Merge remote-tracking branch 'origin/2.4/dev' into 2.4/heavyrc2

2025-12-06 17:22:49 +01:00 · 2023-08-01 08:53:07 -04:00
parent 64bad0a9cf ba3660d0da
commit 63b4bdcebe
17 changed files with 18 additions and 17 deletions
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -5,7 +5,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.

-ELASTIC_AGENT_TARBALL_VERSION="8.7.1"
+ELASTIC_AGENT_TARBALL_VERSION="8.8.2"
 DEFAULT_SALT_DIR=/opt/so/saltstack/default
 DOC_BASE_URL="https://docs.securityonion.net/en/2.4"

--- a/salt/elasticfleet/defaults.yaml
+++ b/salt/elasticfleet/defaults.yaml
@@ -32,4 +32,5 @@ elasticfleet:
    - fim
    - github
    - google_workspace
+    - log
    - 1password
--- a/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/import-zeek-logs.json
+++ b/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/import-zeek-logs.json
@@ -13,7 +13,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/zeek-logs.json
+++ b/salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/zeek-logs.json
@@ -14,7 +14,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/idh-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/idh-logs.json
@@ -11,7 +11,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json
@@ -12,7 +12,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/import-suricata-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/import-suricata-logs.json
@@ -11,7 +11,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/kratos-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/kratos-logs.json
@@ -11,7 +11,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-auth-sync-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-auth-sync-logs.json
@@ -11,7 +11,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-salt-relay-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-salt-relay-logs.json
@@ -11,7 +11,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-sensoroni-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-sensoroni-logs.json
@@ -11,7 +11,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/soc-server-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/soc-server-logs.json
@@ -11,7 +11,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/strelka-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/strelka-logs.json
@@ -11,7 +11,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/elasticfleet/files/integrations/grid-nodes_general/suricata-logs.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes_general/suricata-logs.json
@@ -11,7 +11,7 @@
    "logs-logfile": {
      "enabled": true,
      "streams": {
-        "log.log": {
+        "log.logs": {
          "enabled": true,
          "vars": {
            "paths": [
--- a/salt/kibana/files/config_saved_objects.ndjson
+++ b/salt/kibana/files/config_saved_objects.ndjson
@@ -1 +1 @@
-{"attributes": {"buildNum": 39457,"defaultIndex": "logs-*","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n  \"from\": \"now-24h\",\n  \"to\": \"now\"\n}"},"coreMigrationVersion": "8.7.1","id": "8.7.1","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
+{"attributes": {"buildNum": 39457,"defaultIndex": "logs-*","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n  \"from\": \"now-24h\",\n  \"to\": \"now\"\n}"},"coreMigrationVersion": "8.8.2","id": "8.8.2","references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
--- a/salt/kibana/tools/sbin_jinja/so-kibana-config-load
+++ b/salt/kibana/tools/sbin_jinja/so-kibana-config-load
@@ -63,7 +63,7 @@ update() {

    IFS=$'\r\n' GLOBIGNORE='*' command eval  'LINES=($(cat $1))'
    for i in "${LINES[@]}"; do
-      RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -X PUT "localhost:5601/api/saved_objects/config/8.7.1" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
+      RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -X PUT "localhost:5601/api/saved_objects/config/8.8.2" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
      echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi
    done
 
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1140,7 +1140,7 @@ soc:
              showSubtitle: true
            - name: SOC - Auth
              description: Users authenticated to SOC grouped by IP address and identity
-              query: 'event.dataset:kratos.audit AND msg:authenticated | groupby http_request.headers.x-real-ip identity_id'
+              query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http_request.headers.x-real-ip identity_id'
              showSubtitle: true
            - name: SOC - App
              description: Logs generated by the Security Onion Console (SOC) server and modules
@@ -1405,7 +1405,7 @@ soc:
              query: '* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module* | groupby event.dataset | groupby event.module* | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
            - name: SOC Auth
              description: SOC (Security Onion Console) authentication logs
-              query: 'event.dataset:kratos.audit AND msg:authenticated | groupby -sankey http_request.headers.x-real-ip identity_id | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent'
+              query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby -sankey http_request.headers.x-real-ip identity_id | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent'
            - name: Elastalerts
              description: Elastalert logs
              query: '_index: "*:elastalert*" | groupby rule_name | groupby alert_info.type'