Merge remote-tracking branch 'origin/2.4/dev' into 2.4/navigator

2026-01-12 19:21:23 +01:00 · 2025-01-02 16:13:34 -05:00
parent 9475211417 5969e9accc
commit 8408a53b82
14 changed files with 174 additions and 38 deletions
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -82,6 +82,7 @@ docker:
        - 443:443
        - 8443:8443
        - 7788:7788
+        - 7789:7789
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
--- a/salt/elasticfleet/defaults.yaml
+++ b/salt/elasticfleet/defaults.yaml
@@ -108,6 +108,7 @@ elasticfleet:
    - ti_anomali
    - ti_cybersixgill
    - ti_misp
+    - ti_opencti
    - ti_otx
    - ti_rapid7_threat_command
    - ti_recordedfuture
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -10353,6 +10353,52 @@ elasticsearch:
              set_priority:
                priority: 50
            min_age: 30d
+    so-logs-ti_opencti_x_indicator:
+      index_sorting: False
+      index_template:
+        composed_of:
+          - "logs-ti_opencti.indicator@package"
+          - "logs-ti_opencti.indicator@custom"
+          - "so-fleet_globals-1"
+          - "so-fleet_agent_id_verification-1"
+        data_stream:
+          hidden: false
+          allow_custom_routing: false
+        ignore_missing_component_templates:
+          - "logs-ti_opencti.indicator@custom"
+        index_patterns:
+          - "logs-ti_opencti.indicator-*"
+        priority: 501
+        template:
+          settings:
+            index:
+              lifecycle:
+                name: so-logs-ti_opencti.indicator-logs
+              number_of_replicas: 0
+      policy:
+        phases:
+          cold:
+            actions:
+              set_priority:
+                priority: 0
+            min_age: 60d
+          delete:
+            actions:
+              delete: {}
+            min_age: 365d
+          hot:
+            actions:
+              rollover:
+                max_age: 30d
+                max_primary_shard_size: 50gb
+              set_priority:
+                priority: 100
+            min_age: 0ms
+          warm:
+            actions:
+              set_priority:
+                priority: 50
+            min_age: 30d
    so-logs-ti_otx_x_pulses_subscribed:
      index_sorting: false
      index_template:
--- a/salt/elasticsearch/files/ingest/zeek.quic
+++ b/salt/elasticsearch/files/ingest/zeek.quic
@@ -0,0 +1,18 @@
+{
+  "description" : "zeek.quic",
+  "processors" : [
+    { "set":      { "field": "event.dataset",                           "value": "quic" } },
+    { "set":      { "field": "network.transport",                       "value": "udp"  } },
+    { "json":     { "field": "message",                                 "target_field": "message2",                       "ignore_failure": true    } },
+    { "rename": 	{ "field": "message2.version",	                    "target_field": "quic.version",		              "ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.client_initial_dcid",	        "target_field": "quic.client_initial_dcid",		  "ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.client_scid",	                "target_field": "quic.client_scid",		          "ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.server_scid",	                "target_field": "quic.server_scid",		          "ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.server_name",	                "target_field": "quic.server_name",		          "ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.client_protocol",	            "target_field": "quic.client_protocol",		      "ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.history",	                    "target_field": "quic.history",                   "ignore_missing": true 	} },
+    { "remove":		{ "field": "message2.tags",		                                                                      "ignore_failure": true    } },
+    { "remove":   { "field": ["host"],                                                                                    "ignore_failure": true    } },
+    { "pipeline":       { "name": "zeek.common" } }
+  ]
+}
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
@@ -491,6 +491,7 @@ elasticsearch:
    so-logs-ti_cybersixgill_x_threat: *indexSettings
    so-logs-ti_misp_x_threat: *indexSettings
    so-logs-ti_misp_x_threat_attributes: *indexSettings
+    so-logs-ti_opencti_x_indicator: *indexSettings
    so-logs-ti_otx_x_pulses_subscribed: *indexSettings  
    so-logs-ti_otx_x_threat: *indexSettings
    so-logs-ti_recordedfuture_x_latest_ioc-template: *indexSettings
--- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_opencti.indicator@custom.json
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_opencti.indicator@custom.json
@@ -0,0 +1,36 @@
+{
+  "template": {
+    "mappings": {
+      "properties": {
+        "host": {
+	  "properties":{
+            "ip": {
+              "type": "ip"
+            }
+	  }
+	},
+	"related": {
+          "properties":{
+            "ip": {
+              "type": "ip"
+            }
+          }
+        },
+	"destination": {
+          "properties":{
+            "ip": {
+              "type": "ip"
+            }
+          }
+        },
+	"source": {
+          "properties":{
+            "ip": {
+              "type": "ip"
+            }
+          }
+        }
+      }
+    }
+  }
+}
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -404,7 +404,8 @@ preupgrade_changes() {
    [[ "$INSTALLEDVERSION" == 2.4.80 ]] && up_to_2.4.90
    [[ "$INSTALLEDVERSION" == 2.4.90 ]] && up_to_2.4.100
    [[ "$INSTALLEDVERSION" == 2.4.100 ]] && up_to_2.4.110
-    [[ "$INSTALLEDVERSION" == 2.4.110 ]] && up_to_2.4.120
+    [[ "$INSTALLEDVERSION" == 2.4.110 ]] && up_to_2.4.111
+    [[ "$INSTALLEDVERSION" == 2.4.111 ]] && up_to_2.4.120
    true
 }

@@ -519,6 +520,11 @@ post_to_2.4.110() {
  POSTVERSION=2.4.110
 }

+post_to_2.4.111() {
+  echo "Nothing to apply"
+  POSTVERSION=2.4.111
+}
+
 post_to_2.4.120() {
  update_elasticsearch_index_settings
  POSTVERSION=2.4.120
@@ -714,6 +720,12 @@ up_to_2.4.110() {
  INSTALLEDVERSION=2.4.110
 }

+up_to_2.4.111() {
+  echo "Nothing to do for 2.4.111"
+
+  INSTALLEDVERSION=2.4.111
+}
+
 up_to_2.4.120() {
  add_hydra_pillars

@@ -944,7 +956,7 @@ update_airgap_rules() {
  rsync -av $UPDATE_DIR/agrules/detect-sigma/* /nsm/rules/detect-sigma/
  rsync -av $UPDATE_DIR/agrules/detect-yara/* /nsm/rules/detect-yara/
  # Copy the securityonion-resorces repo over for SOC Detection Summaries and checkout the published summaries branch
-  rsync -av --chown=socore:socore $UPDATE_DIR/agrules/securityonion-resources /opt/so/conf/soc/ai_summary_repos
+  rsync -av --delete --chown=socore:socore $UPDATE_DIR/agrules/securityonion-resources /opt/so/conf/soc/ai_summary_repos
  git config --global --add safe.directory /opt/so/conf/soc/ai_summary_repos/securityonion-resources
  git -C /opt/so/conf/soc/ai_summary_repos/securityonion-resources checkout generated-summaries-published
  # Copy the securityonion-resorces repo over to nsm
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -339,6 +339,16 @@ soc:
        - file.os
        - file.subsystem
        - log.id.fuid
+      '::quic':
+        - soc_timestamp
+        - event.dataset
+        - source.ip
+        - source.port
+        - destination.ip
+        - destination.port
+        - quic.server_name
+        - log.id.uid
+        - network.community_id
      '::radius':
        - soc_timestamp
        - event.dataset
@@ -1732,6 +1742,10 @@ soc:
              description: PE files list
              query: 'tags:pe | groupby file.machine file.os file.subsystem'
              showSubtitle: true
+            - name: QUIC
+              description: QUIC connections
+              query: 'tags:quic | groupby quic.server_name | groupby source.ip quic.server_name destination.ip'
+              showSubtitle: true
            - name: RADIUS
              description: RADIUS grouped by username
              query: 'tags:radius | groupby user.name'
@@ -1950,6 +1964,9 @@ soc:
            - name: PE
              description: PE (Portable Executable) files transferred via network traffic
              query: 'tags:pe | groupby file.machine | groupby -sankey file.machine file.os | groupby file.os | groupby -sankey file.os file.subsystem | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit'
+            - name: QUIC
+              description: QUIC network metadata
+              query: 'tags:quic | groupby quic.server_name | groupby -sankey quic.server_name source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name | groupby quic.server_scid | groupby quic.version | groupby quic.client_protocol'
            - name: RADIUS
              description: RADIUS (Remote Authentication Dial-In User Service) network metadata
              query: 'tags:radius | groupby user.name | groupby -sankey user.name source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
--- a/salt/soc/files/soc/sigma_so_pipeline.yaml
+++ b/salt/soc/files/soc/sigma_so_pipeline.yaml
@@ -45,24 +45,25 @@ transformations:
      rule_conditions:
      - type: logsource
        category: antivirus
-    # Drops the Hashes field which is specific to Sysmon logs
-    # Ingested sysmon logs will have the Hashes field mapped to ECS specific fields
-    - id: hashes_drop_sysmon-specific-field
-      type: drop_detection_item
+    # Transforms the `Hashes` field to ECS fields
+    # ECS fields are used by the hash fields emitted by Elastic Defend
+    # If shipped with Elastic Agent, sysmon logs will also have hashes mapped to ECS fields    
+    - id: hashes_break_out_field
+      type: hashes_fields
+      valid_hash_algos: ["MD5", "SHA1", "SHA256", "SHA512", "IMPHASH"]
+      field_prefix: "file"
+      drop_algo_prefix: False
      field_name_conditions:
        - type: include_fields
          fields:
-          - winlog.event_data.Hashes
-      rule_conditions:
-      - type: logsource
-        product: windows
+            - winlog.event_data.Hashes
    - id: hashes_process-creation
      type: field_name_mapping
      mapping:
-        winlog.event_data.sha256: process.hash.sha256
-        winlog.event_data.sha1: process.hash.sha1
-        winlog.event_data.md5: process.hash.md5
-        winlog.event_data.Imphash: process.pe.imphash
+        fileSHA256: process.hash.sha256
+        fileSHA1: process.hash.sha1
+        fileMD5: process.hash.md5
+        fileIMPHASH: process.pe.imphash
      rule_conditions:
      - type: logsource
        product: windows
@@ -70,10 +71,10 @@ transformations:
    - id: hashes_image-load
      type: field_name_mapping
      mapping:
-        winlog.event_data.sha256: dll.hash.sha256
-        winlog.event_data.sha1: dll.hash.sha1
-        winlog.event_data.md5: dll.hash.md5
-        winlog.event_data.Imphash: dll.pe.imphash
+        fileSHA256: dll.hash.sha256
+        fileSHA1: dll.hash.sha1
+        fileMD5: dll.hash.md5
+        fileIMPHASH: dll.pe.imphash
      rule_conditions:
      - type: logsource
        product: windows
@@ -81,10 +82,10 @@ transformations:
    - id: hashes_driver-load
      type: field_name_mapping
      mapping:
-        winlog.event_data.sha256: dll.hash.sha256
-        winlog.event_data.sha1: dll.hash.sha1
-        winlog.event_data.md5: dll.hash.md5
-        winlog.event_data.Imphash: dll.pe.imphash
+        fileSHA256: dll.hash.sha256
+        fileSHA1: dll.hash.sha1
+        fileMD5: dll.hash.md5
+        fileIMPHASH: dll.pe.imphash
      rule_conditions:
      - type: logsource
        product: windows