From 6af030848246048f60b75c3b6f3216b184388402 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 15 May 2024 16:26:44 -0400 Subject: [PATCH 1/6] add a newline --- .../tools/sbin_jinja/so-elastic-agent-gen-installers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers index ff46a3e07..1e4222cae 100755 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers @@ -72,5 +72,5 @@ do printf "\n### $GOOS/$GOARCH Installer Generated...\n" done -printf "\n### Cleaning up temp files in /nsm/elastic-agent-workspace" +printf "\n### Cleaning up temp files in /nsm/elastic-agent-workspace\n" rm -rf /nsm/elastic-agent-workspace From b4aec9a9d02543338959b79120cd18f941371db2 Mon Sep 17 00:00:00 2001 From: DefensiveDepth Date: Wed, 15 May 2024 16:29:21 -0400 Subject: [PATCH 2/6] alphabetical order --- salt/soc/defaults.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index ca64c6b7b..1f9fe686b 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -2182,9 +2182,9 @@ soc: manualSync: customEnabled: false labels: - - Suricata - - Strelka - ElastAlert + - Strelka + - Suricata eventFields: default: - so_detection.title From 8076ea0e0aae1562f31b7d50c7a44f0665e53090 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 15 May 2024 16:34:05 -0400 Subject: [PATCH 3/6] add another space --- salt/manager/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 14d914df8..d9d8c298f 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup 
@@ -438,7 +438,7 @@ post_to_2.4.60() { } post_to_2.4.70() { - echo "Removing idh.services from any existing IDH node pillar files" + printf "\nRemoving idh.services from any existing IDH node pillar files\n" for file in /opt/so/saltstack/local/pillar/minions/*.sls; do if [[ $file =~ "_idh.sls" && ! $file =~ "/opt/so/saltstack/local/pillar/minions/adv_" ]]; then echo "Removing idh.services from: $file" From ab9ec2ec6b0002da76c671dfc8e2202aa64d01b2 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 15 May 2024 18:04:01 -0400 Subject: [PATCH 4/6] Update soup --- salt/manager/tools/sbin/soup | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index d9d8c298f..525fce3f6 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -663,6 +663,7 @@ suricata_idstools_migration() { #Tell SOC to migrate mkdir -p /opt/so/conf/soc/migrations echo "0" > /opt/so/conf/soc/migrations/suricata-migration-2.4.70 + chown -R socore:socore /opt/so/conf/soc/migrations } playbook_migration() { From 477181036112e7d8929e8cf0f5b4a835c2d4cad1 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 15 May 2024 19:10:50 -0400 Subject: [PATCH 5/6] exclude detect-parse errors --- salt/common/tools/sbin/so-log-check | 1 + salt/suricata/soc_suricata.yaml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-log-check b/salt/common/tools/sbin/so-log-check index 67eff6d54..5bee4d254 100755 --- a/salt/common/tools/sbin/so-log-check +++ b/salt/common/tools/sbin/so-log-check @@ -202,6 +202,7 @@ if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then EXCLUDED_ERRORS="$EXCLUDED_ERRORS|parsing_exception" # Elastalert EQL parsing issue. Temp. EXCLUDED_ERRORS="$EXCLUDED_ERRORS|context deadline exceeded" EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Error running query:" # Specific issues with detection rules + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|detect-parse" # Suricata encountering a malformed rule fi RESULT=0 
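Review bot: The added `chown -R` recurses over the entire /opt/so/conf/soc/migrations tree rather than just the marker this function creates, so ownership of anything else already under that directory is silently rewritten too, and the command's exit status is not checked. The hunk only creates the directory and the single `suricata-migration-2.4.70` file, so a targeted `chown socore:socore /opt/so/conf/soc/migrations /opt/so/conf/soc/migrations/suricata-migration-2.4.70` is narrower and makes the intent explicit. The marker is written with `echo "0" >` under whatever umask soup runs with; if SOC is expected to update that "0" later it presumably needs write access as socore, which the chown grants but no mode is set, so worth confirming against the SOC side. suricata_idstools_migration() starts before this hunk.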
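Review bot: Excluding the bare substring `detect-parse` on the new line in so-log-check hides every Suricata rule-parse error, not just the one malformed rule the trailing comment refers to; a signature that fails to parse is not loaded, which is precisely the case where a detection goes silently missing and this check would otherwise surface it. If the goal is to tolerate one known bad rule, anchor the pattern on the specific message or SID that is noisy and mark it as temporary like the `parsing_exception` entry above it, e.g. `EXCLUDED_ERRORS="$EXCLUDED_ERRORS|detect-parse" # Suricata malformed rule. Temp - narrow to the exact message/SID once the offending rule is fixed`. Since the list is joined with `|` it is presumably used as a regex alternation, so the unanchored token also matches inside any longer message that happens to contain it. The enclosing `if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]` block closes inside the hunk.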
diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml index 75ad1e476..e157ff852 100644 --- a/salt/suricata/soc_suricata.yaml +++ b/salt/suricata/soc_suricata.yaml @@ -12,7 +12,7 @@ suricata: title: SIDS helpLink: suricata.html readonlyUi: True - advanced: true + advanced: True classification: classification__config: description: Classifications config file. From 9d4668f4d32205ffabd7fc0d96708decdea6ff21 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Thu, 16 May 2024 15:45:55 -0400 Subject: [PATCH 6/6] Revert "dont merge policy from global_overrides if not defined in default index_settings" --- salt/elasticsearch/template.map.jinja | 6 ------ 1 file changed, 6 deletions(-) diff --git a/salt/elasticsearch/template.map.jinja b/salt/elasticsearch/template.map.jinja index 8d40d9e4d..f5a124a9a 100644 --- a/salt/elasticsearch/template.map.jinja +++ b/salt/elasticsearch/template.map.jinja @@ -19,12 +19,6 @@ {% set ES_INDEX_SETTINGS = {} %} {% do ES_INDEX_SETTINGS_GLOBAL_OVERRIDES.update(salt['defaults.merge'](ES_INDEX_SETTINGS_GLOBAL_OVERRIDES, ES_INDEX_PILLAR, in_place=False)) %} {% for index, settings in ES_INDEX_SETTINGS_GLOBAL_OVERRIDES.items() %} -{# if policy isn't defined in the original index settings, then dont merge policy from the global_overrides #} -{# this will prevent so-elasticsearch-ilm-policy-load from trying to load policy on non ILM manged indices #} -{% if not ES_INDEX_SETTINGS_ORIG[index].policy is defined %} -{% do ES_INDEX_SETTINGS_GLOBAL_OVERRIDES[index].pop('policy') %} -{% endif %} - {% if settings.index_template is defined %} {% if not settings.get('index_sorting', False) | to_bool and settings.index_template.template.settings.index.sort is defined %} {% do settings.index_template.template.settings.index.pop('sort') %}