Merge pull request #523 from Security-Onion-Solutions/fix/elastic_improvements

Fix/elastic improvements

salt/elasticsearch/files/ingest/ossec.alert

@@ -33,6 +33,7 @@
     { "rename":         { "field": "data.win.eventdata.user",                   "target_field": "user.name",            "ignore_missing": true  } },
     { "rename":         { "field": "data.win.system.eventID",                   "target_field": "event.code",           "ignore_missing": true  } },
     { "rename":         { "field": "predecoder.program_name",                   "target_field": "process.name",         "ignore_missing": true  } },
+    { "rename":         { "field": "rule.description",                   "target_field": "rule.name",         "ignore_missing": true  } },
     { "set":            { "if": "ctx.rule.level == 1",          "field": "rule.category", "value": "None"                               } },
     { "set":            { "if": "ctx.rule.level == 2",          "field": "rule.category", "value": "System low priority notification"   } },
     { "set":            { "if": "ctx.rule.level == 3",          "field": "rule.category", "value": "Successful/authorized event"        } },

salt/elasticsearch/files/ingest/strelka.file

@@ -5,7 +5,7 @@
     { "rename":         { "field": "message2.file",        "target_field": "file",          "ignore_missing": true  } },
     { "rename":         { "field": "message2.scan",        "target_field": "scan",          "ignore_missing": true  } },
     { "rename":         { "field": "message2.request",        "target_field": "request",          "ignore_missing": true  } },
-    { "rename":         { "field": "scan.hash",        "target_field": "file.hash",          "ignore_missing": true  } },
+    { "rename":         { "field": "scan.hash",        "target_field": "hash",          "ignore_missing": true  } },
     { "remove":         { "field": ["host", "path"],                                         "ignore_missing": true  } },
     { "pipeline":       { "name": "common"                                                                                   } }
   ]

salt/elasticsearch/files/ingest/zeek.dnp3

@@ -3,9 +3,9 @@
   "processors" : [
     { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
     { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
-    { "rename": 	{ "field": "message2.fc_request",	"target_field": "fc_request",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.fc_request",	"target_field": "dnp3.fc_request",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.fc_reply", 	"target_field": "fc_reply",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.fc_reply", 	"target_field": "dnp3.fc_reply",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.iin", 		"target_field": "iin",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.iin", 		"target_field": "dnp3.iin",			"ignore_missing": true 	} },
     { "pipeline":       { "name": "zeek.common"                                                                                   } }
   ]
 }

salt/elasticsearch/files/ingest/zeek.files

@@ -4,8 +4,8 @@
     { "remove":         { "field": ["host"],     "ignore_failure": true                                                                  } },
     { "json":		{ "field": "message",			"target_field": "message2",		"ignore_failure": true	} },
     { "rename": 	{ "field": "message2.fuid", 	 	"target_field": "log.id.fuid",			"ignore_missing": true 	} },
-    { "rename":         { "field": "message2.rx_hosts",         "target_field": "file.receive_ip",            "ignore_missing": true  } },
+    { "rename":         { "field": "message2.rx_hosts",         "target_field": "destination.ip",            "ignore_missing": true  } },
-    { "rename": 	{ "field": "message2.tx_hosts", 	"target_field": "file.transmit_ip",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.tx_hosts", 	"target_field": "source.ip",		"ignore_missing": true 	} },
     { "set":         { "field": "server.ip",         "value": "{{source.ip}}",            "ignore_failure": true  } },
     { "set":         { "field": "client.ip",         "value": "{{destination.ip}}",            "ignore_failure": true  } },
     { "rename": 	{ "field": "message2.conn_uids", 	"target_field": "log.id.uids",			"ignore_missing": true 	} },

salt/elasticsearch/files/ingest/zeek.notice

@@ -7,20 +7,20 @@
     { "rename": 	{ "field": "message2.mime", 		"target_field": "file.mimetype",	"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.desc", 		"target_field": "file.description",	"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.note", 		"target_field": "note",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.note", 		"target_field": "notice.note",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.msg", 		"target_field": "msg",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.msg", 		"target_field": "notice.message",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.sub", 		"target_field": "sub_msg",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.sub", 		"target_field": "notice.sub_message",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.p", 		"target_field": "p",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.p", 		"target_field": "notice.p",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.n", 		"target_field": "n",			"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.n", 		"target_field": "notice.n",			"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.peer_descr",	"target_field": "peer_description",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.peer_descr",	"target_field": "notice.peer_description",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.actions", 		"target_field": "action",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.actions", 		"target_field": "notice.action",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.suppress_for", 	"target_field": "suppress_for",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.suppress_for", 	"target_field": "notice.suppress_for",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.dropped", 		"target_field": "dropped",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.dropped", 		"target_field": "notice.dropped",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.destination_country_code",	"target_field": "destination_country_code",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.destination_country_code",	"target_field": "geo.destination_country_code",	"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.destination_region", 	"target_field": "destination_region",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.destination_region", 	"target_field": "geo.destination_region",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.destination_city", 	"target_field": "destination_city",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.destination_city", 	"target_field": "geo.destination_city",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.destination_latitude", 	"target_field": "destination_latitude",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.destination_latitude", 	"target_field": "geo.destination_latitude",		"ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.destination_longitude", 	"target_field": "destination_longitude",	"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.destination_longitude", 	"target_field": "geo.destination_longitude",	"ignore_missing": true 	} },
     { "pipeline":       { "name": "zeek.common"                                                                                   } }
   ]
 }

salt/elasticsearch/files/ingest/zeek.rfb

@@ -8,7 +8,7 @@
     { "rename": 	{ "field": "message2.server_major_version",	"target_field": "rfb.server_major_version",	"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.server_minor_version",	"target_field": "rfb.server_minor_version",	"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.authentication_method",	"target_field": "rfb.authentication.method","ignore_missing": true 	} },
-    { "rename": 	{ "field": "message2.auth", 			"target_field": "rfb.authenticaiton.success",		"ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.auth", 			"target_field": "rfb.authentication.success",		"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.share_flag", 	"target_field": "rfb.share_flag",		"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.desktop_name", 	"target_field": "rfb.desktop.name",		"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.width", 		"target_field": "rfb.desktop.width",		"ignore_missing": true 	} },

salt/kibana/bin/so-kibana-config-load

@@ -31,8 +31,8 @@ curl -X PUT "localhost:5601/api/saved_objects/config/$KIBANA_VERSION" -H 'kbn-xs
 }'
 
 # Sub our IP for placholders
-for i in FLEETPLACEHOLDER PCAPPLACEHOLDER SOCTOPUSPLACEHOLDER; do
+for i in PLACEHOLDER FLEETPLACEHOLDER PCAPPLACEHOLDER SOCTOPUSPLACEHOLDER; do
-        sed -i "s/$i/{{ MASTER }}/" /opt/so/saltstack/salt/kibana/saved_objects.ndjson
+        sed -i "s/$i/{{ MASTER }}/g" /opt/so/saltstack/salt/kibana/saved_objects.ndjson
 done
 
 # Load saved objects

salt/logstash/pipelines/templates/so/so-common-template.json

@@ -184,6 +184,10 @@
           "type":"object",
           "dynamic": true
         },
+	"irc":{
+          "type":"object",
+          "dynamic": true
+        },
         "kerberos":{
           "type":"object",
           "dynamic": true
@@ -208,10 +212,18 @@
           "type":"object",
           "dynamic": true
         },
+	"mysql":{
+          "type":"object",
+          "dynamic": true
+        },
         "network":{
           "type":"object",
           "dynamic": true
         },
+	"notice":{
+          "type":"object",
+          "dynamic": true
+        },
         "ntlm":{
           "type":"object",
           "dynamic": true
@@ -316,6 +328,10 @@
           "type":"object",
           "dynamic": true
         },
+	"syslog":{
+          "type":"object",
+          "dynamic": true
+        },
         "tags":{
           "type":"text",
           "fields":{