_filebeat_key: - x509.private_key_managed: - - name: /etc/pki/filebeat.key - - keysize: 4096 - - backup: True - - new: True - {% if salt['file.file_exists']('/etc/pki/filebeat.key') -%} - - prereq: - - x509: etc_filebeat_crt - {%- endif %} - - retry: - attempts: 5 - interval: 30 - -# Request a cert and drop it where it needs to go to be distributed -etc_filebeat_crt: - x509.certificate_managed: - - name: /etc/pki/filebeat.crt - - ca_server: {{ ca_server }} - - signing_policy: filebeat - - private_key: /etc/pki/filebeat.key - - CN: {{ GLOBALS.hostname }} - - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - - days_remaining: 0 - - days_valid: 820 - - backup: True - - timeout: 30 - - retry: - attempts: 5 - interval: 30 - cmd.run: - - name: "/usr/bin/openssl pkcs8 -in /etc/pki/filebeat.key -topk8 -out /etc/pki/filebeat.p8 -nocrypt" - - onchanges: - - x509: etc_filebeat_key - -fbperms: - file.managed: - - replace: False - - name: /etc/pki/filebeat.key - - mode: 640 - - group: 939 - -chownilogstashfilebeatp8: - file.managed: - - replace: False - - name: /etc/pki/filebeat.p8 - - mode: 640 - - user: 931 - - group: 939 - - {% if grains.role not in ['so-heavynode', 'so-receiver'] %} -# Create Symlinks to the keys so I can distribute it to all the things -filebeatdir: - file.directory: - - name: /opt/so/saltstack/local/salt/filebeat/files - - makedirs: True - -fbkeylink: - file.symlink: - - name: /opt/so/saltstack/local/salt/filebeat/files/filebeat.p8 - - target: /etc/pki/filebeat.p8 
- - user: socore - - group: socore - -fbcrtlink: - file.symlink: - - name: /opt/so/saltstack/local/salt/filebeat/files/filebeat.crt - - target: /etc/pki/filebeat.crt - - user: socore - - group: socore - -registry_key: - x509.private_key_managed: - - name: /etc/pki/registry.key - - keysize: 4096 - - backup: True - - new: True - {% if salt['file.file_exists']('/etc/pki/registry.key') -%} - - prereq: - - x509: /etc/pki/registry.crt - {%- endif %} - - retry: - attempts: 5 - interval: 30 - -# Create a cert for the docker registry -registry_crt: - x509.certificate_managed: - - name: /etc/pki/registry.crt - - ca_server: {{ ca_server }} - - subjectAltName: DNS:{{ GLOBALS.manager }}, IP:{{ GLOBALS.manager_ip }} - - signing_policy: registry - - private_key: /etc/pki/registry.key - - CN: {{ GLOBALS.manager }} - - days_remaining: 0 - - days_valid: 820 - - backup: True - - timeout: 30 - - retry: - attempts: 5 - interval: 30 - -regkeyperms: - file.managed: - - replace: False - - name: /etc/pki/registry.key - - mode: 640 - - group: 939 - - {% endif %} - {% if grains.role not in ['so-receiver'] %} -# Create a cert for elasticsearch -/etc/pki/elasticsearch.key: - x509.private_key_managed: - - keysize: 4096 - - backup: True - - new: True - {% if salt['file.file_exists']('/etc/pki/elasticsearch.key') -%} - - prereq: - - x509: /etc/pki/elasticsearch.crt - {%- endif %} - - retry: - attempts: 5 - interval: 30 - -/etc/pki/elasticsearch.crt: - x509.certificate_managed: - - ca_server: {{ ca_server }} - - signing_policy: registry - - private_key: /etc/pki/elasticsearch.key - - CN: {{ GLOBALS.hostname }} - - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - - days_remaining: 0 - - days_valid: 820 - - backup: True - - timeout: 30 - - retry: - attempts: 5 - interval: 30 - cmd.run: - - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/elasticsearch.key -in /etc/pki/elasticsearch.crt -export -out /etc/pki/elasticsearch.p12 -nodes -passout pass:" - - onchanges: - - x509: 
/etc/pki/elasticsearch.key - -elastickeyperms: - file.managed: - - replace: False - - name: /etc/pki/elasticsearch.key - - mode: 640 - - group: 930 - -elasticp12perms: - file.managed: - - replace: False - - name: /etc/pki/elasticsearch.p12 - - mode: 640 - - group: 930 - - {% endif %} - - -{% endif %} - -{% if GLOBALS.is_manager or GLOBALS.role in ['so-sensor', 'so-searchnode', 'so-heavynode', 'so-fleet', 'so-idh', 'so-receiver'] %} - -fbcertdir: - file.directory: - - name: /opt/so/conf/filebeat/etc/pki - - makedirs: True - -conf_filebeat_key: - x509.private_key_managed: - - name: /opt/so/conf/filebeat/etc/pki/filebeat.key - - keysize: 4096 - - backup: True - - new: True - {% if salt['file.file_exists']('/opt/so/conf/filebeat/etc/pki/filebeat.key') -%} - - prereq: - - x509: conf_filebeat_crt - {%- endif %} - - retry: - attempts: 5 - interval: 30 - -# Request a cert and drop it where it needs to go to be distributed -conf_filebeat_crt: - x509.certificate_managed: - - name: /opt/so/conf/filebeat/etc/pki/filebeat.crt - - ca_server: {{ ca_server }} - - signing_policy: filebeat - - private_key: /opt/so/conf/filebeat/etc/pki/filebeat.key - - CN: {{ GLOBALS.hostname }} - - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - - days_remaining: 0 - - days_valid: 820 - - backup: True - - timeout: 30 - - retry: - attempts: 5 - interval: 30 - -# Convert the key to pkcs#8 so logstash will work correctly. 
-filebeatpkcs: - cmd.run: - - name: "/usr/bin/openssl pkcs8 -in /opt/so/conf/filebeat/etc/pki/filebeat.key -topk8 -out /opt/so/conf/filebeat/etc/pki/filebeat.p8 -passout pass:" - - onchanges: - - x509: conf_filebeat_key - -filebeatkeyperms: - file.managed: - - replace: False - - name: /opt/so/conf/filebeat/etc/pki/filebeat.key - - mode: 640 - - group: 939 - -chownfilebeatp8: - file.managed: - - replace: False - - name: /opt/so/conf/filebeat/etc/pki/filebeat.p8 - - mode: 640 - - user: 931 - - group: 939 - -{% endif %} - -{% if grains['role'] == 'so-searchnode' %} -# Create a cert for elasticsearch -/etc/pki/elasticsearch.key: - x509.private_key_managed: - - keysize: 4096 - - backup: True - - new: True - {% if salt['file.file_exists']('/etc/pki/elasticsearch.key') -%} - - prereq: - - x509: /etc/pki/elasticsearch.crt - {%- endif %} - - retry: - attempts: 5 - interval: 30 - -/etc/pki/elasticsearch.crt: - x509.certificate_managed: - - ca_server: {{ ca_server }} - - signing_policy: registry - - private_key: /etc/pki/elasticsearch.key - - CN: {{ GLOBALS.hostname }} - - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - - days_remaining: 0 - - days_valid: 820 - - backup: True - - timeout: 30 - - retry: - attempts: 5 - interval: 30 - cmd.run: - - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/elasticsearch.key -in /etc/pki/elasticsearch.crt -export -out /etc/pki/elasticsearch.p12 -nodes -passout pass:" - - onchanges: - - x509: /etc/pki/elasticsearch.key - -elasticp12perms: - file.managed: - - replace: False - - name: /etc/pki/elasticsearch.p12 - - mode: 640 - - group: 930 - -elastickeyperms: - file.managed: - - replace: False - - name: /etc/pki/elasticsearch.key - - mode: 640 - - group: 930 -{%- endif %} - -{% if GLOBALS.role in ['so-manager', 'so-managerhype', 'so-managersearch', 'so-standalone'] %} -elasticfleet_kafka_key: - x509.private_key_managed: - - name: /etc/pki/elasticfleet-kafka.key - - keysize: 4096 - - backup: True - - new: True - {% if 
salt['file.file_exists']('/etc/pki/elasticfleet-kafka.key') -%} - - prereq: - - x509: elasticfleet_kafka_crt - {%- endif %} - - retry: - attempts: 5 - interval: 30 - -elasticfleet_kafka_crt: - x509.certificate_managed: - - name: /etc/pki/elasticfleet-kafka.crt - - ca_server: {{ ca_server }} - - signing_policy: kafka - - private_key: /etc/pki/elasticfleet-kafka.key - - CN: {{ GLOBALS.hostname }} - - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - - days_remaining: 0 - - days_valid: 820 - - backup: True - - timeout: 30 - - retry: - attempts: 5 - interval: 30 - -elasticfleet_kafka_cert_perms: - file.managed: - - replace: False - - name: /etc/pki/elasticfleet-kafka.crt - - mode: 640 - - user: 947 - - group: 939 - -elasticfleet_kafka_key_perms: - file.managed: - - replace: False - - name: /etc/pki/elasticfleet-kafka.key - - mode: 640 - - user: 947 - - group: 939 -{% endif %} - -{% else %} - -{{sls}}_state_not_allowed: - test.fail_without_changes: - - name: {{sls}}_state_not_allowed - -{% endif %} diff --git a/salt/ssl/remove.sls b/salt/ssl/remove.sls index 28b860205..e91605551 100644 --- a/salt/ssl/remove.sls +++ b/salt/ssl/remove.sls @@ -1,10 +1,7 @@ -trusttheca: - file.absent: - - name: /etc/pki/tls/certs/intca.crt - -symlinkca: - file.absent: - - name: /etc/ssl/certs/intca.crt +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. influxdb_key: file.absent: @@ -14,6 +11,14 @@ influxdb_crt: file.absent: - name: /etc/pki/influxdb.crt +telegraf_key: + file.absent: + - name: /etc/pki/telegraf.key + +telegraf_crt: + file.absent: + - name: /etc/pki/telegraf.crt + redis_key: file.absent: - name: /etc/pki/redis.key 
@@ -30,6 +35,7 @@ etc_filebeat_crt: file.absent: - name: /etc/pki/filebeat.crt +# manager has symlink to /etc/pki/filebeat.crt and /etc/pki/filebeat.p8 filebeatdir: file.absent: - name: /opt/so/saltstack/local/salt/filebeat/files @@ -42,11 +48,13 @@ registry_crt: file.absent: - name: /etc/pki/registry.crt -/etc/pki/elasticsearch.key: - file.absent: [] +elasticsearch_key: + file.absent: + - name: /etc/pki/elasticsearch.key -/etc/pki/elasticsearch.crt: - file.absent: [] +elasticsearch_crt: + file.absent: + - name: /etc/pki/elasticsearch.crt remove_elasticsearch.p12: file.absent: @@ -75,6 +83,7 @@ fbcertdir: kafka_crt: file.absent: - name: /etc/pki/kafka.crt + kafka_key: file.absent: - name: /etc/pki/kafka.key 
@@ -82,9 +91,67 @@ kafka_key: kafka_logstash_crt: file.absent: - name: /etc/pki/kafka-logstash.crt + kafka_logstash_key: file.absent: - name: /etc/pki/kafka-logstash.key + kafka_logstash_keystore: file.absent: - name: /etc/pki/kafka-logstash.p12 + +elasticfleet_agent_crt: + file.absent: + - name: /etc/pki/elasticfleet-agent.crt + +elasticfleet_agent_key: + file.absent: + - name: /etc/pki/elasticfleet-agent.key + +elasticfleet_agent_p8: + file.absent: + - name: /etc/pki/elasticfleet-agent.p8 + +elasticfleet_kafka_crt: + file.absent: + - name: /etc/pki/elasticfleet-kafka.crt + +elasticfleet_kafka_key: + file.absent: + - name: /etc/pki/elasticfleet-kafka.key + +elasticfleet_logstash_crt: + file.absent: + - name: /etc/pki/elasticfleet-logstash.crt + +elasticfleet_logstash_key: + file.absent: + - name: /etc/pki/elasticfleet-logstash.key + +elasticfleet_logstash_p8: + file.absent: + - name: /etc/pki/elasticfleet-logstash.p8 + +elasticfleet_lumberjack_crt: + file.absent: + - name: /etc/pki/elasticfleet-lumberjack.crt + +elasticfleet_lumberjack_key: + file.absent: + - name: /etc/pki/elasticfleet-lumberjack.key + +elasticfleet_lumberjack_p8: + file.absent: + - name: /etc/pki/elasticfleet-lumberjack.p8 + +elasticfleet_server_crt: + file.absent: + - name: /etc/pki/elasticfleet-server.crt + +elasticfleet_server_key: + file.absent: + - name: /etc/pki/elasticfleet-server.key + +filebeat_p8: + file.absent: + - name: /etc/pki/filebeat.p8 diff --git a/salt/telegraf/config.sls b/salt/telegraf/config.sls index 171bd41f5..3873d1da0 100644 --- a/salt/telegraf/config.sls +++ b/salt/telegraf/config.sls @@ -7,9 +7,7 @@ {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'telegraf/map.jinja' import TELEGRAFMERGED %} - -include: - - ssl +{% from 'logstash/map.jinja' import LOGSTASH_MERGED %} # add Telegraf to monitor all the things tgraflogdir: 
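Review bot: The new `file.absent` states in `salt/ssl/remove.sls` delete the live `.key`/`.crt`/`.p8` files, but every `x509.private_key_managed` that created those keys ran with `backup: True` (both in the deleted `salt/ssl/init.sls` and in the new `salt/telegraf/ssl.sls`), and with `new: True` plus the `prereq` on the certificate each renewal replaces the key, so superseded private keys are kept on the minion by the x509 backup option, typically under the minion's file backup cache (`/var/cache/salt/minion/file_backup`). A removal state that is meant to scrub a node before reinstall should also clear that location, for example a `file.absent` on the backup directory, or the reinstall path should `rm -rf` it; otherwise old key material outlives the reinstall. If the backups are intentionally retained for rollback, a comment in this file saying so, e.g. `# NOTE: x509 backups of replaced keys are left in the minion file_backup cache`, would make the trade-off explicit.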
@@ -92,6 +90,7 @@ tgrafconf: - defaults: GLOBALS: {{ GLOBALS }} TELEGRAFMERGED: {{ TELEGRAFMERGED }} + LOGSTASH_MERGED: {{ LOGSTASH_MERGED }} # this file will be read by telegraf to send node details (management interface, monitor interface, etc) # into influx diff --git a/salt/telegraf/enabled.sls b/salt/telegraf/enabled.sls index 451c78dda..e77b04995 100644 --- a/salt/telegraf/enabled.sls +++ b/salt/telegraf/enabled.sls @@ -9,8 +9,9 @@ {% from 'docker/docker.map.jinja' import DOCKER %} {% from 'telegraf/map.jinja' import TELEGRAFMERGED %} - include: + - ca + - telegraf.ssl - telegraf.config - telegraf.sostatus @@ -42,13 +43,9 @@ so-telegraf: - /proc:/host/proc:ro - /nsm:/host/nsm:ro - /etc:/host/etc:ro - {% if GLOBALS.role in ['so-manager', 'so-eval', 'so-managersearch' ] %} - - /etc/pki/ca.crt:/etc/telegraf/ca.crt:ro - {% else %} - /etc/pki/tls/certs/intca.crt:/etc/telegraf/ca.crt:ro - {% endif %} - - /etc/pki/influxdb.crt:/etc/telegraf/telegraf.crt:ro - - /etc/pki/influxdb.key:/etc/telegraf/telegraf.key:ro + - /etc/pki/telegraf.crt:/etc/telegraf/telegraf.crt:ro + - /etc/pki/telegraf.key:/etc/telegraf/telegraf.key:ro - /opt/so/conf/telegraf/scripts:/scripts:ro - /opt/so/log/stenographer:/var/log/stenographer:ro - /opt/so/log/suricata:/var/log/suricata:ro @@ -71,21 +68,20 @@ so-telegraf: {% endfor %} {% endif %} - watch: + - file: trusttheca + - x509: telegraf_crt + - x509: telegraf_key - file: tgrafconf - file: node_config {% for script in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %} - file: tgraf_sync_script_{{script}} {% endfor %} - - require: + - require: + - file: trusttheca + - x509: telegraf_crt + - x509: telegraf_key - file: tgrafconf - file: node_config - {% if GLOBALS.role in ['so-manager', 'so-eval', 'so-managersearch' ] %} - - x509: pki_public_ca_crt - {% else %} - - x509: trusttheca - {% endif %} - - x509: influxdb_crt - - x509: influxdb_key delete_so-telegraf_so-status.disabled: file.uncomment: 
diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf index d2cb87057..05ed70d68 100644 --- a/salt/telegraf/etc/telegraf.conf +++ b/salt/telegraf/etc/telegraf.conf @@ -7,6 +7,7 @@ {%- set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %} {%- set ZEEK_ENABLED = salt['pillar.get']('zeek:enabled', True) %} {%- set MDENGINE = GLOBALS.md_engine %} +{%- set LOGSTASH_ENABLED = LOGSTASH_MERGED.enabled %} # Global tags can be specified here in key="value" format. [global_tags] role = "{{ GLOBALS.role.split('-') | last }}" @@ -241,12 +242,8 @@ # ## Use TLS but skip chain & host verification # # insecure_skip_verify = false -{%- set logstash_metrics_roles = ['so-searchnode','so-standalone','so-managersearch','so-heavynode'] %} -{%- if GLOBALS.pipeline != "KAFKA" %} -{%- set logstash_metrics_roles = logstash_metrics_roles + ['so-manager', 'so-receiver'] %} -{%- endif %} - -{%- if grains.role in logstash_metrics_roles %} +{#- Fleet nodes do not have pillar access to logstash credentials #} +{%- if LOGSTASH_ENABLED and grains.role != 'so-fleet' %} [[inputs.logstash]] url = "http://localhost:9600" collect = ["pipelines"] diff --git a/salt/telegraf/scripts/agentstatus.sh b/salt/telegraf/scripts/agentstatus.sh index 718f0e5ce..9a79e2237 100644 --- a/salt/telegraf/scripts/agentstatus.sh +++ b/salt/telegraf/scripts/agentstatus.sh 
@@ -20,13 +20,14 @@ if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then OFFLINE=$(cat $LOGFILE | grep -wF offline | awk '{print $2}' | tr -d ',') UPDATING=$(cat $LOGFILE | grep -wF updating | awk '{print $2}' | tr -d ',') UNENROLLED=$(cat $LOGFILE | grep -wF unenrolled | awk '{print $2}' | tr -d ',') - OTHER=$(cat $LOGFILE | grep -wF other | awk '{print $2}' | tr -d ',') - EVENTS=$(cat $LOGFILE | grep -wF events | awk '{print $2}' | tr -d ',') - TOTAL=$(cat $LOGFILE | grep -wF total | awk '{print $2}' | tr -d ',') + ORPHANED=$(cat $LOGFILE | grep -wF orphaned | awk '{print $2}' | tr -d ',') + UNINSTALLED=$(cat $LOGFILE | grep -wF uninstalled | awk '{print $2}' | tr -d ',') ALL=$(cat $LOGFILE | grep -wF all | awk '{print $2}' | tr -d ',') ACTIVE=$(cat $LOGFILE | grep -wF active | awk '{print $2}' | tr -d ',') + OTHER=$(cat $LOGFILE | grep -wF other | awk '{print $2}' | tr -d ',') + EVENTS=$(cat $LOGFILE | grep -wF events | awk '{print $2}' | tr -d ',') - echo "agentstatus online=$ONLINE,error=$ERROR,inactive=$INACTIVE,offline=$OFFLINE,updating=$UPDATING,unenrolled=$UNENROLLED,other=$OTHER,events=$EVENTS,total=$TOTAL,all=$ALL,active=$ACTIVE" + echo "agentstatus online=$ONLINE,error=$ERROR,inactive=$INACTIVE,offline=$OFFLINE,updating=$UPDATING,unenrolled=$UNENROLLED,orphaned=$ORPHANED,uninstalled=$UNINSTALLED,all=$ALL,active=$ACTIVE,other=$OTHER,events=$EVENTS" fi fi diff --git a/salt/telegraf/ssl.sls b/salt/telegraf/ssl.sls new file mode 100644 index 000000000..cd02cfe2b --- /dev/null +++ b/salt/telegraf/ssl.sls 
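Review bot: The new `ORPHANED` and `UNINSTALLED` counters are read with `grep -wF orphaned` / `grep -wF uninstalled` from `$LOGFILE`, so when a status is absent from the agent output the variable is empty and the emitted line becomes `orphaned=,uninstalled=,...`, which is not valid line protocol and will cause the whole `agentstatus` measurement to be dropped rather than a single field; this already applied to the older fields but the change makes it more likely since it depends on which statuses the agent status command reports. Default the values before building the output line, e.g. `ORPHANED=${ORPHANED:-0}` and `UNINSTALLED=${UNINSTALLED:-0}` (and the same for the other counters). While touching these lines, `$LOGFILE` should be quoted and `grep -wF orphaned "$LOGFILE"` avoids the `cat` pipeline. The enclosing `if` block starts outside the hunk.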
@@ -0,0 +1,66 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls.split('.')[0] in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} +{% from 'ca/map.jinja' import CA %} + +telegraf_key: + x509.private_key_managed: + - name: /etc/pki/telegraf.key + - keysize: 4096 + - backup: True + - new: True + {% if salt['file.file_exists']('/etc/pki/telegraf.key') -%} + - prereq: + - x509: /etc/pki/telegraf.crt + {%- endif %} + - retry: + attempts: 5 + interval: 30 + +# Create a cert for the talking to telegraf +telegraf_crt: + x509.certificate_managed: + - name: /etc/pki/telegraf.crt + - ca_server: {{ CA.server }} + - signing_policy: influxdb + - private_key: /etc/pki/telegraf.key + - CN: {{ GLOBALS.hostname }} + - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} + - days_remaining: 7 + - days_valid: 820 + - backup: True + - timeout: 30 + - retry: + attempts: 5 + interval: 30 + +telegraf_key_perms: + file.managed: + - replace: False + - name: /etc/pki/telegraf.key + - mode: 640 + - group: 939 + +{% if not GLOBALS.is_manager %} +{# Prior to 2.4.220, minions used influxdb.crt and key for telegraf #} +remove_influxdb.crt: + file.absent: + - name: /etc/pki/influxdb.crt + +remove_influxdb.key: + file.absent: + - name: /etc/pki/influxdb.key +{% endif %} + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} diff --git a/salt/top.sls b/salt/top.sls index d80806564..007c62b59 100644 --- a/salt/top.sls +++ b/salt/top.sls 
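Review bot: `telegraf_key` writes `/etc/pki/telegraf.key` with whatever mode the x509 module uses by default, and only the later `telegraf_key_perms` state tightens it to `640`/group `939`; there is no `require`/`prereq` tying the two, so the ordering relies on file order and the key exists briefly with the default permissions, and a re-generated key on renewal (`new: True` with the `prereq` on the certificate) goes through the same window. If the x509 state in use accepts file arguments, pass `- mode: '0640'` and `- group: 939` directly on `telegraf_key`; otherwise at least add a `- require: - x509: telegraf_key` on `telegraf_key_perms`. Two documentation nits: the comment `# Create a cert for the talking to telegraf` should read `# Create the client cert telegraf uses to talk to influxdb` (the cert is signed under the `influxdb` policy and presented by telegraf), and `{# Prior to 2.4.220, ... #}` names a version that should be confirmed against the release this change ships in.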
@@ -37,6 +37,7 @@ base: 'not ( *_manager* or *_eval or *_import or *_standalone ) and G@saltversion:{{saltversion}}': - match: compound - salt.minion + - ca - patch.os.schedule - motd - salt.minion-check @@ -49,6 +50,7 @@ base: '( *_manager* or *_eval or *_import or *_standalone ) and G@saltversion:{{saltversion}} and not I@node_data:False': - match: compound - salt.minion + - ca - patch.os.schedule - motd - salt.minion-check @@ -61,8 +63,6 @@ base: - match: compound - salt.master - sensor - - ca - - ssl - registry - manager - backup.config_backup @@ -91,8 +91,6 @@ base: - match: compound - salt.master - sensor - - ca - - ssl - registry - manager - backup.config_backup @@ -124,8 +122,6 @@ base: '*_manager or *_managerhype and G@saltversion:{{saltversion}} and not I@node_data:False': - match: compound - salt.master - - ca - - ssl - registry - nginx - influxdb @@ -157,8 +153,6 @@ base: '*_managersearch and G@saltversion:{{saltversion}} and not I@node_data:False': - match: compound - salt.master - - ca - - ssl - registry - nginx - influxdb @@ -187,8 +181,6 @@ base: - match: compound - salt.master - sensor - - ca - - ssl - registry - manager - nginx @@ -212,7 +204,6 @@ base: '*_searchnode and G@saltversion:{{saltversion}}': - match: compound - firewall - - ssl - elasticsearch - logstash - sensoroni @@ -225,7 +216,6 @@ base: '*_sensor and G@saltversion:{{saltversion}}': - match: compound - sensor - - ssl - sensoroni - telegraf - firewall @@ -241,7 +231,6 @@ base: '*_heavynode and G@saltversion:{{saltversion}}': - match: compound - sensor - - ssl - sensoroni - telegraf - nginx @@ -259,7 +248,6 @@ base: '*_receiver and G@saltversion:{{saltversion}}': - match: compound - - ssl - sensoroni - telegraf - firewall @@ -271,7 +259,6 @@ base: '*_idh and G@saltversion:{{saltversion}}': - match: compound - - ssl - sensoroni - telegraf - firewall @@ -280,7 +267,6 @@ base: '*_fleet and G@saltversion:{{saltversion}}': - match: compound - - ssl - sensoroni - telegraf - firewall 
@@ -293,7 +279,6 @@ base: '*_hypervisor and I@features:vrt and G@saltversion:{{saltversion}}': - match: compound - - ssl - sensoroni - telegraf - firewall @@ -304,7 +289,6 @@ base: - stig '*_desktop and G@saltversion:{{saltversion}}': - - ssl - sensoroni - telegraf - elasticfleet.install_agent_grid diff --git a/setup/so-functions b/setup/so-functions index b93c01715..3959a3f9a 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1121,16 +1121,6 @@ generate_ca() { logCmd "openssl x509 -in /etc/pki/ca.crt -noout -subject -issuer -dates" } -generate_ssl() { - # if the install type is a manager then we need to wait for the minion to be ready before trying - # to run the ssl state since we need the minion to sign the certs - if [[ $waitforstate ]]; then - (wait_for_salt_minion "$MINION_ID" "5" '/dev/stdout' || fail_setup) 2>&1 | tee -a "$setup_log" - fi - info "Applying SSL state" - logCmd "salt-call state.apply ssl -l info" -} - generate_passwords(){ title "Generate Random Passwords" INFLUXPASS=$(get_random_value) @@ -1644,7 +1634,7 @@ reinstall_init() { { # remove all of root's cronjobs - logCmd "crontab -r -u root" + crontab -r -u root if command -v salt-call &> /dev/null && grep -q "master:" /etc/salt/minion 2> /dev/null; then # Disable schedule so highstate doesn't start running during the install @@ -1654,8 +1644,7 @@ reinstall_init() { salt-call -l info saltutil.kill_all_jobs --local fi - logCmd "salt-call state.apply ca.remove -linfo --local --file-root=../salt" - logCmd "salt-call state.apply ssl.remove -linfo --local --file-root=../salt" + salt-call state.apply ca.remove -linfo --local --file-root=../salt # Kill any salt processes (safely) for service in "${salt_services[@]}"; do 
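Review bot: In the `reinstall_init` hunk the `ssl.remove` state application is dropped, leaving only `salt-call state.apply ca.remove -linfo --local --file-root=../salt`, while this same change extends `salt/ssl/remove.sls` with absent-states for the telegraf and elasticfleet keys and certificates; unless `ca.remove` now includes `ssl.remove` (not visible here), a reinstall keeps the previous grid's private keys, `.p8` files and the old trust anchor (`/etc/pki/tls/certs/intca.crt`, whose removal was also taken out of `remove.sls`) on disk. Either keep `salt-call state.apply ssl.remove -linfo --local --file-root=../salt` after the `ca.remove` line or confirm and comment that `ca.remove` covers it, e.g. `# ca.remove includes ssl.remove`. The switch from `logCmd "..."` to a bare `salt-call ...` (and `crontab -r -u root` in the previous hunk) also removes the command and its output from the setup log; if that is deliberate because the log file is not yet open at this point of `reinstall_init`, a comment saying so would help. `reinstall_init` starts and ends outside the hunk.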
@@ -1668,7 +1657,7 @@ reinstall_init() {
 local count=0
 while check_service_status "$service"; do
 if [[ $count -gt $service_retry_count ]]; then
- info "Could not stop $service after 1 minute, exiting setup."
+ echo "Could not stop $service after 1 minute, exiting setup."
 # Stop the systemctl process trying to kill the service, show user a message, then exit setup
 kill -9 $pid
@@ -1706,10 +1695,10 @@ reinstall_init() {
 backup_dir /nsm/influxdb "$date_string"
 # Uninstall local Elastic Agent, if installed
- logCmd "elastic-agent uninstall -f"
+ elastic-agent uninstall -f
 if [[ $is_deb ]]; then
- info "Unholding previously held packages."
+ echo "Unholding previously held packages."
 apt-mark unhold $(apt-mark showhold)
 fi
diff --git a/setup/so-setup b/setup/so-setup
index d09e8fc35..dbb06a3f7 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -773,12 +773,9 @@ if ! [[ -f $install_opt_file ]]; then
 # wait here until we get a response from the salt-master since it may have just restarted
 # exit setup after 5-6 minutes of trying
 check_salt_master_status || fail "Can't access salt master or it is not ready"
- # apply the ca state to create the ca and put it in the mine early in the install
+ # apply the ca state to create the ca and symlink to local/salt/ca/files/ca.crt
 # the minion ip will already be in the mine from configure_minion function in so-functions
 generate_ca
- # this will also call the ssl state since docker requires the intca
- # the salt-minion service will need to be up on the manager to sign requests
- generate_ssl
 logCmd "salt-call state.apply docker"
 firewall_generate_templates
 set_initial_firewall_policy
@@ -802,14 +799,6 @@ if ! [[ -f $install_opt_file ]]; then
 logCmd "salt-call state.apply influxdb -l info"
 logCmd "salt-call state.highstate -l info"
 logCmd "salt-call schedule.disable -linfo --local"
- if [[ ! $is_airgap ]]; then
- title "Downloading IDS Rules"
- logCmd "so-rule-update"
- if [[ $monints || $is_import ]]; then
- title "Applying the Suricata state to load the new rules"
- logCmd "salt-call state.apply suricata -l info"
- fi
- fi
 if [[ $is_airgap ]]; then
 title "Syncing AI-Generated Detection Summaries"
 airgap_detection_summaries
@@ -831,6 +820,11 @@ if ! [[ -f $install_opt_file ]]; then
 fi
 checkin_at_boot
 set_initial_firewall_access
+ initialize_elasticsearch_indices "so-case so-casehistory so-assistant-session so-assistant-chat"
+ # run a final highstate before enabling scheduled highstates.
+ # this will ensure so-elasticsearch-ilm-policy-load and so-elasticsearch-templates-load have a chance to run after elasticfleet is setup
+ info "Running final highstate for setup"
+ logCmd "salt-call state.highstate -l info"
 logCmd "salt-call schedule.enable -linfo --local"
 verify_setup
 else
diff --git a/setup/so-verify b/setup/so-verify
index f99c6e418..8d23275ea 100755
--- a/setup/so-verify
+++ b/setup/so-verify
@@ -69,6 +69,8 @@ log_has_errors() {
 grep -vE "Running scope as unit" | \
 grep -vE "securityonion-resources/sigma/stable" | \
 grep -vE "remove_failed_vm.sls" | \
+ grep -vE "failed to copy: httpReadSeeker" | \
+ grep -vE "Error response from daemon: failed to resolve reference" | \
 grep -vE "log-.*-pipeline_failed_attempts" &> "$error_log"
 if [[ $? -eq 0 ]]; then
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 6fc5cbba5..390d5f258 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
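Review bot: Non-airgap installs no longer run `so-rule-update` or the follow-up `state.apply suricata` during setup, and nothing on this page shows what fetches the IDS rules instead; unless the final highstate added in the `@@ -831` hunk or a scheduled job now does this, a new sensor starts monitoring with whatever ruleset is already present until the first scheduled update, which is worth stating explicitly. A short comment after the `schedule.disable` line, e.g. `# IDS rule download no longer happens in setup; rules are fetched by [scheduled rule update job]`, would record the new behaviour and where to look when a fresh install has no rules. The enclosing `if ! [[ -f $install_opt_file ]]` block starts and ends outside the hunk.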
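Review bot: The new `initialize_elasticsearch_indices "so-case so-casehistory so-assistant-session so-assistant-chat"` call is neither wrapped in `logCmd` like the surrounding steps nor has its exit status checked, so a failure to create the indices flows straight into the final highstate and `verify_setup`. Its definition is not on this page; if it does not call `fail` itself, `initialize_elasticsearch_indices "so-case so-casehistory so-assistant-session so-assistant-chat" || fail "Could not initialize Elasticsearch indices"` would match how `check_salt_master_status` is guarded in the `@@ -773` hunk. The enclosing `if ! [[ -f $install_opt_file ]]` block starts and ends outside the hunk.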
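Review bot: The added exclusion `grep -vE "Error response from daemon: failed to resolve reference"` suppresses every image-pull failure of that form from `log_has_errors`, not only the transient one it was presumably added for, so a setup whose image pull never succeeded (wrong tag, unreachable registry) can still pass `so-verify`; the same applies, more narrowly, to `failed to copy: httpReadSeeker`. If these errors are retried by the docker state and a persistent failure surfaces elsewhere, a comment above the two new lines saying so, e.g. `# transient registry errors that are retried; a persistent pull failure is reported by [the check that covers it]`, would justify the exclusion; otherwise a follow-up check that the expected container images are present would keep verification honest. log_has_errors' body continues outside the hunk.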
@@ -14,7 +14,7 @@ whiptail_airgap() {
 [[ $is_manager || $is_import ]] && node_str='manager'
 INTERWEBS=$(whiptail --title "$whiptail_title" --menu \
- "How should this $node_str be installed?\n\nFor more information, please see:\n$DOC_BASE_URL/airgap.html" 13 70 2 \
+ "How should this $node_str be installed?\n\nFor more information, please see:\n$DOC_BASE_URL/airgap" 13 70 2 \
 "Standard " "This $node_str has access to the Internet" \
 "Airgap " "This $node_str does not have access to the Internet" 3>&1 1>&2 2>&3 )
@@ -156,7 +156,7 @@ whiptail_accept_telemetry() {
 Adjust this setting at anytime via the SOC Configuration screen.
- Documentation: https://docs.securityonion.net/en/2.4/telemetry.html
+ Documentation: https://securityonion.net/docs/telemetry
 Enable SOC Telemetry to help improve future releases?
 EOM
@@ -289,7 +289,7 @@ whiptail_storage_requirements() {
 You need ${needed_val} to meet minimum requirements.
- Visit $DOC_BASE_URL/hardware.html for more information.
+ Visit $DOC_BASE_URL/hardware for more information.
 Select YES to continue anyway, or select NO to cancel.
 EOM
@@ -588,7 +588,7 @@ whiptail_install_type() {
 # What kind of install are we doing?
 if [[ "$OSVER" != "focal" ]]; then
 install_type=$(whiptail --title "$whiptail_title" --menu \
- "What kind of installation would you like to do?\n\nFor more information, please see:\n$DOC_BASE_URL/architecture.html" 18 65 5 \
+ "What kind of installation would you like to do?\n\nFor more information, please see:\n$DOC_BASE_URL/architecture" 18 65 5 \
 "IMPORT" "Import PCAP or log files " \
 "EVAL" "Evaluation mode (not for production) " \
 "STANDALONE" "Standalone production install " \
@@ -598,7 +598,7 @@ whiptail_install_type() {
 )
 elif [[ "$OSVER" == "focal" ]]; then
 install_type=$(whiptail --title "$whiptail_title" --menu \
- "What kind of installation would you like to do?\n\nFor more information, please see:\n$DOC_BASE_URL/architecture.html" 18 65 5 \
+ "What kind of installation would you like to do?\n\nFor more information, please see:\n$DOC_BASE_URL/architecture" 18 65 5 \
 "DISTRIBUTED" "Distributed install submenu " \
 3>&1 1>&2 2>&3 )
@@ -649,7 +649,7 @@ whiptail_install_type_dist_new() {
 read -r -d '' mngr_msg <<- EOM
 Choose a distributed manager type to start a new grid.
- See $DOC_BASE_URL/architecture.html for details.
+ See $DOC_BASE_URL/architecture for details.
 Note: MANAGER is the recommended option for most users. MANAGERSEARCH should only be used in very specific situations.
 EOM
@@ -670,7 +670,7 @@ whiptail_install_type_dist_existing() {
 local node_msg
 read -r -d '' node_msg <<- EOM
- Choose a distributed node type to join to an existing grid. See $DOC_BASE_URL/architecture.html for details.
+ Choose a distributed node type to join to an existing grid. See $DOC_BASE_URL/architecture for details.
 Note: Heavy nodes (HEAVYNODE) are NOT recommended for most users.
 EOM
@@ -1420,7 +1420,7 @@ whiptail_storage_requirements() {
 You need ${needed_val} to meet minimum requirements.
- Visit $DOC_BASE_URL/hardware.html for more information.
+ Visit $DOC_BASE_URL/hardware for more information.
 Select YES to continue anyway, or select NO to cancel.
 EOM
diff --git a/sigs/securityonion-2.4.210-20260302.iso.sig b/sigs/securityonion-2.4.210-20260302.iso.sig
new file mode 100644
index 000000000..8c418340f
Binary files /dev/null and b/sigs/securityonion-2.4.210-20260302.iso.sig differ