Merge remote-tracking branch 'origin/2.4/dev' into vlb2

This commit is contained in:
Josh Patterson
2025-03-11 11:20:50 -04:00
8 changed files with 158 additions and 20 deletions


@@ -2659,7 +2659,25 @@ elasticsearch:
set_priority: set_priority:
priority: 50 priority: 50
min_age: 30d min_age: 30d
so-logs-osquery_manager_x_action_x_responses: so-logs-osquery-manager-action_x_responses:
index_sorting: false
index_template:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
composed_of:
- logs-osquery_manager.action.responses
ignore_missing_component_templates: []
index_patterns:
- .logs-osquery_manager.action.responses*
priority: 501
template:
settings:
index:
number_of_replicas: 0
so-logs-osquery-manager_x_action_x_responses:
index_sorting: false index_sorting: false
index_template: index_template:
_meta: _meta:
@@ -2683,9 +2701,10 @@ elasticsearch:
priority: 501 priority: 501
template: template:
settings: settings:
lifecycle:
name:
so-logs-osquery-manager.action.responses-logs
index: index:
lifecycle:
name: so-logs-osquery_manager.action.responses-logs
number_of_replicas: 0 number_of_replicas: 0
policy: policy:
phases: phases:
@@ -2711,7 +2730,25 @@ elasticsearch:
set_priority: set_priority:
priority: 50 priority: 50
min_age: 30d min_age: 30d
so-logs-osquery_manager_x_result: so-logs-osquery-manager-actions:
index_sorting: false
index_template:
_meta:
managed: true
managed_by: security_onion
package:
name: elastic_agent
composed_of:
- logs-osquery_manager.actions
ignore_missing_component_templates: []
index_patterns:
- .logs-osquery_manager.actions-*
priority: 501
template:
settings:
index:
number_of_replicas: 0
so-logs-osquery-manager_x_result:
index_sorting: false index_sorting: false
index_template: index_template:
_meta: _meta:
@@ -2737,7 +2774,7 @@ elasticsearch:
settings: settings:
index: index:
lifecycle: lifecycle:
name: so-logs-osquery_manager.result-logs name: so-logs-osquery-manager.result-logs
number_of_replicas: 0 number_of_replicas: 0
policy: policy:
phases: phases:
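Review bot: In the second hunk the ILM policy name for `so-logs-osquery-manager_x_action_x_responses` appears to move from `settings.index.lifecycle.name` to `settings.lifecycle.name`, with the value on a line of its own (`name:` followed by `so-logs-osquery-manager.action.responses-logs`), while the sibling `so-logs-osquery-manager_x_result` template in the last hunk keeps `lifecycle.name` under `settings.index`; the rendered view has lost indentation, so confirm the nesting against the file. Elasticsearch normally accepts index settings with or without the `index.` prefix, but the two templates should use the same shape, so I would keep `index:` / `lifecycle:` / `name: so-logs-osquery-manager.action.responses-logs` as the result template does. Separately, the new `so-logs-osquery-manager-action_x_responses` pattern `.logs-osquery_manager.action.responses*` has no `-` before the wildcard, unlike `.logs-osquery_manager.actions-*` in the third hunk; if that is unintended it should read `.logs-osquery_manager.action.responses-*`. The enclosing `elasticsearch:` mapping starts and ends outside these hunks.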


@@ -133,7 +133,7 @@ elasticsearch:
helpLink: elasticsearch.html helpLink: elasticsearch.html
cold: cold:
min_age: min_age:
description: Minimum age of index. ex. 60d - This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed. description: Minimum age of index. ex. 60d - This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed. Its important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and cold min_age set to 60 then there will be 30 days from index creation to rollover and then an additional 60 days before moving to cold tier.
regex: ^[0-9]{1,5}d$ regex: ^[0-9]{1,5}d$
forcedType: string forcedType: string
global: True global: True
@@ -146,10 +146,11 @@ elasticsearch:
helpLink: elasticsearch.html helpLink: elasticsearch.html
warm: warm:
min_age: min_age:
description: Minimum age of index. ex. 30d - This determines when the index should be moved to the warm tier. Nodes in the warm tier generally dont need to be as fast as those in the hot tier. description: Minimum age of index. ex. 30d - This determines when the index should be moved to the warm tier. Nodes in the warm tier generally dont need to be as fast as those in the hot tier. Its important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and warm min_age set to 30 then there will be 30 days from index creation to rollover and then an additional 30 days before moving to warm tier.
regex: ^[0-9]{1,5}d$ regex: ^[0-9]{1,5}d$
forcedType: string forcedType: string
global: True global: True
helpLink: elasticsearch.html
actions: actions:
set_priority: set_priority:
priority: priority:
@@ -159,7 +160,7 @@ elasticsearch:
helpLink: elasticsearch.html helpLink: elasticsearch.html
delete: delete:
min_age: min_age:
description: Minimum age of index. ex. 90d - This determines when the index should be deleted. description: Minimum age of index. ex. 90d - This determines when the index should be deleted. Its important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and delete min_age set to 90 then there will be 30 days from index creation to rollover and then an additional 90 days before deletion.
regex: ^[0-9]{1,5}d$ regex: ^[0-9]{1,5}d$
forcedType: string forcedType: string
global: True global: True
@@ -288,7 +289,7 @@ elasticsearch:
helpLink: elasticsearch.html helpLink: elasticsearch.html
warm: warm:
min_age: min_age:
description: Minimum age of index. ex. 30d - This determines when the index should be moved to the warm tier. Nodes in the warm tier generally dont need to be as fast as those in the hot tier. description: Minimum age of index. ex. 30d - This determines when the index should be moved to the warm tier. Nodes in the warm tier generally dont need to be as fast as those in the hot tier. Its important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and warm min_age set to 30 then there will be 30 days from index creation to rollover and then an additional 30 days before moving to warm tier.
regex: ^[0-9]{1,5}d$ regex: ^[0-9]{1,5}d$
forcedType: string forcedType: string
global: True global: True
@@ -315,7 +316,7 @@ elasticsearch:
helpLink: elasticsearch.html helpLink: elasticsearch.html
cold: cold:
min_age: min_age:
description: Minimum age of index. ex. 60d - This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed. description: Minimum age of index. ex. 60d - This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed. Its important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and cold min_age set to 60 then there will be 30 days from index creation to rollover and then an additional 60 days before moving to cold tier.
regex: ^[0-9]{1,5}d$ regex: ^[0-9]{1,5}d$
forcedType: string forcedType: string
global: True global: True
@@ -331,7 +332,7 @@ elasticsearch:
helpLink: elasticsearch.html helpLink: elasticsearch.html
delete: delete:
min_age: min_age:
description: Minimum age of index. This determines when the index should be deleted. description: Minimum age of index. ex. 90d - This determines when the index should be deleted. Its important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and delete min_age set to 90 then there will be 30 days from index creation to rollover and then an additional 90 days before deletion.
regex: ^[0-9]{1,5}d$ regex: ^[0-9]{1,5}d$
forcedType: string forcedType: string
global: True global: True
@@ -368,8 +369,10 @@ elasticsearch:
so-logs-detections_x_alerts: *indexSettings so-logs-detections_x_alerts: *indexSettings
so-logs-http_endpoint_x_generic: *indexSettings so-logs-http_endpoint_x_generic: *indexSettings
so-logs-httpjson_x_generic: *indexSettings so-logs-httpjson_x_generic: *indexSettings
so-logs-osquery_manager_x_action_x_responses: *indexSettings so-logs-osquery-manager-actions: *indexSettings
so-logs-osquery_manager_x_result: *indexSettings so-logs-osquery-manager-action_x_responses: *indexSettings
so-logs-osquery-manager_x_action_x_responses: *indexSettings
so-logs-osquery-manager_x_result: *indexSettings
so-logs-elastic_agent_x_apm_server: *indexSettings so-logs-elastic_agent_x_apm_server: *indexSettings
so-logs-elastic_agent_x_auditbeat: *indexSettings so-logs-elastic_agent_x_auditbeat: *indexSettings
so-logs-elastic_agent_x_cloudbeat: *indexSettings so-logs-elastic_agent_x_cloudbeat: *indexSettings
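Review bot: The sentence added to each `min_age` description (first six hunks) states that the age is calculated relative to the rollover date, which to my knowledge holds only for indices that actually roll over; where no rollover action runs, ILM measures `min_age` from index creation, so the text as written could mislead operators who disable rollover. I would qualify it, e.g. `... relative to the rollover date (NOT the original creation date of the index) once the index has rolled over; without a rollover it is relative to index creation.` The same text also reads `Its important` and `dont`, which should be `It's important` and `don't` since this is user-facing help. The enclosing `elasticsearch:` mapping starts and ends outside these hunks.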


@@ -0,0 +1,49 @@
{
"template": {
"mappings": {
"dynamic_templates": [
{
"action_data.ecs_mapping": {
"path_match": "action_data.ecs_mapping.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"properties": {
"action_data": {
"dynamic": true,
"type": "object",
"properties": {
"ecs_mapping": {
"dynamic": true,
"type": "object"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"query": {
"ignore_above": 1024,
"type": "keyword"
},
"saved_query_id": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
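Review bot: `action_data.query` is mapped as `keyword` with `ignore_above: 1024`, so an osquery query string longer than 1024 characters is kept in `_source` but not indexed, and a search or aggregation on that field would silently miss those documents. Live-query SQL can plausibly exceed that length, so consider a larger `ignore_above` for `query` or a `text` sub-field if free-text search over queries is wanted; the 1024 limit fits the `id`, `platform` and `version` fields but not arbitrary SQL. If the limit was chosen deliberately, the reasoning cannot be recorded in JSON, so it belongs in the commit message or an adjacent README.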


@@ -12,11 +12,18 @@ global:
mdengine: mdengine:
description: Which engine to use for meta data generation. Options are ZEEK and SURICATA. description: Which engine to use for meta data generation. Options are ZEEK and SURICATA.
regex: ^(ZEEK|SURICATA)$ regex: ^(ZEEK|SURICATA)$
options:
- ZEEK
- SURICATA
regexFailureMessage: You must enter either ZEEK or SURICATA. regexFailureMessage: You must enter either ZEEK or SURICATA.
global: True global: True
pcapengine: pcapengine:
description: Which engine to use for generating pcap. Options are STENO, SURICATA or TRANSITION. description: Which engine to use for generating pcap. Options are STENO, SURICATA or TRANSITION.
regex: ^(STENO|SURICATA|TRANSITION)$ regex: ^(STENO|SURICATA|TRANSITION)$
options:
- STENO
- SURICATA
- TRANSITION
regexFailureMessage: You must enter either STENO, SURICATA or TRANSITION. regexFailureMessage: You must enter either STENO, SURICATA or TRANSITION.
global: True global: True
ids: ids:
@@ -38,6 +45,9 @@ global:
pipeline: pipeline:
description: Sets which pipeline technology for events to use. Currently only Redis is fully supported. Kafka is experimental and requires a Security Onion Pro license. description: Sets which pipeline technology for events to use. Currently only Redis is fully supported. Kafka is experimental and requires a Security Onion Pro license.
regex: ^(REDIS|KAFKA)$ regex: ^(REDIS|KAFKA)$
options:
- REDIS
- KAFKA
regexFailureMessage: You must enter either REDIS or KAFKA. regexFailureMessage: You must enter either REDIS or KAFKA.
global: True global: True
advanced: True advanced: True
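Review bot: Each new `options` list (`mdengine`, `pcapengine`, `pipeline`) restates the alternatives already encoded in the `regex` and `regexFailureMessage` on the adjacent lines, so the three now have to be kept in sync by hand. If the UI enforces `options`, a short comment above each list, e.g. `# keep in sync with the regex and regexFailureMessage above`, would make the coupling visible; whether the regex could instead be derived from the list depends on the annotation consumer, which is outside this hunk. The enclosing `global:` mapping starts and ends outside these hunks.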


@@ -22,7 +22,7 @@ kibana:
- default - default
- file - file
migrations: migrations:
discardCorruptObjects: "8.17.2" discardCorruptObjects: "8.17.3"
telemetry: telemetry:
enabled: False enabled: False
security: security:


@@ -2337,6 +2337,7 @@ soc:
eventFetchLimit: 500 eventFetchLimit: 500
eventItemsPerPage: 50 eventItemsPerPage: 50
groupFetchLimit: 50 groupFetchLimit: 50
groupItemsPerPage: 10
mostRecentlyUsedLimit: 5 mostRecentlyUsedLimit: 5
safeStringMaxLength: 100 safeStringMaxLength: 100
queryBaseFilter: '_index:"*:so-detection" AND so_kind:detection' queryBaseFilter: '_index:"*:so-detection" AND so_kind:detection'
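Review bot: `groupItemsPerPage: 10` is added without a matching entry in the SOC annotations hunks of this commit (those describe `mostRecentlyUsedLimit`, `actions` and `queries` but not this key), so its purpose and valid range would not be explained in the settings UI; if an annotation already exists elsewhere in that file, ignore this. Otherwise I would add one next to the `groupFetchLimit` annotation, along the lines of `description: Number of grouped results to show per page.` with the wording adjusted to the actual behaviour. The enclosing `soc:` mapping starts and ends outside this hunk.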


@@ -60,9 +60,34 @@ soc:
- warn - warn
- error - error
actions: actions:
description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action. description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action.
global: True global: True
forcedType: "[]{}" forcedType: "[]{}"
syntax: json
uiElements:
- field: name
label: Name
required: True
- field: description
label: Description
- field: icon
label: "Icon (Example: fa-shuttle-space)"
- field: links
label: Links
required: True
forcedType: "[]string"
multiline: True
- field: target
label: Target
- field: jscall
label: JavaScript Call
- field: category
label: Category
options:
- hunt
- alerts
- dashboards
forcedType: "[]string"
eventFields: eventFields:
default: &eventFields default: &eventFields
description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left. description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left.
@@ -492,9 +517,22 @@ soc:
description: Number of items to show in the most recently used queries list. Larger values cause default queries to be located further down the list. description: Number of items to show in the most recently used queries list. Larger values cause default queries to be located further down the list.
global: True global: True
queries: queries:
description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key. description: List of default queries to show in the query list.
global: True global: True
forcedType: "[]{}" forcedType: "[]{}"
syntax: json
uiElements:
- field: name
label: Name
required: True
- field: description
label: Description
- field: query
label: Query
required: True
- field: showSubtitle
label: Show Query in Dropdown.
forcedType: bool
queryToggleFilters: queryToggleFilters:
description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query. description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query.
global: True global: True
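Review bot: In the `queries` hunk the label `Show Query in Dropdown.` ends with a period while every other label in both new `uiElements` lists (`Name`, `Description`, `Query`, `Links`, `Target`, `Category`) does not; drop it for consistency, `label: Show Query in Dropdown`. On the same element `forcedType: bool` is unquoted while the other `forcedType` values on this page are quoted strings (`"[]{}"`, `"[]string"`); `bool` parses as a plain string either way, but quoting keeps the style uniform. In the `actions` hunk the `jscall` element carries only the label `JavaScript Call`, and since the rewritten description no longer explains the object format, a hint of what that field accepts would help operators if the uiElements schema allows help text. The enclosing `soc:` mapping starts and ends outside these hunks.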


@@ -797,9 +797,9 @@ copy_salt_master_config() {
#logCmd "cp ../files/salt/master/salt-master.service /usr/lib/systemd/system/salt-master.service" #logCmd "cp ../files/salt/master/salt-master.service /usr/lib/systemd/system/salt-master.service"
fi fi
info "Copying pillar and salt files in $temp_install_dir to $local_salt_dir" info "Copying pillar and salt files in $temp_install_dir to $local_salt_dir"
logCmd "cp -Rv $temp_install_dir/pillar/ $local_salt_dir/" logCmd "cp -R $temp_install_dir/pillar/ $local_salt_dir/"
if [ -d "$temp_install_dir"/salt ] ; then if [ -d "$temp_install_dir"/salt ] ; then
logCmd "cp -Rv $temp_install_dir/salt/ $local_salt_dir/" logCmd "cp -R $temp_install_dir/salt/ $local_salt_dir/"
fi fi
# Restart the service so it picks up the changes # Restart the service so it picks up the changes
@@ -2142,8 +2142,8 @@ setup_salt_master_dirs() {
logCmd "mkdir -p $local_salt_dir/salt/zeek/policy/intel" logCmd "mkdir -p $local_salt_dir/salt/zeek/policy/intel"
logCmd "touch $local_salt_dir/salt/zeek/policy/intel/intel.dat" logCmd "touch $local_salt_dir/salt/zeek/policy/intel/intel.dat"
else else
logCmd "cp -Rv ../pillar/* $default_salt_dir/pillar/" logCmd "cp -R ../pillar/* $default_salt_dir/pillar/"
logCmd "cp -Rv ../salt/* $default_salt_dir/salt/" logCmd "cp -R ../salt/* $default_salt_dir/salt/"
logCmd "mkdir -p $local_salt_dir/salt/zeek/policy/intel" logCmd "mkdir -p $local_salt_dir/salt/zeek/policy/intel"
logCmd "touch $local_salt_dir/salt/zeek/policy/intel/intel.dat" logCmd "touch $local_salt_dir/salt/zeek/policy/intel/intel.dat"
fi fi
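Review bot: Dropping `-v` from the four `cp -R` calls in `copy_salt_master_config` and `setup_salt_master_dirs` removes the per-file listing from whatever `logCmd` records, so the install log will no longer show which pillar and salt files were placed under `$local_salt_dir` or `$default_salt_dir`; if that is the intent (log noise), a one-line comment above the first copy, e.g. `# -v omitted on purpose: per-file output floods the setup log`, would explain it to the next reader. If the file list is still useful for troubleshooting, keeping `-v` on the pillar copy only would be a middle ground. Both functions start and end outside these hunks.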