CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch '2.4/dev' into kilo

Browse Source
This commit is contained in:
Jason Ertel
2023-07-18 10:49:12 -04:00
parent b24afac0f4 6816d06710
commit 83bff72cd4
25 changed files with 372 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
VERSION
View File

@@ -1 +1 @@
2.4.3 2.4.4

10
salt/elasticagent/config.sls
View File

@@ -28,6 +28,15 @@ elasticagentconfdir:
- group: 939 - group: 939
- makedirs: True - makedirs: True
elasticagent_sbin_jinja:
file.recurse:
- name: /usr/sbin
- source: salt://elasticagent/tools/sbin_jinja
- user: 949
- group: 939
- file_mode: 755
- template: jinja
# Create config # Create config
create-elastic-agent-config: create-elastic-agent-config:
file.managed: file.managed:
@@ -37,7 +46,6 @@ create-elastic-agent-config:
- group: 939 - group: 939
- template: jinja - template: jinja
{% else %} {% else %}
{{sls}}_state_not_allowed: {{sls}}_state_not_allowed:

16
salt/elasticagent/tools/sbin_jinja/so-elastic-agent-inspect Executable file
View File

@@ -0,0 +1,16 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
{% if grains.role == 'so-heavynode' %}
docker exec so-elastic-agent /usr/share/elastic-agent/elastic-agent inspect
{% else %}
/bin/elastic-agent inspect
{% endif %}

9
salt/elasticagent/tools/sbin/so-elastic-agent-restart → salt/elasticagent/tools/sbin_jinja/so-elastic-agent-restart
View File

@@ -5,6 +5,13 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
. /usr/sbin/so-common . /usr/sbin/so-common
/usr/sbin/so-restart elastic-agent $1 {% if grains.role == 'so-heavynode' %}
/usr/sbin/so-stop elastic-agent $1
/usr/sbin/so-start elasticagent $1
{% else %}
service elastic-agent restart
{% endif %}

7
salt/elasticagent/tools/sbin/so-elastic-agent-start → salt/elasticagent/tools/sbin_jinja/so-elastic-agent-start
View File

@@ -9,4 +9,9 @@
. /usr/sbin/so-common . /usr/sbin/so-common
/usr/sbin/so-start elastic-agent $1 {% if grains.role == 'so-heavynode' %}
/usr/sbin/so-start elasticagent $1
{% else %}
service elastic-agent start
{% endif %}

17
salt/elasticagent/tools/sbin_jinja/so-elastic-agent-status Executable file
View File

@@ -0,0 +1,17 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
{% if grains.role == 'so-heavynode' %}
docker exec so-elastic-agent /usr/share/elastic-agent/elastic-agent status
{% else %}
/bin/elastic-agent status
{% endif %}

5
salt/elasticagent/tools/sbin/so-elastic-agent-stop → salt/elasticagent/tools/sbin_jinja/so-elastic-agent-stop
View File

@@ -9,4 +9,9 @@
. /usr/sbin/so-common . /usr/sbin/so-common
{% if grains.role == 'so-heavynode' %}
/usr/sbin/so-stop elastic-agent $1 /usr/sbin/so-stop elastic-agent $1
{% else %}
service elastic-agent stop
{% endif %}

17
salt/elasticagent/tools/sbin_jinja/so-elastic-agent-version Executable file
View File

@@ -0,0 +1,17 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
{% if grains.role == 'so-heavynode' %}
docker exec so-elastic-agent /usr/share/elastic-agent/elastic-agent version
{% else %}
/bin/elastic-agent version
{% endif %}

19
salt/elasticfleet/enabled.sls
View File

@@ -16,14 +16,25 @@ include:
- elasticfleet.config - elasticfleet.config
- elasticfleet.sostatus - elasticfleet.sostatus
{% if ELASTICFLEETMERGED.config.server.enable_auto_configuration and grains.role not in ['so-import', 'so-eval'] %} # If enabled, automatically update Fleet Logstash Outputs
{% if ELASTICFLEETMERGED.config.server.enable_auto_configuration and grains.role not in ['so-import', 'so-eval', 'so-fleet'] %}
so-elastic-fleet-auto-configure-logstash-outputs: so-elastic-fleet-auto-configure-logstash-outputs:
cmd.run: cmd.run:
- name: /usr/sbin/so-elastic-fleet-outputs-update - name: /usr/sbin/so-elastic-fleet-outputs-update
{% endif %}
#so-elastic-fleet-auto-configure-server-urls: # If enabled, automatically update Fleet Server URLs & ES Connection
# cmd.run: {% if ELASTICFLEETMERGED.config.server.enable_auto_configuration and grains.role not in ['so-fleet'] %}
# - name: /usr/sbin/so-elastic-fleet-urls-update so-elastic-fleet-auto-configure-server-urls:
cmd.run:
- name: /usr/sbin/so-elastic-fleet-urls-update
{% endif %}
# Automatically update Fleet Server Elasticsearch URLs
{% if grains.role not in ['so-fleet'] %}
so-elastic-fleet-auto-configure-elasticsearch-urls:
cmd.run:
- name: /usr/sbin/so-elastic-fleet-es-url-update
{% endif %} {% endif %}
{% if SERVICETOKEN != '' %} {% if SERVICETOKEN != '' %}

38
salt/elasticfleet/files/integrations/endpoints-initial/system-endpoints.json
View File

@@ -13,9 +13,14 @@
"system.auth": { "system.auth": {
"enabled": true, "enabled": true,
"vars": { "vars": {
"ignore_older": "72h",
"paths": [ "paths": [
"/var/log/auth.log*", "/var/log/auth.log*",
"/var/log/secure*" "/var/log/secure*"
],
"preserve_original_event": false,
"tags": [
"system-auth"
] ]
} }
}, },
@@ -24,34 +29,49 @@
"vars": { "vars": {
"paths": [ "paths": [
"/var/log/messages*", "/var/log/messages*",
"/var/log/syslog*" "/var/log/syslog*",
] "/var/log/system*"
],
"tags": [],
"ignore_older": "72h"
} }
} }
} }
}, },
"system-winlog": { "system-winlog": {
"enabled": true, "enabled": true,
"vars": {
"preserve_original_event": false
},
"streams": { "streams": {
"system.application": { "system.application": {
"enabled": true, "enabled": true,
"vars": { "vars": {
"preserve_original_event": false,
"ignore_older": "72h",
"language": 0,
"tags": [] "tags": []
} }
}, },
"system.security": { "system.security": {
"enabled": true, "enabled": true,
"vars": { "vars": {
"preserve_original_event": false,
"ignore_older": "72h",
"language": 0,
"tags": []
}
},
"system.system": {
"enabled": true,
"vars": {
"preserve_original_event": false,
"ignore_older": "72h",
"language": 0,
"tags": [] "tags": []
} }
} }
} }
}, },
"system-system/metrics": { "system-system/metrics": {
"enabled": false "enabled": false
} }
} }
} }

2
salt/elasticfleet/install_agent_grid.sls
View File

@@ -14,12 +14,14 @@ run_installer:
- name: salt://elasticfleet/files/so_agent-installers/so-elastic-agent_linux_amd64 - name: salt://elasticfleet/files/so_agent-installers/so-elastic-agent_linux_amd64
- cwd: /opt/so - cwd: /opt/so
- args: -token={{ GRIDNODETOKENGENERAL }} - args: -token={{ GRIDNODETOKENGENERAL }}
- retry: True
{% else %} {% else %}
run_installer: run_installer:
cmd.script: cmd.script:
- name: salt://elasticfleet/files/so_agent-installers/so-elastic-agent_linux_amd64 - name: salt://elasticfleet/files/so_agent-installers/so-elastic-agent_linux_amd64
- cwd: /opt/so - cwd: /opt/so
- args: -token={{ GRIDNODETOKENHEAVY }} - args: -token={{ GRIDNODETOKENHEAVY }}
- retry: True
{% endif %} {% endif %}
{% endif %} {% endif %}

4
salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load
View File

@@ -35,9 +35,7 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then
elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION" elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"
else else
printf "\n\nIntegration does not exist - Creating integration\n" printf "\n\nIntegration does not exist - Creating integration\n"
if [ "$NAME" != "elasticsearch-logs" ]; then elastic_fleet_integration_create "@$INTEGRATION"
elastic_fleet_integration_create "@$INTEGRATION"
fi
fi fi
done done
if [[ "$RETURN_CODE" != "1" ]]; then if [[ "$RETURN_CODE" != "1" ]]; then

16
salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-inspect Executable file
View File

@@ -0,0 +1,16 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-elastic-fleet-common
{% if grains.role == 'so-heavynode' %}
docker exec so-elastic-agent /usr/share/elastic-agent/elastic-agent inspect
{% else %}
/bin/elastic-agent inspect
{% endif %}

16
salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-restart Executable file
View File

@@ -0,0 +1,16 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-elastic-fleet-common
{% if grains.role == 'so-heavynode' %}
docker exec so-elastic-agent service elastic-agent restart
{% else %}
service elastic-agent restart
{% endif %}

17
salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-start Executable file
View File

@@ -0,0 +1,17 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-elastic-fleet-common
{% if grains.role == 'so-heavynode' %}
docker exec so-elastic-agent service elastic-agent start
{% else %}
service elastic-agent start
{% endif %}

17
salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-status Executable file
View File

@@ -0,0 +1,17 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-elastic-fleet-common
{% if grains.role == 'so-heavynode' %}
docker exec so-elastic-agent /usr/share/elastic-agent/elastic-agent status
{% else %}
/bin/elastic-agent status
{% endif %}

17
salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-stop Executable file
View File

@@ -0,0 +1,17 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-elastic-fleet-common
{% if grains.role == 'so-heavynode' %}
docker exec so-elastic-agent service elastic-agent stop
{% else %}
service elastic-agent stop
{% endif %}

17
salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-version Executable file
View File

@@ -0,0 +1,17 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-elastic-fleet-common
{% if grains.role == 'so-heavynode' %}
docker exec so-elastic-agent /usr/share/elastic-agent/elastic-agent version
{% else %}
/bin/elastic-agent version
{% endif %}

53
salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-es-url-update Normal file
View File

@@ -0,0 +1,53 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
# this file except in compliance with the Elastic License 2.0.
{% from 'vars/globals.map.jinja' import GLOBALS %}
. /usr/sbin/so-common
# Only run on Managers
if ! is_manager_node; then
printf "Not a Manager Node... Exiting"
exit 0
fi
function update_es_urls() {
# Generate updated JSON payload
JSON_STRING=$(jq -n --arg UPDATEDLIST $NEW_LIST_JSON '{"name":"so-manager_elasticsearch","type":"elasticsearch","hosts": $UPDATEDLIST,"is_default":false,"is_default_monitoring":false,"config_yaml":""}')
# Update Fleet Elasticsearch URLs
curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/outputs/so-manager_elasticsearch" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
}
# Get current list of Fleet Elasticsearch URLs
RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/outputs/so-manager_elasticsearch')
# Check to make sure that the server responded with good data - else, bail from script
CHECKSUM=$(jq -r '.item.id' <<< "$RAW_JSON")
if [ "$CHECKSUM" != "so-manager_elasticsearch" ]; then
printf "Failed to query for current Fleet Server Elasticsearch URLs..."
exit 1
fi
# Get the current list of Fleet Server Elasticsearch & hash them
CURRENT_LIST=$(jq -c -r '.item.hosts' <<< "$RAW_JSON")
CURRENT_HASH=$(sha1sum <<< "$CURRENT_LIST" | awk '{print $1}')
# Create array & add initial elements
NEW_LIST=("https://{{ GLOBALS.hostname }}:9200")
# Sort & hash the new list of Fleet Elasticsearch URLs
NEW_LIST_JSON=$(jq --compact-output --null-input '$ARGS.positional' --args -- "${NEW_LIST[@]}")
NEW_HASH=$(sha1sum <<< "$NEW_LIST_JSON" | awk '{print $1}')
# Compare the current & new list of URLs - if different, update the Fleet Elasticsearch URLs
if [ "$NEW_HASH" = "$CURRENT_HASH" ]; then
printf "\nHashes match - no update needed.\n"
printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
exit 0
else
printf "\nHashes don't match - update needed.\n"
printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
update_es_urls
fi

12
salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update
View File

@@ -4,6 +4,14 @@
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% set CUSTOMFQDN = salt['pillar.get']('elasticfleet:config:server:custom_fqdn') %} {% set CUSTOMFQDN = salt['pillar.get']('elasticfleet:config:server:custom_fqdn') %}
. /usr/sbin/so-common
# Only run on Managers
if ! is_manager_node; then
printf "Not a Manager Node... Exiting"
exit 0
fi
function update_logstash_outputs() { function update_logstash_outputs() {
# Generate updated JSON payload # Generate updated JSON payload
JSON_STRING=$(jq -n --arg UPDATEDLIST $NEW_LIST_JSON '{"name":"grid-logstash","type":"logstash","hosts": $UPDATEDLIST,"is_default":true,"is_default_monitoring":true,"config_yaml":""}') JSON_STRING=$(jq -n --arg UPDATEDLIST $NEW_LIST_JSON '{"name":"grid-logstash","type":"logstash","hosts": $UPDATEDLIST,"is_default":true,"is_default_monitoring":true,"config_yaml":""}')
@@ -27,10 +35,10 @@ CURRENT_LIST=$(jq -c -r '.item.hosts' <<< "$RAW_JSON")
CURRENT_HASH=$(sha1sum <<< "$CURRENT_LIST" | awk '{print $1}') CURRENT_HASH=$(sha1sum <<< "$CURRENT_LIST" | awk '{print $1}')
# Create array & add initial elements # Create array & add initial elements
if [ "{{ GLOBALS.manager_ip }}" = "{{ GLOBALS.url_base }}" ]; then if [ "{{ GLOBALS.hostname }}" = "{{ GLOBALS.url_base }}" ]; then
NEW_LIST=("{{ GLOBALS.url_base }}:5055") NEW_LIST=("{{ GLOBALS.url_base }}:5055")
else else
NEW_LIST=("{{ GLOBALS.url_base }}:5055" "{{ GLOBALS.manager_ip }}:5055") NEW_LIST=("{{ GLOBALS.url_base }}:5055" "{{ GLOBALS.hostname }}:5055")
fi fi
{% if CUSTOMFQDN != "" %} {% if CUSTOMFQDN != "" %}

6
salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
View File

@@ -35,12 +35,12 @@ curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fl
printf "\n\n" printf "\n\n"
{%- endif %} {%- endif %}
# Add Manager IP & URL Base to Fleet Host URLs # Add Manager Hostname & URL Base to Fleet Host URLs
printf "\nAdd SO-Manager Fleet URL\n" printf "\nAdd SO-Manager Fleet URL\n"
if [ "{{ GLOBALS.manager_ip }}" = "{{ GLOBALS.url_base }}" ]; then if [ "{{ GLOBALS.hostname }}" = "{{ GLOBALS.url_base }}" ]; then
JSON_STRING=$( jq -n '{"id":"grid-default","name":"grid-default","is_default":true,"host_urls":["https://{{ GLOBALS.url_base }}:8220"]}') JSON_STRING=$( jq -n '{"id":"grid-default","name":"grid-default","is_default":true,"host_urls":["https://{{ GLOBALS.url_base }}:8220"]}')
else else
JSON_STRING=$( jq -n '{"id":"grid-default","name":"grid-default","is_default":true,"host_urls":["https://{{ GLOBALS.url_base }}:8220", "https://{{ GLOBALS.manager_ip }}:8220"]}') JSON_STRING=$( jq -n '{"id":"grid-default","name":"grid-default","is_default":true,"host_urls":["https://{{ GLOBALS.url_base }}:8220", "https://{{ GLOBALS.hostname }}:8220"]}')
fi fi
## This array replaces whatever URLs are currently configured ## This array replaces whatever URLs are currently configured

74
salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update Normal file
View File

@@ -0,0 +1,74 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
# this file except in compliance with the Elastic License 2.0.
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% set CUSTOMFQDN = salt['pillar.get']('elasticfleet:config:server:custom_fqdn') %}
. /usr/sbin/so-common
# Only run on Managers
if ! is_manager_node; then
printf "Not a Manager Node... Exiting"
exit 0
fi
function update_fleet_urls() {
# Generate updated JSON payload
JSON_STRING=$(jq -n --arg UPDATEDLIST $NEW_LIST_JSON '{"name":"grid-default","is_default":true,"host_urls": $UPDATEDLIST}')
# Update Fleet Server URLs
curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/fleet_server_hosts/grid-default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
}
# Get current list of Fleet Server URLs
RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/fleet_server_hosts/grid-default')
# Check to make sure that the server responded with good data - else, bail from script
CHECKSUM=$(jq -r '.item.id' <<< "$RAW_JSON")
if [ "$CHECKSUM" != "grid-default" ]; then
printf "Failed to query for current Fleet Server URLs..."
exit 1
fi
# Get the current list of Fleet Server URLs & hash them
CURRENT_LIST=$(jq -c -r '.item.host_urls' <<< "$RAW_JSON")
CURRENT_HASH=$(sha1sum <<< "$CURRENT_LIST" | awk '{print $1}')
# Create array & add initial elements
if [ "{{ GLOBALS.hostname }}" = "{{ GLOBALS.url_base }}" ]; then
NEW_LIST=("https://{{ GLOBALS.url_base }}:8220")
else
NEW_LIST=("https://{{ GLOBALS.url_base }}:8220" "https://{{ GLOBALS.hostname }}:8220")
fi
{% if CUSTOMFQDN != "" %}
# Add Custom Hostname to list
NEW_LIST+=("https://{{ CUSTOMFQDN }}:8220")
{% endif %}
# Query for the current Grid Nodes that are running Logstash (which includes Fleet Nodes)
LOGSTASHNODES=$(salt-call --out=json pillar.get logstash:nodes | jq '.local')
# Query for Fleet Nodes & add them to the list (Hostname)
if grep -q "fleet" <<< $LOGSTASHNODES; then
readarray -t FLEETNODES < <(jq -r ' .fleet | keys_unsorted[]' <<< $LOGSTASHNODES)
for NODE in "${FLEETNODES[@]}"
do
NEW_LIST+=("https://$NODE:8220")
done
fi
# Sort & hash the new list of Fleet Server URLs
NEW_LIST_JSON=$(jq --compact-output --null-input '$ARGS.positional' --args -- "${NEW_LIST[@]}")
NEW_HASH=$(sha1sum <<< "$NEW_LIST_JSON" | awk '{print $1}')
# Compare the current & new list of URLs - if different, update the Fleet Server URLs
if [ "$NEW_HASH" = "$CURRENT_HASH" ]; then
printf "\nHashes match - no update needed.\n"
printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
exit 0
else
printf "\nHashes don't match - update needed.\n"
printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
update_fleet_urls
fi

3
salt/elasticsearch/files/ingest/strelka.file
View File

@@ -63,7 +63,8 @@
{ "set": { "if": "ctx.rule?.score != null && ctx.rule?.score >= 50 && ctx.rule?.score <=69", "field": "event.severity", "value": 2, "override": true } }, { "set": { "if": "ctx.rule?.score != null && ctx.rule?.score >= 50 && ctx.rule?.score <=69", "field": "event.severity", "value": 2, "override": true } },
{ "set": { "if": "ctx.rule?.score != null && ctx.rule?.score >= 70 && ctx.rule?.score <=89", "field": "event.severity", "value": 3, "override": true } }, { "set": { "if": "ctx.rule?.score != null && ctx.rule?.score >= 70 && ctx.rule?.score <=89", "field": "event.severity", "value": 3, "override": true } },
{ "set": { "if": "ctx.rule?.score != null && ctx.rule?.score >= 90", "field": "event.severity", "value": 4, "override": true } }, { "set": { "if": "ctx.rule?.score != null && ctx.rule?.score >= 90", "field": "event.severity", "value": 4, "override": true } },
{ "set": { "if": "ctx.scan?.entropy?.entropy == 0", "field": "scan.entropy.entropy", "value": 0.0, "override": true } }, { "set": { "if": "ctx.scan?.entropy?.entropy == 0", "field": "scan.entropy.entropy", "value": "0.0", "override": true } },
{ "set": { "if": "ctx.scan?.pe?.image_version == 0", "field": "scan.pe.image_version", "value": "0.0", "override": true } },
{ "set": { "field": "observer.name", "value": "{{agent.name}}" }}, { "set": { "field": "observer.name", "value": "{{agent.name}}" }},
{ "convert" : { "field" : "scan.exiftool","type": "string", "ignore_missing":true }}, { "convert" : { "field" : "scan.exiftool","type": "string", "ignore_missing":true }},
{ "remove": { "field": ["host", "path", "message", "exiftool", "scan.yara.meta"], "ignore_missing": true } }, { "remove": { "field": ["host", "path", "message", "exiftool", "scan.yara.meta"], "ignore_missing": true } },

6
salt/logstash/defaults.yaml
View File

@@ -21,16 +21,16 @@ logstash:
- fleet - fleet
defined_pipelines: defined_pipelines:
fleet: fleet:
- so/0012_input_elastic_agent.conf - so/0012_input_elastic_agent.conf.jinja
- so/9806_output_lumberjack_fleet.conf.jinja - so/9806_output_lumberjack_fleet.conf.jinja
manager: manager:
- so/0011_input_endgame.conf - so/0011_input_endgame.conf
- so/0012_input_elastic_agent.conf - so/0012_input_elastic_agent.conf.jinja
- so/0013_input_lumberjack_fleet.conf - so/0013_input_lumberjack_fleet.conf
- so/9999_output_redis.conf.jinja - so/9999_output_redis.conf.jinja
receiver: receiver:
- so/0011_input_endgame.conf - so/0011_input_endgame.conf
- so/0012_input_elastic_agent.conf - so/0012_input_elastic_agent.conf.jinja
- so/0013_input_lumberjack_fleet.conf - so/0013_input_lumberjack_fleet.conf
- so/9999_output_redis.conf.jinja - so/9999_output_redis.conf.jinja
search: search:

2
salt/logstash/pipelines/config/so/0012_input_elastic_agent.conf → salt/logstash/pipelines/config/so/0012_input_elastic_agent.conf.jinja
View File

@@ -1,7 +1,7 @@
input { input {
elastic_agent { elastic_agent {
port => 5055 port => 5055
tags => [ "elastic-agent" ] tags => [ "elastic-agent", "input-{{ GLOBALS.hostname }}" ]
ssl => true ssl => true
ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"] ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"]
ssl_certificate => "/usr/share/logstash/elasticfleet-logstash.crt" ssl_certificate => "/usr/share/logstash/elasticfleet-logstash.crt"