From 102c3271d1480a35d0dc15866769058e9741de71 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 29 Mar 2024 12:04:47 -0400
Subject: [PATCH 1/5] FEATURE: Add process.command_line to Process Info and Process Ancestry dashboards #12694
---
salt/soc/defaults.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 861f6b02c..987011c99 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -70,13 +70,13 @@ soc: icon: fa-person-running target: '' links: - - '/#/hunt?q=(process.entity_id:"{:process.entity_id}") | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.name | groupby host.name user.name | groupby source.ip source.port destination.ip destination.port | groupby dns.question.name | groupby dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path' + - '/#/hunt?q=(process.entity_id:"{:process.entity_id}") | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.name | groupby process.command_line | groupby host.name user.name | groupby source.ip source.port destination.ip destination.port | groupby dns.question.name | groupby dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path' - name: actionProcessAncestors description: actionProcessAncestorsHelp icon: fa-people-roof target: '' links: - - '/#/hunt?q=(process.entity_id:"{:process.entity_id}" OR process.entity_id:"{:process.Ext.ancestry|processAncestors}") | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.parent.name | groupby -sankey process.parent.name process.name | groupby process.name | groupby host.name user.name | groupby source.ip source.port destination.ip destination.port | groupby dns.question.name | groupby dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path' + - '/#/hunt?q=(process.entity_id:"{:process.entity_id}" OR process.entity_id:"{:process.Ext.ancestry|processAncestors}") | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.parent.name | groupby -sankey process.parent.name process.name | groupby process.name | groupby process.command_line | groupby host.name user.name | groupby source.ip source.port destination.ip destination.port | groupby dns.question.name | groupby 
dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path' eventFields: default: - soc_timestamp From e747a4e3fed1a42e5ec41be0d3f17cc6aa89d26b Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Fri, 29 Mar 2024 12:25:03 -0600 Subject: [PATCH 2/5] New Settings for Manual Sync in Detections --- salt/soc/defaults.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 987011c99..4ecf1713d 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1993,6 +1993,13 @@ soc: mostRecentlyUsedLimit: 5 safeStringMaxLength: 100 queryBaseFilter: '_index:"*:so-detection" AND so_kind:detection' + presets: + manualSync: + customEnabled:false + labels: + - Suricata + - Strelka + - ElastAlert eventFields: default: - so_detection.title From 0c7ba6286790ccc0cb7ab822fa71d6914585642b Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 29 Mar 2024 14:44:29 -0400 Subject: [PATCH 3/5] FEATURE: Add Events table columns for zeek ssl and suricata ssl #12697 --- salt/soc/defaults.yaml | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 987011c99..d0e769620 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -457,7 +457,7 @@ soc: - ssh.server - log.id.uid - event.dataset - '::ssl': + ':suricata:ssl': - soc_timestamp - source.ip - source.port @@ -465,10 +465,30 @@ soc: - destination.port - ssl.server_name - ssl.certificate.subject + - ssl.version + - log.id.uid + - event.dataset + ':zeek:ssl': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ssl.server_name - ssl.validation_status - ssl.version - log.id.uid - event.dataset + '::ssl': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ssl.server_name + - ssl.version + - log.id.uid + - event.dataset ':zeek:syslog': - soc_timestamp - source.ip 
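Review bot: `customEnabled:false` in the new `presets.manualSync` block has no space after the colon, so YAML reads it as the single plain scalar `customEnabled:false` rather than a key with a boolean value, and with the `labels:` key following at the same level the `manualSync` mapping is malformed and defaults.yaml does not load at this commit. Patch 5/5 ("Proper YAML") corrects it to `customEnabled: false` and re-indents the three `labels` items, so squashing that fixup into this commit would keep every commit in the series loadable for bisecting. The hunk also does not say what `labels` (Suricata, Strelka, ElastAlert) selects or what `customEnabled` permits; a one-line comment above `presets:` such as `# manualSync: labels offered by the Detections manual-sync action; customEnabled: allow values outside this list (confirm against the SOC code)` would spare readers of this large file a trip into the consumer.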
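Review bot: The new fallback `'::ssl'` column list drops `ssl.certificate.subject` and `ssl.validation_status`, both of which were in the `'::ssl'` entry this hunk renames to `':suricata:ssl'`, while `':suricata:ssl'` keeps only `ssl.certificate.subject` and `':zeek:ssl'` keeps only `ssl.validation_status`. The precedence between `':zeek:ssl'`, `':suricata:ssl'` and the bare `'::ssl'` key is not visible from the file, so if the intent is that `'::ssl'` now only serves ssl datasets from other sources, a comment stating that would help, e.g. `# '::ssl': fallback columns for any ssl dataset not matched by a :module:ssl key above`. Certificate subject (and issuer) is the field an analyst reads to spot self-signed or mismatched certificates, so if Zeek ssl records also populate `ssl.certificate.subject` — the previous shared entry listed it alongside the Zeek-only `ssl.validation_status`, which suggests they do — consider adding it to `':zeek:ssl'` as well.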
From b64ed5535e06690e31e83fb232848122b509256c Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 29 Mar 2024 15:29:38 -0400
Subject: [PATCH 4/5] FEATURE: Add individual dashboards for Zeek SSL and Suricata SSL logs #12699
---
salt/soc/defaults.yaml | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 153937ad1..6fbbebd76 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1760,7 +1760,13 @@ soc: query: 'tags:ssh | groupby ssh.client | groupby -sankey ssh.client source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby ssh.server | groupby ssh.version | groupby ssh.hassh_version | groupby ssh.direction | groupby source_geo.organization_name | groupby destination_geo.organization_name' - name: SSL description: SSL/TLS network metadata - query: 'tags:ssl | groupby ssl.version | groupby ssl.validation_status | groupby -sankey ssl.validation_status ssl.server_name | groupby ssl.server_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject' + query: 'tags:ssl | groupby ssl.version | groupby -sankey ssl.version ssl.server_name | groupby ssl.server_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + - name: SSL - Suricata + description: SSL/TLS network metadata from Suricata + query: 'event.dataset:suricata.ssl | groupby ssl.version | groupby -sankey ssl.version ssl.server_name | groupby ssl.server_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject' + - name: SSL - Zeek + description: SSL/TLS network metadata from Zeek + query: 'event.dataset:zeek.ssl | groupby ssl.version | groupby ssl.validation_status | groupby -sankey ssl.validation_status ssl.server_name | groupby ssl.server_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: STUN description: STUN (Session Traversal Utilities for NAT) network metadata query: 'tags:stun* | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby 
destination.geo.country_name | groupby event.dataset' From e5a3a54aea80421b027afbed99eeed3d8382e557 Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Fri, 29 Mar 2024 14:31:43 -0600 Subject: [PATCH 5/5] Proper YAML --- salt/soc/defaults.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 6fbbebd76..9ec22b180 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -2021,11 +2021,11 @@ soc: queryBaseFilter: '_index:"*:so-detection" AND so_kind:detection' presets: manualSync: - customEnabled:false + customEnabled: false labels: - - Suricata - - Strelka - - ElastAlert + - Suricata + - Strelka + - ElastAlert eventFields: default: - so_detection.title
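Review bot: The new `SSL - Zeek` dashboard omits `groupby ssl.certificate.issuer | groupby ssl.certificate.subject`, which the removed shared `SSL` query carried and which this commit keeps only in `SSL - Suricata`. The removed query also carried `ssl.validation_status`, which here goes only to the Zeek dashboard, so that line presumably served Zeek records that had issuer and subject populated; if so, the Zeek view loses those two aggregations, and ending its query with `... | groupby destination_geo.organization_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject'` restores them. Issuer and subject are the most direct fields for spotting self-signed or untrusted certificates in TLS metadata, so it is worth confirming against what zeek.ssl actually populates before the split lands.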