From a5ae481ea4db1a9cf2e5ea22142bb5b5eb61b4a0 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 26 Feb 2025 13:10:57 -0500 Subject: [PATCH 01/41] globals --- salt/global/soc_global.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/salt/global/soc_global.yaml b/salt/global/soc_global.yaml index 5a349a3c3..15cae92b3 100644 --- a/salt/global/soc_global.yaml +++ b/salt/global/soc_global.yaml @@ -12,11 +12,18 @@ global: mdengine: description: Which engine to use for meta data generation. Options are ZEEK and SURICATA. regex: ^(ZEEK|SURICATA)$ + options: + - ZEEK + - SURICATA regexFailureMessage: You must enter either ZEEK or SURICATA. global: True pcapengine: description: Which engine to use for generating pcap. Options are STENO, SURICATA or TRANSITION. regex: ^(STENO|SURICATA|TRANSITION)$ + options: + - STENO + - SURICATA + - TRANSITION regexFailureMessage: You must enter either STENO, SURICATA or TRANSITION. global: True ids: @@ -38,6 +45,9 @@ global: pipeline: description: Sets which pipeline technology for events to use. Currently only Redis is fully supported. Kafka is experimental and requires a Security Onion Pro license. regex: ^(REDIS|KAFKA)$ + options: + - REDIS + - KAFKA regexFailureMessage: You must enter either REDIS or KAFKA. global: True advanced: True From ee1af39c556a7c31c4ef36b1555c3ff1bb4aa2ec Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 26 Feb 2025 13:17:08 -0500 Subject: [PATCH 02/41] elastalert --- salt/elastalert/soc_elastalert.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/elastalert/soc_elastalert.yaml b/salt/elastalert/soc_elastalert.yaml index 764ec87fc..2ce04307b 100644 --- a/salt/elastalert/soc_elastalert.yaml +++ b/salt/elastalert/soc_elastalert.yaml 
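Review bot: The `options` lists added under mdengine, pcapengine and pipeline restate the alternatives already encoded in each setting's `regex` and again in its `regexFailureMessage`, so the allowed set now lives in three places per setting and can drift silently — a value added to `options` but not to the regex would be offered in the UI and then rejected on save, and the reverse would be accepted but never offered. Presumably `options` feeds a picker in the SOC config UI while `regex` stays the gate; if so, a comment above each list such as `# keep in sync with the regex and regexFailureMessage above` is the least that should accompany the duplication. Both hunks of this patch have the same shape.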
@@ -1,5 +1,6 @@ elastalert: enabled: + forcedType: bool description: Enables or disables the ElastAlert 2 process. This process is critical for ensuring alerts arrive in SOC, and for outbound notification delivery. helpLink: elastalert.html alerter_parameters: From 6fec2170689683002a50d712d61b85118468b26f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 26 Feb 2025 13:34:32 -0500 Subject: [PATCH 03/41] actions --- .../soc_elastic-fleet-package-registry.yaml | 1 + salt/elasticagent/soc_elasticagent.yaml | 1 + salt/elasticfleet/soc_elasticfleet.yaml | 1 + salt/soc/soc_soc.yaml | 7 +++++++ 4 files changed, 10 insertions(+) diff --git a/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml b/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml index 3d8a2112b..4a544fbc6 100644 --- a/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml +++ b/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml @@ -1,4 +1,5 @@ elastic_fleet_package_registry: enabled: + forcedType: bool description: Enables or disables the Fleet package registry process. This process must remain enabled to allow Elastic Agent packages to be updated. advanced: True diff --git a/salt/elasticagent/soc_elasticagent.yaml b/salt/elasticagent/soc_elasticagent.yaml index a24ac1985..4632ae946 100644 --- a/salt/elasticagent/soc_elasticagent.yaml +++ b/salt/elasticagent/soc_elasticagent.yaml @@ -1,4 +1,5 @@ elasticagent: enabled: + forcedType: bool description: Enables or disables the Elastic Agent process. This process must remain enabled to allow collection of node events. advanced: True diff --git a/salt/elasticfleet/soc_elasticfleet.yaml b/salt/elasticfleet/soc_elasticfleet.yaml index 7ca59401f..8ec558d37 100644 --- a/salt/elasticfleet/soc_elasticfleet.yaml +++ b/salt/elasticfleet/soc_elasticfleet.yaml 
@@ -3,6 +3,7 @@ elasticfleet: description: Enables or disables the Elastic Fleet process. This process is critical for managing Elastic Agents. advanced: True helpLink: elastic-fleet.html + forcedType: bool enable_manager_output: description: Setting this option to False should only be considered if there is at least one receiver node in the grid. If True, Elastic Agent will send events to the manager and receivers. If False, events will only be send to the receivers. advanced: True diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index d7fcd9644..332662c09 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -63,6 +63,13 @@ soc: description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action. global: True forcedType: "[]{}" + uiElements: + - field: description + label: Description + - field: icon + label: Icon + - field: links + label: Links eventFields: default: &eventFields description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left. From 2bc2e86b01ec2589a5343e0457798cc30b2706fe Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 26 Feb 2025 13:36:16 -0500 Subject: [PATCH 04/41] actions --- salt/soc/soc_soc.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 332662c09..fc336a2df 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
@@ -64,12 +64,12 @@ soc: global: True forcedType: "[]{}" uiElements: - - field: description - label: Description - - field: icon - label: Icon - - field: links - label: Links + - field: description + label: Description + - field: icon + label: Icon + - field: links + label: Links eventFields: default: &eventFields description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left. From 6d7e0a7a72df924e637ae7f18338b4a6723384bd Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 26 Feb 2025 13:39:18 -0500 Subject: [PATCH 05/41] sensoroni --- salt/sensoroni/soc_sensoroni.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/sensoroni/soc_sensoroni.yaml b/salt/sensoroni/soc_sensoroni.yaml index 71a2c779b..325abf326 100644 --- a/salt/sensoroni/soc_sensoroni.yaml +++ b/salt/sensoroni/soc_sensoroni.yaml @@ -1,5 +1,6 @@ sensoroni: enabled: + forcedType: bool description: Enable or disable the per-node SOC agent process. This process is used for performing node-related jobs and reporting node metrics back to SOC. Disabling this process is unsupported and will result in an improperly functioning grid. advanced: True helpLink: grid.html From c5e0b8a42e352f74ab319bfb23167e2ce9513c73 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 26 Feb 2025 13:40:24 -0500 Subject: [PATCH 06/41] sensoroni --- salt/soc/soc_soc.yaml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index fc336a2df..d7fcd9644 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
@@ -63,13 +63,6 @@ soc: description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action. global: True forcedType: "[]{}" - uiElements: - - field: description - label: Description - - field: icon - label: Icon - - field: links - label: Links eventFields: default: &eventFields description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left. From 101f6e744a1abed43218146124633896c6e1df87 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 26 Feb 2025 13:44:35 -0500 Subject: [PATCH 07/41] sensoroni --- salt/soc/soc_soc.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index d7fcd9644..fc336a2df 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
@@ -63,6 +63,13 @@ soc: description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action. global: True forcedType: "[]{}" + uiElements: + - field: description + label: Description + - field: icon + label: Icon + - field: links + label: Links eventFields: default: &eventFields description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left. From 0c2797ecdc81235e2b4f2c8ed3b34cf195692ba4 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 26 Feb 2025 13:49:30 -0500 Subject: [PATCH 08/41] soc --- salt/soc/soc_soc.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index fc336a2df..338356c05 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -62,6 +62,7 @@ soc: actions: description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action. global: True + syntax: json forcedType: "[]{}" uiElements: - field: description From 25217c3262e14f7feb85344f7719a8233f331fc8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 26 Feb 2025 14:14:25 -0500 Subject: [PATCH 09/41] soc --- salt/soc/soc_soc.yaml | 43 +++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 41 insertions(+), 2 deletions(-) 
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 338356c05..ec6177b65 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -60,7 +60,7 @@ soc: - warn - error actions: - description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action. + description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. global: True syntax: json forcedType: "[]{}" @@ -265,6 +265,14 @@ soc: global: True advanced: True forcedType: "[]{}" + syntax: json + uiElements: + - field: community + label: Community + - field: license + label: License + - field: repo + label: Repo helpLink: sigma.html airgap: *eerulesRepos sigmaRulePackages: @@ -381,6 +389,15 @@ soc: advanced: True forcedType: "[]{}" helpLink: yara.html + syntax: json + uiElements: + - field: community + label: Community + - field: license + label: License + - field: repo + label: Repo + helpLink: sigma.html airgap: *serulesRepos suricataengine: aiRepoUrl: @@ -473,10 +490,18 @@ soc: description: List of external tools to remove from the SOC UI. global: True tools: - description: List of available external tools visible in the SOC UI. Each tool is defined in JSON object notation, and must include the "name" key and "link" key, where the link is the tool's URL. + description: List of available external tools visible in the SOC UI. global: True advanced: True forcedType: "[]{}" + syntax: json + uiElements: + - field: description + label: Description + - field: icon + label: Icon + - field: link + label: Link hunt: &appSettings groupItemsPerPage: description: Default number of aggregations to show per page. Larger values consume more vertical area in the SOC UI. 
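Review bot: The `@@ -381` hunk adds `helpLink: sigma.html` directly below the existing `helpLink: yara.html` in the yara repos entry, which makes `helpLink` a duplicate mapping key; most YAML loaders keep the last value, so the yara setting's help link silently becomes sigma.html, and yamllint's key-duplicates rule would flag it. The uiElements block above it is a copy of the sigma one from the `@@ -265` hunk and the extra `helpLink` came along with the paste, so the line should be deleted rather than moved. Patch 11/41 ("Fix healthlink") only re-indents it, which appears to turn it into a stray `helpLink` key inside the `- field: repo` uiElement instead of removing it.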
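Review bot: In the `@@ -473` hunk the `tools` description loses the sentence stating that each tool must carry a `name` key and a `link` key, while the new uiElements offer only `description`, `icon` and `link`, so the mandatory `name` is neither documented nor present in the form. Keep the requirement in the description and add a leading element `- field: name` / `label: Name` / `required: True`, which is what the `actions` block later receives in patch 12/41. The `actions` description in the `@@ -60` hunk is shortened the same way and loses the same information.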
@@ -503,11 +528,25 @@ soc: description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key. global: True forcedType: "[]{}" + syntax: json + uiElements: + - field: name + label: Name + - field: query + label: Query queryToggleFilters: description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query. global: True advanced: True forcedType: "[]{}" + syntax: json + uiElements: + - field: enabled + label: Enabled + - field: filter + label: Filter + - field: name + label: Name alerts: <<: *appSettings maxBulkEscalateEvents: From 8bc500e4daa0e1c0cca94eca3e7e9b9929c033cb Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 26 Feb 2025 14:16:42 -0500 Subject: [PATCH 10/41] soc --- salt/soc/soc_soc.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index ec6177b65..103d13d6e 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -525,7 +525,7 @@ soc: description: Number of items to show in the most recently used queries list. Larger values cause default queries to be located further down the list. global: True queries: - description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key. + description: List of default queries to show in the query list. All entries must include the "name" key and "query" key. global: True forcedType: "[]{}" syntax: json From 6c00cdd726f7742f64eb22891570a22aeadeefd0 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 26 Feb 2025 16:15:00 -0500 Subject: [PATCH 11/41] Fix healthlink --- salt/soc/soc_soc.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 103d13d6e..6b00d512b 100644 
--- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -397,7 +397,7 @@ soc: label: License - field: repo label: Repo - helpLink: sigma.html + helpLink: sigma.html airgap: *serulesRepos suricataengine: aiRepoUrl: From 3ba82bd5a47d3a71ca188db2b8e135698f33455e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 27 Feb 2025 11:04:47 -0500 Subject: [PATCH 12/41] Fix actions --- salt/soc/soc_soc.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 6b00d512b..d061dd65e 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -65,12 +65,19 @@ soc: syntax: json forcedType: "[]{}" uiElements: + - field: name + label: Name + required: True - field: description label: Description - field: icon label: Icon - field: links label: Links + multiline: True + required: True + - field: target + label: Target (_blank, _self, mynewtab) eventFields: default: &eventFields description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left. From d950e4ebb3136abfb5af3785741dcbc71c1ee0f8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 27 Feb 2025 11:11:56 -0500 Subject: [PATCH 13/41] Add additional entries for actions --- salt/soc/soc_soc.yaml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index d061dd65e..73ed72f2a 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
@@ -60,7 +60,7 @@ soc: - warn - error actions: - description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. + description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. JavaScript Function or Links must be specified. global: True syntax: json forcedType: "[]{}" @@ -75,9 +75,13 @@ soc: - field: links label: Links multiline: True - required: True + - field: jsCall + label: JavaScript Function - field: target - label: Target (_blank, _self, mynewtab) + label: Target (_blank, _self, mynewtab) + - field: categories + label: Categories + multiline: True eventFields: default: &eventFields description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left. From 1d3bae4a7acbf10a90074c5a382a52d3fc0dfd78 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 27 Feb 2025 11:15:51 -0500 Subject: [PATCH 14/41] Add additional entries for actions --- salt/soc/soc_soc.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 73ed72f2a..d8a00bbfd 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
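Review bot: The new `jsCall` uiElement takes a free-form string that, per its label, names a JavaScript function to run in the analyst's browser, yet it carries no `regex` limiting it to an identifier; something like `regex: ^[A-Za-z_$][A-Za-z0-9_$]*$` (constructed example) would at least keep arbitrary script text out of the config field. The description's new rule "JavaScript Function or Links must be specified" is not enforced by anything in the hunk, since `required: True` is removed from `links` and not added to `jsCall`; the uiElements keys visible here cannot express either/or, so record where that check lives, e.g. `# either links or jsCall must be set; validated server-side, not by uiElements`, once that is confirmed. How SOC resolves the name — a fixed set of built-in handlers versus evaluating the string — is not visible in this series, and that determines whether this field needs the same review attention as `links`.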
@@ -81,7 +81,8 @@ soc: label: Target (_blank, _self, mynewtab) - field: categories label: Categories - multiline: True + multiline: True + forcedType: "[]string" eventFields: default: &eventFields description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left. From e930d1dec62cd57a0615a8973b92e01ace0636d1 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 27 Feb 2025 11:28:06 -0500 Subject: [PATCH 15/41] roll back SOC changes --- salt/soc/soc_soc.yaml | 58 +++---------------------------------------- 1 file changed, 3 insertions(+), 55 deletions(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index d8a00bbfd..fc336a2df 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
@@ -60,29 +60,16 @@ soc: - warn - error actions: - description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. JavaScript Function or Links must be specified. + description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action. global: True - syntax: json forcedType: "[]{}" uiElements: - - field: name - label: Name - required: True - field: description label: Description - field: icon label: Icon - field: links label: Links - multiline: True - - field: jsCall - label: JavaScript Function - - field: target - label: Target (_blank, _self, mynewtab) - - field: categories - label: Categories - multiline: True - forcedType: "[]string" eventFields: default: &eventFields description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left. @@ -277,14 +264,6 @@ soc: global: True advanced: True forcedType: "[]{}" - syntax: json - uiElements: - - field: community - label: Community - - field: license - label: License - - field: repo - label: Repo helpLink: sigma.html airgap: *eerulesRepos sigmaRulePackages: @@ -401,15 +380,6 @@ soc: advanced: True forcedType: "[]{}" helpLink: yara.html - syntax: json - uiElements: - - field: community - label: Community - - field: license - label: License - - field: repo - label: Repo - helpLink: sigma.html airgap: *serulesRepos suricataengine: aiRepoUrl: 
@@ -502,18 +472,10 @@ soc: description: List of external tools to remove from the SOC UI. global: True tools: - description: List of available external tools visible in the SOC UI. + description: List of available external tools visible in the SOC UI. Each tool is defined in JSON object notation, and must include the "name" key and "link" key, where the link is the tool's URL. global: True advanced: True forcedType: "[]{}" - syntax: json - uiElements: - - field: description - label: Description - - field: icon - label: Icon - - field: link - label: Link hunt: &appSettings groupItemsPerPage: description: Default number of aggregations to show per page. Larger values consume more vertical area in the SOC UI. @@ -537,28 +499,14 @@ soc: description: Number of items to show in the most recently used queries list. Larger values cause default queries to be located further down the list. global: True queries: - description: List of default queries to show in the query list. All entries must include the "name" key and "query" key. + description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key. global: True forcedType: "[]{}" - syntax: json - uiElements: - - field: name - label: Name - - field: query - label: Query queryToggleFilters: description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query. global: True advanced: True forcedType: "[]{}" - syntax: json - uiElements: - - field: enabled - label: Enabled - - field: filter - label: Filter - - field: name - label: Name alerts: <<: *appSettings maxBulkEscalateEvents: From 9d31050907a03efbc535cd3ba84c7d916c47f611 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 27 Feb 2025 11:32:59 -0500 Subject: [PATCH 16/41] roll back SOC changes --- salt/soc/soc_soc.yaml | 7 ------- 1 file changed, 7 deletions(-) 
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index fc336a2df..d7fcd9644 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -63,13 +63,6 @@ soc: description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action. global: True forcedType: "[]{}" - uiElements: - - field: description - label: Description - - field: icon - label: Icon - - field: links - label: Links eventFields: default: &eventFields description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left. From 4b5048bd804addddcaf017ee1cb16bf3afb45f84 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 27 Feb 2025 11:57:57 -0500 Subject: [PATCH 17/41] Add hunt queries --- salt/soc/soc_soc.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index d7fcd9644..ff2a0a4ad 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
@@ -495,6 +495,18 @@ soc: description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key. global: True forcedType: "[]{}" + uiElements: + - field: name + label: Name + required: True + - field: description + label: Description + - field: query + label: Query + required: True + - field: showSubtitle + label: Show Query in Dropdown. Must be true or false + regex: ^(true|false)$ queryToggleFilters: description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query. global: True From 40303c2d7816801062b2158799a07c4824a1d31d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 27 Feb 2025 12:10:59 -0500 Subject: [PATCH 18/41] Add hunt queries --- salt/soc/soc_soc.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index ff2a0a4ad..87d3c0ab5 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -506,7 +506,6 @@ soc: required: True - field: showSubtitle label: Show Query in Dropdown. Must be true or false - regex: ^(true|false)$ queryToggleFilters: description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query. global: True From 1fdbe987b8371a040067a2a565fa30cae4354ff0 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 27 Feb 2025 12:15:37 -0500 Subject: [PATCH 19/41] Add hunt queries --- salt/soc/soc_soc.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 87d3c0ab5..7566d99af 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
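Review bot: In the `showSubtitle` uiElement the validation hint is embedded in the label (`Show Query in Dropdown. Must be true or false`), so the field's display name doubles as its error message while the paired `regex: ^(true|false)$` has no failure text of its own. Patch 01/41 pairs every `regex` in soc_global.yaml with a `regexFailureMessage`; if uiElements honour the same key, shorten to `label: Show Query in Dropdown` and add `regexFailureMessage: Must be true or false` — confirm the key is read at uiElement level before relying on it. Whether the regex is applied to a string or to a JSON boolean is not visible here; the title of patch 25/41 suggests these values are strings, which should be confirmed. The same three lines are removed and re-added by patch 19/41 and again by patch 29/41, so this note covers those hunks too.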
@@ -494,7 +494,7 @@ soc: queries: description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key. global: True - forcedType: "[]{}" + forcedType: json uiElements: - field: name label: Name @@ -506,6 +506,7 @@ soc: required: True - field: showSubtitle label: Show Query in Dropdown. Must be true or false + regex: ^(true|false)$ queryToggleFilters: description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query. global: True From a0944f83593f2738d4a05b286c71fce8eb326239 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 27 Feb 2025 12:17:57 -0500 Subject: [PATCH 20/41] Add hunt queries --- salt/soc/soc_soc.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 7566d99af..b4f724b38 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -494,7 +494,8 @@ soc: queries: description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key. global: True - forcedType: json + forcedType: "[]{}" + syntax: json uiElements: - field: name label: Name From 4696152f7860212f358a7e3fa95dea100ae0836a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 27 Feb 2025 12:31:51 -0500 Subject: [PATCH 21/41] Add hunt queries --- salt/soc/soc_soc.yaml | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index b4f724b38..d7fcd9644 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
@@ -495,19 +495,6 @@ soc: description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key. global: True forcedType: "[]{}" - syntax: json - uiElements: - - field: name - label: Name - required: True - - field: description - label: Description - - field: query - label: Query - required: True - - field: showSubtitle - label: Show Query in Dropdown. Must be true or false - regex: ^(true|false)$ queryToggleFilters: description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query. global: True From 2ffaf2f6019f1cd88e363353d95c8ac6e489e385 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 27 Feb 2025 12:42:03 -0500 Subject: [PATCH 22/41] Add hunt queries --- salt/soc/soc_soc.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index d7fcd9644..fef5ce382 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -495,6 +495,16 @@ soc: description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key. global: True forcedType: "[]{}" + syntax: json + uiElements: + - field: name + label: Name + required: True + - field: description + label: Description + - field: query + label: Query + required: True queryToggleFilters: description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query. global: True From 75e3bba9f57a92cc07ab3b8607ce66dd20387fa5 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 4 Mar 2025 11:35:22 -0500 Subject: [PATCH 23/41] reduce stdout --- setup/so-functions | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/setup/so-functions b/setup/so-functions index 5c4da25ba..fffa1a932 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -758,9 +758,9 @@ copy_salt_master_config() { #logCmd "cp ../files/salt/master/salt-master.service /usr/lib/systemd/system/salt-master.service" fi info "Copying pillar and salt files in $temp_install_dir to $local_salt_dir" - logCmd "cp -Rv $temp_install_dir/pillar/ $local_salt_dir/" + logCmd "cp -R $temp_install_dir/pillar/ $local_salt_dir/" if [ -d "$temp_install_dir"/salt ] ; then - logCmd "cp -Rv $temp_install_dir/salt/ $local_salt_dir/" + logCmd "cp -R $temp_install_dir/salt/ $local_salt_dir/" fi # Restart the service so it picks up the changes @@ -2107,8 +2107,8 @@ setup_salt_master_dirs() { logCmd "mkdir -p $local_salt_dir/salt/zeek/policy/intel" logCmd "touch $local_salt_dir/salt/zeek/policy/intel/intel.dat" else - logCmd "cp -Rv ../pillar/* $default_salt_dir/pillar/" - logCmd "cp -Rv ../salt/* $default_salt_dir/salt/" + logCmd "cp -R ../pillar/* $default_salt_dir/pillar/" + logCmd "cp -R ../salt/* $default_salt_dir/salt/" logCmd "mkdir -p $local_salt_dir/salt/zeek/policy/intel" logCmd "touch $local_salt_dir/salt/zeek/policy/intel/intel.dat" fi From 21a64b6c1d00be81c4194c7e64c4e7b0ee3ff517 Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Wed, 5 Mar 2025 09:43:21 -0700 Subject: [PATCH 24/41] Add Client Parameter Add groupItemsPerPage so detections groupby tables have proper default value for page size. --- salt/soc/defaults.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index baaa9d8f7..5a8ec840c 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -2337,6 +2337,7 @@ soc: eventFetchLimit: 500 eventItemsPerPage: 50 groupFetchLimit: 50 + groupItemsPerPage: 10 mostRecentlyUsedLimit: 5 safeStringMaxLength: 100 queryBaseFilter: '_index:"*:so-detection" AND so_kind:detection' From cf536469e68de10fbe6627873f3944a6615a58b4 Mon Sep 17 00:00:00 2001 
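Review bot: Dropping `-v` from the four `cp -R` calls removes the only per-file record of what was placed under `$local_salt_dir` and `$default_salt_dir` during setup, which is the listing an operator reaches for when a pillar or state file is later found missing or altered. If `logCmd` also writes command output to the setup log (not visible here), consider keeping the listing in the log and silencing only the console; otherwise at least log a summary after the copy so the install record is not lost. Both enclosing functions, `copy_salt_master_config` and `setup_salt_master_dirs`, continue outside the hunks.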
From: Mike Reeves Date: Wed, 5 Mar 2025 14:51:56 -0500 Subject: [PATCH 25/41] Some things I thought were bools are not bools --- salt/elastalert/soc_elastalert.yaml | 1 - .../soc_elastic-fleet-package-registry.yaml | 2 -- salt/elasticagent/soc_elasticagent.yaml | 1 - salt/sensoroni/soc_sensoroni.yaml | 1 - 4 files changed, 5 deletions(-) diff --git a/salt/elastalert/soc_elastalert.yaml b/salt/elastalert/soc_elastalert.yaml index 2ce04307b..764ec87fc 100644 --- a/salt/elastalert/soc_elastalert.yaml +++ b/salt/elastalert/soc_elastalert.yaml @@ -1,6 +1,5 @@ elastalert: enabled: - forcedType: bool description: Enables or disables the ElastAlert 2 process. This process is critical for ensuring alerts arrive in SOC, and for outbound notification delivery. helpLink: elastalert.html alerter_parameters: diff --git a/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml b/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml index 4a544fbc6..18645490d 100644 --- a/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml +++ b/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml @@ -1,5 +1,3 @@ elastic_fleet_package_registry: - enabled: - forcedType: bool description: Enables or disables the Fleet package registry process. This process must remain enabled to allow Elastic Agent packages to be updated. advanced: True diff --git a/salt/elasticagent/soc_elasticagent.yaml b/salt/elasticagent/soc_elasticagent.yaml index 4632ae946..a24ac1985 100644 --- a/salt/elasticagent/soc_elasticagent.yaml +++ b/salt/elasticagent/soc_elasticagent.yaml @@ -1,5 +1,4 @@ elasticagent: enabled: - forcedType: bool description: Enables or disables the Elastic Agent process. This process must remain enabled to allow collection of node events. advanced: True diff --git a/salt/sensoroni/soc_sensoroni.yaml b/salt/sensoroni/soc_sensoroni.yaml index 325abf326..71a2c779b 100644 --- a/salt/sensoroni/soc_sensoroni.yaml 
+++ b/salt/sensoroni/soc_sensoroni.yaml @@ -1,6 +1,5 @@ sensoroni: enabled: - forcedType: bool description: Enable or disable the per-node SOC agent process. This process is used for performing node-related jobs and reporting node metrics back to SOC. Disabling this process is unsupported and will result in an improperly functioning grid. advanced: True helpLink: grid.html From 72ffef94335c7a61ee92bfc0a0e9e64491144957 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 5 Mar 2025 14:52:54 -0500 Subject: [PATCH 26/41] Some things I thought were bools are not bools --- .../soc_elastic-fleet-package-registry.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml b/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml index 18645490d..0624918b9 100644 --- a/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml +++ b/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml @@ -1,3 +1,4 @@ elastic_fleet_package_registry: + - enabled: description: Enables or disables the Fleet package registry process. This process must remain enabled to allow Elastic Agent packages to be updated. advanced: True From 67f9cd39db4f9e4ac58a95b813ba1b048b9a4d72 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 5 Mar 2025 14:53:29 -0500 Subject: [PATCH 27/41] Some things I thought were bools are not bools --- .../soc_elastic-fleet-package-registry.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml b/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml index 0624918b9..3d8a2112b 100644 --- a/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml +++ b/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml 
@@ -1,4 +1,4 @@ elastic_fleet_package_registry: - - enabled: + enabled: description: Enables or disables the Fleet package registry process. This process must remain enabled to allow Elastic Agent packages to be updated. advanced: True From 945a467ec8c32c905a74ba3c809296887c3706a6 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 5 Mar 2025 14:54:17 -0500 Subject: [PATCH 28/41] Some things I thought were bools are not bools --- salt/elasticfleet/soc_elasticfleet.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/salt/elasticfleet/soc_elasticfleet.yaml b/salt/elasticfleet/soc_elasticfleet.yaml index 8ec558d37..7ca59401f 100644 --- a/salt/elasticfleet/soc_elasticfleet.yaml +++ b/salt/elasticfleet/soc_elasticfleet.yaml @@ -3,7 +3,6 @@ elasticfleet: description: Enables or disables the Elastic Fleet process. This process is critical for managing Elastic Agents. advanced: True helpLink: elastic-fleet.html - forcedType: bool enable_manager_output: description: Setting this option to False should only be considered if there is at least one receiver node in the grid. If True, Elastic Agent will send events to the manager and receivers. If False, events will only be send to the receivers. advanced: True From b01fb733a960944a7af005fa8344880ea0f5b6ff Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 5 Mar 2025 14:56:26 -0500 Subject: [PATCH 29/41] Some things I thought were bools are not bools --- salt/soc/soc_soc.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index fef5ce382..b4f724b38 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
@@ -505,6 +505,9 @@ soc: - field: query label: Query required: True + - field: showSubtitle + label: Show Query in Dropdown. Must be true or false + regex: ^(true|false)$ queryToggleFilters: description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query. global: True From 0f16b00563397c4a6b86b3951469f673bc6b6242 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 5 Mar 2025 13:57:47 -0600 Subject: [PATCH 30/41] osquery templates --- salt/elasticsearch/defaults.yaml | 46 ++++++++++++++++++++--- salt/elasticsearch/soc_elasticsearch.yaml | 6 ++- 2 files changed, 45 insertions(+), 7 deletions(-) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index a12bb5ac9..6bd46aa27 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -2659,7 +2659,25 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-logs-osquery_manager_x_action_x_responses: + so-logs-osquery-manager-action_x_responses: + index_sorting: false + index_template: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + composed_of: + - logs-osquery_manager.action.responses + ignore_missing_component_templates: [] + index_patterns: + - .logs-osquery_manager.action.responses* + priority: 501 + template: + settings: + index: + number_of_replicas: 0 + so-logs-osquery-manager_x_action_x_responses: index_sorting: false index_template: _meta: @@ -2683,9 +2701,9 @@ elasticsearch: priority: 501 template: settings: + lifecycle: + so-logs-osquery-manager.action.responses-logs index: - lifecycle: - name: so-logs-osquery_manager.action.responses-logs number_of_replicas: 0 policy: phases: 
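Review bot: The template key is renamed from `so-logs-osquery_manager_x_action_x_responses` to `so-logs-osquery-manager_x_action_x_responses` (hyphen) while the index pattern added for the new sibling template still uses the underscore form `.logs-osquery_manager.action.responses*`, which is the spelling of the Elastic Agent data stream; if the template key is used anywhere to derive an index name or pattern, confirm the hyphenated key still resolves to the underscore data stream. The new `so-logs-osquery-manager-action_x_responses` template (and `so-logs-osquery-manager-actions` in the following hunk) ships with only `number_of_replicas: 0` and no `lifecycle`/`policy`, unlike the neighbouring osquery templates, so documents landing in those hidden indices appear to have no retention unless it is handled elsewhere. If that is intended for these small action/result-tracking indices, a one-line comment above the template key saying so would save the next reader the same question.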
@@ -2711,7 +2729,25 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-logs-osquery_manager_x_result: + so-logs-osquery-manager-actions: + index_sorting: false + index_template: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + composed_of: + - logs-osquery_manager.actions + ignore_missing_component_templates: [] + index_patterns: + - .logs-osquery_manager.actions* + priority: 501 + template: + settings: + index: + number_of_replicas: 0 + so-logs-osquery-manager_x_result: index_sorting: false index_template: _meta: @@ -2737,7 +2773,7 @@ elasticsearch: settings: index: lifecycle: - name: so-logs-osquery_manager.result-logs + name: so-logs-osquery-manager.result-logs number_of_replicas: 0 policy: phases: diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index fe6c0c21e..ba85cd7b4 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -368,8 +368,10 @@ elasticsearch: so-logs-detections_x_alerts: *indexSettings so-logs-http_endpoint_x_generic: *indexSettings so-logs-httpjson_x_generic: *indexSettings - so-logs-osquery_manager_x_action_x_responses: *indexSettings - so-logs-osquery_manager_x_result: *indexSettings + so-logs-osquery-manager-actions: *indexSettings + so-logs-osquery-manager-action_x_responses: *indexSettings + so-logs-osquery-manager_x_action_x_responses: *indexSettings + so-logs-osquery-manager_x_result: *indexSettings so-logs-elastic_agent_x_apm_server: *indexSettings so-logs-elastic_agent_x_auditbeat: *indexSettings so-logs-elastic_agent_x_cloudbeat: *indexSettings From d2884ef00b09899150eea4ab887cd95214e5e081 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 5 Mar 2025 14:02:45 -0600 Subject: [PATCH 31/41] typo --- salt/elasticsearch/defaults.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
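Review bot: Changing the ILM reference from `name: so-logs-osquery_manager.result-logs` to `name: so-logs-osquery-manager.result-logs` points the template at a differently named policy; on an already-deployed grid the policy created under the old name, and any existing indices bound to it, would presumably keep the old name unless a migration or cleanup step runs, so confirm one exists or record in the commit why none is needed. The same question applies to the renamed template keys in the `soc_elasticsearch.yaml` hunk, where the old `so-logs-osquery_manager_x_*` entries are removed rather than kept alongside the new ones. The enclosing template definition starts outside the hunk.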
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 6bd46aa27..02e2f7ccb 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -2702,7 +2702,8 @@ elasticsearch: template: settings: lifecycle: - so-logs-osquery-manager.action.responses-logs + name: + so-logs-osquery-manager.action.responses-logs index: number_of_replicas: 0 policy: From b51aa56e86b68d9ca9e4cef8429eb9aa847092f6 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 5 Mar 2025 15:15:26 -0500 Subject: [PATCH 32/41] Some things I thought were bools are not bools --- salt/soc/soc_soc.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index b4f724b38..42c56ab52 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -506,8 +506,8 @@ soc: label: Query required: True - field: showSubtitle - label: Show Query in Dropdown. Must be true or false - regex: ^(true|false)$ + label: Show Query in Dropdown. + forcedType: bool queryToggleFilters: description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query. global: True From 6a5377ceac38fc35222257ceb9fbc1704614e907 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 5 Mar 2025 14:39:01 -0600 Subject: [PATCH 33/41] bump version --- salt/kibana/defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml index a4be3787f..2446821f1 100644 --- a/salt/kibana/defaults.yaml +++ b/salt/kibana/defaults.yaml @@ -22,7 +22,7 @@ kibana: - default - file migrations: - discardCorruptObjects: "8.17.2" + discardCorruptObjects: "8.17.3" telemetry: enabled: False security: From 3021ed5d36f7fce48560042d7111b100d1aa1dd8 Mon Sep 17 00:00:00 2001 
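Review bot: The `lifecycle` block now sits directly under `settings:` while every other template visible in this series (for example `so-logs-osquery-manager_x_result`) nests it as `settings` → `index` → `lifecycle` → `name`; Elasticsearch generally accepts index settings with or without the `index.` prefix, but please confirm the rendering path used here does too, and the inconsistency makes the two osquery templates harder to compare. The value is also split across two lines (`name:` followed by the policy name on the next line), which is valid YAML but unusual in this file. I would fold it and move it under `index:` to match its siblings: `index:` / `lifecycle:` / `name: so-logs-osquery-manager.action.responses-logs`. The enclosing template definition starts outside the hunk.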
From: Mike Reeves Date: Wed, 5 Mar 2025 15:56:26 -0500 Subject: [PATCH 34/41] Add Actions --- salt/soc/soc_soc.yaml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 42c56ab52..480f8c5e7 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -63,6 +63,31 @@ soc: description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action. global: True forcedType: "[]{}" + syntax: json + uiElements: + - field: description + label: Description + - field: icon + label: Icon + - field: links + label: Links + required: True + forcedType: "[]string" + multiline: True + - field: name + label: Name + required: True + - field: target + label: Target + - field: jscall + label: JavaScript Call + - field: category + label: Category + options: + - hunt + - alerts + - dashboards + forcedType: "[]string" eventFields: default: &eventFields description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left. From 03ebc2d86e882d7a1ca28c0a7278b9d3e68cec45 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 5 Mar 2025 15:58:10 -0500 Subject: [PATCH 35/41] Add Actions --- salt/soc/soc_soc.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 480f8c5e7..8e6ba42a8 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
@@ -65,6 +65,9 @@ soc: forcedType: "[]{}" syntax: json uiElements: + - field: name + label: Name + required: True - field: description label: Description - field: icon @@ -74,9 +77,6 @@ soc: required: True forcedType: "[]string" multiline: True - - field: name - label: Name - required: True - field: target label: Target - field: jscall From cce94d96d1843660fed53f5fbc89721e7d1b939a Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Thu, 6 Mar 2025 11:14:48 -0500 Subject: [PATCH 36/41] Update soc_elasticsearch.yaml to include note about ILM rollover --- salt/elasticsearch/soc_elasticsearch.yaml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index ba85cd7b4..8420611f2 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -133,7 +133,7 @@ elasticsearch: helpLink: elasticsearch.html cold: min_age: - description: Minimum age of index. ex. 60d - This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed. + description: Minimum age of index. ex. 60d - This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed. It’s important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and cold min_age set to 60 then there will be 30 days from index creation to rollover and then an additional 60 days before moving to cold tier. regex: ^[0-9]{1,5}d$ forcedType: string global: True 
@@ -146,10 +146,11 @@ elasticsearch: helpLink: elasticsearch.html warm: min_age: - description: Minimum age of index. ex. 30d - This determines when the index should be moved to the warm tier. Nodes in the warm tier generally don’t need to be as fast as those in the hot tier. + description: Minimum age of index. ex. 30d - This determines when the index should be moved to the warm tier. Nodes in the warm tier generally don’t need to be as fast as those in the hot tier. It’s important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and warm min_age set to 30 then there will be 30 days from index creation to rollover and then an additional 30 days before moving to warm tier. regex: ^[0-9]{1,5}d$ forcedType: string global: True + helpLink: elasticsearch.html actions: set_priority: priority: @@ -159,7 +160,7 @@ elasticsearch: helpLink: elasticsearch.html delete: min_age: - description: Minimum age of index. ex. 90d - This determines when the index should be deleted. + description: Minimum age of index. ex. 90d - This determines when the index should be deleted. It’s important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and delete min_age set to 90 then there will be 30 days from index creation to rollover and then an additional 90 days before deletion. regex: ^[0-9]{1,5}d$ forcedType: string global: True 
@@ -288,7 +289,7 @@ elasticsearch: helpLink: elasticsearch.html warm: min_age: - description: Minimum age of index. ex. 30d - This determines when the index should be moved to the warm tier. Nodes in the warm tier generally don’t need to be as fast as those in the hot tier. + description: Minimum age of index. ex. 30d - This determines when the index should be moved to the warm tier. Nodes in the warm tier generally don’t need to be as fast as those in the hot tier. It’s important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and warm min_age set to 30 then there will be 30 days from index creation to rollover and then an additional 30 days before moving to warm tier. regex: ^[0-9]{1,5}d$ forcedType: string global: True @@ -315,7 +316,7 @@ elasticsearch: helpLink: elasticsearch.html cold: min_age: - description: Minimum age of index. ex. 60d - This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed. + description: Minimum age of index. ex. 60d - This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed. It’s important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and cold min_age set to 60 then there will be 30 days from index creation to rollover and then an additional 60 days before moving to cold tier. regex: ^[0-9]{1,5}d$ forcedType: string global: True 
@@ -331,7 +332,7 @@ elasticsearch: helpLink: elasticsearch.html delete: min_age: - description: Minimum age of index. This determines when the index should be deleted. + description: Minimum age of index. ex. 90d - This determines when the index should be deleted. It’s important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and delete min_age set to 90 then there will be 30 days from index creation to rollover and then an additional 90 days before deletion. regex: ^[0-9]{1,5}d$ forcedType: string global: True From bad0031829714e79e571145b9dd735dcfa6e2f38 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 6 Mar 2025 20:58:23 -0500 Subject: [PATCH 37/41] Update soc_soc.yaml --- salt/soc/soc_soc.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 8e6ba42a8..64248f639 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -60,7 +60,7 @@ soc: - warn - error actions: - description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action. + description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action. global: True forcedType: "[]{}" syntax: json 
@@ -517,7 +517,7 @@ soc: description: Number of items to show in the most recently used queries list. Larger values cause default queries to be located further down the list. global: True queries: - description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key. + description: List of default queries to show in the query list. global: True forcedType: "[]{}" syntax: json From 14e95f4898ecca5c5c8c404d3b85d9cf109b763f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 6 Mar 2025 21:01:45 -0500 Subject: [PATCH 38/41] Update soc_soc.yaml --- salt/soc/soc_soc.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 64248f639..da6d708e7 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -71,7 +71,7 @@ soc: - field: description label: Description - field: icon - label: Icon + label: Icon Example: fa-shuttle-space - field: links label: Links required: True From 3037dc7c38a6ec5ec60005cf960a66beb7a3f7b6 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 7 Mar 2025 07:13:27 -0500 Subject: [PATCH 39/41] Update soc_soc.yaml to fix previous change --- salt/soc/soc_soc.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index da6d708e7..7153c7b5c 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -71,7 +71,7 @@ soc: - field: description label: Description - field: icon - label: Icon Example: fa-shuttle-space + label: Icon (Example - fa-shuttle-space) - field: links label: Links required: True From 2af05b9a23038b5fd6bbef491c336d1294e4dc2d Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 7 Mar 2025 08:24:19 -0500 Subject: [PATCH 40/41] switch back to colon for better clarity --- salt/soc/soc_soc.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 7153c7b5c..b0ecfdbc1 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -71,7 +71,7 @@ soc: - field: description label: Description - field: icon - label: Icon (Example - fa-shuttle-space) + label: "Icon (Example: fa-shuttle-space)" - field: links label: Links required: True From 4dd72ad15c54254f6dece22f80faaf6a01ebc6e8 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Fri, 7 Mar 2025 17:05:13 -0600 Subject: [PATCH 41/41] fix osquery action_data mapping conflict Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/elasticsearch/defaults.yaml | 2 +- .../logs-osquery_manager.result@custom.json | 49 +++++++++++++++++++ 2 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.result@custom.json diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 02e2f7ccb..7b38ed0bb 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -2742,7 +2742,7 @@ elasticsearch: - logs-osquery_manager.actions ignore_missing_component_templates: [] index_patterns: - - .logs-osquery_manager.actions* + - .logs-osquery_manager.actions-* priority: 501 template: settings: diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.result@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.result@custom.json new file mode 100644 index 000000000..83a68c814 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.result@custom.json 
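Review bot: The pattern tightening to `- .logs-osquery_manager.actions-*` is applied only to the actions template; the sibling template added earlier in this series still lists `.logs-osquery_manager.action.responses*` without the `-` separator. If the trailing `-` is what stops this template from claiming unrelated indices with a shared prefix, the responses pattern probably wants the same treatment, `- .logs-osquery_manager.action.responses-*`; if the difference is deliberate, a comment on that pattern line saying so would prevent a future "fix". The enclosing template definition starts outside the hunk.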
@@ -0,0 +1,49 @@ +{ + "template": { + "mappings": { + "dynamic_templates": [ + { + "action_data.ecs_mapping": { + "path_match": "action_data.ecs_mapping.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "action_data": { + "dynamic": true, + "type": "object", + "properties": { + "ecs_mapping": { + "dynamic": true, + "type": "object" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "saved_query_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file
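Review bot: The new component template ends without a trailing newline (`\ No newline at end of file`); add one so the file matches the other templates and yields clean future diffs. The `action_data.ecs_mapping` dynamic template only fires for `"match_mapping_type": "string"`, so a non-string value arriving under `action_data.ecs_mapping.*` would still be typed dynamically from its first occurrence and could reintroduce the kind of mapping conflict this commit addresses; if the conflict involved mixed value types, consider whether the template should cover all mapping types or whether `ecs_mapping` should not be `"dynamic": true`. `action_data` itself is also `"dynamic": true`, so any key outside the six listed here is still mapped on first sight; a short comment in the commit or a README beside the template noting which keys are expected would make the intended coverage clear.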