diff --git a/README.md b/README.md index fc302d2a8..72f2d34fe 100644 --- a/README.md +++ b/README.md @@ -1,20 +1,26 @@ -## Security Onion 2.4 Beta 3 +## Security Onion 2.4 Release Candidate 1 (RC1) -Security Onion 2.4 Beta 3 is here! +Security Onion 2.4 Release Candidate 1 (RC1) is here! ## Screenshots Alerts -![Alerts](./assets/images/screenshots/alerts.png) +![Alerts](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/39_alerts.png) Dashboards -![Dashboards](./assets/images/screenshots/dashboards.png) +![Dashboards](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/40_dashboards.png) Hunt -![Hunt](./assets/images/screenshots/hunt.png) +![Hunt](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/41_hunt.png) -Cases -![Cases](./assets/images/screenshots/cases-comments.png) +PCAP +![PCAP](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/42_pcap.png) + +Grid +![Grid](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/46_grid.png) + +Config +![Config](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/50_config.png) ### Release Notes diff --git a/salt/curator/files/action/logs-elastic_agent-default-close.yaml b/salt/curator/files/action/logs-elastic_agent-default-close.yaml index ef03e4ba2..03c1ea81d 100644 --- a/salt/curator/files/action/logs-elastic_agent-default-close.yaml +++ b/salt/curator/files/action/logs-elastic_agent-default-close.yaml @@ -12,7 +12,7 @@ actions: options: delete_aliases: False timeout_override: - continue_if_exception: False + ignore_empty_list: True disable_action: False filters: - filtertype: pattern diff --git a/salt/curator/files/action/logs-elastic_agent-filebeat-default-close.yaml b/salt/curator/files/action/logs-elastic_agent-filebeat-default-close.yaml index 1157f94b2..2d7e897cf 100644 
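Review bot: Swapping `continue_if_exception: False` for `ignore_empty_list: True` is the same edit in every curator close action on this page (the thirty other files from logs-elastic_agent-filebeat-default-close.yaml through so-zeek-close.yml), so the intent is worth recording once: dropping the key is a no-op because Curator's default for `continue_if_exception` is already False, while `ignore_empty_list: True` turns a run whose pattern matches no index into a clean exit instead of a failure. The trade-off is that a stale or mistyped pattern now looks like success, and the Curator log becomes the only place where "nothing was closed" is visible, so a line such as `# ignore_empty_list: exit cleanly when no index matches the pattern below` above the option would help the next reader. With the same options block duplicated across every action file, rendering them from a single Jinja template would keep further changes from drifting between files.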
--- a/salt/curator/files/action/logs-elastic_agent-filebeat-default-close.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-filebeat-default-close.yaml
@@ -12,7 +12,7 @@ actions:
 options:
 delete_aliases: False
 timeout_override:
- continue_if_exception: False
+ ignore_empty_list: True
 disable_action: False
 filters:
 - filtertype: pattern
diff --git a/salt/curator/files/action/logs-elastic_agent-fleet_server-default-close.yaml b/salt/curator/files/action/logs-elastic_agent-fleet_server-default-close.yaml
index 6bc2026b9..0fd1d6129 100644
--- a/salt/curator/files/action/logs-elastic_agent-fleet_server-default-close.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-fleet_server-default-close.yaml
@@ -12,7 +12,7 @@ actions:
 options:
 delete_aliases: False
 timeout_override:
- continue_if_exception: False
+ ignore_empty_list: True
 disable_action: False
 filters:
 - filtertype: pattern
diff --git a/salt/curator/files/action/logs-elastic_agent-metricbeat-default-close.yaml b/salt/curator/files/action/logs-elastic_agent-metricbeat-default-close.yaml
index a4e38cd8e..cedf64eeb 100644
--- a/salt/curator/files/action/logs-elastic_agent-metricbeat-default-close.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-metricbeat-default-close.yaml
@@ -12,7 +12,7 @@ actions:
 options:
 delete_aliases: False
 timeout_override:
- continue_if_exception: False
+ ignore_empty_list: True
 disable_action: False
 filters:
 - filtertype: pattern
diff --git a/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-close.yaml b/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-close.yaml
index 9243d8cfb..e25b7f2b8 100644
--- a/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-close.yaml
+++ b/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-close.yaml
@@ -12,7 +12,7 @@ actions:
 options:
 delete_aliases: False
 timeout_override:
- continue_if_exception: False
+ ignore_empty_list: True
 disable_action: False
 filters:
 - filtertype: pattern
diff --git a/salt/curator/files/action/logs-import-so-close.yml b/salt/curator/files/action/logs-import-so-close.yml
index 52ddb5eb5..e2d28fd06 100644
--- a/salt/curator/files/action/logs-import-so-close.yml
+++ b/salt/curator/files/action/logs-import-so-close.yml
@@ -12,7 +12,7 @@ actions:
 options:
 delete_aliases: False
 timeout_override:
- continue_if_exception: False
+ ignore_empty_list: True
 disable_action: False
 filters:
 - filtertype: pattern
diff --git a/salt/curator/files/action/logs-strelka-so-close.yml b/salt/curator/files/action/logs-strelka-so-close.yml
index a5b31785f..c4b57995d 100644
--- a/salt/curator/files/action/logs-strelka-so-close.yml
+++ b/salt/curator/files/action/logs-strelka-so-close.yml
@@ -12,7 +12,7 @@ actions:
 options:
 delete_aliases: False
 timeout_override:
- continue_if_exception: False
+ ignore_empty_list: True
 disable_action: False
 filters:
 - filtertype: pattern
diff --git a/salt/curator/files/action/logs-suricata-so-close.yml b/salt/curator/files/action/logs-suricata-so-close.yml
index a25be9f3d..c99a85285 100644
--- a/salt/curator/files/action/logs-suricata-so-close.yml
+++ b/salt/curator/files/action/logs-suricata-so-close.yml
@@ -12,7 +12,7 @@ actions:
 options:
 delete_aliases: False
 timeout_override:
- continue_if_exception: False
+ ignore_empty_list: True
 disable_action: False
 filters:
 - filtertype: pattern
diff --git a/salt/curator/files/action/logs-syslog-so-close.yml b/salt/curator/files/action/logs-syslog-so-close.yml
index b9baf3c1a..3ccf7834b 100644
--- a/salt/curator/files/action/logs-syslog-so-close.yml
+++ b/salt/curator/files/action/logs-syslog-so-close.yml
@@ -12,7 +12,7 @@ actions:
 options:
 delete_aliases: False
 timeout_override:
- continue_if_exception: False
+ ignore_empty_list: True
 disable_action: False
 filters:
 - filtertype: pattern
diff --git a/salt/curator/files/action/logs-system-application-default-close.yaml b/salt/curator/files/action/logs-system-application-default-close.yaml
index 76d01ecb4..4a04ebbb7 100644
--- a/salt/curator/files/action/logs-system-application-default-close.yaml
+++ b/salt/curator/files/action/logs-system-application-default-close.yaml
@@ -12,7 +12,7 @@ actions:
 options:
 delete_aliases: False
 timeout_override:
- continue_if_exception: False
+ ignore_empty_list: True
 disable_action: False
 filters:
 - filtertype: pattern
diff --git a/salt/curator/files/action/logs-system-auth-default-close.yaml b/salt/curator/files/action/logs-system-auth-default-close.yaml
index af9843b35..287997e87 100644
--- a/salt/curator/files/action/logs-system-auth-default-close.yaml
+++ b/salt/curator/files/action/logs-system-auth-default-close.yaml
@@ -12,7 +12,7 @@ actions:
 options:
 delete_aliases: False
 timeout_override:
- continue_if_exception: False
+ ignore_empty_list: True
 disable_action: False
 filters:
 - filtertype: pattern
diff --git a/salt/curator/files/action/logs-system-security-default-close.yaml b/salt/curator/files/action/logs-system-security-default-close.yaml
index 9a8cab35c..2506ca357 100644
--- a/salt/curator/files/action/logs-system-security-default-close.yaml
+++ b/salt/curator/files/action/logs-system-security-default-close.yaml
@@ -12,7 +12,7 @@ actions:
 options:
 delete_aliases: False
 timeout_override:
- continue_if_exception: False
+ ignore_empty_list: True
 disable_action: False
 filters:
 - filtertype: pattern
diff --git a/salt/curator/files/action/logs-system-syslog-default-close.yaml b/salt/curator/files/action/logs-system-syslog-default-close.yaml
index 3c9482b40..8da3afd45 100644
--- a/salt/curator/files/action/logs-system-syslog-default-close.yaml
+++ b/salt/curator/files/action/logs-system-syslog-default-close.yaml
@@ -12,7 +12,7 @@ actions:
 options:
 delete_aliases: False
 timeout_override:
- continue_if_exception: False
+ ignore_empty_list: True
 disable_action: False
 filters:
 - filtertype: pattern
diff --git a/salt/curator/files/action/logs-system-system-default-close.yaml b/salt/curator/files/action/logs-system-system-default-close.yaml
index 284d6e219..401125e08 100644
--- a/salt/curator/files/action/logs-system-system-default-close.yaml
+++ b/salt/curator/files/action/logs-system-system-default-close.yaml
@@ -12,7 +12,7 @@ actions:
 options:
 delete_aliases: False
 timeout_override:
- continue_if_exception: False
+ ignore_empty_list: True
 disable_action: False
 filters:
 - filtertype: pattern
diff --git a/salt/curator/files/action/logs-windows-powershell-default-close.yaml b/salt/curator/files/action/logs-windows-powershell-default-close.yaml
index 7c3cebab3..8f878f4c9 100644
--- a/salt/curator/files/action/logs-windows-powershell-default-close.yaml
+++ b/salt/curator/files/action/logs-windows-powershell-default-close.yaml
@@ -12,7 +12,7 @@ actions:
 options:
 delete_aliases: False
 timeout_override:
- continue_if_exception: False
+ ignore_empty_list: True
 disable_action: False
 filters:
 - filtertype: pattern
diff --git a/salt/curator/files/action/logs-windows-sysmon_operational-default-close.yaml b/salt/curator/files/action/logs-windows-sysmon_operational-default-close.yaml
index ae98b8939..8cd9c99f3 100644
--- a/salt/curator/files/action/logs-windows-sysmon_operational-default-close.yaml
+++ b/salt/curator/files/action/logs-windows-sysmon_operational-default-close.yaml
@@ -12,7 +12,7 @@ actions:
 options:
 delete_aliases: False
 timeout_override:
- continue_if_exception: False
+ ignore_empty_list: True
 disable_action: False
 filters:
 - filtertype: pattern
diff --git a/salt/curator/files/action/logs-zeek-so-close.yml b/salt/curator/files/action/logs-zeek-so-close.yml
index f8ad13ca0..020c89cbc 100644
--- a/salt/curator/files/action/logs-zeek-so-close.yml
+++ b/salt/curator/files/action/logs-zeek-so-close.yml
@@ -12,7 +12,7 @@ actions:
 options:
 delete_aliases: False
 timeout_override:
- continue_if_exception: False
+ ignore_empty_list: True
 disable_action: False
 filters:
 - filtertype: pattern
diff --git a/salt/curator/files/action/so-beats-close.yml b/salt/curator/files/action/so-beats-close.yml
index 27985a50d..88c7ce91a 100644
--- a/salt/curator/files/action/so-beats-close.yml
+++ b/salt/curator/files/action/so-beats-close.yml
@@ -12,7 +12,7 @@ actions:
 options:
 delete_aliases: False
 timeout_override:
- continue_if_exception: False
+ ignore_empty_list: True
 disable_action: False
 filters:
 - filtertype: pattern
diff --git a/salt/curator/files/action/so-elasticsearch-close.yml b/salt/curator/files/action/so-elasticsearch-close.yml
index 11e0b1e7b..e4d8824bd 100644
--- a/salt/curator/files/action/so-elasticsearch-close.yml
+++ b/salt/curator/files/action/so-elasticsearch-close.yml
@@ -12,7 +12,7 @@ actions:
 options:
 delete_aliases: False
 timeout_override:
- continue_if_exception: False
+ ignore_empty_list: True
 disable_action: False
 filters:
 - filtertype: pattern
diff --git a/salt/curator/files/action/so-firewall-close.yml b/salt/curator/files/action/so-firewall-close.yml
index 9b2a619ef..18d30737d 100644
--- a/salt/curator/files/action/so-firewall-close.yml
+++ b/salt/curator/files/action/so-firewall-close.yml
@@ -13,7 +13,7 @@ actions:
 options:
 delete_aliases: False
 timeout_override:
- continue_if_exception: False
+ ignore_empty_list: True
 disable_action: False
 filters:
 - filtertype: pattern
diff --git a/salt/curator/files/action/so-ids-close.yml b/salt/curator/files/action/so-ids-close.yml
index 25b2650ab..359e0a4cc 100644
--- a/salt/curator/files/action/so-ids-close.yml
+++ b/salt/curator/files/action/so-ids-close.yml
@@ -13,7 +13,7 @@ actions:
 options:
 delete_aliases: False
 timeout_override:
- continue_if_exception: False
+ ignore_empty_list: True
 disable_action: False
 filters:
 - filtertype: pattern
diff --git a/salt/curator/files/action/so-import-close.yml b/salt/curator/files/action/so-import-close.yml
index 017c5f08e..7a60b9343 100644
--- a/salt/curator/files/action/so-import-close.yml
+++ b/salt/curator/files/action/so-import-close.yml
@@ -12,7 +12,7 @@ actions:
 options:
 delete_aliases: False
 timeout_override:
- continue_if_exception: False
+ ignore_empty_list: True
 disable_action: False
 filters:
 - filtertype: pattern
diff --git a/salt/curator/files/action/so-kibana-close.yml b/salt/curator/files/action/so-kibana-close.yml
index 72a234d98..7c29ed294 100644
--- a/salt/curator/files/action/so-kibana-close.yml
+++ b/salt/curator/files/action/so-kibana-close.yml
@@ -12,7 +12,7 @@ actions:
 options:
 delete_aliases: False
 timeout_override:
- continue_if_exception: False
+ ignore_empty_list: True
 disable_action: False
 filters:
 - filtertype: pattern
diff --git a/salt/curator/files/action/so-kratos-close.yml b/salt/curator/files/action/so-kratos-close.yml
index 7b99a508e..d5fc3385c 100644
--- a/salt/curator/files/action/so-kratos-close.yml
+++ b/salt/curator/files/action/so-kratos-close.yml
@@ -12,7 +12,7 @@ actions:
 options:
 delete_aliases: False
 timeout_override:
- continue_if_exception: False
+ ignore_empty_list: True
 disable_action: False
 filters:
 - filtertype: pattern
diff --git a/salt/curator/files/action/so-logstash-close.yml b/salt/curator/files/action/so-logstash-close.yml
index bbd52c706..34402d95c 100644
--- a/salt/curator/files/action/so-logstash-close.yml
+++ b/salt/curator/files/action/so-logstash-close.yml
@@ -12,7 +12,7 @@ actions:
 options:
 delete_aliases: False
 timeout_override:
- continue_if_exception: False
+ ignore_empty_list: True
 disable_action: False
 filters:
 - filtertype: pattern
diff --git a/salt/curator/files/action/so-netflow-close.yml b/salt/curator/files/action/so-netflow-close.yml
index 587d749d4..359d6f1f1 100644
--- a/salt/curator/files/action/so-netflow-close.yml
+++ b/salt/curator/files/action/so-netflow-close.yml
@@ -12,7 +12,7 @@ actions:
 options:
 delete_aliases: False
 timeout_override:
- continue_if_exception: False
+ ignore_empty_list: True
 disable_action: False
 filters:
 - filtertype: pattern
diff --git a/salt/curator/files/action/so-osquery-close.yml b/salt/curator/files/action/so-osquery-close.yml
index d8bc54579..59b6a92b2 100644
--- a/salt/curator/files/action/so-osquery-close.yml
+++ b/salt/curator/files/action/so-osquery-close.yml
@@ -12,7 +12,7 @@ actions:
 options:
 delete_aliases: False
 timeout_override:
- continue_if_exception: False
+ ignore_empty_list: True
 disable_action: False
 filters:
 - filtertype: pattern
diff --git a/salt/curator/files/action/so-ossec-close.yml b/salt/curator/files/action/so-ossec-close.yml
index 4de77abb1..ac0691ad8 100644
--- a/salt/curator/files/action/so-ossec-close.yml
+++ b/salt/curator/files/action/so-ossec-close.yml
@@ -12,7 +12,7 @@ actions:
 options:
 delete_aliases: False
 timeout_override:
- continue_if_exception: False
+ ignore_empty_list: True
 disable_action: False
 filters:
 - filtertype: pattern
diff --git a/salt/curator/files/action/so-redis-close.yml b/salt/curator/files/action/so-redis-close.yml
index 36c1b9744..f7c5ef4c6 100644
--- a/salt/curator/files/action/so-redis-close.yml
+++ b/salt/curator/files/action/so-redis-close.yml
@@ -12,7 +12,7 @@ actions:
 options:
 delete_aliases: False
 timeout_override:
- continue_if_exception: False
+ ignore_empty_list: True
 disable_action: False
 filters:
 - filtertype: pattern
diff --git a/salt/curator/files/action/so-strelka-close.yml b/salt/curator/files/action/so-strelka-close.yml
index e168e44fa..9d908d6d2 100644
--- a/salt/curator/files/action/so-strelka-close.yml
+++ b/salt/curator/files/action/so-strelka-close.yml
@@ -12,7 +12,7 @@ actions:
 options:
 delete_aliases: False
 timeout_override:
- continue_if_exception: False
+ ignore_empty_list: True
 disable_action: False
 filters:
 - filtertype: pattern
diff --git a/salt/curator/files/action/so-syslog-close.yml b/salt/curator/files/action/so-syslog-close.yml
index 8fcf46f52..e5a58e437 100644
--- a/salt/curator/files/action/so-syslog-close.yml
+++ b/salt/curator/files/action/so-syslog-close.yml
@@ -12,7 +12,7 @@ actions:
 options:
 delete_aliases: False
 timeout_override:
- continue_if_exception: False
+ ignore_empty_list: True
 disable_action: False
 filters:
 - filtertype: pattern
diff --git a/salt/curator/files/action/so-zeek-close.yml b/salt/curator/files/action/so-zeek-close.yml
index 950f3e6b2..1e9ea59e4 100644
--- a/salt/curator/files/action/so-zeek-close.yml
+++ b/salt/curator/files/action/so-zeek-close.yml
@@ -12,7 +12,7 @@ actions:
 options:
 delete_aliases: False
 timeout_override:
- continue_if_exception: False
+ ignore_empty_list: True
 disable_action: False
 filters:
 - filtertype: pattern
diff --git a/salt/elastalert/defaults.yaml b/salt/elastalert/defaults.yaml
index c073e4ee6..a01c80952 100644
--- a/salt/elastalert/defaults.yaml
+++ b/salt/elastalert/defaults.yaml
@@ -13,7 +13,6 @@ elastalert:
 es_port: 9200
 es_conn_timeout: 55
 max_query_size: 5000
- eql: true
 use_ssl: true
 verify_certs: false
 writeback_index: elastalert
diff --git a/salt/elastalert/files/modules/so/playbook-es.py b/salt/elastalert/files/modules/so/playbook-es.py
index 680c81d53..3b38fcf57 100644
--- a/salt/elastalert/files/modules/so/playbook-es.py
+++ b/salt/elastalert/files/modules/so/playbook-es.py
@@ -31,7 +31,7 @@ class PlaybookESAlerter(Alerter): creds = (self.rule['es_username'], self.rule['es_password']) payload = {"rule": { "name": self.rule['play_title'],"case_template": self.rule['play_id'],"uuid": self.rule['play_id'],"category": self.rule['rule.category']},"event":{ "severity": self.rule['event.severity'],"module": self.rule['event.module'],"dataset": self.rule['event.dataset'],"severity_label": self.rule['sigma_level']},"kibana_pivot": self.rule['kibana_pivot'],"soc_pivot": self.rule['soc_pivot'],"play_url": self.rule['play_url'],"sigma_level": self.rule['sigma_level'],"event_data": match, "@timestamp": timestamp} - url = f"{self.rule['es_hosts']}/so-playbook-alerts-{today}/_doc/" + url = f"https://{self.rule['es_host']}:{self.rule['es_port']}/logs-playbook.alerts-so/_doc/" requests.post(url, data=json.dumps(payload), headers=headers, verify=False, auth=creds) def get_info(self): diff --git a/salt/elastalert/map.jinja b/salt/elastalert/map.jinja index 7cec262d0..cc395d8ee 100644 --- a/salt/elastalert/map.jinja +++ b/salt/elastalert/map.jinja @@ -8,7 +8,7 @@ {% set elastalert_pillar = salt['pillar.get']('elastalert:config', {}) %} -{% do ELASTALERTDEFAULTS.elastalert.config.update({'es_hosts': 'https://' + GLOBALS.manager + ':' + ELASTALERTDEFAULTS.elastalert.config.es_port|string}) %} +{% do ELASTALERTDEFAULTS.elastalert.config.update({'es_host': GLOBALS.manager}) %} {% do ELASTALERTDEFAULTS.elastalert.config.update({'es_username': pillar.elasticsearch.auth.users.so_elastic_user.user}) %} {% do ELASTALERTDEFAULTS.elastalert.config.update({'es_password': pillar.elasticsearch.auth.users.so_elastic_user.pass}) %} diff --git a/salt/elasticsearch/files/ingest/suricata.fileinfo b/salt/elasticsearch/files/ingest/suricata.fileinfo index fe9e4b109..4f6182139 100644 --- a/salt/elasticsearch/files/ingest/suricata.fileinfo +++ b/salt/elasticsearch/files/ingest/suricata.fileinfo 
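Review bot: The new `url` hard-codes `https://` to the manager, but the unchanged `requests.post(..., verify=False, ...)` on the next line still skips certificate verification, so the alert write-back is encrypted yet the peer is never authenticated; if the elastalert `verify_certs` setting shown in defaults.yaml reaches the rule dict, `verify=self.rule.get('verify_certs', False)` would let operators turn checking on without a code change while keeping today's behaviour as the default. The removed line was the only visible reader of `today`; if it is still computed above the hunk it is now dead code. `self.rule['es_host']` and `self.rule['es_port']` are indexed directly, so a rule that lacks either key fails with KeyError at alert time rather than at rule load — fine if the loader guarantees them, but a comment saying so (`# es_host/es_port are injected from salt/elastalert/map.jinja and defaults.yaml`) would save the next reader the search. The enclosing alert method starts before the hunk.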
@@ -1,7 +1,7 @@
 {
 "description" : "suricata.fileinfo",
 "processors" : [
- { "set": { "field": "dataset", "value": "file" } },
+ { "set": { "field": "event.dataset", "value": "file" } },
 { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
 { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
 { "rename": { "field": "message2.fileinfo.filename", "target_field": "file.name", "ignore_missing": true } },
@@ -13,7 +13,7 @@
 { "rename": { "field": "message2.fileinfo.size", "target_field": "file.size", "ignore_missing": true } },
 { "rename": { "field": "message2.fileinfo.state", "target_field": "file.state", "ignore_missing": true } },
 { "rename": { "field": "message2.fileinfo.stored", "target_field": "file.saved", "ignore_missing": true } },
- { "rename": { "field": "message2.fileinfo.sha256", "target_field": "hash.sha256", "ignore_missing": true } },
+ { "rename": { "field": "message2.fileinfo.sha256", "target_field": "hash.sha256", "ignore_missing": true } },
 { "set": { "if": "ctx.network?.protocol != null", "field": "file.source", "value": "{{network.protocol}}" } },
 { "pipeline": { "name": "common" } }
 ]
diff --git a/salt/elasticsearch/files/ingest/suricata.flow b/salt/elasticsearch/files/ingest/suricata.flow
index 47bec3a60..03fcc7277 100644
--- a/salt/elasticsearch/files/ingest/suricata.flow
+++ b/salt/elasticsearch/files/ingest/suricata.flow
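Review bot: The `set` processor now writes `event.dataset` instead of the top-level `dataset` here and in suricata.flow, suricata.krb5 and suricata.tls, and zeek.files drops its trailing `{ "set": { "field": "dataset", "value": "file" } }`; nothing on this page shows the `common` and `zeek.common` pipelines or any saved search, dashboard or detection rule still keyed on `dataset`, and a consumer that is would simply stop matching without any ingest error, so that is worth confirming before the release rather than after. The second hunk in this file, and most lines of the flow, krb5 and zeek.files hunks, change only whitespace, which buries the single semantic change per file; a separate whitespace-only commit would make the `dataset` to `event.dataset` move reviewable at a glance.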
@@ -1,12 +1,12 @@
 {
 "description" : "suricata.flow",
 "processors" : [
- { "set": { "field": "dataset", "value": "conn" } },
- { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
+ { "set": { "field": "event.dataset", "value": "conn" } },
+ { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
 { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
 { "rename": { "field": "message2.flow.state", "target_field": "connection.state", "ignore_missing": true } },
- { "rename": { "field": "message2.flow.bytes_toclient", "target_field": "server.ip_bytes", "ignore_missing": true } },
- { "rename": { "field": "message2.flow.bytes_toserver", "target_field": "client.ip_bytes", "ignore_missing": true } },
+ { "rename": { "field": "message2.flow.bytes_toclient", "target_field": "server.ip_bytes", "ignore_missing": true } },
+ { "rename": { "field": "message2.flow.bytes_toserver", "target_field": "client.ip_bytes", "ignore_missing": true } },
 { "rename": { "field": "message2.flow.start", "target_field": "connection.start", "ignore_missing": true } },
 { "rename": { "field": "message2.flow.end", "target_field": "connection.end", "ignore_missing": true } },
 { "pipeline": { "name": "common" } }
diff --git a/salt/elasticsearch/files/ingest/suricata.krb5 b/salt/elasticsearch/files/ingest/suricata.krb5
index 1e3039830..9f5a643db 100644
--- a/salt/elasticsearch/files/ingest/suricata.krb5
+++ b/salt/elasticsearch/files/ingest/suricata.krb5
@@ -1,15 +1,15 @@ { "description" : "suricata.krb5", "processors" : [ - { "set": { "field": "dataset", "value": "kerberos" } }, - { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }, - { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } }, - { "rename": { "field": "message2.krb5.msg_type", "target_field": "kerberos.request_type", "ignore_missing": true } }, - { "rename": { "field": "message2.krb5.cname", "target_field": "kerberos.client", "ignore_missing": true } }, - { "rename": { "field": "message2.krb5.realm", "target_field": "kerberos.realm", "ignore_missing": true } }, - { "rename": { "field": "message2.krb5.sname", "target_field": "kerberos.service", "ignore_missing": true } }, - { "rename": { "field": "message2.krb5.encryption", "target_field": "kerberos.ticket.cipher", "ignore_missing": true } }, - { "rename": { "field": "message2.krb.weak_encryption", "target_field": "kerberos.weak_encryption", "ignore_missing": true } }, + { "set": { "field": "event.dataset", "value": "kerberos" } }, + { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }, + { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } }, + { "rename": { "field": "message2.krb5.msg_type", "target_field": "kerberos.request_type", "ignore_missing": true } }, + { "rename": { "field": "message2.krb5.cname", "target_field": "kerberos.client", "ignore_missing": true } }, + { "rename": { "field": "message2.krb5.realm", "target_field": "kerberos.realm", "ignore_missing": true } }, + { "rename": { "field": "message2.krb5.sname", "target_field": "kerberos.service", "ignore_missing": true } }, + { "rename": { "field": "message2.krb5.encryption", "target_field": "kerberos.ticket.cipher", "ignore_missing": true } }, + { "rename": { "field": "message2.krb.weak_encryption", "target_field": 
"kerberos.weak_encryption", "ignore_missing": true } }, { "pipeline": { "name": "common" } } ] -} \ No newline at end of file +} diff --git a/salt/elasticsearch/files/ingest/suricata.tls b/salt/elasticsearch/files/ingest/suricata.tls index 6fb0aa5ad..3d738c75e 100644 --- a/salt/elasticsearch/files/ingest/suricata.tls +++ b/salt/elasticsearch/files/ingest/suricata.tls @@ -1,7 +1,7 @@ { "description" : "suricata.tls", "processors" : [ - { "set": { "field": "dataset", "value": "ssl" } }, + { "set": { "field": "event.dataset", "value": "ssl" } }, { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }, { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } }, { "rename": { "field": "message2.tls.subject", "target_field": "ssl.certificate.subject", "ignore_missing": true } }, diff --git a/salt/elasticsearch/files/ingest/zeek.files b/salt/elasticsearch/files/ingest/zeek.files index 7ce7f9ed5..f95ff3d46 100644 --- a/salt/elasticsearch/files/ingest/zeek.files +++ b/salt/elasticsearch/files/ingest/zeek.files 
@@ -1,36 +1,35 @@ { "description" : "zeek.files", "processors" : [ - { "set": { "field": "event.dataset", "value": "file" } }, - { "remove": { "field": ["host"], "ignore_failure": true } }, - { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "set": { "field": "event.dataset", "value": "file" } }, + { "remove": { "field": ["host"], "ignore_failure": true } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, { "rename": { "field": "message2.fuid", "target_field": "log.id.fuid", "ignore_missing": true } }, - { "remove": { "field": "source", "ignore_missing": true } }, - { "rename": { "field": "message2.rx_hosts.0", "target_field": "destination.ip", "ignore_missing": true } }, - { "rename": { "field": "message2.tx_hosts.0", "target_field": "source.ip", "ignore_missing": true } }, - { "remove": { "field": "message2.rx_hosts", "ignore_missing": true } }, - { "remove": { "field": "message2.tx_hosts", "ignore_missing": true } }, + { "remove": { "field": "source", "ignore_missing": true } }, + { "rename": { "field": "message2.rx_hosts.0", "target_field": "destination.ip", "ignore_missing": true } }, + { "rename": { "field": "message2.tx_hosts.0", "target_field": "source.ip", "ignore_missing": true } }, + { "remove": { "field": "message2.rx_hosts", "ignore_missing": true } }, + { "remove": { "field": "message2.tx_hosts", "ignore_missing": true } }, { "rename": { "field": "message2.conn_uids", "target_field": "log.id.uid", "ignore_missing": true } }, - { "rename": { "field": "message2.source", "target_field": "file.source", "ignore_missing": true } }, - { "rename": { "field": "message2.depth", "target_field": "file.depth", "ignore_missing": true } }, + { "rename": { "field": "message2.source", "target_field": "file.source", "ignore_missing": true } }, + { "rename": { "field": "message2.depth", "target_field": "file.depth", "ignore_missing": true } }, { "rename": { "field": "message2.analyzers", 
"target_field": "file.analyzer", "ignore_missing": true } }, { "rename": { "field": "message2.mime_type", "target_field": "file.mime_type", "ignore_missing": true } }, - { "rename": { "field": "message2.filename", "target_field": "file.name", "ignore_missing": true } }, + { "rename": { "field": "message2.filename", "target_field": "file.name", "ignore_missing": true } }, { "rename": { "field": "message2.duration", "target_field": "event.duration", "ignore_missing": true } }, { "rename": { "field": "message2.local_orig", "target_field": "file.local_orig", "ignore_missing": true } }, - { "rename": { "field": "message2.is_orig", "target_field": "file.is_orig", "ignore_missing": true } }, + { "rename": { "field": "message2.is_orig", "target_field": "file.is_orig", "ignore_missing": true } }, { "rename": { "field": "message2.seen_bytes", "target_field": "file.bytes.seen", "ignore_missing": true } }, { "rename": { "field": "message2.total_bytes", "target_field": "file.bytes.total", "ignore_missing": true } }, - { "rename": { "field": "message2.missing_bytes", "target_field": "file.bytes.missing", "ignore_missing": true } }, - { "rename": { "field": "message2.overflow_bytes", "target_field": "file.bytes.overflow", "ignore_missing": true } }, + { "rename": { "field": "message2.missing_bytes", "target_field": "file.bytes.missing", "ignore_missing": true } }, + { "rename": { "field": "message2.overflow_bytes", "target_field": "file.bytes.overflow", "ignore_missing": true } }, { "rename": { "field": "message2.timedout", "target_field": "file.timed_out", "ignore_missing": true } }, { "rename": { "field": "message2.parent_fuid", "target_field": "log.id.parent_fuid", "ignore_missing": true } }, { "rename": { "field": "message2.md5", "target_field": "hash.md5", "ignore_missing": true } }, { "rename": { "field": "message2.sha1", "target_field": "hash.sha1", "ignore_missing": true } }, - { "rename": { "field": "message2.extracted", "target_field": "file.extracted.filename", 
"ignore_missing": true } }, + { "rename": { "field": "message2.extracted", "target_field": "file.extracted.filename", "ignore_missing": true } }, { "rename": { "field": "message2.extracted_cutoff", "target_field": "file.extracted.cutoff", "ignore_missing": true } }, - { "rename": { "field": "message2.extracted_size", "target_field": "file.extracted.size", "ignore_missing": true } }, - { "set": { "field": "dataset", "value": "file" } }, + { "rename": { "field": "message2.extracted_size", "target_field": "file.extracted.size", "ignore_missing": true } }, { "pipeline": { "name": "zeek.common" } } ] } diff --git a/salt/elasticsearch/templates/component/so/dtc-event-mappings.json b/salt/elasticsearch/templates/component/so/dtc-event-mappings.json index d17b832dc..5d647917b 100644 --- a/salt/elasticsearch/templates/component/so/dtc-event-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-event-mappings.json @@ -137,6 +137,19 @@ } } }, + "severity_label": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + }, + "keyword": { + "type": "keyword" + } + } + }, "timezone": { "ignore_above": 1024, "type": "keyword", diff --git a/salt/soctopus/files/templates/generic.template b/salt/soctopus/files/templates/generic.template index 74b40bef9..df120fd81 100644 --- a/salt/soctopus/files/templates/generic.template +++ b/salt/soctopus/files/templates/generic.template @@ -20,5 +20,3 @@ realert: minutes: 0 type: any filter: -- query: - query_string: diff --git a/setup/so-setup b/setup/so-setup index e09646020..5f96106a5 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -672,7 +672,7 @@ if ! [[ -f $install_opt_file ]]; then logCmd "so-soc-restart" title "Setting up Elastic Fleet" logCmd "salt-call state.apply elasticfleet.config" - logCmd "so-elastic-fleet-setup" + logCmd "so-elastic-fleet-setup" if [[ ! $is_import ]]; then title "Setting up Playbook" logCmd "so-playbook-reset" 
@@ -694,6 +694,8 @@ if ! [[ -f $install_opt_file ]]; then
 reserve_ports
 # Set the version
 mark_version
+ # Disable the setup from prompting at login
+ disable_auto_start
 info "Clearing the old manager"
 # Remove old manager if re-install
 clear_manager