From 9e18fe64cf4c69ad4af078c8bbad7bfbab1bc412 Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 21 Aug 2023 11:20:47 -0400 Subject: [PATCH 01/26] Remove OSSEC configuration --- salt/soc/defaults.yaml | 50 ------------------------------------------ 1 file changed, 50 deletions(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 49be076c0..8ac49ea2e 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -474,19 +474,6 @@ soc: - event.dataset - process.executable - user.name - ':ossec:': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - rule.name - - rule.level - - rule.category - - process.name - - user.name - - user.escalated - - location ':strelka:file': - soc_timestamp - file.name @@ -523,28 +510,6 @@ soc: - message - kibana.log.meta.req.headers.x-real-ip - event.dataset - '::rootcheck': - - soc_timestamp - - host.name - - metadata.ip_address - - log.full - - event.dataset - - event.module - '::ossec': - - soc_timestamp - - host.name - - metadata.ip_address - - log.full - - event.dataset - - event.module - '::syscollector': - - soc_timestamp - - host.name - - metadata.ip_address - - wazuh.data.type - - log.full - - event.dataset - - event.module ':syslog:syslog': - soc_timestamp - host.name @@ -1621,21 +1586,6 @@ soc: - rule.uuid - rule.category - rule.rev - ':ossec:': - - soc_timestamp - - rule.name - - event.severity_label - - source.ip - - source.port - - destination.ip - - destination.port - - rule.level - - rule.category - - process.name - - user.name - - user.escalated - - location - - process.name queryBaseFilter: tags:alert queryToggleFilters: - name: acknowledged From 563a495725d5aca4b8b0b70a7963b5173ce2a53a Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 21 Aug 2023 11:24:07 -0400 Subject: [PATCH 02/26] Add Playbook --- salt/soc/defaults.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) 
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 8ac49ea2e..ff8b240ec 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1586,6 +1586,15 @@ soc: - rule.uuid - rule.category - rule.rev + ':playbook:': + - soc_timestamp + - rule.name + - event.severity_label + - event_data.event.module + - event_data.event.category + - event_data.process.executable + - event_data.process.pid + - event_data.winlog.computer_name queryBaseFilter: tags:alert queryToggleFilters: - name: acknowledged From 8a751e097d231004580735173910512cb5205fbf Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 23 Aug 2023 14:32:05 -0400 Subject: [PATCH 03/26] cert path refactor --- salt/elasticfleet/enabled.sls | 12 +----------- .../tools/sbin_jinja/so-elastic-agent-gen-installers | 2 +- .../tools/sbin_jinja/so-elastic-fleet-setup | 4 ---- salt/elasticsearch/enabled.sls | 2 +- salt/logstash/enabled.sls | 2 +- salt/redis/enabled.sls | 2 +- salt/ssl/init.sls | 2 +- salt/ssl/remove.sls | 2 +- salt/telegraf/enabled.sls | 2 +- 9 files changed, 8 insertions(+), 22 deletions(-) diff --git a/salt/elasticfleet/enabled.sls b/salt/elasticfleet/enabled.sls index 82c7735db..320b6d6b6 100644 --- a/salt/elasticfleet/enabled.sls +++ b/salt/elasticfleet/enabled.sls @@ -68,11 +68,6 @@ so-elastic-fleet: - /etc/pki/elasticfleet-server.crt:/etc/pki/elasticfleet-server.crt:ro - /etc/pki/elasticfleet-server.key:/etc/pki/elasticfleet-server.key:ro - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro - {% if GLOBALS.os_family == 'Debian' %} - - /etc/ssl/elasticfleet-server.crt:/etc/ssl/elasticfleet-server.crt:ro - - /etc/ssl/elasticfleet-server.key:/etc/ssl/elasticfleet-server.key:ro - - /etc/ssl/tls/certs/intca.crt:/etc/ssl/tls/certs/intca.crt:ro - {% endif %} - /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs {% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %} 
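Review bot: With the Debian-only `/etc/ssl/...` mounts removed from the so-elastic-fleet bind list, the container now obtains the intermediate CA solely from `/etc/pki/tls/certs/intca.crt` on every OS family, so this hunk silently depends on the `trusttheca` state in `salt/ssl/init.sls` (later in this series) being able to write that path on Debian, where `/etc/pki/tls/certs` does not exist by default. I am not certain `x509.pem_managed` creates missing parent directories; if it does not, Fleet Server would fail to start on Debian with a missing-file bind error. Either confirm the directory is created on Debian or add an explicit `file.directory` for `/etc/pki/tls/certs` ahead of `trusttheca`, and consider a comment on this mount line such as `# intca.crt is written by salt/ssl/init.sls (trusttheca) on all OS families`. The so-elastic-fleet container definition begins before this hunk.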
@@ -87,13 +82,8 @@ so-elastic-fleet: - FLEET_SERVER_POLICY_ID=FleetServer_{{ GLOBALS.hostname }} - FLEET_SERVER_CERT=/etc/pki/elasticfleet-server.crt - FLEET_SERVER_CERT_KEY=/etc/pki/elasticfleet-server.key - {% if GLOBALS.os_family == 'Debian' %} - - FLEET_CA=/etc/ssl/certs/intca.crt - - FLEET_SERVER_ELASTICSEARCH_CA=/etc/ssl/certs/intca.crt - {% else %} - - FLEET_CA=/etc/pki/tls/certs/intca.crt + - FLEET_CA=/etc/pki/tls/certs/intca.crt - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt - {% endif %} - LOGS_PATH=logs {% if DOCKER.containers['so-elastic-fleet'].extra_env %} {% for XTRAENV in DOCKER.containers['so-elastic-fleet'].extra_env %} diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers index d7d6458c9..c935521fd 100755 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers @@ -65,7 +65,7 @@ do if [[ $GOOS == 'darwin/arm64' ]]; then GOOS="darwin" && GOARCH="arm64"; fi printf "\n\n### Generating $GOOS/$GOARCH Installer...\n" docker run -e CGO_ENABLED=0 -e GOOS=$GOOS -e GOARCH=$GOARCH \ - --mount type=bind,source=/etc/ssl/certs/,target=/workspace/files/cert/ \ + --mount type=bind,source=/etc/pki/tls/certs/,target=/workspace/files/cert/ \ --mount type=bind,source=/nsm/elastic-agent-workspace/,target=/workspace/files/elastic-agent/ \ --mount type=bind,source=/opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/,target=/output/ \ {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent-builder:{{ GLOBALS.so_version }} go build -ldflags "-X main.fleetHostURLsList=$FLEETHOST -X main.enrollmentToken=$ENROLLMENTOKEN" -o /output/so-elastic-agent_${GOOS}_${GOARCH} diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup index ac0ce4db9..83a155ae6 100755 
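Review bot: In the so-elastic-agent-gen-installers hunk, the new `--mount type=bind,source=/etc/pki/tls/certs/,...` has a failure mode the old `/etc/ssl/certs/` source did not on Debian: `--mount` (unlike `-v`) refuses to start the container when the source directory is absent, and `/etc/pki/tls/certs/` only exists on Debian once the `trusttheca` state from this series has run. A guard before the loop, `[ -d /etc/pki/tls/certs ] || { echo "Missing /etc/pki/tls/certs; run the ssl state first" >&2; exit 1; }`, would turn an opaque Docker error into an actionable one. The loop this `docker run` sits in starts before the hunk.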
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup @@ -6,11 +6,7 @@ # this file except in compliance with the Elastic License 2.0. {% from 'vars/globals.map.jinja' import GLOBALS %} -{% if GLOBALS.os_family == 'Debian' %} -INTCA=/etc/ssl/certs/intca.crt -{% else %} INTCA=/etc/pki/tls/certs/intca.crt -{% endif %} . /usr/sbin/so-elastic-fleet-common diff --git a/salt/elasticsearch/enabled.sls b/salt/elasticsearch/enabled.sls index e28ca5fdf..8baff4901 100644 --- a/salt/elasticsearch/enabled.sls +++ b/salt/elasticsearch/enabled.sls @@ -59,7 +59,7 @@ so-elasticsearch: {% if GLOBALS.is_manager %} - /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro {% else %} - - /etc/ssl/certs/intca.crt:/usr/share/elasticsearch/config/ca.crt:ro + - /etc/pki/tls/certs/intca.crt:/usr/share/elasticsearch/config/ca.crt:ro {% endif %} - /etc/pki/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt:ro - /etc/pki/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key:ro diff --git a/salt/logstash/enabled.sls b/salt/logstash/enabled.sls index 731ad4ca3..c76f81d21 100644 --- a/salt/logstash/enabled.sls +++ b/salt/logstash/enabled.sls @@ -73,7 +73,7 @@ so-logstash: {% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import'] %} - /etc/pki/ca.crt:/usr/share/filebeat/ca.crt:ro {% else %} - - /etc/ssl/certs/intca.crt:/usr/share/filebeat/ca.crt:ro + - /etc/pki/tls/certs/intca.crt:/usr/share/filebeat/ca.crt:ro {% endif %} {% if GLOBALS.role in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-searchnode'] %} - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro diff --git a/salt/redis/enabled.sls b/salt/redis/enabled.sls index 2a4f5a179..4c452bec0 100644 --- a/salt/redis/enabled.sls +++ b/salt/redis/enabled.sls 
@@ -33,7 +33,7 @@ so-redis: {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import'] %} - /etc/pki/ca.crt:/certs/ca.crt:ro {% else %} - - /etc/ssl/certs/intca.crt:/certs/ca.crt:ro + - /etc/pki/certs/intca.crt:/certs/ca.crt:ro {% endif %} {% if DOCKER.containers['so-redis'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-redis'].custom_bind_mounts %} diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 4e48688f3..9ff3a3a6d 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -41,7 +41,7 @@ include: # Trust the CA trusttheca: x509.pem_managed: - - name: /etc/ssl/certs/intca.crt + - name: /etc/pki/tls/certs/intca.crt - text: {{ trusttheca_text }} # Install packages needed for the sensor diff --git a/salt/ssl/remove.sls b/salt/ssl/remove.sls index 4eb0eb442..43a245288 100644 --- a/salt/ssl/remove.sls +++ b/salt/ssl/remove.sls @@ -1,6 +1,6 @@ trusttheca: file.absent: - - name: /etc/ssl/certs/intca.crt + - name: /etc/pki/tls/certs/intca.crt influxdb_key: file.absent: diff --git a/salt/telegraf/enabled.sls b/salt/telegraf/enabled.sls index 598587e17..d55e536d6 100644 --- a/salt/telegraf/enabled.sls +++ b/salt/telegraf/enabled.sls @@ -46,7 +46,7 @@ so-telegraf: {% if GLOBALS.role in ['so-manager', 'so-eval', 'so-managersearch' ] %} - /etc/pki/ca.crt:/etc/telegraf/ca.crt:ro {% else %} - - /etc/ssl/certs/intca.crt:/etc/telegraf/ca.crt:ro + - /etc/pki/tls/certs/intca.crt:/etc/telegraf/ca.crt:ro {% endif %} - /etc/pki/influxdb.crt:/etc/telegraf/telegraf.crt:ro - /etc/pki/influxdb.key:/etc/telegraf/telegraf.key:ro From 0f24c8e8bb855306eca56bd433ba594ae63e5723 Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 23 Aug 2023 19:02:32 +0000 Subject: [PATCH 04/26] Add packages --- salt/elasticfleet/defaults.yaml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/salt/elasticfleet/defaults.yaml b/salt/elasticfleet/defaults.yaml index d86a441cd..77fa9dd31 100644 --- a/salt/elasticfleet/defaults.yaml 
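Review bot: The new so-redis bind source `/etc/pki/certs/intca.crt` does not match the path every other file in this commit moves to, `/etc/pki/tls/certs/intca.crt`, which is also where `trusttheca` in `salt/ssl/init.sls` now writes the CA. On non-manager roles that take this `{% else %}` branch the mounted source will not exist; with volume-style binds Docker most likely creates an empty directory there, so `/certs/ca.crt` inside the container becomes a directory and TLS validation against the intermediate CA fails. The line should read `- /etc/pki/tls/certs/intca.crt:/certs/ca.crt:ro`. The so-redis container definition starts before this hunk.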
+++ b/salt/elasticfleet/defaults.yaml @@ -26,20 +26,51 @@ elasticfleet: - stderr - stdout packages: + - auditd - aws - azure + - barracuda + - cisco_asa - cloudflare + - crowdstrike + - darktrace - elasticsearch - endpoint + - f5_bigip - fleet_server - fim + - fortinet + - gcp - github - google_workspace + - http_endpoint + - httpjson + - juniper + - juniper_srx + - kafka_log + - lastpass - log + - m365_defender + - microsoft_defender_endpoint + - microsoft_dhcp + - netflow + - o365 + - okta - osquery_manager + - panw + - pfsense - redis + - sentinel_one + - sonicwall_firewall + - symantec_endpoint - system - tcp + - ti_abusech + - ti_misp + - ti_otx + - ti_recordedfuture - udp - windows + - zscaler_zia + - zscaler_zpa - 1password From 3f2793088a28354fdae2a7eb3422b6e4923abdaf Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 23 Aug 2023 19:02:50 +0000 Subject: [PATCH 05/26] Add templates --- salt/elasticsearch/defaults.yaml | 1134 ++++++++++++++++++++++++++++++ 1 file changed, 1134 insertions(+) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 5cb027fd2..1c1d3ec58 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -286,6 +286,24 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false + so-logs-auditd_x_log: + index_sorting: False + index_template: + index_patterns: + - "logs-auditd.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-auditd.log@package" + - "logs-auditd.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false so-logs-aws_x_cloudtrail: index_sorting: False index_template: 
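Review bot: The packages hunk adds `o365` and `okta`, but the template additions in patch 05 of this series contain no `so-logs-o365_x_*` or `so-logs-okta_x_*` entry; unless `salt/elasticsearch/defaults.yaml` already defines them outside the visible hunks, events from those integrations will be indexed under the stock package template, without the `so-fleet_globals-1` and `so-fleet_agent_id_verification-1` components the other data streams get. Worth a check that every package in this list has a matching `so-logs-*` template before it ships. Minor style point: the list is kept alphabetical except for the trailing `1password`, which could move to the top to keep the ordering a reliable way to spot gaps.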
@@ -646,6 +664,42 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false + so-logs-barracuda_x_waf: + index_sorting: False + index_template: + index_patterns: + - "logs-barracuda.waf-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-barracuda.waf@package" + - "logs-barracuda.waf@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-cisco_asa_x_log: + index_sorting: False + index_template: + index_patterns: + - "logs-cisco_asa.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-cisco_asa.log@package" + - "logs-cisco_asa.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false so-logs-cloudflare_x_audit: index_sorting: False index_template: 
@@ -682,6 +736,114 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false + so-logs-crowdstrike_x_falcon: + index_sorting: False + index_template: + index_patterns: + - "logs-crowdstrike.falcon-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-crowdstrike.falcon@package" + - "logs-crowdstrike.falcon@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-crowdstrike_x_fdr: + index_sorting: False + index_template: + index_patterns: + - "logs-crowdstrike.fdr-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-crowdstrike.fdr@package" + - "logs-crowdstrike.fdr@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-darktrace_x_ai_analyst_alert: + index_sorting: False + index_template: + index_patterns: + - "logs-darktrace.ai_analyst_alert-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-darktrace.ai_analyst_alert@package" + - "logs-darktrace.ai_analyst_alert@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-darktrace_x_model_breach_alert: + index_sorting: False + index_template: + index_patterns: + - "logs-darktrace.model_breach_alert-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-darktrace.model_breach_alert@package" + - "logs-darktrace.model_breach_alert@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-darktrace_x_system_status_alert: + index_sorting: False + index_template: + index_patterns: + - "logs-darktrace.system_status_alert-*" + template: + settings: + index: + number_of_replicas: 0 + 
composed_of: + - "logs-darktrace.system_status_alert@package" + - "logs-darktrace.system_status_alert@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-f5_bigip_x_log: + index_sorting: False + index_template: + index_patterns: + - "logs-f5_bigip.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-f5_bigip.log@package" + - "logs-f5_bigip.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false so-logs-fim_x_event: index_sorting: False index_template: 
@@ -700,6 +862,186 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false + so-logs-fortinet_x_clientendpoint: + index_sorting: False + index_template: + index_patterns: + - "logs-fortinet.clientendpoint-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-fortinet.clientendpoint@package" + - "logs-fortinet.clientendpoint@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-fortinet_x_firewall: + index_sorting: False + index_template: + index_patterns: + - "logs-fortinet.firewall-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-fortinet.firewall@package" + - "logs-fortinet.firewall@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-fortinet_x_fortimail: + index_sorting: False + index_template: + index_patterns: + - "logs-fortinet.fortimail-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-fortinet.fortimail@package" + - "logs-fortinet.fortimail@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-fortinet_x_fortimanager: + index_sorting: False + index_template: + index_patterns: + - "logs-fortinet.fortimanager-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-fortinet.fortimanager@package" + - "logs-fortinet.fortimanager@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-fortinet_x_fortigate: + index_sorting: False + index_template: + index_patterns: + - "logs-fortinet.fortigate-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-fortinet.fortigate@package" + 
- "logs-fortinet.fortigate@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-gcp_x_audit: + index_sorting: False + index_template: + index_patterns: + - "logs-gcp.audit-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-gcp.audit@package" + - "logs-gcp.audit@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-gcp_x_dns: + index_sorting: False + index_template: + index_patterns: + - "logs-gcp.dns-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-gcp.dns@package" + - "logs-gcp.dns@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-gcp_x_firewall: + index_sorting: False + index_template: + index_patterns: + - "logs-gcp.firewall-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-gcp.firewall@package" + - "logs-gcp.firewall@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-gcp_x_loadbalancing_logs: + index_sorting: False + index_template: + index_patterns: + - "logs-gcp.loadbalancing_logs-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-gcp.loadbalancing_logs@package" + - "logs-gcp.loadbalancing_logs@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-gcp_x_vpcflow: + index_sorting: False + index_template: + index_patterns: + - "logs-gcp.vpcflow-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-gcp.vpcflow@package" + - "logs-gcp.vpcflow@custom" + - "so-fleet_globals-1" 
+ - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false so-logs-github_x_audit: index_sorting: False index_template: 
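Review bot: The `so-logs-fortinet_x_fortigate` entry with pattern `logs-fortinet.fortigate-*` looks like it may never match a real data stream: as far as I recall the Elastic `fortinet` integration's streams are clientendpoint, firewall, fortimail and fortimanager, while FortiGate logs arrive via the separate `fortinet_fortigate` package as `logs-fortinet_fortigate.log-*`. If that is right, the template is dead and FortiGate events would land under the stock package template without `so-fleet_globals-1`/`so-fleet_agent_id_verification-1`; the fix would be renaming the entry to `so-logs-fortinet_fortigate_x_log` with `- "logs-fortinet_fortigate.log-*"` and `logs-fortinet_fortigate.log@package`/`@custom` components, and adding `fortinet_fortigate` to the packages list in patch 04. Please confirm against the installed package version before changing it.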
@@ -1042,6 +1384,798 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false + so-logs-http_endpoint_x_generic: + index_sorting: False + index_template: + index_patterns: + - "logs-http_endpoint.generic-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-http_endpoint.generic@package" + - "logs-http_endpoint.generic@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-httpjson_x_generic: + index_sorting: False + index_template: + index_patterns: + - "logs-httpjson.generic-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-httpjson.generic@package" + - "logs-httpjson.generic@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-juniper_x_junos: + index_sorting: False + index_template: + index_patterns: + - "logs-juniper.junos-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-juniper.junos@package" + - "logs-juniper.junos@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-juniper_x_netscreen: + index_sorting: False + index_template: + index_patterns: + - "logs-juniper.netscreen-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-juniper.netscreen@package" + - "logs-juniper.netscreen@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-juniper_x_srx: + index_sorting: False + index_template: + index_patterns: + - "logs-juniper.srx-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-juniper.srx@package" + - "logs-juniper.srx@custom" + - "so-fleet_globals-1" + - 
"so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-juniper_srx_x_log: + index_sorting: False + index_template: + index_patterns: + - "logs-juniper_srx.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-juniper_srx.log@package" + - "logs-juniper_srx.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-kafka_log_x_generic: + index_sorting: False + index_template: + index_patterns: + - "logs-kafka_log.generic-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-kafka_log.generic@package" + - "logs-kafka_log.generic@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-lastpass_x_detailed_shared_folder: + index_sorting: False + index_template: + index_patterns: + - "logs-lastpass.detailed_shared_folder-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-lastpass.detailed_shared_folder@package" + - "logs-lastpass.detailed_shared_folder@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-lastpass_x_event_report: + index_sorting: False + index_template: + index_patterns: + - "logs-lastpass.event_report-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-lastpass.event_report@package" + - "logs-lastpass.event_report@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-lastpass_x_user: + index_sorting: False + index_template: + index_patterns: + - "logs-lastpass.user-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - 
"logs-lastpass.user@package" + - "logs-lastpass.user@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-m365_defender_x_event: + index_sorting: False + index_template: + index_patterns: + - "logs-m365_defender.event-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-m365_defender.event@package" + - "logs-m365_defender.event@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-m365_defender_x_incident: + index_sorting: False + index_template: + index_patterns: + - "logs-m365_defender.incident-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-m365_defender.incident@package" + - "logs-m365_defender.incident@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-m365_defender_x_log: + index_sorting: False + index_template: + index_patterns: + - "logs-m365_defender.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-m365_defender.log@package" + - "logs-m365_defender.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-microsoft_defender_endpoint_x_log: + index_sorting: False + index_template: + index_patterns: + - "logs-microsoft_defender_endpoint.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-microsoft_defender_endpoint.log@package" + - "logs-microsoft_defender_endpoint.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-microsoft_dhcp_x_log: + index_sorting: False + index_template: + 
index_patterns: + - "logs-microsoft_dhcp.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-microsoft_dhcp.log@package" + - "logs-microsoft_dhcp.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-netflow_x_log: + index_sorting: False + index_template: + index_patterns: + - "logs-netflow.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-netflow.log@package" + - "logs-netflow.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-panw_x_panos: + index_sorting: False + index_template: + index_patterns: + - "logs-panw.panos-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-panw.panos@package" + - "logs-panw.panos@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-pfsense_x_log: + index_sorting: False + index_template: + index_patterns: + - "logs-pfsense.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-pfsense.log@package" + - "logs-pfsense.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-sentinel_one_x_activity: + index_sorting: False + index_template: + index_patterns: + - "logs-sentinel_one.activity-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-sentinel_one.activity@package" + - "logs-sentinel_one.activity@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-sentinel_one_x_agent: + index_sorting: False + index_template: + index_patterns: + - 
"logs-sentinel_one.agent-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-sentinel_one.agent@package" + - "logs-sentinel_one.agent@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-sentinel_one_x_alert: + index_sorting: False + index_template: + index_patterns: + - "logs-sentinel_one.alert-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-sentinel_one.alert@package" + - "logs-sentinel_one.alert@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-sentinel_one_x_group: + index_sorting: False + index_template: + index_patterns: + - "logs-sentinel_one.group-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-sentinel_one.group@package" + - "logs-sentinel_one.group@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-sentinel_one_x_threat: + index_sorting: False + index_template: + index_patterns: + - "logs-sentinel_one.threat-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-sentinel_one.threat@package" + - "logs-sentinel_one.threat@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-sonicwall_firewall_x_log: + index_sorting: False + index_template: + index_patterns: + - "logs-sonicwall_firewall.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-sonicwall_firewall.log@package" + - "logs-sonicwall_firewall.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + 
so-logs-symantec_endpoint_x_log: + index_sorting: False + index_template: + index_patterns: + - "logs-symantec_endpoint.log-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-symantec_endpoint.log@package" + - "logs-symantec_endpoint.log@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-ti_abusech_x_malware: + index_sorting: False + index_template: + index_patterns: + - "logs-ti_abusech.malware-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-ti_abusech.malware@package" + - "logs-ti_abusech.malware@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-ti_abusech_x_malwarebazaar: + index_sorting: False + index_template: + index_patterns: + - "logs-ti_abusech.malwarebazaar-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-ti_abusech.malwarebazaar@package" + - "logs-ti_abusech.malwarebazaar@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-ti_abusech_x_threatfox: + index_sorting: False + index_template: + index_patterns: + - "logs-ti_abusech.threatfox-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-ti_abusech.threatfox@package" + - "logs-ti_abusech.threatfox@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-ti_abusech_x_url: + index_sorting: False + index_template: + index_patterns: + - "logs-ti_abusech.url-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-ti_abusech.url@package" + - "logs-ti_abusech.url@custom" + - "so-fleet_globals-1" + - 
"so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-ti_misp_x_threat: + index_sorting: False + index_template: + index_patterns: + - "logs-ti_misp.threat-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-ti_misp.threat@package" + - "logs-ti_misp.threat@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-ti_misp_x_threat_attributes: + index_sorting: False + index_template: + index_patterns: + - "logs-ti_misp.threat_attributes-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-ti_misp.threat_attributes@package" + - "logs-ti_misp.threat_attributes@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-ti_otx_x_threat: + index_sorting: False + index_template: + index_patterns: + - "logs-ti_otx.threat-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-ti_otx.threat@package" + - "logs-ti_otx.threat@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-ti_recordedfuture_x_latest_ioc-template: + index_sorting: False + index_template: + index_patterns: + - "logs-ti_recordedfuture.latest_ioc-template-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-ti_recordedfuture.latest_ioc-template@package" + - "logs-ti_recordedfuture.latest_ioc-template@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-ti_recordedfuture_x_threat: + index_sorting: False + index_template: + index_patterns: + - "logs-ti_recordedfuture.threat-*" + template: + settings: + index: + 
number_of_replicas: 0 + composed_of: + - "logs-ti_recordedfuture.threat@package" + - "logs-ti_recordedfuture.threat@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-zscaler_zia_x_alerts: + index_sorting: False + index_template: + index_patterns: + - "logs-zscaler_zia.alerts-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-zscaler_zia.alerts@package" + - "logs-zscaler_zia.alerts@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-zscaler_zia_x_dns: + index_sorting: False + index_template: + index_patterns: + - "logs-zscaler_zia.dns-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-zscaler_zia.dns@package" + - "logs-zscaler_zia.dns@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-zscaler_zia_x_firewall: + index_sorting: False + index_template: + index_patterns: + - "logs-zscaler_zia.firewall-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-zscaler_zia.firewall@package" + - "logs-zscaler_zia.firewall@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-zscaler_zia_x_tunnel: + index_sorting: False + index_template: + index_patterns: + - "logs-zscaler_zia.tunnel-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-zscaler_zia.tunnel@package" + - "logs-zscaler_zia.tunnel@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-zscaler_zia_x_web: + index_sorting: False + index_template: + index_patterns: + - 
"logs-zscaler_zia.web-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-zscaler_zia.web@package" + - "logs-zscaler_zia.web@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-zscaler_zpa_x_app_connector_status: + index_sorting: False + index_template: + index_patterns: + - "logs-zscaler_zpa.app_connector_status-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-zscaler_zpa.app_connector_status@package" + - "logs-zscaler_zpa.app_connector_status@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-zscaler_zpa_x_audit: + index_sorting: False + index_template: + index_patterns: + - "logs-zscaler_zpa.audit-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-zscaler_zpa.audit@package" + - "logs-zscaler_zpa.audit@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-zscaler_zpa_x_browser_access: + index_sorting: False + index_template: + index_patterns: + - "logs-zscaler_zpa.browser_access-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-zscaler_zpa.browser_access@package" + - "logs-zscaler_zpa.browser_access@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-zscaler_zpa_x_user_activity: + index_sorting: False + index_template: + index_patterns: + - "logs-zscaler_zpa.user_activity-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-zscaler_zpa.user_activity@package" + - "logs-zscaler_zpa.user_activity@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 
501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ so-logs-zscaler_zpa_x_user_status:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-zscaler_zpa.user_status-*"
+ template:
+ settings:
+ index:
+ number_of_replicas: 0
+ composed_of:
+ - "logs-zscaler_zpa.user_status@package"
+ - "logs-zscaler_zpa.user_status@custom"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
 so-logs-1password_x_item_usages:
 index_sorting: False
 index_template:
From 2f51349ff817a5cf6325a6f648fff058a3b4f80c Mon Sep 17 00:00:00 2001
From: Wes
Date: Wed, 23 Aug 2023 20:07:42 +0000
Subject: [PATCH 06/26] Add SOC configuration
---
 salt/elasticsearch/soc_elasticsearch.yaml | 63 +++++++++++++++++++++++
 1 file changed, 63 insertions(+)
diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml
index f269ec014..01de1ec30 100644
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
@@ -201,6 +201,7 @@ elasticsearch:
 so-logs-windows_x_powershell: *indexSettings
 so-logs-windows_x_powershell_operational: *indexSettings
 so-logs-windows_x_sysmon_operational: *indexSettings
+ so-logs-auditd_x_log: *indexSettings
 so-logs-aws_x_cloudtrail: *indexSettings
 so-logs-aws_x_cloudwatch_logs: *indexSettings
 so-logs-aws_x_ec2_logs: *indexSettings
@@ -221,9 +222,27 @@ elasticsearch:
 so-logs-azure_x_provisioning: *indexSettings
 so-logs-azure_x_signinlogs: *indexSettings
 so-logs-azure_x_springcloudlogs: *indexSettings
+ so-logs-barracuda_x_waf: *indexSettings
+ so-logs-cisco_asa_x_log: *indexSettings
 so-logs-cloudflare_x_audit: *indexSettings
 so-logs-cloudflare_x_logpull: *indexSettings
+ so-logs-crowdstrike_x_falcon: *indexSettings
+ so-logs-crowdstrike_x_fdr: *indexSettings
+ so-logs-darktrace_x_ai_analyst_alert: *indexSettings
+ so-logs-darktrace_x_model_breach_alert: *indexSettings
+ so-logs-darktrace_x_system_status_alert: *indexSettings
+ so-logs-f5_bigip_x_log: *indexSettings
 so-logs-fim_x_event: *indexSettings
+ so-logs-fortinet_x_clientendpoint: *indexSettings
+ so-logs-fortinet_x_firewall: *indexSettings
+ so-logs-fortinet_x_fortimail: *indexSettings
+ so-logs-fortinet_x_fortimanager: *indexSettings
+ so-logs-fortinet_x_fortigate: *indexSettings
+ so-logs-gcp_x_audit: *indexSettings
+ so-logs-gcp_x_dns: *indexSettings
+ so-logs-gcp_x_firewall: *indexSettings
+ so-logs-gcp_x_loadbalancing_logs: *indexSettings
+ so-logs-gcp_x_vpcflow: *indexSettings
 so-logs-github_x_audit: *indexSettings
 so-logs-github_x_code_scanning: *indexSettings
 so-logs-github_x_dependabot: *indexSettings
@@ -243,6 +262,50 @@ elasticsearch:
 so-logs-google_workspace_x_saml: *indexSettings
 so-logs-google_workspace_x_token: *indexSettings
 so-logs-google_workspace_x_user_accounts: *indexSettings
+ so-logs-http_endpoint_x_generic: *indexSettings
+ so-logs-httpjson_x_generic: *indexSettings
+ so-logs-juniper_x_junos: *indexSettings
+ so-logs-juniper_x_netscreen: *indexSettings
+ so-logs-juniper_x_srx: *indexSettings
+ so-logs-juniper_srx_x_log: *indexSettings
+ so-logs-kafka_log_x_generic: *indexSettings
+ so-logs-lastpass_x_detailed_shared_folder: *indexSettings
+ so-logs-lastpass_x_event_report: *indexSettings
+ so-logs-lastpass_x_user: *indexSettings
+ so-logs-m365_defender_x_event: *indexSettings
+ so-logs-m365_defender_x_incident: *indexSettings
+ so-logs-m365_defender_x_log: *indexSettings
+ so-logs-microsoft_defender_endpoint_x_log: *indexSettings
+ so-logs-microsoft_dhcp_x_log: *indexSettings
+ so-logs-netflow_x_log: *indexSettings
+ so-logs-panw_x_panos: *indexSettings
+ so-logs-pfsense_x_log: *indexSettings
+ so-logs-sentinel_one_x_activity: *indexSettings
+ so-logs-sentinel_one_x_agent: *indexSettings
+ so-logs-sentinel_one_x_alert: *indexSettings
+ so-logs-sentinel_one_x_group: *indexSettings
+ so-logs-sentinel_one_x_threat: *indexSettings
+ so-logs-sonicwall_firewall_x_log: *indexSettings
+ so-logs-symantec_endpoint_x_log: *indexSettings
+ so-logs-ti_abusech_x_malware: *indexSettings
+ so-logs-ti_abusech_x_malwarebazaar: *indexSettings
+ so-logs-ti_abusech_x_threatfox: *indexSettings
+ so-logs-ti_abusech_x_url: *indexSettings
+ so-logs-ti_misp_x_threat: *indexSettings
+ so-logs-ti_misp_x_threat_attributes: *indexSettings
+ so-logs-ti_otx_x_threat: *indexSettings
+ so-logs-ti_recordedfuture_x_latest_ioc-template: *indexSettings
+ so-logs-ti_recordedfuture_x_threat: *indexSettings
+ so-logs-zscaler_zia_x_alerts: *indexSettings
+ so-logs-zscaler_zia_x_dns: *indexSettings
+ so-logs-zscaler_zia_x_firewall: *indexSettings
+ so-logs-zscaler_zia_x_tunnel:
*indexSettings
+ so-logs-zscaler_zia_x_web: *indexSettings
+ so-logs-zscaler_zpa_x_app_connector_status: *indexSettings
+ so-logs-zscaler_zpa_x_audit: *indexSettings
+ so-logs-zscaler_zpa_x_browser_access: *indexSettings
+ so-logs-zscaler_zpa_x_user_activity: *indexSettings
+ so-logs-zscaler_zpa_x_user_status: *indexSettings
 so-logs-1password_x_item_usages: *indexSettings
 so-logs-1password_x_signin_attempts: *indexSettings
 so-logs-osquery-manager-actions: *indexSettings
From 31a49268cb960d26c04d7e8ea28cc5f9c4bf4260 Mon Sep 17 00:00:00 2001
From: Wes
Date: Wed, 23 Aug 2023 20:20:06 +0000
Subject: [PATCH 07/26] Add o365 and okta
---
 salt/elasticsearch/defaults.yaml | 36 +++++++++++++++++++++++
 salt/elasticsearch/soc_elasticsearch.yaml | 2 ++
 2 files changed, 38 insertions(+)
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 1c1d3ec58..3ea24c3fd 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -1672,6 +1672,42 @@ elasticsearch:
 data_stream:
 hidden: false
 allow_custom_routing: false
+ so-logs-o365_x_audit:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-o365.audit-*"
+ template:
+ settings:
+ index:
+ number_of_replicas: 0
+ composed_of:
+ - "logs-o365.audit@package"
+ - "logs-o365.audit@custom"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ so-logs-okta_x_system:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-okta.system-*"
+ template:
+ settings:
+ index:
+ number_of_replicas: 0
+ composed_of:
+ - "logs-okta.system@package"
+ - "logs-okta.system@custom"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
 so-logs-panw_x_panos:
 index_sorting: False
 index_template:
diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml
index 01de1ec30..e8ecccd2c 100644
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
@@ -278,6 +278,8 @@ elasticsearch:
 so-logs-microsoft_defender_endpoint_x_log: *indexSettings
 so-logs-microsoft_dhcp_x_log: *indexSettings
 so-logs-netflow_x_log: *indexSettings
+ so-logs-okta_x_system: *indexSettings
+ so-logs-o365_x_audit: *indexSettings
 so-logs-panw_x_panos: *indexSettings
 so-logs-pfsense_x_log: *indexSettings
 so-logs-sentinel_one_x_activity: *indexSettings
From d2d0d53eefb476c109b47e82ef8d1880f065535a Mon Sep 17 00:00:00 2001
From: Wes
Date: Wed, 23 Aug 2023 20:20:44 +0000
Subject: [PATCH 08/26] Change order
---
 salt/elasticsearch/soc_elasticsearch.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml
index e8ecccd2c..a960facd1 100644
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
@@ -278,8 +278,8 @@ elasticsearch:
 so-logs-microsoft_defender_endpoint_x_log: *indexSettings
 so-logs-microsoft_dhcp_x_log: *indexSettings
 so-logs-netflow_x_log: *indexSettings
- so-logs-okta_x_system: *indexSettings
 so-logs-o365_x_audit: *indexSettings
+ so-logs-okta_x_system: *indexSettings
 so-logs-panw_x_panos: *indexSettings
 so-logs-pfsense_x_log: *indexSettings
 so-logs-sentinel_one_x_activity: *indexSettings
From b8dc9ea5600e31fd08b569b45bc2d999f2aee9b2 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 23 Aug 2023 17:50:08 -0400
Subject: [PATCH 09/26] cert work
---
 salt/ssl/init.sls | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index 9ff3a3a6d..80164c622 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -36,7 +36,10 @@ include:
 {% set ca_server = global_ca_server[0] %}
 {% endif %}
-
+cacertdir:
+ file.directory:
+ - name: /etc/pki/tls/certs
+ - makedirs: True
 # Trust the CA
 trusttheca:
@@ -44,6 +47,13 @@ trusttheca:
 - name: /etc/pki/tls/certs/intca.crt
 - text: {{ trusttheca_text }}
+{% if GLOBALS.os_family == 'Debian' %}
+symlinkca:
+ file.symlink:
+ - source: /etc/pki/tls/certs/intca.crt
+ - name: /etc/ssl/certs/intca.crt
+{% end %}
+
 # Install packages needed for the sensor
 m2cryptopkgs:
 pkg.installed:
From 4484e2d031d9b6ffc0d761e4a109a7ff0238bcda Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 23 Aug 2023 18:16:49 -0400
Subject: [PATCH 10/26] cert work
---
 salt/ssl/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index 80164c622..1131eec12 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -52,7 +52,7 @@ symlinkca:
 file.symlink:
 - source: /etc/pki/tls/certs/intca.crt
 - name: /etc/ssl/certs/intca.crt
-{% end %}
+{% endif %}
 # Install packages needed for the sensor
 m2cryptopkgs:
From f4be5641daca889155f965787303d2c2172dbdd6 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 23 Aug 2023 20:49:37 -0400
Subject: [PATCH 11/26] cert work
---
 salt/ssl/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index 1131eec12..ef93a9072 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -50,7 +50,7 @@ trusttheca:
 {% if GLOBALS.os_family == 'Debian' %}
 symlinkca:
 file.symlink:
- - source: /etc/pki/tls/certs/intca.crt
+ - target: /etc/pki/tls/certs/intca.crt
 - name: /etc/ssl/certs/intca.crt
 {% endif %}
From 82529242031eb02bafeb704ecd89969fd5d950ab Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Thu, 24 Aug 2023 12:16:25 -0400
Subject: [PATCH 12/26] allow testing runs to proceed with unsupported os
---
 setup/so-setup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
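Review bot: `symlinkca` declares no ordering dependency on the state that writes its target, so it relies on Salt's default file-order execution to have run `trusttheca` first; if ordering is ever changed the Debian symlink is created dangling. Add `- require:` / `- file: trusttheca` under `file.symlink:` so the dependency is stated rather than incidental. Whether a bare `intca.crt` placed in `/etc/ssl/certs` is picked up by consumers that rely on OpenSSL's hashed CApath lookup is not something this hunk shows; it is fine for anything that opens the file by path, and a one-line comment such as `# Debian: expose the grid intermediate CA under /etc/ssl/certs as well` would make that intent explicit. The two later hunks in this series (`{% end %}` to `{% endif %}`, `source` to `target`) touch the same block, and this note applies to its final form.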
diff --git a/setup/so-setup b/setup/so-setup
index c3172280f..22a9e9238 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -69,7 +69,7 @@ detect_os
 # Ubuntu/Debian whiptail pallete to make it look the same as CentOS and Rocky.
 set_palette >> $setup_log 2>&1
-if [[ $not_supported ]]; then
+if [[ $not_supported ]] && [ -z "$TESTING" ]; then
 if [[ "$OSVER" == "focal" ]]; then
 if (whiptail_focal_warning); then
 true
From 43e4cf632ad70d66f4ee1994ae8254c323bf6a54 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Thu, 24 Aug 2023 12:57:35 -0400
Subject: [PATCH 13/26] use the correct var
---
 setup/so-setup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-setup b/setup/so-setup
index 22a9e9238..14d6b2304 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -69,7 +69,7 @@ detect_os
 # Ubuntu/Debian whiptail pallete to make it look the same as CentOS and Rocky.
 set_palette >> $setup_log 2>&1
-if [[ $not_supported ]] && [ -z "$TESTING" ]; then
+if [[ $not_supported ]] && [ -z "$test_profile" ]; then
 if [[ "$OSVER" == "focal" ]]; then
 if (whiptail_focal_warning); then
 true
From e57cc0308424cf288aad574fc2b07e69437c68e3 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Thu, 24 Aug 2023 14:41:04 -0400
Subject: [PATCH 14/26] fix centos install
---
 salt/common/packages.sls | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/salt/common/packages.sls b/salt/common/packages.sls
index 5f4a348e7..5f013e40b 100644
--- a/salt/common/packages.sls
+++ b/salt/common/packages.sls
@@ -63,11 +63,7 @@ commonpkgs:
 - httpd-tools
 - jq
 - lvm2
- {% if GLOBALS.os == 'CentOS Stream' %}
- - MariaDB-devel
- {% else %}
 - mariadb-devel
- {% endif %}
 - net-tools
 - nmap-ncat
 - openssl
From 4a489afb893077be5575076359fe9a2be42b7df5 Mon Sep 17 00:00:00 2001
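Review bot: The new `[ -z "$test_profile" ]` clause skips the unsupported-OS gate silently whenever a test profile is set, and nothing records in `$setup_log` that the gate was bypassed, so an install on an unsupported OS leaves no trace of why it was allowed. Log it before the `if`, for example `[ -n "$test_profile" ] && echo "test_profile set: skipping unsupported OS check" >> $setup_log`. As a matter of style the condition mixes `[[ ... ]]` and `[ ... ]`; `if [[ $not_supported && -z $test_profile ]]; then` says the same thing in one test. The `if` block continues outside the hunk.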
From: m0duspwnens
Date: Fri, 25 Aug 2023 08:55:00 -0400
Subject: [PATCH 15/26] remove old and install new watchdog package
---
 salt/common/packages.sls | 2 --
 salt/strelka/filestream/config.sls | 8 ++++++++
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/salt/common/packages.sls b/salt/common/packages.sls
index 5f4a348e7..fe36a1fa1 100644
--- a/salt/common/packages.sls
+++ b/salt/common/packages.sls
@@ -21,7 +21,6 @@ commonpkgs:
 - python3-dateutil
 - python3-docker
 - python3-packaging
- - python3-watchdog
 - python3-lxml
 - git
 - rsync
@@ -78,7 +77,6 @@ commonpkgs:
 - python3-packaging
 - python3-pyyaml
 - python3-rich
- - python3-watchdog
 - rsync
 - sqlite
 - tcpdump
diff --git a/salt/strelka/filestream/config.sls b/salt/strelka/filestream/config.sls
index 993a59650..a254e9253 100644
--- a/salt/strelka/filestream/config.sls
+++ b/salt/strelka/filestream/config.sls
@@ -47,6 +47,14 @@ filestream_config:
 FILESTREAMCONFIG: {{ STRELKAMERGED.filestream.config }}
 # Filecheck Section
+remove_old_watchdog:
+ pkg.removed:
+ - name: python3-watchdog
+
+install_watchdog:
+ pkg.installed:
+ - name: securityonion-python39-watchdog
+
 filecheck_logdir:
 file.directory:
 - name: /opt/so/log/strelka
From ab1d97c985130bb3504ec3eee4ea330953cdb595 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 25 Aug 2023 09:39:16 -0400
Subject: [PATCH 16/26] restart filecheck if watchdog pkg changes
---
 salt/strelka/filestream/config.sls | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/strelka/filestream/config.sls b/salt/strelka/filestream/config.sls
index a254e9253..a84ab5ba1 100644
--- a/salt/strelka/filestream/config.sls
+++ b/salt/strelka/filestream/config.sls
@@ -135,6 +135,7 @@ filecheck_restart:
 - onchanges:
 - file: filecheck_script
 - file: filecheck_conf
+ - pkg: install_watchdog
 filcheck_history_clean:
 cron.present:
From 0a88c812e867b51d19eb643d47dab1f9f7c24df3 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 25 Aug 2023 13:03:33 -0400
Subject: [PATCH 17/26] differnet watchdog package names for debian vs redhat fams
---
 salt/strelka/filestream/config.sls | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/salt/strelka/filestream/config.sls b/salt/strelka/filestream/config.sls
index a84ab5ba1..833a08505 100644
--- a/salt/strelka/filestream/config.sls
+++ b/salt/strelka/filestream/config.sls
@@ -47,6 +47,12 @@ filestream_config:
 FILESTREAMCONFIG: {{ STRELKAMERGED.filestream.config }}
 # Filecheck Section
+{% if GLOBALS.os_family == 'Debian' %}
+install_watchdog:
+ pkg.installed:
+ - name: python3-watchdog
+
+{% elif GLOBALS.os_family == 'RedHat' %}
 remove_old_watchdog:
 pkg.removed:
 - name: python3-watchdog
@@ -54,6 +60,7 @@ remove_old_watchdog:
 install_watchdog:
 pkg.installed:
 - name: securityonion-python39-watchdog
+{% endif %}
 filecheck_logdir:
 file.directory:
From c22f9687fb1f23f5232c1a21e4dfa59555def7ec Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 25 Aug 2023 13:40:34 -0400
Subject: [PATCH 18/26] sync local repo in soup
---
 salt/manager/tools/sbin/soup | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 934cef2ee..21933c1a8 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -303,6 +303,7 @@ check_log_size_limit() {
 check_os_updates() {
 # Check to see if there are OS updates
+ echo "Checking for OS updates."
 NEEDUPDATES="We have detected missing operating system (OS) updates. Do you want to install these OS updates now? This could take a while depending on the size of your grid and how many packages are missing, but it is recommended to keep your system updated."
 OSUPDATES=$(dnf -q list updates | grep -v docker | grep -v containerd | grep -v salt | grep -v Available | wc -l)
 if [[ "$OSUPDATES" -gt 0 ]]; then
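Review bot: In the RedHat branch `install_watchdog` does not state that it depends on `remove_old_watchdog`; Salt's default file-order execution happens to run the removal first, but the two packages presumably ship the same Python module, so an explicit `- require:` / `- pkg: remove_old_watchdog` under `pkg.installed:` turns that ordering into a declared contract. `filecheck_restart` (previous patch) lists `- pkg: install_watchdog` in its `onchanges` unconditionally, and that ID now only exists inside the Debian and RedHat branches; if any other `os_family` can reach this state the requisite will fail to resolve. A comment above the `{% if %}` such as `# install_watchdog exists only for Debian/RedHat families; filecheck_restart depends on it` would make the constraint visible to the next editor.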
@@ -437,6 +438,11 @@ post_to_2.4.20() {
 POSTVERSION=2.4.20
 }
+repo_sync() {
+ echo "Sync the local repo."
+ su socore -c '/usr/sbin/so-repo-sync'
+}
+
 stop_salt_master() {
 # kill all salt jobs across the grid because the hang indefinitely if they are queued and salt-master restarts
 set +e
@@ -762,9 +768,7 @@ main() {
 fi
 echo "Verifying we have the latest soup script."
 verify_latest_update_script
- echo "Checking for OS updates."
- check_os_updates
-
+
 echo "Let's see if we need to update Security Onion."
 upgrade_check
 upgrade_space
@@ -776,6 +780,10 @@ main() {
 if [[ $is_airgap -eq 0 ]]; then
 yum clean all
 check_os_updates
+ elif [[ $OS == 'oracle' || $OS == 'redhat'|| $OS == 'centos' ]]; then
+ # sync remote repo down to local if not airgap
+ repo_sync
+ check_os_updates
 fi
 if [ "$is_hotfix" == "true" ]; then
From 388c90f64113af0f750fec4aa091bda4064571b0 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 25 Aug 2023 14:56:42 -0400
Subject: [PATCH 19/26] add oel to set_os
---
 salt/common/tools/sbin/so-common | 4 ++++
 salt/manager/tools/sbin/soup | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index a76aab1f1..03b19d756 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -446,6 +446,10 @@ set_os() {
 OS=centos
 OSVER=9
 is_centos=true
+ elif grep -q "Oracle Linux Server release 9" /etc/system-release; then
+ OS=oel
+ OSVER=9
+ is_oracle=true
 fi
 cron_service_name="crond"
 else
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 21933c1a8..5cb59d6ac 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -780,7 +780,7 @@ main() {
 if [[ $is_airgap -eq 0 ]]; then
 yum clean all
 check_os_updates
- elif [[ $OS == 'oracle' || $OS == 'redhat'|| $OS == 'centos' ]]; then
+ elif [[ $OS == 'oel' || $OS == 'rocky'|| $OS == 'centos' ]]; then
 # sync remote repo down to local if not airgap
 repo_sync
 check_os_updates
From 022ee36bca46ae016b0e14868dfcf1cf726c68dd Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Fri, 25 Aug 2023 16:44:03 -0400
Subject: [PATCH 20/26] ingest pfsense sample data
---
 salt/common/tools/sbin/so-test | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/salt/common/tools/sbin/so-test b/salt/common/tools/sbin/so-test
index 8d6bcf4e1..90309766b 100755
--- a/salt/common/tools/sbin/so-test
+++ b/salt/common/tools/sbin/so-test
@@ -5,4 +5,10 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
+set -e
+
+# Playback live sample data onto monitor interface
 so-tcpreplay /opt/samples/* 2> /dev/null
+
+# Ingest sample pfsense log entry
+echo "<134>$(date '+%b %d %H:%M:%S') filterlog[31624]: 84,,,1567509287,igb0.244,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,64,192.168.1.1,10.10.10.10,56320,443,0,S,3333585167,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol" | nc -uv -w1 localhost 514
From 5879eeabfa12a370feed8b7a462ed36ee379230e Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Fri, 25 Aug 2023 16:45:31 -0400
Subject: [PATCH 21/26] ingest pfsense sample data
---
 salt/common/tools/sbin/so-test | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-test b/salt/common/tools/sbin/so-test
index 90309766b..7286a35a8 100755
--- a/salt/common/tools/sbin/so-test
+++ b/salt/common/tools/sbin/so-test
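Review bot: With `set -e` now in force, a non-zero exit from `so-tcpreplay` aborts the script before the pfsense sample is ever sent, and because its stderr is discarded the reason is lost; the following patch does the same to the `nc` line (`> /dev/null 2>&1`), so a missing `nc` binary (exit 127) also aborts without any output. Either keep stderr visible or report the failure explicitly, e.g. `so-tcpreplay /opt/samples/* 2> /dev/null || { echo "so-tcpreplay failed" >&2; exit 1; }`, and the same shape for the `nc` pipeline. Without `pipefail` only `nc`'s status is checked for that pipeline, which is acceptable here since `echo` and `date` cannot meaningfully fail.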
@@ -11,4 +11,4 @@ set -e
 so-tcpreplay /opt/samples/* 2> /dev/null
 # Ingest sample pfsense log entry
-echo "<134>$(date '+%b %d %H:%M:%S') filterlog[31624]: 84,,,1567509287,igb0.244,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,64,192.168.1.1,10.10.10.10,56320,443,0,S,3333585167,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol" | nc -uv -w1 localhost 514
+echo "<134>$(date '+%b %d %H:%M:%S') filterlog[31624]: 84,,,1567509287,igb0.244,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,64,192.168.1.1,10.10.10.10,56320,443,0,S,3333585167,,65535,,mss;nop;wscale;nop;nop;TS;sackOK;eol" | nc -uv -w1 localhost 514 > /dev/null 2>&1
From 1ef4d2cde11d581dd5b3f871460306f554f90a0c Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 28 Aug 2023 09:37:45 -0400
Subject: [PATCH 22/26] dont need to repo_sync rocky or centos
---
 salt/manager/tools/sbin/soup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 5cb59d6ac..37c9b3ba5 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -780,7 +780,7 @@ main() {
 if [[ $is_airgap -eq 0 ]]; then
 yum clean all
 check_os_updates
- elif [[ $OS == 'oel' || $OS == 'rocky'|| $OS == 'centos' ]]; then
+ elif [[ $OS == 'oel' ]]; then
 # sync remote repo down to local if not airgap
 repo_sync
 check_os_updates
From a8ec3717c44d1fd76343b321babaa7e44ab64bea Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 28 Aug 2023 10:20:53 -0400
Subject: [PATCH 23/26] fail soup if so-repo-sync fails
---
 salt/manager/tools/sbin/so-repo-sync | 4 +++-
 salt/manager/tools/sbin/soup | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/salt/manager/tools/sbin/so-repo-sync b/salt/manager/tools/sbin/so-repo-sync
index 3e129cd0d..84384fcdf 100644
--- a/salt/manager/tools/sbin/so-repo-sync
+++ b/salt/manager/tools/sbin/so-repo-sync
@@ -11,6 +11,8 @@ set_version
 set_os
 salt_minion_count
+set -e
+
 curl --retry 5 --retry-delay 60 -A "reposync/$VERSION/$OS/$(uname -r)/$MINIONCOUNT" https://sigs.securityonion.net/checkup --output /tmp/checkup
 dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/
-createrepo /nsm/repo
\ No newline at end of file
+createrepo /nsm/repo
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 37c9b3ba5..45e3df530 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -440,7 +440,7 @@ post_to_2.4.20() {
 repo_sync() {
 echo "Sync the local repo."
- su socore -c '/usr/sbin/so-repo-sync'
+ su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync."
 }
 stop_salt_master() {
From c10e686ec6f91d55bc53c8bd3b73c7f431b77bb9 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Mon, 28 Aug 2023 11:07:28 -0400
Subject: [PATCH 24/26] fix path to intermediate ca cert on heavy nodes
---
 salt/redis/enabled.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/redis/enabled.sls b/salt/redis/enabled.sls
index 4c452bec0..27177d217 100644
--- a/salt/redis/enabled.sls
+++ b/salt/redis/enabled.sls
@@ -33,7 +33,7 @@ so-redis:
 {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-import'] %}
 - /etc/pki/ca.crt:/certs/ca.crt:ro
 {% else %}
- - /etc/pki/certs/intca.crt:/certs/ca.crt:ro
+ - /etc/pki/tls/certs/intca.crt:/certs/ca.crt:ro
 {% endif %}
 {% if DOCKER.containers['so-redis'].custom_bind_mounts %}
 {% for BIND in DOCKER.containers['so-redis'].custom_bind_mounts %}
From 6b0fbe4634609603fdbddcc86d7eeea96e406a3b Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 28 Aug 2023 11:53:45 -0400
Subject: [PATCH 25/26] include so-repo-sync in soup_manager_scripts state
---
 salt/common/soup_scripts.sls | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
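Review bot: `set -e` is switched on only after `set_version`, `set_os` and `salt_minion_count` have run, so a failure inside any of them still lets the sync proceed, while the first command it does guard is the `curl ... /checkup` check-in, which the mirror does not depend on; combined with the `|| fail` added to `repo_sync` in `soup` in this same patch, an unreachable `sigs.securityonion.net` now fails the whole upgrade. Move `set -e` above the helper calls and append `|| true` to the curl line, and if the response is unused (nothing in the hunk reads `/tmp/checkup`) write it to `/dev/null` instead of a fixed, predictable path in `/tmp` created by the `socore` user. If the reposync config does not already enforce `gpgcheck`, consider `dnf reposync --gpgcheck ...` so packages that fail signature verification are not mirrored into `/nsm/repo` for the rest of the grid.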
diff --git a/salt/common/soup_scripts.sls b/salt/common/soup_scripts.sls
index 8dff85ddb..041649200 100644
--- a/salt/common/soup_scripts.sls
+++ b/salt/common/soup_scripts.sls
@@ -19,4 +19,5 @@ soup_manager_scripts:
 - source: salt://manager/tools/sbin
 - include_pat:
 - so-firewall
- - soup
\ No newline at end of file
+ - so-repo-sync
+ - soup
From bd61ee22be5ea6e0568505f4dc1381322efd70fe Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 28 Aug 2023 14:41:06 -0400
Subject: [PATCH 26/26] Update defaults.map.jinja
---
 salt/soc/defaults.map.jinja | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/soc/defaults.map.jinja b/salt/soc/defaults.map.jinja
index 7720e7027..2587051c5 100644
--- a/salt/soc/defaults.map.jinja
+++ b/salt/soc/defaults.map.jinja
@@ -16,7 +16,7 @@
 {# add nodes from the logstash:nodes pillar to soc.server.modules.elastic.remoteHostUrls #}
 {% for node_type, minions in salt['pillar.get']('logstash:nodes', {}).items() %}
 {% for m in minions.keys() %}
-{% do SOCDEFAULTS.soc.config.server.modules.elastic.remoteHostUrls.append(m) %}
+{% do SOCDEFAULTS.soc.config.server.modules.elastic.remoteHostUrls.append('https://' ~ m ~ ':9200') %}
 {% endfor %}
 {% endfor %}
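Review bot: The scheme and port are hard-coded into the appended URL, so every logstash node is assumed to serve Elasticsearch over TLS on `:9200`; if that port is configurable elsewhere in the elasticsearch or soc defaults it should be referenced here rather than duplicated as a literal. Whether the minion id `m` is always a resolvable hostname is not visible in this hunk, so a comment above the `{% do %}` stating the assumption would help, e.g. `{# remoteHostUrls entries must be full URLs; the minion id is used as the hostname #}`.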