Merge branch 'dev' of github.com:Security-Onion-Solutions/securityonion-saltstack into dev

README.md

@@ -1,44 +1,44 @@
 ## Security Onion 2.0.0.rc1
 
-Security Onion 2.0.0 RC1 is here! This will require a fresh install but there is good news: From here on out you will be able to use soup on the manager to upgrade your environment to RC2 and beyond! The team here has been hard at work to bring you the following changes:
+Security Onion 2.0.0 RC1 is here! This version requires a fresh install, but there is good news - we have brought back soup! From now on, you should be able to run soup on the manager to upgrade your environment to RC2 and beyond! 
 
-- You will notice we have done a little re-branding to give 2.0 a fresh look.
+### Changes:
-- We have removed all references to "master" in the code and now call it a "manager".
+- Re-branded 2.0 to give it a fresh look
-- All documentation has moved to our docs site.
+- All documentation has moved to our [docs site](https://docs.securityonion.net/en/2.0)
-- soup is alive! This will only update the Security Onion components. Please use the build in OS update process to keep the OS up to date.
+- soup is alive! Note: This tool only updates Security Onion components. Please use the built-in OS update process to keep the OS and other components up to date.
-- so-features-enable should now properly work. 
+- so-import-pcap is back! See the docs [here](http://docs.securityonion.net/en/2.0/so-import-pcap).
-- so-import-pcap! See the docs here.
+- Fixed issue with so-features-enable 
-- You can now pivot to PCAP from Suricata alerts.
+- Users can now pivot to PCAP from Suricata alerts
-- ISO install now prompts you to create an admin user instead of using onion. This user has full sudo rights.
+- ISO install now prompts users to create an admin/sudo user instead of using a default account name
-- The disk should now more reliably clean itself up.
+- The web email & password set during setup is now used to create the initial accounts for TheHive, Cortex, and Fleet
-- Changed the default permissions for /opt/so to keep non-priviledged users from accessing salt and related files.
+- Fixed issue with disk cleanup
-- Locked down access to certain SSL keys.
+- Changed the default permissions for /opt/so to keep non-priviledged users from accessing salt and related files
-- Suricata logs will now compress after they roll over.
+- Locked down access to certain SSL keys
-- You can now customize shard counts per index.
+- Suricata logs now compress after they roll over
-- Elastic ingest parsing improvements.
+- Users can now easily customize shard counts per index
-- Elastic nodes are now "hot" by default. This will allow adding a warm node easier.
+- Improved Elastic ingest parsers including Windows event logs and Sysmon logs shipped with WinLogbeat and Osquery (ECS)
-- so-allow will now run at the end of an install so you can enable access right away.
+- Elastic nodes are now "hot" by default, making it easier to add a warm node later
-- Alert severities across Wazuh, Suricata and Playbook (Sigma) have been standardised and copied to `event.severity`:
+- so-allow now runs at the end of an install so users can enable access right away
+- Alert severities across Wazuh, Suricata and Playbook (Sigma) have been standardized and copied to `event.severity`:
   - 1-Low / 2-Medium / 3-High / 4-Critical
 - Initial implementation of alerting queues:
-  - Low & Medium alerts are accessible through Kibana & SOC Hunt
+  - Low & Medium alerts are accessible through Kibana & Hunt
-  - High & Critical alerts are accessible through Kibana, SOC Hunt and sent to TheHive for immediate analysis
+  - High & Critical alerts are accessible through Kibana, Hunt and sent to TheHive for immediate analysis
 - ATT&CK Navigator is now a statically-hosted site in the nginx container
 - Playbook
-  - All Sigma rules in the community repo are now imported & kept up to date (500+)
+  - All Sigma rules in the community repo (500+) are now imported and kept up to date
-  - Initial implementation of automated testing when a Play's detection logic has been edited (ie Unit Testing)
+  - Initial implementation of automated testing when a Play's detection logic has been edited (i.e., Unit Testing)
-  - UI Theme has been updated
+  - Updated UI Theme
-  - Once authenticated through SOC, you can now access Playbook with analyst permissions without login
+  - Once authenticated through SOC, users can now access Playbook with analyst permissions without login
-- Ingest parsing updates for Windows Eventlogs & Sysmon logs shipped with WinLogbeat & Osquery (ECS)
+- Kolide Launcher has been updated to include the ability to pass arbitrary flags - new functionality sponsored by SOS
-- Kolide Launcher update to include the ability to pass arbitrary flags - new functionality sponsored by SOS
 - Fixed issue with Wazuh authd registration service port not being correctly exposed
-- Added option for exposure of ES Rest API (port 9200) to so-allow for easier external querying/integration with other tools
+- Added option for exposure of Elasticsearch REST API (port 9200) to so-allow for easier external querying/integration with other tools
-- Added option to so-allow for external Strelka file uploads (ex. via `strelka-fileshot`)
+- Added option to so-allow for external Strelka file uploads (e.g., via `strelka-fileshot`)
 - Added default YARA rules for Strelka -- default rules are maintained by Florian Roth and pulled from https://github.com/Neo23x0/signature-base
 - Added the ability to use custom Zeek scripts
+- Renamed "master server" to "manager node"
 - Improved unification of Zeek and Strelka file data
 
-
 ## Hybrid Hunter Beta 1.4.1 - Beta 3
 
 - Fix install script to handle hostnames properly.

salt/logstash/init.sls

@@ -38,6 +38,9 @@
 {% set PIPELINES = salt['pillar.get']('logstash:pipelines', {}) %}
 {% set DOCKER_OPTIONS = salt['pillar.get']('logstash:docker_options', {}) %}
 
+include:
+  - elasticsearch
+
 # Create the logstash group
 logstashgroup:
   group.present:

salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja

@@ -4,7 +4,7 @@
 {%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
 {%- endif %}
 output {
-  if [event_type] =~ "strelka" {
+  if [module] =~ "strelka" {
     elasticsearch {
       pipeline => "%{module}.%{dataset}" 
       hosts => "{{ ES }}"

salt/top.sls

@@ -138,7 +138,6 @@ base:
     {%- if WAZUH != 0 %}
     - wazuh
     {%- endif %}
-    - elasticsearch
     - logstash
     - kibana
     - elastalert
@@ -185,7 +184,6 @@ base:
     {%- if WAZUH != 0 %}
     - wazuh
     {%- endif %}
-    - elasticsearch
     - logstash
     - kibana
     - pcap
@@ -237,7 +235,6 @@ base:
     - common
     - firewall
     - logstash
-    - elasticsearch
     - curator
     {%- if FLEETMANAGER or FLEETNODE %}
     - fleet.install_package
@@ -265,7 +262,6 @@ base:
     - wazuh
     {%- endif %}
     - logstash
-    - elasticsearch
     - curator
     - filebeat
     {%- if FLEETMANAGER or FLEETNODE %}
@@ -309,7 +305,6 @@ base:
     - wazuh
     {%- endif %}
     - logstash
-    - elasticsearch
     - curator
     - kibana
     - elastalert
@@ -345,7 +340,6 @@ base:
     - wazuh
     {%- endif %}
     - logstash
-    - elasticsearch
     - curator
     - filebeat
     {%- if FLEETMANAGER or FLEETNODE %}