From c571b2c49948df77cb38424d3f60d5d39e62a2da Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 1 Dec 2021 13:17:14 -0500 Subject: [PATCH 01/13] handle redirect if more than 1 match from compgen --- salt/common/tools/sbin/soup | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 2aefc67bb..9c7f5356f 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -599,9 +599,14 @@ up_to_2.3.80() { up_to_2.3.90() { for i in manager managersearch eval standalone; do - if compgen -G "/opt/so/saltstack/local/pillar/minions/*_$i.sls" > /dev/null; then - echo "soc:" >> /opt/so/saltstack/local/pillar/minions/*_$i.sls - sed -i "/^soc:/a \\ es_index_patterns: '*:so-*,*:endgame-*'" /opt/so/saltstack/local/pillar/minions/*_$i.sls + echo "Checking for compgen match of /opt/so/saltstack/local/pillar/minions/*_$i.sls" + if compgen -G "/opt/so/saltstack/local/pillar/minions/*_$i.sls"; then + echo "Found compgen match for /opt/so/saltstack/local/pillar/minions/*_$i.sls" + for f in $(compgen -G "/opt/so/saltstack/local/pillar/minions/*_$i.sls"); do + echo "Appending soc pillar data to $f" + echo "soc:" >> "$f" + sed -i "/^soc:/a \\ es_index_patterns: '*:so-*,*:endgame-*'" "$f" + done fi done @@ -609,8 +614,8 @@ up_to_2.3.90() { so-firewall addhostgroup endgame # Force influx to generate a new cert - mv /etc/pki/influxdb.crt /etc/pki/influxdb.crt.2390upgrade - mv /etc/pki/influxdb.key /etc/pki/influxdb.key.2390upgrade + mv -v /etc/pki/influxdb.crt /etc/pki/influxdb.crt.2390upgrade + mv -v /etc/pki/influxdb.key /etc/pki/influxdb.key.2390upgrade # remove old common ingest pipeline in default rm -vf /opt/so/saltstack/default/salt/elasticsearch/files/ingest/common From 7a664ab8f7459e0e990d6cdb9a2d7650042eeeb8 Mon Sep 17 00:00:00 2001 
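Review bot: `for f in $(compgen -G "/opt/so/saltstack/local/pillar/minions/*_$i.sls")` word-splits and re-globs compgen's output, so a match containing whitespace or glob characters would reach `echo`/`sed` in pieces. Dropping the `> /dev/null` on the `if compgen -G` test also means every matched path is now printed to stdout before the "Found compgen match" line, which is fine for the log but worth knowing. A plain glob does both jobs in one place: `for f in /opt/so/saltstack/local/pillar/minions/*_"$i".sls; do` followed by `[[ -e "$f" ]] || continue`, which handles the no-match case without a separate compgen call. Pillar file names under that directory are presumably operator-controlled, so the splitting risk is low in practice. up_to_2.3.90 continues past the end of the hunk.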
From: m0duspwnens Date: Thu, 2 Dec 2021 10:02:26 -0500 Subject: [PATCH 02/13] more error proof up_to_2.3.90 function --- salt/common/tools/sbin/soup | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 62168fa94..e26cf2de7 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -611,11 +611,17 @@ up_to_2.3.90() { done # Create Endgame Hostgroup - so-firewall addhostgroup endgame + echo "Adding endgame hostgroup with so-firewall" + if so-firewall addhostgroup endgame 2>&1 | grep -q 'Already exists'; then + echo 'endgame hostgroup already exists' + else + echo 'endgame hostgroup added' + fi # Force influx to generate a new cert - mv -v /etc/pki/influxdb.crt /etc/pki/influxdb.crt.2390upgrade - mv -v /etc/pki/influxdb.key /etc/pki/influxdb.key.2390upgrade + echo "Moving influxdb.crt and influxdb.key to generate new certs" + mv -vf /etc/pki/influxdb.crt /etc/pki/influxdb.crt.2390upgrade + mv -vf /etc/pki/influxdb.key /etc/pki/influxdb.key.2390upgrade # remove old common ingest pipeline in default rm -vf /opt/so/saltstack/default/salt/elasticsearch/files/ingest/common From 8d667795a74838a9749508d0b17c085a4ec4b3fc Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 2 Dec 2021 10:28:17 -0500 Subject: [PATCH 03/13] only add soc:es_index_patterns to pillar if not already present --- salt/common/tools/sbin/soup | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index e26cf2de7..1695ac0c2 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
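Review bot: The test `if so-firewall addhostgroup endgame 2>&1 | grep -q 'Already exists'` can only tell "Already exists" apart from everything else, so a missing `so-firewall`, a permission problem or any other failure falls into the else branch and is logged as "endgame hostgroup added". Capturing the output and the exit status separately lets the function report an actual failure on stderr instead of masking it; whether so-firewall exits non-zero on "Already exists" is not visible here, so the text check is kept ahead of the status check. The `mv -vf` lines still fail with "No such file or directory" when the certificate was already moved by an earlier run, because `-f` only suppresses overwrite prompts; guard them with `[[ -e /etc/pki/influxdb.crt ]] &&` or an explicit `|| true` if a missing file is expected on re-runs. up_to_2.3.90 continues outside the hunk.
```shell
# Create Endgame Hostgroup
echo "Adding endgame hostgroup with so-firewall"
fw_out=$(so-firewall addhostgroup endgame 2>&1) && fw_rc=0 || fw_rc=$?
if grep -q 'Already exists' <<<"$fw_out"; then
  echo 'endgame hostgroup already exists'
elif (( fw_rc == 0 )); then
  echo 'endgame hostgroup added'
else
  printf 'so-firewall addhostgroup endgame failed (rc=%s): %s\n' "$fw_rc" "$fw_out" >&2
fi
# … unchanged: influxdb cert move, ingest pipeline cleanup …
```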
@@ -603,9 +603,13 @@ up_to_2.3.90() { if compgen -G "/opt/so/saltstack/local/pillar/minions/*_$i.sls"; then echo "Found compgen match for /opt/so/saltstack/local/pillar/minions/*_$i.sls" for f in $(compgen -G "/opt/so/saltstack/local/pillar/minions/*_$i.sls"); do - echo "Appending soc pillar data to $f" - echo "soc:" >> "$f" - sed -i "/^soc:/a \\ es_index_patterns: '*:so-*,*:endgame-*'" "$f" + if grep -qozP "^soc:\n.*es_index_patterns: '\*:so-\*,\*:endgame-\*'" "$f"; then + echo "soc:es_index_patterns already present in $f" + else + echo "Appending soc pillar data to $f" + echo "soc:" >> "$f" + sed -i "/^soc:/a \\ es_index_patterns: '*:so-*,*:endgame-*'" "$f" + fi done fi done From f5761c73a5ceddceaf0b043c3b6e740dc889b897 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 2 Dec 2021 15:30:35 -0500 Subject: [PATCH 04/13] Fix for the clustername used in wrong context --- salt/elasticsearch/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index f31e224a3..84ce545b8 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -327,7 +327,7 @@ so-elasticsearch-pipelines-file: so-elasticsearch-pipelines: cmd.run: - - name: /opt/so/conf/elasticsearch/so-elasticsearch-pipelines {{ esclustername }} + - name: /opt/so/conf/elasticsearch/so-elasticsearch-pipelines {{ grains.host }} - onchanges: - file: esingestconf - file: esingestdynamicconf From ff2d2c7c0450f58d16eda87249e0c041d3972bd8 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 2 Dec 2021 16:39:32 -0500 Subject: [PATCH 05/13] export LC_CTYPE="en_US.UTF-8" - https://github.com/Security-Onion-Solutions/securityonion/discussions/6431 --- salt/common/tools/sbin/soup | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 1695ac0c2..e5563cddb 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
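Review bot: The new `grep -qozP "^soc:\n.*es_index_patterns: ..."` guard only recognises the exact two-line layout this function writes, so a pillar that already has a `soc:` key with other children, or the same setting further down under it, still takes the else branch and gets a second top-level `soc:` appended — a duplicate mapping key whose handling depends on the YAML loader and is not checked here. Testing the two conditions separately is more robust: `grep -q 'es_index_patterns:' "$f"` to decide whether anything needs adding, and `grep -q '^soc:' "$f"` to decide whether `echo "soc:" >> "$f"` may run before the `sed -i "/^soc:/a ..."` insert. Note also that the sed address `/^soc:/` appends after every line beginning with `soc:`, not only the one just written. up_to_2.3.90 continues outside the hunk.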
@@ -16,6 +16,7 @@ # along with this program. If not, see . . /usr/sbin/so-common +export LC_CTYPE="en_US.UTF-8" UPDATE_DIR=/tmp/sogh/securityonion DEFAULT_SALT_DIR=/opt/so/saltstack/default From c6773a0bbcf679becb87def2bc2916bdc819c6ad Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 3 Dec 2021 10:26:22 -0500 Subject: [PATCH 06/13] move "Preparing soup" to main so shows in soup.log --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index e5563cddb..86d48e2d1 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -873,6 +873,7 @@ apply_hotfix() { main() { trap 'check_err $?' EXIT + echo "### Preparing soup at $(date) ###" check_pillar_items echo "Checking to see if this is an airgap install." @@ -1184,5 +1185,4 @@ EOF read -r input fi -echo "### Preparing soup at $(date) ###" main "$@" | tee -a $SOUP_LOG From 65b1ab833ddb8b3e1ab8ee75552d2ba362af956e Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 3 Dec 2021 12:00:29 -0500 Subject: [PATCH 07/13] run salt-call locally as if no Salt master were present during reinstall - https://github.com/Security-Onion-Solutions/securityonion/discussions/6435 --- setup/so-functions | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index daf609f67..3d88a7fdb 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2016,10 +2016,10 @@ reinstall_init() { { if command -v salt-call &> /dev/null && grep -q "master:" /etc/salt/minion 2> /dev/null; then # Disable schedule so highstate doesn't start running during the install - salt-call -l info schedule.disable + salt-call -l info schedule.disable --local # Kill any currently running salt jobs, also to prevent issues with highstate. - salt-call -l info saltutil.kill_all_jobs + salt-call -l info saltutil.kill_all_jobs --local fi # Kill any salt processes (safely) 
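Review bot: `export LC_CTYPE="en_US.UTF-8"` assumes that locale has been generated on the host; where it has not, each child process prints `setlocale: LC_CTYPE: cannot change locale` and falls back to C anyway, so the export silently does nothing. A comment naming the reason would help the next reader, e.g. `# force a UTF-8 ctype for tools invoked by soup (see discussion #6431)`. Checking `locale -a` first, or choosing a locale present on all supported hosts (commonly `C.UTF-8`), would make the export hold where en_US.UTF-8 is absent.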
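Review bot: `--local` is placed after the function name in `salt-call -l info schedule.disable --local`, which reads as if it were an argument to `schedule.disable`; salt-call's option parser appears to accept options after the positional arguments, so it works, but `salt-call --local -l info schedule.disable` is clearer, and the same applies to the `saltutil.kill_all_jobs` line. With `--local` the surrounding `grep -q "master:" /etc/salt/minion` condition no longer guards against an unreachable master, since the master is never contacted. Whether kill_all_jobs still finds the running jobs without a master connection is worth confirming on a reinstall. reinstall_init continues outside the hunk.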
From 780daf8aa7dffed1b230bd6e2376aaf7d66c67fd Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 3 Dec 2021 15:15:45 -0500 Subject: [PATCH 08/13] Apply hotfix to all 2.3.90 installs --- salt/common/tools/sbin/soup | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 86d48e2d1..30c9cb5a5 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -854,7 +854,7 @@ verify_latest_update_script() { } apply_hotfix() { - if [[ "$INSTALLEDVERSION" == "2.3.90" && "$HOTFIXVERSION" == "WAZUH" ]] ; then + if [[ "$INSTALLEDVERSION" == "2.3.90" ]] ; then FILE="/nsm/wazuh/etc/ossec.conf" echo "Detecting if ossec.conf needs corrected..." if head -1 $FILE | grep -q "xml version"; then @@ -865,7 +865,7 @@ apply_hotfix() { echo "$FILE does not have an XML header, so no changes are necessary." fi else - echo "Skipping ossec.conf check ($INSTALLEDVERSION/$HOTFIXVERSION)" + echo "No Actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)" fi } From f82d204c0e2be6ebcba44413c3cc1c449eb79c47 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 3 Dec 2021 15:20:33 -0500 Subject: [PATCH 09/13] Update soup --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 30c9cb5a5..50c925d22 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -865,7 +865,7 @@ apply_hotfix() { echo "$FILE does not have an XML header, so no changes are necessary." fi else - echo "No Actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)" + echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)" fi } From f697d88090bb0055e3bfc4002d89b7114d9c30bb Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 3 Dec 2021 15:36:16 -0500 Subject: [PATCH 10/13] Update HOTFIX --- HOTFIX | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HOTFIX b/HOTFIX index 8f9b6cfec..a5609cf48 100644 
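Review bot: Dropping the `HOTFIXVERSION` condition means `head -1 $FILE | grep -q "xml version"` now runs on `/nsm/wazuh/etc/ossec.conf` on every 2.3.90 install, including any node where that file does not exist; `head` then fails, grep sees empty input, and the script prints the misleading "does not have an XML header, so no changes are necessary" message. Guard the file first, e.g. `if [[ "$INSTALLEDVERSION" == "2.3.90" && -f /nsm/wazuh/etc/ossec.conf ]] ; then`, and quote the variable on the context line, `head -1 "$FILE"`. Whether every 2.3.90 node carries ossec.conf is not visible here. The rest of apply_hotfix lies outside the hunk.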
--- a/HOTFIX +++ b/HOTFIX @@ -1 +1 @@ -WAZUH AIRGAPFIX +WAZUH AIRGAPFIX SOUP From 0571612ea119335585a89c7940640b0460eba6e6 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Fri, 3 Dec 2021 22:38:30 +0000 Subject: [PATCH 11/13] Add initial EG dashes --- salt/kibana/files/saved_objects.ndjson | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/salt/kibana/files/saved_objects.ndjson b/salt/kibana/files/saved_objects.ndjson index 624168af7..919a56f62 100644 --- a/salt/kibana/files/saved_objects.ndjson +++ b/salt/kibana/files/saved_objects.ndjson 
@@ -729,4 +729,13 @@ {"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Syslog - Severity (Donut)","uiStateJSON":"{}","version":1,"visState":"{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"syslog.severity.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Severity\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"syslog.severity.keyword: Descending\",\"aggType\":\"terms\"}]}},\"title\":\"Security Onion - Syslog - Severity (Donut)\"}"},"id":"fc8d41a0-777b-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.11.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2021-03-19T14:35:12.119Z","version":"WzcwNDExLDRd"} {"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - Top Source 
IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - Top Source IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"source.ip: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}"},"id":"fd8b4640-6e9f-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.11.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2021-03-19T14:35:12.119Z","version":"WzcwNDEyLDRd"} 
{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.module:strelka\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":7,\"i\":\"a2e0a619-a5c5-40d9-8593-e60f13ae22bf\"},\"panelIndex\":\"a2e0a619-a5c5-40d9-8593-e60f13ae22bf\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":0,\"w\":21,\"h\":7,\"i\":\"566a9d04-f2dc-4868-9625-97a19d985703\"},\"panelIndex\":\"566a9d04-f2dc-4868-9625-97a19d985703\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":7,\"i\":\"f247ec64-c278-4e05-ac4d-983bea9dfb7d\"},\"panelIndex\":\"f247ec64-c278-4e05-ac4d-983bea9dfb7d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":7,\"w\":12,\"h\":20,\"i\":\"6e80a142-ab0e-4fd3-891c-e495b78a1625\"},\"panelIndex\":\"6e80a142-ab0e-4fd3-891c-e495b78a1625\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":12,\"y\":7,\"w\":11,\"h\":20,\"i\":\"292cc879-6bc0-4541-ba92-3b3c5f4e3368\"},\"panelIndex\":\"292cc879-6bc0-4541-ba92-3b3c5f4e3368\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":23,\"y\":7,\"w\":14,\"h\":20,\"i\":\"66979b2c-e7c1-4291-91ac-16537b7f9ec3\"},\"panelIndex\":\"66979b2c-e7c1-4291-91ac-16537b7f9ec3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":37,\"y\":7,\"w\":11,\"h\":20,\"i\":\"8bb1cf98-0401-4a2d-9dd8-deca08205a22\"},\"panelIndex\":\"8bb1cf98-0401-4a2d-9dd8-deca08205a22\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\
":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":8,\"h\":20,\"i\":\"393f3cec-3ee0-4275-b319-f307e7a260c6\"},\"panelIndex\":\"393f3cec-3ee0-4275-b319-f307e7a260c6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":27,\"w\":15,\"h\":20,\"i\":\"0e8800a9-a6f5-4a79-8370-61713f584886\"},\"panelIndex\":\"0e8800a9-a6f5-4a79-8370-61713f584886\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":23,\"y\":27,\"w\":25,\"h\":20,\"i\":\"be9a0a2a-d8c6-4d15-b5d7-d5599d0482a3\"},\"panelIndex\":\"be9a0a2a-d8c6-4d15-b5d7-d5599d0482a3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":47,\"w\":48,\"h\":27,\"i\":\"40296d2b-cb6f-423f-989c-3fdaa82d2aad\"},\"panelIndex\":\"40296d2b-cb6f-423f-989c-3fdaa82d2aad\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"}]","timeRestore":false,"title":"Security Onion - 
Strelka","version":1},"id":"ff689c50-75f3-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.11.0"},"references":[{"id":"8cfec8c0-6ec2-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"7a88adc0-75f0-11ea-9565-7315f4ee5cac","name":"panel_3","type":"visualization"},{"id":"49cfe850-772c-11ea-bee5-af7f7c7b8e05","name":"panel_4","type":"visualization"},{"id":"70243970-772c-11ea-bee5-af7f7c7b8e05","name":"panel_5","type":"visualization"},{"id":"ce9e03f0-772c-11ea-bee5-af7f7c7b8e05","name":"panel_6","type":"visualization"},{"id":"a7ebb450-772c-11ea-bee5-af7f7c7b8e05","name":"panel_7","type":"visualization"},{"id":"08c0b770-772e-11ea-bee5-af7f7c7b8e05","name":"panel_8","type":"visualization"},{"id":"e087c7d0-772d-11ea-bee5-af7f7c7b8e05","name":"panel_9","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_10","type":"search"}],"type":"dashboard","updated_at":"2021-03-19T14:35:12.119Z","version":"WzcwNDEzLDRd"} -{"exportedCount":732,"missingRefCount":0,"missingReferences":[]} +{"attributes":{"fieldAttrs":"{\"event.action\":{\"count\":3},\"host.user.name\":{\"count\":2},\"endgame.event_type_full\":{\"count\":3},\"host.name\":{\"count\":2},\"host.os.name\":{\"count\":2},\"host.os.name.text\":{\"count\":1},\"endgame.event_subtype_full\":{\"count\":2},\"event.category\":{\"count\":3},\"process.name\":{\"count\":2},\"process.parent.name\":{\"count\":1},\"agent.id\":{\"count\":1},\"process.executable\":{\"count\":1},\"type\":{\"count\":1}}","fields":"[]","runtimeFieldMap":"{}","timeFieldName":"@timestamp","title":"endgame-*","typeMeta":"{}"},"coreMigrationVersion":"7.15.2","id":"endgame-*","migrationVersion":{"index-pattern":"7.11.0"},"references":[],"type":"index-pattern","updated_at":"2021-12-03T21:06:49.237Z","version":"WzMwMzUsM10="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Endgame - All Logs","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Endgame - All Logs\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}}}"},"coreMigrationVersion":"7.15.2","id":"e2da1340-53a3-11ec-b3ef-6bcc33056a36","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"endgame-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2021-12-03T21:06:49.237Z","version":"WzMwMzYsM10="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Endgame - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Endgame - Log Count Over 
Time\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"used_interval\":\"30m\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"}],\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{},\"style\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"},\"style\":{}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true,\"circlesRadius\":3}],\"addTooltip\":true,\"detailedTooltip\":true,\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"addLegend\":true,\"legendPosition\":\"right\",\"fittingFunction\":\"linear\",\"times\":[],\"addTimeMarker\":false,\"truncateLegend\":true,\"maxLegendLines\":1,\"labels\":{},\"radiusRatio\":9,\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}"},"coreMigrationVersion":"7.15.2","id":"2f7966b0-53a4-11ec-b3ef-6bcc33056a36","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"endgame-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2021-12-03T21:06
:49.237Z","version":"WzMwMzcsM10="} +{"attributes":{"color":"#fd000d","description":"","name":"Endgame"},"coreMigrationVersion":"7.15.2","id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","references":[],"type":"tag","updated_at":"2021-12-03T21:06:49.237Z","version":"WzMwMzgsM10="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"7.15.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":11,\"i\":\"34d19006-1715-4a2f-aa73-a69f531944cf\"},\"panelIndex\":\"34d19006-1715-4a2f-aa73-a69f531944cf\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_34d19006-1715-4a2f-aa73-a69f531944cf\"},{\"version\":\"7.15.2\",\"type\":\"visualization\",\"gridData\":{\"x\":14,\"y\":0,\"w\":34,\"h\":11,\"i\":\"cdc395cf-13e2-487b-bc26-d8228652b651\"},\"panelIndex\":\"cdc395cf-13e2-487b-bc26-d8228652b651\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_cdc395cf-13e2-487b-bc26-d8228652b651\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":11,\"w\":14,\"h\":15,\"i\":\"0beb83fa-d4cf-47f1-9e57-e3c32bdf2800\"},\"panelIndex\":\"0beb83fa-d4cf-47f1-9e57-e3c32bdf2800\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-909005b3-b986-4bf6-9504-f4a9c877a966\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"909005b3-b986-4bf6-9504-f4a9c877a966\",\"groups\":[\"b65c177b-364a-4656-854a-69e6b07f05ff\"],\"metric\":\"98109e10-1bb1-4a93-bd3f-64a228aba2c4\",\"numberDisplay\":\"percent\",\"categoryDisplay\":\"default\",\"legend
Display\":\"default\",\"nestedLegend\":false,\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"909005b3-b986-4bf6-9504-f4a9c877a966\":{\"columns\":{\"b65c177b-364a-4656-854a-69e6b07f05ff\":{\"label\":\"Top values of network.transport\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"network.transport\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"98109e10-1bb1-4a93-bd3f-64a228aba2c4\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"98109e10-1bb1-4a93-bd3f-64a228aba2c4\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"b65c177b-364a-4656-854a-69e6b07f05ff\",\"98109e10-1bb1-4a93-bd3f-64a228aba2c4\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - Network 
Transport\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":14,\"y\":11,\"w\":17,\"h\":15,\"i\":\"0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6\"},\"panelIndex\":\"0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-d76872f3-61fb-4b26-8440-0ca886e33224\"}],\"state\":{\"visualization\":{\"layerId\":\"d76872f3-61fb-4b26-8440-0ca886e33224\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"822af2db-f82f-4f05-a4c3-8c6b7808d79a\"},{\"columnId\":\"6f747e8d-b264-42e8-ae88-2df81bf5bfa5\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"d76872f3-61fb-4b26-8440-0ca886e33224\":{\"columns\":{\"822af2db-f82f-4f05-a4c3-8c6b7808d79a\":{\"label\":\"Top values of destination.ip\",\"dataType\":\"ip\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"destination.ip\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"6f747e8d-b264-42e8-ae88-2df81bf5bfa5\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"6f747e8d-b264-42e8-ae88-2df81bf5bfa5\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"822af2db-f82f-4f05-a4c3-8c6b7808d79a\",\"6f747e8d-b264-42e8-ae88-2df81bf5bfa5\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - Destination 
IP\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":31,\"y\":11,\"w\":17,\"h\":15,\"i\":\"55ac1386-6ccb-4926-813d-1dc397a60036\"},\"panelIndex\":\"55ac1386-6ccb-4926-813d-1dc397a60036\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-f2b4871a-9aca-4016-848c-331b8c221cf7\"}],\"state\":{\"visualization\":{\"layerId\":\"f2b4871a-9aca-4016-848c-331b8c221cf7\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"a06965e8-9258-490d-9765-54afc2fb5073\"},{\"columnId\":\"e81257d5-bbe1-406d-b8b7-01db30a05390\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f2b4871a-9aca-4016-848c-331b8c221cf7\":{\"columns\":{\"a06965e8-9258-490d-9765-54afc2fb5073\":{\"label\":\"Top values of source.ip\",\"dataType\":\"ip\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.ip\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e81257d5-bbe1-406d-b8b7-01db30a05390\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"e81257d5-bbe1-406d-b8b7-01db30a05390\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"a06965e8-9258-490d-9765-54afc2fb5073\",\"e81257d5-bbe1-406d-b8b7-01db30a05390\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - Source 
IP\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":26,\"w\":24,\"h\":15,\"i\":\"1d174f74-9575-4827-8ae0-d5db7d53777b\"},\"panelIndex\":\"1d174f74-9575-4827-8ae0-d5db7d53777b\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-89c7faa8-15c2-4772-95a6-8049a683be1a\"}],\"state\":{\"visualization\":{\"layerId\":\"89c7faa8-15c2-4772-95a6-8049a683be1a\",\"layerType\":\"data\",\"columns\":[{\"isTransposed\":false,\"columnId\":\"0cf6d6cf-9585-4e5f-8729-af8484507670\"},{\"isTransposed\":false,\"columnId\":\"e520b985-a9b8-4183-b29c-61373ed817c8\"},{\"isTransposed\":false,\"columnId\":\"fa5a503a-c448-4dc7-8b1e-5679822218ae\"},{\"isTransposed\":false,\"columnId\":\"9079d4df-8e60-4749-bc38-b3b52782f71d\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"89c7faa8-15c2-4772-95a6-8049a683be1a\":{\"columns\":{\"0cf6d6cf-9585-4e5f-8729-af8484507670\":{\"label\":\"Top values of dns.question.type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"dns.question.type\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"9079d4df-8e60-4749-bc38-b3b52782f71d\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"e520b985-a9b8-4183-b29c-61373ed817c8\":{\"label\":\"Top values of 
dns.question.registered_domain\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"dns.question.registered_domain\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"9079d4df-8e60-4749-bc38-b3b52782f71d\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"fa5a503a-c448-4dc7-8b1e-5679822218ae\":{\"label\":\"Top values of dns.question.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"dns.question.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"9079d4df-8e60-4749-bc38-b3b52782f71d\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"9079d4df-8e60-4749-bc38-b3b52782f71d\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"0cf6d6cf-9585-4e5f-8729-af8484507670\",\"e520b985-a9b8-4183-b29c-61373ed817c8\",\"fa5a503a-c448-4dc7-8b1e-5679822218ae\",\"9079d4df-8e60-4749-bc38-b3b52782f71d\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - DNS 
Query\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":26,\"w\":24,\"h\":15,\"i\":\"0fd77215-f380-4e05-8e8d-7eff24e7eb10\"},\"panelIndex\":\"0fd77215-f380-4e05-8e8d-7eff24e7eb10\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-7d4edcbb-fca9-47d9-93df-acba6aaf6f58\"}],\"state\":{\"visualization\":{\"layerId\":\"7d4edcbb-fca9-47d9-93df-acba6aaf6f58\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"0cbe5805-5e69-4a7e-a5ef-21dfabd592f5\"},{\"columnId\":\"92a4b279-4a18-4513-a75c-52dcf79a6801\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"7d4edcbb-fca9-47d9-93df-acba6aaf6f58\":{\"columns\":{\"0cbe5805-5e69-4a7e-a5ef-21dfabd592f5\":{\"label\":\"Top values of event.category\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.category\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"92a4b279-4a18-4513-a75c-52dcf79a6801\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"92a4b279-4a18-4513-a75c-52dcf79a6801\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"0cbe5805-5e69-4a7e-a5ef-21dfabd592f5\",\"92a4b279-4a18-4513-a75c-52dcf79a6801\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - Network Events\"}]","timeRestore":false,"title":"Endgame - 
Network","version":1},"coreMigrationVersion":"7.15.2","id":"49d34770-53b2-11ec-b3ef-6bcc33056a36","migrationVersion":{"dashboard":"7.15.0"},"references":[{"id":"e2da1340-53a3-11ec-b3ef-6bcc33056a36","name":"34d19006-1715-4a2f-aa73-a69f531944cf:panel_34d19006-1715-4a2f-aa73-a69f531944cf","type":"visualization"},{"id":"2f7966b0-53a4-11ec-b3ef-6bcc33056a36","name":"cdc395cf-13e2-487b-bc26-d8228652b651:panel_cdc395cf-13e2-487b-bc26-d8228652b651","type":"visualization"},{"id":"endgame-*","name":"0beb83fa-d4cf-47f1-9e57-e3c32bdf2800:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"0beb83fa-d4cf-47f1-9e57-e3c32bdf2800:indexpattern-datasource-layer-909005b3-b986-4bf6-9504-f4a9c877a966","type":"index-pattern"},{"id":"endgame-*","name":"0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6:indexpattern-datasource-layer-d76872f3-61fb-4b26-8440-0ca886e33224","type":"index-pattern"},{"id":"endgame-*","name":"55ac1386-6ccb-4926-813d-1dc397a60036:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"55ac1386-6ccb-4926-813d-1dc397a60036:indexpattern-datasource-layer-f2b4871a-9aca-4016-848c-331b8c221cf7","type":"index-pattern"},{"id":"endgame-*","name":"1d174f74-9575-4827-8ae0-d5db7d53777b:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"1d174f74-9575-4827-8ae0-d5db7d53777b:indexpattern-datasource-layer-89c7faa8-15c2-4772-95a6-8049a683be1a","type":"index-pattern"},{"id":"endgame-*","name":"0fd77215-f380-4e05-8e8d-7eff24e7eb10:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"0fd77215-f380-4e05-8e8d-7eff24e7eb10:indexpattern-datasource-layer-7d4edcbb-fca9-47d9-93df-acba6aaf6f58","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-41a5e270-53b1-11ec-b3ef-6bcc33056
a36","type":"tag"}],"type":"dashboard","updated_at":"2021-12-03T21:06:49.237Z","version":"WzMwNDAsM10="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Endgame - Hosts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Endgame - Hosts\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"showToolbar\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"},"coreMigrationVersion":"7.15.2","id":"3b50b220-53ab-11ec-b3ef-6bcc33056a36","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"endgame-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2021-12-03T21:06:49.237Z","version":"WzMwNDEsM10="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Endgame - Categories with Full Event Type","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Endgame - Categories with Full Event 
Type\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"endgame.event_type_full\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"bucket\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"showToolbar\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"row\":true}}"},"coreMigrationVersion":"7.15.2","id":"af1768b0-53ac-11ec-b3ef-6bcc33056a36","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"endgame-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2021-12-03T21:06:49.237Z","version":"WzMwNDIsM10="} +{"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Endgame","version":1},"coreMigrationVersion":"7.15.2","id":"20c85b70-53aa-11ec-b3ef-6bcc33056a36","migrationVersion":{"search":"7.9.3"},"references":[{"id":"endgame-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"search","updated_at":"2021-12-03T21:06:49.237Z","version":"WzMwNDMsM10="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"7.15.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"fe254730-eee5-4aff-b672-a83e54b49c12\"},\"panelIndex\":\"fe254730-eee5-4aff-b672-a83e54b49c12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_fe254730-eee5-4aff-b672-a83e54b49c12\"},{\"version\":\"7.15.2\",\"type\":\"visualization\",\"gridData\":{\"x\":13,\"y\":0,\"w\":25,\"h\":9,\"i\":\"5e96a8cf-1dab-4df2-a4be-baf960448da4\"},\"panelIndex\":\"5e96a8cf-1dab-4df2-a4be-baf960448da4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5e96a8cf-1dab-4df2-a4be-baf960448da4\"},{\"version\":\"7.15.2\",\"type\":\"visualization\",\"gridData\":{\"x\":38,\"y\":0,\"w\":10,\"h\":9,\"i\":\"38c65a86-724b-4c25-818b-1564fbb3793f\"},\"panelIndex\":\"38c65a86-724b-4c25-818b-1564fbb3793f\",\"embeddableConfig\":{\"savedVis\":{\"title\":\"Endgame - Alert Count\",\"description\":\"\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to 
Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"uiState\":{},\"data\":{\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"}],\"searchSource\":{\"index\":\"endgame-*\",\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"endgame-*\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"detection\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"detection\"}}}]}}},\"enhancements\":{}}},{\"version\":\"7.15.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":9,\"w\":13,\"h\":16,\"i\":\"680adbf3-9347-4c45-87b8-d87587e38b09\"},\"panelIndex\":\"680adbf3-9347-4c45-87b8-d87587e38b09\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_680adbf3-9347-4c45-87b8-d87587e38b09\"},{\"version\":\"7.15.2\",\"type\":\"visualization\",\"gridData\":{\"x\":13,\"y\":9,\"w\":25,\"h\":16,\"i\":\"6569d104-bb49-4de6-8d2d-9dc49739b291\"},\"panelIndex\":\"6569d104-bb49-4de6-8d2d-9dc49739b291\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6569d104-bb49-4de6-8d2d-9dc49739b291\"},{\"version\":\"7.15.2\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":25,\"w\":48,\"h\":13,\"i\":\"4a354630-93fd-4370-b10f-80386aee6d00\"},\"panelIndex\":\"4a354630-93fd-4370-b10f-80386aee6d00\",\"embeddableConfig\":{\"columns\":[],\"enhancements\":{}},\"panelRefName\":\"panel_4a354630-93fd-4370-b10f-80386aee6d00\"}]","timeRestore":false,"title":"Endgame - 
Host","version":1},"coreMigrationVersion":"7.15.2","id":"5d8f04d0-53b6-11ec-b3ef-6bcc33056a36","migrationVersion":{"dashboard":"7.15.0"},"references":[{"id":"e2da1340-53a3-11ec-b3ef-6bcc33056a36","name":"fe254730-eee5-4aff-b672-a83e54b49c12:panel_fe254730-eee5-4aff-b672-a83e54b49c12","type":"visualization"},{"id":"2f7966b0-53a4-11ec-b3ef-6bcc33056a36","name":"5e96a8cf-1dab-4df2-a4be-baf960448da4:panel_5e96a8cf-1dab-4df2-a4be-baf960448da4","type":"visualization"},{"id":"endgame-*","name":"38c65a86-724b-4c25-818b-1564fbb3793f:kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"endgame-*","name":"38c65a86-724b-4c25-818b-1564fbb3793f:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"},{"id":"3b50b220-53ab-11ec-b3ef-6bcc33056a36","name":"680adbf3-9347-4c45-87b8-d87587e38b09:panel_680adbf3-9347-4c45-87b8-d87587e38b09","type":"visualization"},{"id":"af1768b0-53ac-11ec-b3ef-6bcc33056a36","name":"6569d104-bb49-4de6-8d2d-9dc49739b291:panel_6569d104-bb49-4de6-8d2d-9dc49739b291","type":"visualization"},{"id":"20c85b70-53aa-11ec-b3ef-6bcc33056a36","name":"4a354630-93fd-4370-b10f-80386aee6d00:panel_4a354630-93fd-4370-b10f-80386aee6d00","type":"search"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"type":"dashboard","updated_at":"2021-12-03T21:06:49.237Z","version":"WzMwNDQsM10="} +{"exportedCount":741,"missingRefCount":0,"missingReferences":[]} From 73a1a3878fc52b5483c8e29768d1284b19956089 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 6 Dec 2021 09:37:07 -0500 Subject: [PATCH 12/13] Update HOTFIX --- HOTFIX | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HOTFIX b/HOTFIX index a5609cf48..c8afc65ee 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +1 @@ -WAZUH AIRGAPFIX SOUP +WAZUH AIRGAPFIX 20211206 From 4188282724e9cb97d219a9213b9e166932fcbacf Mon Sep 17 00:00:00 2001 
From: Mike Reeves
Date: Mon, 6 Dec 2021 11:03:49 -0500
Subject: [PATCH 13/13] 2.3.90 hotfix 20211206
---
 README.md | 4 ++--
 VERIFY_ISO.md | 22 ++++++++++-----------
 sigs/securityonion-2.3.90-20211206.iso.sig | Bin 0 -> 543 bytes
 3 files changed, 13 insertions(+), 13 deletions(-)
 create mode 100644 sigs/securityonion-2.3.90-20211206.iso.sig
diff --git a/README.md b/README.md
index 0732601d7..0739efec5 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
-## Security Onion 2.3.90-WAZUH
+## Security Onion 2.3.90-20211206
-Security Onion 2.3.90-AIRGAPFIX is here!
+Security Onion 2.3.90-20211206 is here!
 ## Screenshots
diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md
index 218a703d6..7dfb372cf 100644
--- a/VERIFY_ISO.md
+++ b/VERIFY_ISO.md
@@ -1,18 +1,18 @@
-### 2.3.90-AIRGAPFIX ISO image built on 2021/12/01
+### 2.3.90-20211206 ISO image built on 2021/12/06
 ### Download and Verify
-2.3.90-AIRGAPFIX ISO image:
-https://download.securityonion.net/file/securityonion/securityonion-2.3.90-AIRGAPFIX.iso
+2.3.90-20211206 ISO image:
+https://download.securityonion.net/file/securityonion/securityonion-2.3.90-20211206.iso
-MD5: A87EEF66FEB2ED6E20ABD4ADDA4899C6
-SHA1: D1AD74D1481E9FF6F1A79D27DC569DA6749EC54B
-SHA256: E4FC40340357B098E881F13BC4960AA8CB5F5AC73C05E077C993078ED7F46D59
+MD5: 8A5FDF731D548E27D123E5B711890AEC
+SHA1: B4AF33FE1D64592D46C780AF0C5E7FBD21A22BDE
+SHA256: 091DA2D06C82447639D324EE32DBC385AE407078B3A55F4E0704B22DB6B29A7E
 Signature for ISO image:
-https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.90-AIRGAPFIX.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.90-20211206.iso.sig
 Signing key:
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
 Download the signature file for the ISO:
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.90-AIRGAPFIX.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.90-20211206.iso.sig
 ```
 Download the ISO image:
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.3.90-AIRGAPFIX.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.3.90-20211206.iso
 ```
 Verify the downloaded ISO image using the signature file:
 ```
-gpg --verify securityonion-2.3.90-AIRGAPFIX.iso.sig securityonion-2.3.90-AIRGAPFIX.iso
+gpg --verify securityonion-2.3.90-20211206.iso.sig securityonion-2.3.90-20211206.iso
 ```
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Wed 01 Dec 2021 11:07:16 AM EST using RSA key ID FE507013
+gpg: Signature made Mon 06 Dec 2021 10:14:29 AM EST using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC "
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg: There is no indication that the signature belongs to the owner.
diff --git a/sigs/securityonion-2.3.90-20211206.iso.sig b/sigs/securityonion-2.3.90-20211206.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..5afc243ddb1542bdefb6b8d48bbbc48fd7896b50 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;BNDAfQ82@re`V7LBIa1(tf5B@QT9rkQxv>A(xn+E!9 z-}zIlb9D=ZwoyDh=wlErUh4r$6;isx#0E?yT-A_L;-M5SOea(hLR zk5xM{@11Cxt~&+M)?(y#B^xH0?)131FdaL!Y;V3Yb^#zwO@}(P>U*WOO>4a9K>}tn zQp9XnT|jGaW{=cJ(t{Ldp)<=TVPP{P@^XuM7|Cr!jUf479$WMcK&5RO#XtQgeM`(= zS1$`q5(Kfoe|y}jI3K%nzF&3P|4qm;7@nFr^!UBrY$hCg3IA^Q0`y=t(mR)v2-=?z!}?t#+-du-FIvc`(3rU(k59p~(PaxBE?< zh5c}BB6#`L(Z9b5-R}nKE5v|J9@2Yul|lzG{@BDk zQJl6+q7iRz3l%GBE%O7&i;YbD_4GmS9+?o9OUJ|B#KEj=@91#z%b@RiDw@W+Ln2`2 z!|*8EKm0=>$`nn=cGE8z{gDO`!NbF|Ho(#E|NuXu!@tP%~9FRR@hl*6Y zxQw5E hA#7Ps#-J{hf#jz>w^!|Gfr+KfIRkyMN