Merge remote-tracking branch 'remotes/origin/2.4/dev' into reyesj2/kafka

salt/elasticsearch/defaults.yaml

@@ -11088,6 +11088,117 @@ elasticsearch:
               set_priority:
                 priority: 50
             min_age: 30d
+    so-suricata_x_alerts:
+      index_sorting: false
+      index_template:
+        composed_of:
+        - agent-mappings
+        - dtc-agent-mappings
+        - base-mappings
+        - dtc-base-mappings
+        - client-mappings
+        - dtc-client-mappings
+        - cloud-mappings
+        - container-mappings
+        - data_stream-mappings
+        - destination-mappings
+        - dtc-destination-mappings
+        - pb-override-destination-mappings
+        - dll-mappings
+        - dns-mappings
+        - dtc-dns-mappings
+        - ecs-mappings
+        - dtc-ecs-mappings
+        - error-mappings
+        - event-mappings
+        - dtc-event-mappings
+        - file-mappings
+        - dtc-file-mappings
+        - group-mappings
+        - host-mappings
+        - dtc-host-mappings
+        - http-mappings
+        - dtc-http-mappings
+        - log-mappings
+        - network-mappings
+        - dtc-network-mappings
+        - observer-mappings
+        - dtc-observer-mappings
+        - orchestrator-mappings
+        - organization-mappings
+        - package-mappings
+        - process-mappings
+        - dtc-process-mappings
+        - registry-mappings
+        - related-mappings
+        - rule-mappings
+        - dtc-rule-mappings
+        - server-mappings
+        - service-mappings
+        - dtc-service-mappings
+        - source-mappings
+        - dtc-source-mappings
+        - pb-override-source-mappings
+        - suricata-mappings
+        - threat-mappings
+        - tls-mappings
+        - tracing-mappings
+        - url-mappings
+        - user_agent-mappings
+        - dtc-user_agent-mappings
+        - vulnerability-mappings
+        - common-settings
+        - common-dynamic-mappings
+        data_stream: {}
+        index_patterns:
+        - logs-suricata.alerts-*
+        priority: 500
+        template:
+          mappings:
+            date_detection: false
+            dynamic_templates:
+            - strings_as_keyword:
+                mapping:
+                  ignore_above: 1024
+                  type: keyword
+                match_mapping_type: string
+          settings:
+            index:
+              lifecycle:
+                name: so-suricata.alerts-logs
+              mapping:
+                total_fields:
+                  limit: 5000
+              number_of_replicas: 0
+              number_of_shards: 1
+              refresh_interval: 30s
+              sort:
+                field: '@timestamp'
+                order: desc
+      policy:
+        phases:
+          cold:
+            actions:
+              set_priority:
+                priority: 0
+            min_age: 60d
+          delete:
+            actions:
+              delete: {}
+            min_age: 365d
+          hot:
+            actions:
+              rollover:
+                max_age: 1d
+                max_primary_shard_size: 50gb
+              set_priority:
+                priority: 100
+            min_age: 0ms
+          warm:
+            actions:
+              set_priority:
+                priority: 50
+            min_age: 30d
     so-syslog:
       index_sorting: false
       index_template:

salt/elasticsearch/files/ingest/suricata.alert

@@ -1,6 +1,7 @@
 {
   "description" : "suricata.alert",
   "processors" : [
+    { "set":   { "field": "_index", "value": "logs-suricata.alerts-so" } },
     { "set":   { "field": "tags","value": "alert" }},
     { "rename":{ "field": "message2.alert",	"target_field": "rule",	"ignore_failure": true 	} },
     { "rename":{ "field": "rule.signature",     "target_field": "rule.name", "ignore_failure": true  } },

salt/elasticsearch/soc_elasticsearch.yaml

@@ -521,6 +521,7 @@ elasticsearch:
     so-endgame: *indexSettings
     so-idh: *indexSettings
     so-suricata: *indexSettings
+    so-suricata_x_alerts: *indexSettings
     so-import: *indexSettings
     so-kratos: *indexSettings
     so-kismet: *indexSettings

salt/manager/tools/sbin/soup

@@ -358,6 +358,7 @@ preupgrade_changes() {
     [[ "$INSTALLEDVERSION" == 2.4.40 ]] && up_to_2.4.50
     [[ "$INSTALLEDVERSION" == 2.4.50 ]] && up_to_2.4.60
     [[ "$INSTALLEDVERSION" == 2.4.60 ]] && up_to_2.4.70
+    [[ "$INSTALLEDVERSION" == 2.4.70 ]] && up_to_2.4.80
     true
 }
 
@@ -375,6 +376,7 @@ postupgrade_changes() {
     [[ "$POSTVERSION"  == 2.4.40 ]] && post_to_2.4.50
     [[ "$POSTVERSION"  == 2.4.50 ]] && post_to_2.4.60
     [[ "$POSTVERSION"  == 2.4.60 ]] && post_to_2.4.70
+    [[ "$POSTVERSION"  == 2.4.70 ]] && post_to_2.4.80
     true
 }
 
@@ -448,6 +450,11 @@ post_to_2.4.70() {
   POSTVERSION=2.4.70
 }
 
+post_to_2.4.80() {
+  echo "Nothing to apply"
+  POSTVERSION=2.4.80
+}
+
 repo_sync() {
   echo "Sync the local repo."
   su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync."
@@ -611,6 +618,11 @@ up_to_2.4.70() {
   INSTALLEDVERSION=2.4.70
 }
 
+up_to_2.4.80() {
+  echo "Nothing to do for 2.4.80"
+  INSTALLEDVERSION=2.4.80
+}
+
 add_detection_test_pillars() {
   if [[ -n "$SOUP_INTERNAL_TESTING" ]]; then
     echo "Adding detection pillar values for automated testing"

salt/salt/master.defaults.yaml

@@ -1,4 +1,4 @@
 # version cannot be used elsewhere in this pillar as soup is grepping for it to determine if Salt needs to be patched
 salt:
   master:
-    version: 3006.6
+    version: 3006.8

salt/salt/minion.defaults.yaml

@@ -1,6 +1,6 @@
 # version cannot be used elsewhere in this pillar as soup is grepping for it to determine if Salt needs to be patched
 salt:
   minion:
-    version: 3006.6
+    version: 3006.8
     check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default
     service_start_delay: 30 # in seconds.

salt/soc/defaults.yaml

@@ -2253,3 +2253,36 @@ soc:
           severityTranslations:
             minor: low
             major: high
+          templateDetections:
+            suricata: |
+              alert tcp any any <> any any (msg:""; sid:[publicId];)
+            strelka: |
+              rule  {
+                meta:
+                  description = "";
+                strings:
+                  $x = \"string\";
+                condition:
+                  all of them;
+              }
+            elastalert: |
+              title:
+              id: [publicId]
+              status:
+              description:
+              references:
+                -
+              author:
+              date:
+              tags:
+                -
+              logsource:
+                product:
+                category:
+              detection:
+                selection:
+                condition: selection
+              falsepositives:
+                -
+              level:
+

salt/soc/soc_soc.yaml

@@ -319,6 +319,17 @@ soc:
         cases: *appSettings
         dashboards: *appSettings
         detections: *appSettings
+        detection:
+          templateDetections:
+            suricata:
+              description: The template used when creating a new Suricata detection. [publicId] will be replaced with an unused Public Id.
+              multiline: True
+            strelka:
+              description: The template used when creating a new Strelka detection.
+              multiline: True
+            elastalert:
+              description: The template used when creating a new ElastAlert detection. [publicId] will be replaced with an unused Public Id.
+              multiline: True
         grid:
           maxUploadSize:
             description: The maximum number of bytes for an uploaded PCAP import file.