From e0039a08ef435df402c0364f172dd9d4f02d5338 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Wed, 22 Jan 2025 13:57:26 -0600
Subject: [PATCH 1/4] fix forcedType typo
---
 salt/elasticsearch/soc_elasticsearch.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml
index 0d5d0ea28..48b8b2e27 100644
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
@@ -166,7 +166,7 @@ elasticsearch:
 index_template:
 index_patterns:
 description: Patterns for matching multiple indices or tables.
- forceType: "[]string"
+ forcedType: "[]string"
 multiline: True
 global: True
 advanced: True
From 5b8f8fb62f0dfbf7ce5692351a36f2a3250e0ba8 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Thu, 23 Jan 2025 12:47:22 -0600
Subject: [PATCH 2/4] add/remove es annotations/defaults automagically
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
---
 salt/elasticsearch/soc_elasticsearch.yaml | 6 +++
 salt/manager/managed_soc_annotations.sls | 59 +++++++++++++++++++++++
 2 files changed, 65 insertions(+)
 create mode 100644 salt/manager/managed_soc_annotations.sls
diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml
index 48b8b2e27..adce41bff 100644
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
@@ -77,6 +77,12 @@ elasticsearch:
 custom008: *pipelines
 custom009: *pipelines
 custom010: *pipelines
+ managed_integrations:
+ description: List of integrations to add into SOC config UI. Enter the full or partial integration name. Eg. 1password, 1pass
+ forcedType: "[]string"
+ global: True
+ advanced: True
+ helpLink: elasticsearch.html
 index_settings:
 global_overrides:
 index_template:
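Review bot: The `description` for `managed_integrations` promises matching on a "full or partial integration name" but does not say how partial matching works; the state added later in this series (salt/manager/managed_soc_annotations.sls) does a plain case-sensitive substring test against the addon integration keys, so `1Password` would not match and a very short entry would match several packages. Since this text is what operators see in the SOC config UI, I would make the rule explicit, e.g. `description: List of integrations to add into SOC config UI. Enter the full integration package name, or a case-sensitive substring of it (e.g. 1password or 1pass); short substrings may match more than one integration.`. The enclosing `elasticsearch:` mapping starts and ends outside the hunk.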
diff --git a/salt/manager/managed_soc_annotations.sls b/salt/manager/managed_soc_annotations.sls
new file mode 100644
index 000000000..17621f973
--- /dev/null
+++ b/salt/manager/managed_soc_annotations.sls
@@ -0,0 +1,59 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{# Managed elasticsearch/soc_elasticsearch.yaml file for adding integration configuration items to UI #}
+{% set managed_integrations = salt['pillar.get']('elasticsearch:managed_integrations', []) %}
+{% if managed_integrations %}
+{% from 'elasticfleet/integration-defaults.map.jinja' import ADDON_INTEGRATION_DEFAULTS %}
+{% set addon_integration_keys = ADDON_INTEGRATION_DEFAULTS.keys() %}
+{% set matched_integration_names = [] %}
+{% for k in addon_integration_keys %}
+{% for i in managed_integrations %}
+{% if i in k %}
+{% do matched_integration_names.append(k) %}
+{% endif %}
+{% endfor %}
+{% endfor %}
+{% set es_soc_annotations = '/opt/so/saltstack/default/salt/elasticsearch/soc_elasticsearch.yaml' %}
+{{ es_soc_annotations }}:
+ file.serialize:
+ - dataset:
+ {% set data = salt['file.read'](es_soc_annotations) | load_yaml %}
+ {% set es = data.get('elasticsearch', {}) %}
+ {% set index_settings = es.get('index_settings', {}) %}
+ {% set input = index_settings.get('so-logs', {}) %}
+ {% for k in matched_integration_names %}
+ {% if k not in index_settings %}
+ {% set _ = index_settings.update({k: input}) %}
+ {% endif %}
+ {% endfor %}
+ {% for k in addon_integration_keys %}
+ {% if k not in matched_integration_names and k in index_settings %}
+ {% set _ = index_settings.pop(k) %}
+ {% endif %}
+ {% endfor %}
+ {{ data }}
+
+{# Managed elasticsearch/defaults.yaml file for enabling 'Revert to default' via SOC UI for newly added config items #}
+{% set es_defaults = '/opt/so/saltstack/default/salt/elasticsearch/defaults.yaml' %}
+{{ es_defaults }}:
+ file.serialize:
+ - dataset:
+ {% set data = salt['file.read'](es_defaults) | load_yaml %}
+ {% set es = data.get('elasticsearch', {}) %}
+ {% set index_settings = es.get('index_settings', {}) %}
+ {% for k in matched_integration_names %}
+ {% if k not in index_settings %}
+ {% set input = ADDON_INTEGRATION_DEFAULTS[k] %}
+ {% set _ = index_settings.update({k: input})%}
+ {% endif %}
+ {% endfor %}
+ {% for k in addon_integration_keys %}
+ {% if k not in matched_integration_names and k in index_settings %}
+ {% set _ = index_settings.pop(k) %}
+ {% endif %}
+ {% endfor %}
+ {{ data }}
+{% endif %}
\ No newline at end of file
From a373d96c3c7b46ef56475dd0f6f674ec16ebfc6d Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Mon, 27 Jan 2025 13:45:03 -0600
Subject: [PATCH 3/4] run managed_soc_annotations.sls from manager state
---
 salt/manager/init.sls | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/manager/init.sls b/salt/manager/init.sls
index c4b2ad136..8de5d097a 100644
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -14,6 +14,7 @@ include:
 - manager.sync_es_users
 - manager.elasticsearch
 - manager.kibana
+ - manager.managed_soc_annotations
 repo_log_dir:
 file.directory:
From 38b0276458261c9c1049d8e49b40c4f2d919d02c Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Mon, 27 Jan 2025 13:45:18 -0600
Subject: [PATCH 4/4] remove reference to deleted file
---
 salt/elasticfleet/integration-defaults.map.jinja | 1 -
 1 file changed, 1 deletion(-)
diff --git a/salt/elasticfleet/integration-defaults.map.jinja b/salt/elasticfleet/integration-defaults.map.jinja
index 30eda7081..6d31cc71f 100644
--- a/salt/elasticfleet/integration-defaults.map.jinja
+++ b/salt/elasticfleet/integration-defaults.map.jinja
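Review bot: The loops that `pop` stale addon keys out of `index_settings` live inside `{% if managed_integrations %}`, so once an operator empties the list in the UI nothing runs and every entry added earlier stays in both soc_elasticsearch.yaml and defaults.yaml; dropping the two guard lines `{% if managed_integrations %}` and the closing `{% endif %}` fixes this, because with an empty list `matched_integration_names` is empty and the second loop already removes all addon keys. The match `{% if i in k %}` is a bare substring test on a pillar value supplied through the SOC UI, so an empty string or a one-character entry selects every key in ADDON_INTEGRATION_DEFAULTS; `{% if i and i in k %}` closes the empty-string case, and an exact or prefix match would be safer for short partials. Both `file.serialize` targets are rewritten from the parsed dict, which as far as I can tell drops comments and the `*pipelines` aliases visible in the soc_elasticsearch.yaml hunk, so it is worth confirming that is acceptable for files under /opt/so/saltstack/default. The same two points apply to the defaults.yaml section in the second half of this hunk.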
@@ -5,7 +5,6 @@
 {% import_json '/opt/so/state/esfleet_package_components.json' as ADDON_PACKAGE_COMPONENTS %}
 {% import_yaml 'elasticfleet/defaults.yaml' as ELASTICFLEETDEFAULTS %}
-{% import_yaml 'elasticfleet/integration-defaults.yaml' as INTEGRATIONDEFAULTS %}
 {% set CORE_ESFLEET_PACKAGES = ELASTICFLEETDEFAULTS.get('elasticfleet', {}).get('packages', {}) %}
 {% set ADDON_INTEGRATION_DEFAULTS = {} %}