diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load
index 031343d5d..d59f91035 100644
--- a/salt/kibana/bin/so-kibana-config-load
+++ b/salt/kibana/bin/so-kibana-config-load
@@ -63,7 +63,7 @@ update() {
 IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))'
 for i in "${LINES[@]}"; do
- RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config-X PUT "localhost:5601/api/saved_objects/config/8.4.1" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
+ RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config-X PUT "localhost:5601/api/saved_objects/config/8.4.3" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
 echo $RESPONSE;
 if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi
 done
diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml
index b3494b118..f6bf17e7e 100644
--- a/salt/kibana/defaults.yaml
+++ b/salt/kibana/defaults.yaml
@@ -34,6 +34,8 @@ kibana:
 packages:
 - name: fleet_server
 version: latest
+ - name: log
+ version: latest
 - name: osquery_manager
 version: latest
 - name: system
@@ -89,4 +91,4 @@ kibana:
 name: windows
 inputs:
 - type: windows/metrics
- enabled: false
\ No newline at end of file
+ enabled: false
diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson
index 68beb2dab..29bbfd84e 100644
--- a/salt/kibana/files/config_saved_objects.ndjson
+++ b/salt/kibana/files/config_saved_objects.ndjson
@@ -1 +1 @@
-{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.4.1","id": "8.4.1","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
+{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.4.3","id": "8.4.3","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 73c397104..278a02342 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1556,9 +1556,24 @@ soc:
 - name: Wazuh/OSSEC
 description: Wazuh/OSSEC HIDS alerts and logs
 query: 'event.module:ossec | groupby rule.category | groupby rule.uuid | groupby rule.name | groupby agent.id | groupby agent.name | groupby log.full'
- - name: Sysmon
- description: Sysmon logs
- query: 'event.module:sysmon | groupby event.dataset | groupby user.name | groupby process.executable | groupby process.command_line | groupby process.parent.command_line'
+ - name: Sysmon Overview
+ description: Overview of all Sysmon data types
+ query: 'event.module:sysmon | groupby -sankey event.dataset winlog.computer_name | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby event.dataset | groupby user.name | groupby dns.query.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.target | groupby source.ip | groupby destination.ip | groupby destination.port'
+ - name: Sysmon Registry
+ description: Registry changes captured by Sysmon
+ query: '(event.dataset:registry_create_delete OR event.dataset:registry_value_set OR event.dataset:registry_key_value_rename) | groupby -sankey event.dataset winlog.computer_name | groupby winlog.computer_name | groupby event.dataset | groupby process.executable | groupby winlog.event_data.TargetObject | groupby process.executable winlog.event_data.TargetObject'
+ - name: Sysmon DNS
+ description: DNS queries captured by Sysmon
+ query: 'event.dataset:dns_query | groupby -sankey winlog.computer_name dns.query.name | groupby winlog.computer_name | groupby process.executable | groupby dns.query.name | groupby dns.answers.name'
+ - name: Sysmon Process
+ description: Process activity captured by Sysmon
+ query: '(event.dataset:process_creation OR event.dataset:process_terminated OR event.dataset:process_access) | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby user.name | groupby event.dataset | groupby process.working_directory | 
groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable'
+ - name: Sysmon File
+ description: File activity captured by Sysmon
+ query: '(event.dataset:file_create OR event.dataset:file_create_stream_hash OR event.dataset:process_changed_file) | groupby -sankey winlog.computer_name process.executable | groupby winlog.computer_name | groupby event.dataset | groupby file.target | groupby process.executable'
+ - name: Sysmon Network
+ description: Network activity captured by Sysmon
+ query: 'event.dataset:network_connection | groupby -sankey winlog.computer_name destination.ip destination.port | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
 - name: Strelka
 description: Strelka logs
 query: 'event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source'
diff --git a/setup/so-functions b/setup/so-functions
index 76fcca2ed..56d2a0394 100755
--- a/setup/so-functions
+++ b/setup/so-functions
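Review bot: The per-type Sysmon hunts (Registry, DNS, Process, File, Network) filter on event.dataset alone, while the Sysmon Overview hunt two lines above them scopes to event.module:sysmon; dataset names as generic as dns_query, process_creation, file_create and network_connection seem likely to be emitted by other modules too, so those hunts would mix non-Sysmon events into results labelled "captured by Sysmon". Prefixing each query with the module keeps the hunt honest about its source, assuming the query language accepts an explicit conjunction as it does OR, e.g. `query: 'event.module:sysmon AND event.dataset:dns_query | groupby -sankey winlog.computer_name dns.query.name | …'` and `query: 'event.module:sysmon AND (event.dataset:process_creation OR event.dataset:process_terminated OR event.dataset:process_access) | …'`. The enclosing hunts list begins before and continues after this hunk.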
@@ -946,17 +946,17 @@ installer_prereq_packages() {
 logCmd "systemctl start NetworkManager"
 elif [ "$OS" == ubuntu ]; then
 # Print message to stdout so the user knows setup is doing something
- retry 50 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1
+ retry 150 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1
 # Install network manager so we can do interface stuff
 if ! command -v nmcli > /dev/null 2>&1; then
- retry 50 10 "apt-get -y install network-manager" >> "$setup_log" 2>&1 || exit 1
+ retry 150 10 "apt-get -y install network-manager" >> "$setup_log" 2>&1 || exit 1
 {
 systemctl enable NetworkManager
 systemctl start NetworkManager
 } >> "$setup_log" 2<&1
 fi
 if ! command -v curl > /dev/null 2>&1; then
- retry 50 10 "apt-get -y install curl" >> "$setup_log" 2>&1 || exit 1
+ retry 150 10 "apt-get -y install curl" >> "$setup_log" 2>&1 || exit 1
 fi
 fi
 }
@@ -1826,7 +1826,7 @@ remove_package() {
 fi
 else
 if dpkg -l | grep -q "$package_name"; then
- retry 50 10 "apt purge -y \"$package_name\""
+ retry 150 10 "apt purge -y \"$package_name\""
 fi
 fi
 }
@@ -2259,8 +2259,8 @@ update_packages() {
 logCmd "yum -y update --exclude=salt*,wazuh*,docker*,containerd*"
 logCmd "yum -y install yum-utils"
 else
- retry 50 10 "apt-get -y update" >> "$setup_log" 2>&1 || exit 1
- retry 50 10 "apt-get -y upgrade" >> "$setup_log" 2>&1 || exit 1
+ retry 150 10 "apt-get -y update" >> "$setup_log" 2>&1 || exit 1
+ retry 150 10 "apt-get -y upgrade" >> "$setup_log" 2>&1 || exit 1
 fi
 }
diff --git a/setup/so-preflight b/setup/so-preflight
index 59c78c70b..151651077 100755
--- a/setup/so-preflight
+++ b/setup/so-preflight
@@ -56,7 +56,7 @@ check_default_repos() {
 printf '%s' 'apt update.' | tee -a "$preflight_log"
 fi
 echo "" >> "$preflight_log"
- retry 50 10 "apt-get -y update" >> $preflight_log 2>&1
+ retry 150 10 "apt-get -y update" >> $preflight_log 2>&1
 ret_code=$?
 [[ $ret_code == 0 ]] && printf '%s\n' ' SUCCESS' || printf '%s\n' ' FAILURE'
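Review bot: Raising each call to 150 attempts at a 10-second interval means an unreachable or broken apt mirror now holds the installer for roughly 25 minutes per call, three times over in this function, before `|| exit 1` fires; with all output appended to "$setup_log", the user apparently sees nothing on the terminal for that whole time despite the comment above the first call promising otherwise. If the longer budget is deliberate, a comment stating it would stop the next reader from trimming it back, e.g. `# 150 x 10s = ~25 min per step: ride out slow or flaky mirrors before giving up`; if it is not, a shorter cap fails faster on a truly dead repository. Separately, the redirect on the systemctl group, `} >> "$setup_log" 2<&1`, reads like a typo for `2>&1`; it probably still works because the fd duplication ignores direction, but it is easy to misread as an input redirect.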
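Review bot: In remove_package the status of `retry 150 10 "apt purge -y \"$package_name\""` is discarded and its output is not logged, unlike the sibling calls in installer_prereq_packages and update_packages that append to "$setup_log" and `|| exit 1`, so a purge that fails all 150 times is silently swallowed. At minimum capture it, e.g. `retry 150 10 "apt purge -y \"$package_name\"" >> "$setup_log" 2>&1 || return 1`. The guard on the line above, `dpkg -l | grep -q "$package_name"`, is an unanchored substring match, so a name that only partly matches an installed package would enter the retry loop for a package apt cannot locate, which with the new count is about 25 minutes of looping; `dpkg-query -W -f='${Status}' "$package_name" 2>/dev/null | grep -q 'install ok installed'` tests the exact package instead. The function's head, where package_name is set, lies outside the hunk.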
@@ -161,7 +161,7 @@ preflight_prereqs() {
 if [[ $OS == 'centos' ]]; then
 : # no-op to match structure of other checks for $OS var
 else
- retry 50 10 "apt-get -y install curl" >> "$preflight_log" 2>&1 || ret_code=1
+ retry 150 10 "apt-get -y install curl" >> "$preflight_log" 2>&1 || ret_code=1
 fi
 return $ret_code