CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-01-13 03:31:21 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch '2.4/dev' into jertel/pcap

Browse Source
This commit is contained in:
Jason Ertel
2023-06-09 11:51:37 -04:00
parent 884a7041af 81dd951064
commit 8a4f5d6dcb
44 changed files with 96 additions and 79 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
salt/curator/files/action/logs-elastic_agent-default-close.yaml
View File

@@ -12,7 +12,7 @@ actions:
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern

2
salt/curator/files/action/logs-elastic_agent-filebeat-default-close.yaml
View File

@@ -12,7 +12,7 @@ actions:
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern

2
salt/curator/files/action/logs-elastic_agent-fleet_server-default-close.yaml
View File

@@ -12,7 +12,7 @@ actions:
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern

2
salt/curator/files/action/logs-elastic_agent-metricbeat-default-close.yaml
View File

@@ -12,7 +12,7 @@ actions:
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern

2
salt/curator/files/action/logs-elastic_agent-osquerybeat-default-close.yaml
View File

@@ -12,7 +12,7 @@ actions:
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern

2
salt/curator/files/action/logs-import-so-close.yml
View File

@@ -12,7 +12,7 @@ actions:
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern

2
salt/curator/files/action/logs-strelka-so-close.yml
View File

@@ -12,7 +12,7 @@ actions:
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern

2
salt/curator/files/action/logs-suricata-so-close.yml
View File

@@ -12,7 +12,7 @@ actions:
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern

2
salt/curator/files/action/logs-syslog-so-close.yml
View File

@@ -12,7 +12,7 @@ actions:
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern

2
salt/curator/files/action/logs-system-application-default-close.yaml
View File

@@ -12,7 +12,7 @@ actions:
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern

2
salt/curator/files/action/logs-system-auth-default-close.yaml
View File

@@ -12,7 +12,7 @@ actions:
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern

2
salt/curator/files/action/logs-system-security-default-close.yaml
View File

@@ -12,7 +12,7 @@ actions:
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern

2
salt/curator/files/action/logs-system-syslog-default-close.yaml
View File

@@ -12,7 +12,7 @@ actions:
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern

2
salt/curator/files/action/logs-system-system-default-close.yaml
View File

@@ -12,7 +12,7 @@ actions:
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern

2
salt/curator/files/action/logs-windows-powershell-default-close.yaml
View File

@@ -12,7 +12,7 @@ actions:
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern

2
salt/curator/files/action/logs-windows-sysmon_operational-default-close.yaml
View File

@@ -12,7 +12,7 @@ actions:
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern

2
salt/curator/files/action/logs-zeek-so-close.yml
View File

@@ -12,7 +12,7 @@ actions:
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern

2
salt/curator/files/action/so-beats-close.yml
View File

@@ -12,7 +12,7 @@ actions:
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern

2
salt/curator/files/action/so-elasticsearch-close.yml
View File

@@ -12,7 +12,7 @@ actions:
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern

2
salt/curator/files/action/so-firewall-close.yml
View File

@@ -13,7 +13,7 @@ actions:
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern

2
salt/curator/files/action/so-ids-close.yml
View File

@@ -13,7 +13,7 @@ actions:
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern

2
salt/curator/files/action/so-import-close.yml
View File

@@ -12,7 +12,7 @@ actions:
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern

2
salt/curator/files/action/so-kibana-close.yml
View File

@@ -12,7 +12,7 @@ actions:
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern

2
salt/curator/files/action/so-kratos-close.yml
View File

@@ -12,7 +12,7 @@ actions:
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern

2
salt/curator/files/action/so-logstash-close.yml
View File

@@ -12,7 +12,7 @@ actions:
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern

2
salt/curator/files/action/so-netflow-close.yml
View File

@@ -12,7 +12,7 @@ actions:
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern

2
salt/curator/files/action/so-osquery-close.yml
View File

@@ -12,7 +12,7 @@ actions:
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern

2
salt/curator/files/action/so-ossec-close.yml
View File

@@ -12,7 +12,7 @@ actions:
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern

2
salt/curator/files/action/so-redis-close.yml
View File

@@ -12,7 +12,7 @@ actions:
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern

2
salt/curator/files/action/so-strelka-close.yml
View File

@@ -12,7 +12,7 @@ actions:
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern

2
salt/curator/files/action/so-syslog-close.yml
View File

@@ -12,7 +12,7 @@ actions:
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern

2
salt/curator/files/action/so-zeek-close.yml
View File

@@ -12,7 +12,7 @@ actions:
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern

1
salt/elastalert/defaults.yaml
View File

@@ -13,7 +13,6 @@ elastalert:
es_port: 9200
es_conn_timeout: 55
max_query_size: 5000
eql: true
use_ssl: true
verify_certs: false
writeback_index: elastalert

2
salt/elastalert/files/modules/so/playbook-es.py
View File

@@ -31,7 +31,7 @@ class PlaybookESAlerter(Alerter):
creds = (self.rule['es_username'], self.rule['es_password'])
payload = {"rule": { "name": self.rule['play_title'],"case_template": self.rule['play_id'],"uuid": self.rule['play_id'],"category": self.rule['rule.category']},"event":{ "severity": self.rule['event.severity'],"module": self.rule['event.module'],"dataset": self.rule['event.dataset'],"severity_label": self.rule['sigma_level']},"kibana_pivot": self.rule['kibana_pivot'],"soc_pivot": self.rule['soc_pivot'],"play_url": self.rule['play_url'],"sigma_level": self.rule['sigma_level'],"event_data": match, "@timestamp": timestamp}
url = f"{self.rule['es_hosts']}/so-playbook-alerts-{today}/_doc/"
url = f"https://{self.rule['es_host']}:{self.rule['es_port']}/logs-playbook.alerts-so/_doc/"
requests.post(url, data=json.dumps(payload), headers=headers, verify=False, auth=creds)
def get_info(self):

2
salt/elastalert/map.jinja
View File

@@ -8,7 +8,7 @@
{% set elastalert_pillar = salt['pillar.get']('elastalert:config', {}) %}
{% do ELASTALERTDEFAULTS.elastalert.config.update({'es_hosts': 'https://' + GLOBALS.manager + ':' + ELASTALERTDEFAULTS.elastalert.config.es_port|string}) %}
{% do ELASTALERTDEFAULTS.elastalert.config.update({'es_host': GLOBALS.manager}) %}
{% do ELASTALERTDEFAULTS.elastalert.config.update({'es_username': pillar.elasticsearch.auth.users.so_elastic_user.user}) %}
{% do ELASTALERTDEFAULTS.elastalert.config.update({'es_password': pillar.elasticsearch.auth.users.so_elastic_user.pass}) %}

4
salt/elasticsearch/files/ingest/suricata.fileinfo
View File

@@ -1,7 +1,7 @@
{
"description" : "suricata.fileinfo",
"processors" : [
{ "set": { "field": "dataset", "value": "file" } },
{ "set": { "field": "event.dataset", "value": "file" } },
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
{ "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.fileinfo.filename", "target_field": "file.name", "ignore_missing": true } },
@@ -13,7 +13,7 @@
{ "rename": { "field": "message2.fileinfo.size", "target_field": "file.size", "ignore_missing": true } },
{ "rename": { "field": "message2.fileinfo.state", "target_field": "file.state", "ignore_missing": true } },
{ "rename": { "field": "message2.fileinfo.stored", "target_field": "file.saved", "ignore_missing": true } },
{ "rename": { "field": "message2.fileinfo.sha256", "target_field": "hash.sha256", "ignore_missing": true } },
{ "rename": { "field": "message2.fileinfo.sha256", "target_field": "hash.sha256", "ignore_missing": true } },
{ "set": { "if": "ctx.network?.protocol != null", "field": "file.source", "value": "{{network.protocol}}" } },
{ "pipeline": { "name": "common" } }
]

8
salt/elasticsearch/files/ingest/suricata.flow
View File

@@ -1,12 +1,12 @@
{
"description" : "suricata.flow",
"processors" : [
{ "set": { "field": "dataset", "value": "conn" } },
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
{ "set": { "field": "event.dataset", "value": "conn" } },
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
{ "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.flow.state", "target_field": "connection.state", "ignore_missing": true } },
{ "rename": { "field": "message2.flow.bytes_toclient", "target_field": "server.ip_bytes", "ignore_missing": true } },
{ "rename": { "field": "message2.flow.bytes_toserver", "target_field": "client.ip_bytes", "ignore_missing": true } },
{ "rename": { "field": "message2.flow.bytes_toclient", "target_field": "server.ip_bytes", "ignore_missing": true } },
{ "rename": { "field": "message2.flow.bytes_toserver", "target_field": "client.ip_bytes", "ignore_missing": true } },
{ "rename": { "field": "message2.flow.start", "target_field": "connection.start", "ignore_missing": true } },
{ "rename": { "field": "message2.flow.end", "target_field": "connection.end", "ignore_missing": true } },
{ "pipeline": { "name": "common" } }

20
salt/elasticsearch/files/ingest/suricata.krb5
View File

@@ -1,15 +1,15 @@
{
"description" : "suricata.krb5",
"processors" : [
{ "set": { "field": "dataset", "value": "kerberos" } },
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
{ "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.krb5.msg_type", "target_field": "kerberos.request_type", "ignore_missing": true } },
{ "rename": { "field": "message2.krb5.cname", "target_field": "kerberos.client", "ignore_missing": true } },
{ "rename": { "field": "message2.krb5.realm", "target_field": "kerberos.realm", "ignore_missing": true } },
{ "rename": { "field": "message2.krb5.sname", "target_field": "kerberos.service", "ignore_missing": true } },
{ "rename": { "field": "message2.krb5.encryption", "target_field": "kerberos.ticket.cipher", "ignore_missing": true } },
{ "rename": { "field": "message2.krb.weak_encryption", "target_field": "kerberos.weak_encryption", "ignore_missing": true } },
{ "set": { "field": "event.dataset", "value": "kerberos" } },
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
{ "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.krb5.msg_type", "target_field": "kerberos.request_type", "ignore_missing": true } },
{ "rename": { "field": "message2.krb5.cname", "target_field": "kerberos.client", "ignore_missing": true } },
{ "rename": { "field": "message2.krb5.realm", "target_field": "kerberos.realm", "ignore_missing": true } },
{ "rename": { "field": "message2.krb5.sname", "target_field": "kerberos.service", "ignore_missing": true } },
{ "rename": { "field": "message2.krb5.encryption", "target_field": "kerberos.ticket.cipher", "ignore_missing": true } },
{ "rename": { "field": "message2.krb.weak_encryption", "target_field": "kerberos.weak_encryption", "ignore_missing": true } },
{ "pipeline": { "name": "common" } }
]
}
}

2
salt/elasticsearch/files/ingest/suricata.tls
View File

@@ -1,7 +1,7 @@
{
"description" : "suricata.tls",
"processors" : [
{ "set": { "field": "dataset", "value": "ssl" } },
{ "set": { "field": "event.dataset", "value": "ssl" } },
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
{ "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } },
{ "rename": { "field": "message2.tls.subject", "target_field": "ssl.certificate.subject", "ignore_missing": true } },

33
salt/elasticsearch/files/ingest/zeek.files
View File

@@ -1,36 +1,35 @@
{
"description" : "zeek.files",
"processors" : [
{ "set": { "field": "event.dataset", "value": "file" } },
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "set": { "field": "event.dataset", "value": "file" } },
{ "remove": { "field": ["host"], "ignore_failure": true } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.fuid", "target_field": "log.id.fuid", "ignore_missing": true } },
{ "remove": { "field": "source", "ignore_missing": true } },
{ "rename": { "field": "message2.rx_hosts.0", "target_field": "destination.ip", "ignore_missing": true } },
{ "rename": { "field": "message2.tx_hosts.0", "target_field": "source.ip", "ignore_missing": true } },
{ "remove": { "field": "message2.rx_hosts", "ignore_missing": true } },
{ "remove": { "field": "message2.tx_hosts", "ignore_missing": true } },
{ "remove": { "field": "source", "ignore_missing": true } },
{ "rename": { "field": "message2.rx_hosts.0", "target_field": "destination.ip", "ignore_missing": true } },
{ "rename": { "field": "message2.tx_hosts.0", "target_field": "source.ip", "ignore_missing": true } },
{ "remove": { "field": "message2.rx_hosts", "ignore_missing": true } },
{ "remove": { "field": "message2.tx_hosts", "ignore_missing": true } },
{ "rename": { "field": "message2.conn_uids", "target_field": "log.id.uid", "ignore_missing": true } },
{ "rename": { "field": "message2.source", "target_field": "file.source", "ignore_missing": true } },
{ "rename": { "field": "message2.depth", "target_field": "file.depth", "ignore_missing": true } },
{ "rename": { "field": "message2.source", "target_field": "file.source", "ignore_missing": true } },
{ "rename": { "field": "message2.depth", "target_field": "file.depth", "ignore_missing": true } },
{ "rename": { "field": "message2.analyzers", "target_field": "file.analyzer", "ignore_missing": true } },
{ "rename": { "field": "message2.mime_type", "target_field": "file.mime_type", "ignore_missing": true } },
{ "rename": { "field": "message2.filename", "target_field": "file.name", "ignore_missing": true } },
{ "rename": { "field": "message2.filename", "target_field": "file.name", "ignore_missing": true } },
{ "rename": { "field": "message2.duration", "target_field": "event.duration", "ignore_missing": true } },
{ "rename": { "field": "message2.local_orig", "target_field": "file.local_orig", "ignore_missing": true } },
{ "rename": { "field": "message2.is_orig", "target_field": "file.is_orig", "ignore_missing": true } },
{ "rename": { "field": "message2.is_orig", "target_field": "file.is_orig", "ignore_missing": true } },
{ "rename": { "field": "message2.seen_bytes", "target_field": "file.bytes.seen", "ignore_missing": true } },
{ "rename": { "field": "message2.total_bytes", "target_field": "file.bytes.total", "ignore_missing": true } },
{ "rename": { "field": "message2.missing_bytes", "target_field": "file.bytes.missing", "ignore_missing": true } },
{ "rename": { "field": "message2.overflow_bytes", "target_field": "file.bytes.overflow", "ignore_missing": true } },
{ "rename": { "field": "message2.missing_bytes", "target_field": "file.bytes.missing", "ignore_missing": true } },
{ "rename": { "field": "message2.overflow_bytes", "target_field": "file.bytes.overflow", "ignore_missing": true } },
{ "rename": { "field": "message2.timedout", "target_field": "file.timed_out", "ignore_missing": true } },
{ "rename": { "field": "message2.parent_fuid", "target_field": "log.id.parent_fuid", "ignore_missing": true } },
{ "rename": { "field": "message2.md5", "target_field": "hash.md5", "ignore_missing": true } },
{ "rename": { "field": "message2.sha1", "target_field": "hash.sha1", "ignore_missing": true } },
{ "rename": { "field": "message2.extracted", "target_field": "file.extracted.filename", "ignore_missing": true } },
{ "rename": { "field": "message2.extracted", "target_field": "file.extracted.filename", "ignore_missing": true } },
{ "rename": { "field": "message2.extracted_cutoff", "target_field": "file.extracted.cutoff", "ignore_missing": true } },
{ "rename": { "field": "message2.extracted_size", "target_field": "file.extracted.size", "ignore_missing": true } },
{ "set": { "field": "dataset", "value": "file" } },
{ "rename": { "field": "message2.extracted_size", "target_field": "file.extracted.size", "ignore_missing": true } },
{ "pipeline": { "name": "zeek.common" } }
]
}

13
salt/elasticsearch/templates/component/so/dtc-event-mappings.json
View File

@@ -137,6 +137,19 @@
}
}
},
"severity_label": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"
}
}
},
"timezone": {
"ignore_above": 1024,
"type": "keyword",

2
salt/soctopus/files/templates/generic.template
View File

@@ -20,5 +20,3 @@ realert:
minutes: 0
type: any
filter:
- query:
query_string: