Merge branch '2.4/dev' into jertel/pcap

README.md

@@ -1,20 +1,26 @@
-## Security Onion 2.4 Beta 3
+## Security Onion 2.4 Release Candidate 1 (RC1)
 
-Security Onion 2.4 Beta 3 is here!
+Security Onion 2.4 Release Candidate 1 (RC1) is here!
 
 ## Screenshots
 
 Alerts
-![Alerts](./assets/images/screenshots/alerts.png)
+![Alerts](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/39_alerts.png)
 
 Dashboards
-![Dashboards](./assets/images/screenshots/dashboards.png)
+![Dashboards](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/40_dashboards.png)
 
 Hunt
-![Hunt](./assets/images/screenshots/hunt.png)
+![Hunt](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/41_hunt.png)
 
-Cases
+PCAP
-![Cases](./assets/images/screenshots/cases-comments.png)
+![PCAP](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/42_pcap.png)
+
+Grid
+![Grid](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/46_grid.png)
+
+Config
+![Config](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/50_config.png)
 
 ### Release Notes
 

salt/curator/files/action/logs-elastic_agent-default-close.yaml

@@ -12,7 +12,7 @@ actions:
     options:
       delete_aliases: False
       timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern

salt/curator/files/action/logs-elastic_agent-filebeat-default-close.yaml

@@ -12,7 +12,7 @@ actions:
     options:
       delete_aliases: False
       timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern

salt/curator/files/action/logs-elastic_agent-fleet_server-default-close.yaml

@@ -12,7 +12,7 @@ actions:
     options:
       delete_aliases: False
       timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern

salt/curator/files/action/logs-elastic_agent-metricbeat-default-close.yaml

@@ -12,7 +12,7 @@ actions:
     options:
       delete_aliases: False
       timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern

salt/curator/files/action/logs-elastic_agent-osquerybeat-default-close.yaml

@@ -12,7 +12,7 @@ actions:
     options:
       delete_aliases: False
       timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern

salt/curator/files/action/logs-import-so-close.yml

@@ -12,7 +12,7 @@ actions:
     options:
       delete_aliases: False
       timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern

salt/curator/files/action/logs-strelka-so-close.yml

@@ -12,7 +12,7 @@ actions:
     options:
       delete_aliases: False
       timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern

salt/curator/files/action/logs-suricata-so-close.yml

@@ -12,7 +12,7 @@ actions:
     options:
       delete_aliases: False
       timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern

salt/curator/files/action/logs-syslog-so-close.yml

@@ -12,7 +12,7 @@ actions:
     options:
       delete_aliases: False
       timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern

salt/curator/files/action/logs-system-application-default-close.yaml

@@ -12,7 +12,7 @@ actions:
     options:
       delete_aliases: False
       timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern

salt/curator/files/action/logs-system-auth-default-close.yaml

@@ -12,7 +12,7 @@ actions:
     options:
       delete_aliases: False
       timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern

salt/curator/files/action/logs-system-security-default-close.yaml

@@ -12,7 +12,7 @@ actions:
     options:
       delete_aliases: False
       timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern

salt/curator/files/action/logs-system-syslog-default-close.yaml

@@ -12,7 +12,7 @@ actions:
     options:
       delete_aliases: False
       timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern

salt/curator/files/action/logs-system-system-default-close.yaml

@@ -12,7 +12,7 @@ actions:
     options:
       delete_aliases: False
       timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern

salt/curator/files/action/logs-windows-powershell-default-close.yaml

@@ -12,7 +12,7 @@ actions:
     options:
       delete_aliases: False
       timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern

salt/curator/files/action/logs-windows-sysmon_operational-default-close.yaml

@@ -12,7 +12,7 @@ actions:
     options:
       delete_aliases: False
       timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern

salt/curator/files/action/logs-zeek-so-close.yml

@@ -12,7 +12,7 @@ actions:
     options:
       delete_aliases: False
       timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern

salt/curator/files/action/so-beats-close.yml

@@ -12,7 +12,7 @@ actions:
     options:
       delete_aliases: False
       timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern

salt/curator/files/action/so-elasticsearch-close.yml

@@ -12,7 +12,7 @@ actions:
     options:
       delete_aliases: False
       timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern

salt/curator/files/action/so-firewall-close.yml

@@ -13,7 +13,7 @@ actions:
     options:
       delete_aliases: False
       timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern

salt/curator/files/action/so-ids-close.yml

@@ -13,7 +13,7 @@ actions:
     options:
       delete_aliases: False
       timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern

salt/curator/files/action/so-import-close.yml

@@ -12,7 +12,7 @@ actions:
     options:
       delete_aliases: False
       timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern

salt/curator/files/action/so-kibana-close.yml

@@ -12,7 +12,7 @@ actions:
     options:
       delete_aliases: False
       timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern

salt/curator/files/action/so-kratos-close.yml

@@ -12,7 +12,7 @@ actions:
     options:
       delete_aliases: False
       timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern

salt/curator/files/action/so-logstash-close.yml

@@ -12,7 +12,7 @@ actions:
     options:
       delete_aliases: False
       timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern

salt/curator/files/action/so-netflow-close.yml

@@ -12,7 +12,7 @@ actions:
     options:
       delete_aliases: False
       timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern

salt/curator/files/action/so-osquery-close.yml

@@ -12,7 +12,7 @@ actions:
     options:
       delete_aliases: False
       timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern

salt/curator/files/action/so-ossec-close.yml

@@ -12,7 +12,7 @@ actions:
     options:
       delete_aliases: False
       timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern

salt/curator/files/action/so-redis-close.yml

@@ -12,7 +12,7 @@ actions:
     options:
       delete_aliases: False
       timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern

salt/curator/files/action/so-strelka-close.yml

@@ -12,7 +12,7 @@ actions:
     options:
       delete_aliases: False
       timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern

salt/curator/files/action/so-syslog-close.yml

@@ -12,7 +12,7 @@ actions:
     options:
       delete_aliases: False
       timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern

salt/curator/files/action/so-zeek-close.yml

@@ -12,7 +12,7 @@ actions:
     options:
       delete_aliases: False
       timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
       disable_action: False
     filters:
     - filtertype: pattern

salt/elastalert/defaults.yaml

@@ -13,7 +13,6 @@ elastalert:
     es_port: 9200
     es_conn_timeout: 55
     max_query_size: 5000
-    eql: true
     use_ssl: true
     verify_certs: false
     writeback_index: elastalert

salt/elastalert/files/modules/so/playbook-es.py

@@ -31,7 +31,7 @@ class PlaybookESAlerter(Alerter):
                 creds = (self.rule['es_username'], self.rule['es_password'])
 
             payload = {"rule": { "name": self.rule['play_title'],"case_template": self.rule['play_id'],"uuid": self.rule['play_id'],"category": self.rule['rule.category']},"event":{ "severity": self.rule['event.severity'],"module": self.rule['event.module'],"dataset": self.rule['event.dataset'],"severity_label": self.rule['sigma_level']},"kibana_pivot": self.rule['kibana_pivot'],"soc_pivot": self.rule['soc_pivot'],"play_url": self.rule['play_url'],"sigma_level": self.rule['sigma_level'],"event_data": match, "@timestamp": timestamp}
-            url = f"{self.rule['es_hosts']}/so-playbook-alerts-{today}/_doc/"
+            url = f"https://{self.rule['es_host']}:{self.rule['es_port']}/logs-playbook.alerts-so/_doc/"
             requests.post(url, data=json.dumps(payload), headers=headers, verify=False, auth=creds)
                             
     def get_info(self):

salt/elastalert/map.jinja

@@ -8,7 +8,7 @@
 {% set elastalert_pillar = salt['pillar.get']('elastalert:config', {}) %}
 
 
-{% do ELASTALERTDEFAULTS.elastalert.config.update({'es_hosts': 'https://' + GLOBALS.manager + ':' + ELASTALERTDEFAULTS.elastalert.config.es_port|string}) %}
+{% do ELASTALERTDEFAULTS.elastalert.config.update({'es_host': GLOBALS.manager}) %}
 {% do ELASTALERTDEFAULTS.elastalert.config.update({'es_username': pillar.elasticsearch.auth.users.so_elastic_user.user}) %}
 {% do ELASTALERTDEFAULTS.elastalert.config.update({'es_password': pillar.elasticsearch.auth.users.so_elastic_user.pass}) %}
 

salt/elasticsearch/files/ingest/suricata.fileinfo

@@ -1,7 +1,7 @@
 {
   "description" : "suricata.fileinfo",
   "processors" : [
-    { "set":      { "field": "dataset",        "value": "file"  } },
+    { "set":      	{ "field": "event.dataset",        		"value": "file"  						} },
     { "rename": 	{ "field": "message2.proto", 			"target_field": "network.transport",	"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",	"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.fileinfo.filename", 	"target_field": "file.name",		"ignore_missing": true 	} },

salt/elasticsearch/files/ingest/suricata.flow

@@ -1,7 +1,7 @@
 {
   "description" : "suricata.flow",
   "processors" : [
-    { "set":      { "field": "dataset",        "value": "conn"  } },
+    { "set":      	{ "field": "event.dataset",        		"value": "conn"  							} },
     { "rename": 	{ "field": "message2.proto", 			"target_field": "network.transport",		"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.flow.state", 		"target_field": "connection.state",		"ignore_missing": true 	} },

salt/elasticsearch/files/ingest/suricata.krb5

@@ -1,7 +1,7 @@
 {
   "description" : "suricata.krb5",
   "processors" : [
-    { "set":      { "field": "dataset",        "value": "kerberos"  } },
+    { "set":      	{ "field": "event.dataset",        		"value": "kerberos"  							} },
     { "rename": 	{ "field": "message2.proto", 			"target_field": "network.transport",		"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.app_proto",		"target_field": "network.protocol",		"ignore_missing": true 	} },
     { "rename":         { "field": "message2.krb5.msg_type",		"target_field": "kerberos.request_type",	"ignore_missing": true  } },

salt/elasticsearch/files/ingest/suricata.tls

@@ -1,7 +1,7 @@
 {
   "description" : "suricata.tls",
   "processors" : [
-    { "set":      	{ "field": "dataset",        			"value": "ssl"  								} },
+    { "set":      	{ "field": "event.dataset",			"value": "ssl"  								} },
     { "rename": 	{ "field": "message2.proto", 			"target_field": "network.transport",			"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",			"ignore_missing": true 	} },
     { "rename":         { "field": "message2.tls.subject",              "target_field": "ssl.certificate.subject",		"ignore_missing": true  } },

salt/elasticsearch/files/ingest/zeek.files

@@ -30,7 +30,6 @@
     { "rename": 	{ "field": "message2.extracted",	"target_field": "file.extracted.filename",	"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.extracted_cutoff",	"target_field": "file.extracted.cutoff",	"ignore_missing": true 	} },
     { "rename": 	{ "field": "message2.extracted_size",	"target_field": "file.extracted.size",		"ignore_missing": true 	} },
-    { "set":            { "field": "dataset",                   "value": "file"                                                 } },
     { "pipeline":       { "name": "zeek.common"                                                                                   } }
   ]
 }

salt/elasticsearch/templates/component/so/dtc-event-mappings.json

@@ -137,6 +137,19 @@
                 }
               }
             },
+            "severity_label": {
+              "ignore_above": 1024,
+              "type": "keyword",
+              "fields": {
+                "security": {
+                  "type": "text",
+                  "analyzer": "es_security_analyzer"
+                },
+                "keyword": {
+                  "type": "keyword"
+                }
+              }
+            },
             "timezone": {
               "ignore_above": 1024,
               "type": "keyword",

salt/soctopus/files/templates/generic.template

@@ -20,5 +20,3 @@ realert:
   minutes: 0
 type: any
 filter:
-- query:
-    query_string:

setup/so-setup

@@ -694,6 +694,8 @@ if ! [[ -f $install_opt_file ]]; then
 		reserve_ports
 		# Set the version
 		mark_version
+		# Disable the setup from prompting at login
+		disable_auto_start
 		info "Clearing the old manager"
 		# Remove old manager if re-install
 		clear_manager