From 985e1728d7fde2270c045ad32a77e8e9dbc28883 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Thu, 6 Oct 2022 15:13:27 -0400
Subject: [PATCH 1/6] Update to Kibana 8.4.3
---
 salt/kibana/bin/so-kibana-config-load | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load
index 73b83cece..bfc8c398d 100644
--- a/salt/kibana/bin/so-kibana-config-load
+++ b/salt/kibana/bin/so-kibana-config-load
@@ -64,7 +64,7 @@ update() {
 IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))'
 for i in "${LINES[@]}"; do
- RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config-X PUT "localhost:5601/api/saved_objects/config/8.4.1" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
+ RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config-X PUT "localhost:5601/api/saved_objects/config/8.4.3" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
 echo $RESPONSE;
 if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi
 done
From bee1b06f76de1f709f0784977021798e63ad099c Mon Sep 17 00:00:00 2001
From: weslambert
Date: Thu, 6 Oct 2022 15:14:43 -0400
Subject: [PATCH 2/6] Update to Kibana 8.4.3
---
 salt/kibana/files/config_saved_objects.ndjson | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson
index 68beb2dab..29bbfd84e 100644
--- a/salt/kibana/files/config_saved_objects.ndjson
+++ b/salt/kibana/files/config_saved_objects.ndjson
@@ -1 +1 @@
-{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.4.1","id": "8.4.1","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
+{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.4.3","id": "8.4.3","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
From d65fde953624f25a6d7d6e0669f437da2ef0f74d Mon Sep 17 00:00:00 2001
From: doug
Date: Fri, 7 Oct 2022 12:23:40 -0400
Subject: [PATCH 3/6] improve sysmon dashboards
---
 salt/soc/defaults.yaml | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 73c397104..c97850cc4 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1556,9 +1556,24 @@ soc:
 - name: Wazuh/OSSEC
 description: Wazuh/OSSEC HIDS alerts and logs
 query: 'event.module:ossec | groupby rule.category | groupby rule.uuid | groupby rule.name | groupby agent.id | groupby agent.name | groupby log.full'
- - name: Sysmon
- description: Sysmon logs
- query: 'event.module:sysmon | groupby event.dataset | groupby user.name | groupby process.executable | groupby process.command_line | groupby process.parent.command_line'
+ - name: Sysmon Overview
+ description: Overview of all Sysmon data types
+ query: 'event.module:sysmon | groupby -sankey event.dataset winlog.computer_name | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby event.dataset | groupby user.name | groupby dns.query.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.target | groupby source.ip | groupby destination.ip | groupby destination.port'
+ - name: Sysmon Registry
+ description: Registry changes captured by Sysmon
+ query: '(event.dataset:registry_create_delete OR event.dataset:registry_value_set OR event.dataset:registry_key_value_rename) | groupby -sankey event.dataset winlog.computer_name | groupby winlog.computer_name | groupby event.dataset | groupby process.executable | groupby winlog.event_data.TargetObject | groupby process.executable winlog.event_data.TargetObject'
+ - name: Sysmon DNS
+ description: DNS queries captured by Sysmon
+ query: 'event.dataset:dns_query | groupby -sankey winlog.computer_name dns.query.name | groupby winlog.computer_name | groupby process.executable | groupby dns.query.name | groupby dns.answers.name'
+ - name: Sysmon Process
+ description: Process activity captured by Sysmon
+ query: '(event.dataset:process_creation OR event.dataset:process_terminated OR event.dataset:process_access) | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby user.name | groupby event.dataset | groupby process.working_directory | 
groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable'
+ - name: Sysmon File
+ description: File activity captured by Sysmon
+ query: '(event.dataset:file_create OR event.dataset:file_create_stream_hash OR event.dataset:process_changed_file) | groupby -sankey winlog.computer_name process.executable | groupby winlog.computer_name | groupby event.dataset | groupby file.target | groupby process.executable'
+ - name: Sysmon Network
+ description: Network activity captured by Sysmon
+ query: 'event.dataset:network_connection | groupby -sankey winlog.computer_name destination.ip destination.port destination_geo.organization_name | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
 - name: Strelka
 description: Strelka logs
 query: 'event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source'
From dd09ce7aabdf414d1e916ddb9b7b516139d0ec32 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Tue, 11 Oct 2022 12:00:57 -0400
Subject: [PATCH 4/6] Add log package for Fleet to allow for custom log ingestion
---
 salt/kibana/defaults.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml
index b3494b118..f6bf17e7e 100644
--- a/salt/kibana/defaults.yaml
+++ b/salt/kibana/defaults.yaml
@@ -34,6 +34,8 @@ kibana:
 packages:
 - name: fleet_server
 version: latest
+ - name: log
+ version: latest
 - name: osquery_manager
 version: latest
 - name: system
@@ -89,4 +91,4 @@ kibana:
 name: windows
 inputs:
 - type: windows/metrics
- enabled: false
\ No newline at end of file
+ enabled: false
From 1c23d91a3b48149c1dde5c6adf8364d674e837ae Mon Sep 17 00:00:00 2001
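Review bot: The five new dashboards (Registry, DNS, Process, File, Network) are described as "captured by Sysmon", but unlike the Sysmon Overview query they filter only on `event.dataset` values and never include the `event.module:sysmon` scope, so any other log source that happens to emit a dataset named `dns_query`, `file_create` or `network_connection` would be mixed into views labelled as Sysmon. If those dataset names are only ever produced by the Sysmon pipeline this is harmless today, but making the scope explicit is cheaper than relying on that, e.g. `query: 'event.module:sysmon AND event.dataset:dns_query | groupby -sankey winlog.computer_name dns.query.name | ...'` and `event.module:sysmon AND (event.dataset:process_creation OR ...)` for the parenthesised lists. The Sysmon Process query appears split across two physical lines in this copy of the patch; worth confirming the YAML string is intact in the committed file.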
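Review bot: The new `log` Fleet package is pinned to `version: latest`, which matches its siblings in this list but means the integration version actually installed is whatever the package registry serves at setup time rather than anything recorded in this repo; two nodes set up on different days can end up with different integration versions, and a bad or malicious upstream release is picked up automatically. Since the point of this package is custom log ingestion (parsing of operator-supplied inputs), consider pinning it to the release that was tested and bumping it deliberately, or add a comment next to it stating why `latest` is acceptable for this integration.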
From: Jason Ertel
Date: Thu, 13 Oct 2022 06:57:17 -0400
Subject: [PATCH 5/6] retry up to 25 minutes if APT is locked by an unattended upgrade. This is an increase from 8 minutes.
---
 setup/so-functions | 12 ++++++------
 setup/so-preflight | 4 ++--
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/setup/so-functions b/setup/so-functions
index 7dfa7b047..985a231e1 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -946,17 +946,17 @@ installer_prereq_packages() {
 logCmd "systemctl start NetworkManager"
 elif [ "$OS" == ubuntu ]; then
 # Print message to stdout so the user knows setup is doing something
- retry 50 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1
+ retry 150 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1
 # Install network manager so we can do interface stuff
 if ! command -v nmcli > /dev/null 2>&1; then
- retry 50 10 "apt-get -y install network-manager" >> "$setup_log" 2>&1 || exit 1
+ retry 150 10 "apt-get -y install network-manager" >> "$setup_log" 2>&1 || exit 1
 {
 systemctl enable NetworkManager
 systemctl start NetworkManager
 } >> "$setup_log" 2<&1
 fi
 if ! command -v curl > /dev/null 2>&1; then
- retry 50 10 "apt-get -y install curl" >> "$setup_log" 2>&1 || exit 1
+ retry 150 10 "apt-get -y install curl" >> "$setup_log" 2>&1 || exit 1
 fi
 fi
 }
@@ -1827,7 +1827,7 @@ remove_package() {
 fi
 else
 if dpkg -l | grep -q "$package_name"; then
- retry 50 10 "apt purge -y \"$package_name\""
+ retry 150 10 "apt purge -y \"$package_name\""
 fi
 fi
 }
@@ -2260,8 +2260,8 @@ update_packages() {
 logCmd "yum -y update --exclude=salt*,wazuh*,docker*,containerd*"
 logCmd "yum -y install yum-utils"
 else
- retry 50 10 "apt-get -y update" >> "$setup_log" 2>&1 || exit 1
- retry 50 10 "apt-get -y upgrade" >> "$setup_log" 2>&1 || exit 1
+ retry 150 10 "apt-get -y update" >> "$setup_log" 2>&1 || exit 1
+ retry 150 10 "apt-get -y upgrade" >> "$setup_log" 2>&1 || exit 1
 fi
 }
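Review bot: The pair `150 10` is now hard-coded at eight call sites across so-functions and so-preflight, and this commit had to edit every one of them just to widen the window; declare the budget once, e.g. `readonly apt_retry_attempts=150` and `readonly apt_retry_delay=10` alongside the other setup globals, and call `retry "$apt_retry_attempts" "$apt_retry_delay" "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1`. The "25 minutes" in the subject only holds if each failed attempt returns promptly and the second argument is a sleep in seconds; `retry` itself is not in this hunk, so I cannot confirm either. While here, the context line `} >> "$setup_log" 2<&1` uses `2<&1` where `2>&1` is presumably intended — bash tolerates it, but it reads as a typo. installer_prereq_packages starts before this hunk.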
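Review bot: The changed `retry 150 10 "apt purge -y \"$package_name\""` in remove_package is the only retry call in this patch whose output is not appended to `$setup_log` and whose final failure is not acted on, so a purge that still fails after 25 minutes leaves no trace in the log and the function ends as if it succeeded. If best-effort removal is intended, say so with a comment; otherwise `retry 150 10 "apt purge -y \"$package_name\"" >> "$setup_log" 2>&1 || return 1`. The guard above it, `dpkg -l | grep -q "$package_name"`, is a pre-existing unanchored substring match, so `package_name=foo` also triggers a purge attempt when only `foo-bar` is installed; `dpkg -s "$package_name" > /dev/null 2>&1` or an anchored pattern is the precise check. remove_package begins before this hunk.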
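Review bot: In update_packages the `apt-get -y update` call is retried without the `"" "Err:"` arguments that the same command receives in installer_prereq_packages earlier in this patch; if those arguments tell `retry` which output counts as a failure (the helper is not visible here), an index fetch that exits 0 but prints `Err:` lines is treated as success on this path and as a retryable failure on the other. Either align the two, `retry 150 10 "apt-get -y update" "" "Err:" >> "$setup_log" 2>&1 || exit 1`, or add a comment explaining why they differ. Note also that retrying `apt-get -y upgrade` 150 times assumes a failure is transient; a conffile prompt (if `DEBIAN_FRONTEND=noninteractive` is not set somewhere outside this hunk) would stall the attempt rather than fail it, so the longer window does not help that case.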
diff --git a/setup/so-preflight b/setup/so-preflight
index 59c78c70b..151651077 100755
--- a/setup/so-preflight
+++ b/setup/so-preflight
@@ -56,7 +56,7 @@ check_default_repos() {
 printf '%s' 'apt update.' | tee -a "$preflight_log"
 fi
 echo "" >> "$preflight_log"
- retry 50 10 "apt-get -y update" >> $preflight_log 2>&1
+ retry 150 10 "apt-get -y update" >> $preflight_log 2>&1
 ret_code=$?
 [[ $ret_code == 0 ]] && printf '%s\n' ' SUCCESS' || printf '%s\n' ' FAILURE'
@@ -161,7 +161,7 @@ preflight_prereqs() {
 if [[ $OS == 'centos' ]]; then
 : # no-op to match structure of other checks for $OS var
 else
- retry 50 10 "apt-get -y install curl" >> "$preflight_log" 2>&1 || ret_code=1
+ retry 150 10 "apt-get -y install curl" >> "$preflight_log" 2>&1 || ret_code=1
 fi
 return $ret_code
From f6151b3895739a98679b76e79d4d16d84d5cd9e8 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Thu, 13 Oct 2022 09:03:10 -0400
Subject: [PATCH 6/6] Remove destination_geo.organization_name from Sysmon Network sankey diagram
---
 salt/soc/defaults.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index c97850cc4..278a02342 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
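Review bot: The new line in check_default_repos keeps `>> $preflight_log` unquoted, while every other redirect in this patch — including `echo "" >> "$preflight_log"` two lines above and the curl install in preflight_prereqs — quotes the path; a log path containing whitespace or a glob character would be word-split or expanded here and the apt output would land in the wrong place or the redirect would fail. Since the line is being touched anyway, make it `retry 150 10 "apt-get -y update" >> "$preflight_log" 2>&1`. check_default_repos starts before this hunk and continues after it.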
@@ -1573,7 +1573,7 @@ soc:
 query: '(event.dataset:file_create OR event.dataset:file_create_stream_hash OR event.dataset:process_changed_file) | groupby -sankey winlog.computer_name process.executable | groupby winlog.computer_name | groupby event.dataset | groupby file.target | groupby process.executable'
 - name: Sysmon Network
 description: Network activity captured by Sysmon
- query: 'event.dataset:network_connection | groupby -sankey winlog.computer_name destination.ip destination.port destination_geo.organization_name | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
+ query: 'event.dataset:network_connection | groupby -sankey winlog.computer_name destination.ip destination.port | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
 - name: Strelka
 description: Strelka logs
 query: 'event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source'