From 6b0b7245f0c90c9c6b9dd3c593a511dd5b0057ee Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Thu, 13 Jan 2022 17:10:08 -0500
Subject: [PATCH 1/3] Add default queries for cases to show user's assigned cases

---
 salt/soc/files/soc/cases.queries.json | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/salt/soc/files/soc/cases.queries.json b/salt/soc/files/soc/cases.queries.json
index a3021ad0b..e08ca51ac 100644
--- a/salt/soc/files/soc/cases.queries.json
+++ b/salt/soc/files/soc/cases.queries.json
@@ -1,5 +1,7 @@
 [
 { "name": "Open Cases", "query": "NOT case.status:closed AND NOT case.category:template" },
 { "name": "Closed Cases", "query": "case.status:closed AND NOT case.category:template" },
+ { "name": "My Open Cases", "query": "NOT case.status:closed AND NOT case.category:template AND case.assigneeId:{myId}" },
+ { "name": "My Closed Cases", "query": "case.status:closed AND NOT case.category:template AND case.assigneeId:{myId}" },
 { "name": "Templates", "query": "case.category:template" }
 ]
\ No newline at end of file

From a90bc9dba9befbceb1d371f3c97e6f5c11b183d5 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Fri, 14 Jan 2022 16:58:53 -0500
Subject: [PATCH 2/3] Add mapping for scan.pe.sections.entropy

---
 .../templates/so/so-common-template.json.jinja | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/salt/elasticsearch/templates/so/so-common-template.json.jinja b/salt/elasticsearch/templates/so/so-common-template.json.jinja
index b61f3764d..b5f196243 100644
--- a/salt/elasticsearch/templates/so/so-common-template.json.jinja
+++ b/salt/elasticsearch/templates/so/so-common-template.json.jinja
@@ -734,7 +734,18 @@
 "properties":{
 "exiftool":{
 "type":"text"
- }
+ },
+ "pe":{
+ "properties":{
+ "sections":{
+ "properties":{
+ "entropy":{
+ "type": "float"
+ }
+ }
+ }
+ }
+ }
 }
 },
 "server":{

From c512351dd6cdbde6239141de16adebe3d90d1155 Mon Sep 17 00:00:00 2001
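Review bot: The `{myId}` token in the two added queries is substituted outside this file (presumably by the SOC frontend before the query is run), and it is inserted as a bare term, so an assignee id containing characters the query syntax treats specially, such as `-`, `:` or whitespace, would change the meaning of the query instead of matching literally. If assignee ids can ever take such a form, quoting the term inside the JSON string, `case.assigneeId:\"{myId}\"`, keeps it a single literal value. The `\ No newline at end of file` marker predates this change, but the missing trailing newline could be fixed while the file is being touched.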
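Review bot: The new `scan.pe.sections.entropy` mapping sits under plain `properties`, so if `scan.pe.sections` arrives as an array of per-section objects (as the plural name suggests) Elasticsearch flattens it into one multi-valued `entropy` field; that is fine for range filters on any section's entropy, but a query cannot tie an entropy value to the other fields of the same section, which would need `"type": "nested"` on `sections`. Confirm which shape the scanner emits before relying on per-section queries. The added `"type": "float"` line puts a space after the colon while the neighbouring `"type":"text"` does not; match the existing style. The same subtree is added verbatim to so-case-template.json.jinja in patch 3, so the two copies have to be kept in sync or factored into a shared include.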
From: weslambert
Date: Fri, 14 Jan 2022 17:01:13 -0500
Subject: [PATCH 3/3] Add mapping for scan.exiftool and scan.pe.sections.entropy

---
 .../templates/so/so-case-template.json.jinja | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/salt/elasticsearch/templates/so/so-case-template.json.jinja b/salt/elasticsearch/templates/so/so-case-template.json.jinja
index e85367113..d05cc9852 100644
--- a/salt/elasticsearch/templates/so/so-case-template.json.jinja
+++ b/salt/elasticsearch/templates/so/so-case-template.json.jinja
@@ -244,6 +244,26 @@
 "message": {
 "type": "text"
 },
+ "scan":{
+ "type":"object",
+ "dynamic": true,
+ "properties":{
+ "exiftool":{
+ "type":"text"
+ },
+ "pe":{
+ "properties":{
+ "sections":{
+ "properties":{
+ "entropy":{
+ "type": "float"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
 "tags": {
 "type": "keyword",
 "ignore_above": 1024
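Review bot: `"dynamic": true` on the new `scan` object lets every key the file scanner emits under `scan.*` create a new mapped field on the case index, so mapping growth is bounded only by the index's total-fields limit rather than by this template. If only the fields listed here are meant to be queryable, `"dynamic": false` (extra keys kept in `_source` but not indexed) or `"dynamic": "strict"` (documents with extra keys rejected) keeps the mapping under the template's control; if arbitrary exiftool keys are meant to be searchable, the choice is deliberate and worth stating in the commit message. The `pe.sections` subtree is a copy of the one patch 2 adds to so-common-template.json.jinja and raises the same question of whether `sections` should be `nested` when it holds an array of per-section objects. `"type": "float"` and `"dynamic": true` put a space after the colon while `"type":"object"` and `"type":"text"` do not; pick one style within the block.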