From f144fa241fab4ddf67960e9f37f505172c3d2a72 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 18 May 2020 13:36:52 -0400
Subject: [PATCH 1/4] Change to URL base
---
 salt/soctopus/files/SOCtopus.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/soctopus/files/SOCtopus.conf b/salt/soctopus/files/SOCtopus.conf
index f2415d010..4b0a34c2e 100644
--- a/salt/soctopus/files/SOCtopus.conf
+++ b/salt/soctopus/files/SOCtopus.conf
@@ -1,4 +1,4 @@
-{%- set ip = salt['pillar.get']('static:masterip', '') %}
+{%- set ip = salt['pillar.get']('master:url_base', '') %}
 {%- set HIVEKEY = salt['pillar.get']('static:hivekey', '') %}
 {%- set CORTEXKEY = salt['pillar.get']('static:cortexorguserkey', '') %}
From a56c776695a349dbee5ecc498c021ee95ea760a3 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 18 May 2020 13:41:37 -0400
Subject: [PATCH 2/4] Update SOCtopus.conf
---
 salt/soctopus/files/SOCtopus.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/soctopus/files/SOCtopus.conf b/salt/soctopus/files/SOCtopus.conf
index 4b0a34c2e..f2415d010 100644
--- a/salt/soctopus/files/SOCtopus.conf
+++ b/salt/soctopus/files/SOCtopus.conf
@@ -1,4 +1,4 @@
-{%- set ip = salt['pillar.get']('master:url_base', '') %}
+{%- set ip = salt['pillar.get']('static:masterip', '') %}
 {%- set HIVEKEY = salt['pillar.get']('static:hivekey', '') %}
 {%- set CORTEXKEY = salt['pillar.get']('static:cortexorguserkey', '') %}
From a10617c1824bcb78552586eaf74c9e2052736437 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 18 May 2020 13:43:25 -0400
Subject: [PATCH 3/4] Update nids2hive.yaml
---
 salt/elastalert/files/rules/so/nids2hive.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elastalert/files/rules/so/nids2hive.yaml b/salt/elastalert/files/rules/so/nids2hive.yaml
index 0696d84d7..074fddb7f 100644
--- a/salt/elastalert/files/rules/so/nids2hive.yaml
+++ b/salt/elastalert/files/rules/so/nids2hive.yaml
@@ -1,5 +1,5 @@
 {% set es = salt['pillar.get']('static:masterip', '') %}
-{% set hivehost = salt['pillar.get']('static:masterip', '') %}
+{% set hivehost = salt['pillar.get']('master:url_base', '') %}
 {% set hivekey = salt['pillar.get']('static:hivekey', '') %}
 # hive.yaml
 # Elastalert rule to forward IDS alerts from Security Onion to a specified TheHive instance.
From b291b242eec873d78949e4de08079114faf4fd6c Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Mon, 18 May 2020 13:47:21 -0400
Subject: [PATCH 4/4] temporarily hardcode radius user.name to user.name.keyword
---
 salt/soc/files/soc/soc.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index 28ab2175e..fdead6459 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
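Review bot: `hivehost` now comes from the `master:url_base` pillar key while `es` on the line above still comes from `static:masterip`, and PATCH 2/4 reverts the equivalent change in `salt/soctopus/files/SOCtopus.conf`, so after this series the two TheHive integrations resolve the TheHive endpoint from different pillar keys; confirm that split is intended rather than an oversight. The variable keeps the name `hivehost` although the new key is a URL base, and the `''` fallback means an unset or empty `master:url_base` renders the rule with an empty endpoint instead of failing at state-apply time, which is the kind of silent misconfiguration that only shows up as missing cases in TheHive; a comment such as `# hivehost is taken from master:url_base (a URL base, not a bare IP); an unset pillar key renders as ''` would at least make the dependency visible to whoever maintains the pillar. How `hivehost` is consumed lies outside the hunk, so I cannot tell whether a URL base (possibly carrying scheme or path) is what the downstream alerter expects where a bare IP was previously used.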
@@ -126,7 +126,7 @@
 { "name": "NOTICE", "description": "Zeek notice logs grouped by message", "query": "event.module:zeek AND event.dataset:notice | groupby notice.message"},
 { "name": "NTLM", "description": "NTLM grouped by computer name", "query": "event.module:zeek AND event.dataset:ntlm | groupby ntlm.server.dns.name"},
 { "name": "PE", "description": "PE files list", "query": "event.module:zeek AND event.dataset:pe | groupby file.machine file.os file.subsystem"},
- { "name": "RADIUS", "description": "RADIUS grouped by username", "query": "event.module:zeek AND event.dataset:radius | groupby user.name"},
+ { "name": "RADIUS", "description": "RADIUS grouped by username", "query": "event.module:zeek AND event.dataset:radius | groupby user.name.keyword"},
 { "name": "RDP", "description": "RDP grouped by client name", "query": "event.module:zeek AND event.dataset:rdp | groupby client.name"},
 { "name": "RFB", "description": "RFB grouped by desktop name", "query": "event.module:zeek AND event.dataset:rfb | groupby rfb.desktop.name"},
 { "name": "Signatures", "description": "Zeek signatures grouped by signature id", "query": "event.module:zeek AND event.dataset:signatures | groupby signature_id"},
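Review bot: The switch to `user.name.keyword` is called temporary only in the commit message; strict JSON gives this file no place to record that, so the root cause and the condition for reverting should be written down wherever the team tracks the mapping work, otherwise the `.keyword` suffix will read as deliberate next to the neighbouring queries that group on bare fields (`client.name`, `rfb.desktop.name`, `signature_id`). If the reason is that `user.name` is mapped as `text` in the index template, the other `groupby` fields in this hunk may have the same problem and are worth checking against the mapping in the same pass. In ECS `user.name` is normally a `keyword` field, so needing the `.keyword` sub-field suggests the template diverges from ECS for this index — presumably that is the mapping defect the commit works around; confirm. The `user.name.keyword` sub-field also only exists where the mapping defines that multi-field, so the hardcode should be revisited once the template is fixed rather than left in place.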