diff --git a/.github/DISCUSSION_TEMPLATE/2-4.yml b/.github/DISCUSSION_TEMPLATE/2-4.yml index fbd4d2c22..d192a0eec 100644 --- a/.github/DISCUSSION_TEMPLATE/2-4.yml +++ b/.github/DISCUSSION_TEMPLATE/2-4.yml @@ -28,6 +28,7 @@ body: - 2.4.140 - 2.4.141 - 2.4.150 + - 2.4.160 - Other (please provide detail below) validations: required: true diff --git a/DOWNLOAD_AND_VERIFY_ISO.md b/DOWNLOAD_AND_VERIFY_ISO.md index 6b50d3190..c72865113 100644 --- a/DOWNLOAD_AND_VERIFY_ISO.md +++ b/DOWNLOAD_AND_VERIFY_ISO.md @@ -1,17 +1,17 @@ -### 2.4.141-20250331 ISO image released on 2025/03/31 +### 2.4.150-20250512 ISO image released on 2025/05/12 ### Download and Verify -2.4.141-20250331 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.4.141-20250331.iso +2.4.150-20250512 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.4.150-20250512.iso -MD5: CAE347BC0437A93DC8F4089973ED0EA7 -SHA1: 3A6F0C2F3B6E3625E06F67EB251372D7E592CB0E -SHA256: D0426D8E55E01A0FBA15AFE0BB7887CCB724C07FE82DA706CD1592E6001CD12B +MD5: 7A7469A7A38EA9A2DB770C36AE36A0CA +SHA1: 7E768D515353F339DC536DED6207B786DAFF7D27 +SHA256: F8B2EB6B332F2367F0C097D211577565C8FB5CC7809E97D63687C634035B3699 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.141-20250331.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.150-20250512.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS 
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2. Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.141-20250331.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.150-20250512.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.4.141-20250331.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.4.150-20250512.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.4.141-20250331.iso.sig securityonion-2.4.141-20250331.iso +gpg --verify securityonion-2.4.150-20250512.iso.sig securityonion-2.4.150-20250512.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Fri 28 Mar 2025 06:28:11 PM EDT using RSA key ID FE507013 +gpg: Signature made Fri 09 May 2025 06:27:29 PM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/VERSION b/VERSION index 316ab4cee..3fe7dce73 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.150 +2.4.160 diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index e46eaac69..3e05614d6 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -299,7 +299,8 @@ fail() { get_agent_count() { if [ -f /opt/so/log/agents/agentstatus.log ]; then - AGENTCOUNT=$(cat /opt/so/log/agents/agentstatus.log | grep -wF active | awk '{print $2}') + AGENTCOUNT=$(cat /opt/so/log/agents/agentstatus.log | grep -wF active | awk '{print $2}' | sed 's/,//') + [[ -z "$AGENTCOUNT" ]] && AGENTCOUNT="0" else AGENTCOUNT=0 fi 
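Review bot: `sed 's/,//'` on the new AGENTCOUNT line removes only the first comma on each line, so if the count is ever written with more than one thousands separator (e.g. 1,234,567) a comma survives and any later numeric comparison on AGENTCOUNT breaks; `... | awk '{print $2}' | sed 's/,//g')` (or `tr -d ','`) strips them all. The pipeline also emits one value per line that matches `active`, so with more than one such line in agentstatus.log the variable becomes multi-line and the new `-z` guard does not catch it; `| head -n 1` before the sed would keep it a single token. The `cat` is redundant since grep takes the filename directly. The closing brace of get_agent_count is not visible in the hunk as extracted.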
diff --git a/salt/common/tools/sbin/so-common-status-check b/salt/common/tools/sbin/so-common-status-check
index 4aa981123..cbef7309e 100644
--- a/salt/common/tools/sbin/so-common-status-check
+++ b/salt/common/tools/sbin/so-common-status-check
@@ -45,7 +45,7 @@ def check_for_fps():
 result = subprocess.run([feat_full + '-mode-setup', '--is-enabled'], stdout=subprocess.PIPE)
 if result.returncode == 0:
 fps = 1
- except FileNotFoundError:
+ except:
 fn = '/proc/sys/crypto/' + feat_full + '_enabled'
 try:
 with open(fn, 'r') as f:
diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
index 14d83bfdb..d25c18e29 100755
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
@@ -83,8 +83,10 @@ docker run \
 {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent-builder:{{ GLOBALS.so_version }} wixl -o so-elastic-agent_windows_amd64_msi --arch x64 /workspace/so-elastic-agent.wxs
 printf "\n### MSI Generated...\n"
-printf "\n### Cleaning up temp files in /nsm/elastic-agent-workspace\n"
+printf "\n### Cleaning up temp files \n"
 rm -rf /nsm/elastic-agent-workspace
+rm -rf /opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/so-elastic-agent_windows_amd64.exe
 printf "\n### Copying so_agent-installers to /nsm/elastic-fleet/ for nginx.\n"
 \cp -vr /opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/ /nsm/elastic-fleet/
+chmod 644 /nsm/elastic-fleet/so_agent-installers/*
diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade
index 1ce379c1c..449d26c99 100644
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade
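Review bot: The bare `except:` that replaces `except FileNotFoundError:` also catches KeyboardInterrupt and SystemExit, so an operator's Ctrl-C during the subprocess call silently falls through to the /proc lookup instead of stopping the script. If the intent is to also cover PermissionError or a failed exec, catch the OS-level family explicitly, `except (OSError, subprocess.SubprocessError):`, which keeps the interrupt behaviour intact. check_for_fps starts before the hunk and the inner try continues past it.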
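Review bot: The new `chmod 644 /nsm/elastic-fleet/so_agent-installers/*` runs unconditionally after `\cp -vr`, whose exit status is not checked, so a failed copy leaves the previously published installers in place while the script still reports success; `\cp -vr /opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/ /nsm/elastic-fleet/ || exit 1` (or the script's own failure helper, if it has one) before the chmod would surface that. The glob only touches the top level of the copied directory, which is fine as long as so_agent-installers has no subdirectories — worth confirming since the copy is recursive. The added `rm -rf` of so-elastic-agent_windows_amd64.exe presumably drops an artifact superseded by the MSI built above; if so, a one-line comment such as `# remove the legacy .exe installer; the MSI above replaces it` would tell the next maintainer why it is safe.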
@@ -14,7 +14,7 @@ if ! is_manager_node; then
 fi
 # Get current list of Grid Node Agents that need to be upgraded
-RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "http://localhost:5601/api/fleet/agents?perPage=20&page=1&kuery=policy_id%20%3A%20so-grid-nodes_%2A&showInactive=false&showUpgradeable=true&getStatusSummary=true")
+RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "http://localhost:5601/api/fleet/agents?perPage=20&page=1&kuery=NOT%20agent.version%20:%20%22{{ELASTICSEARCHDEFAULTS.elasticsearch.version}}%22%20and%20policy_id%20:%20%22so-grid-nodes_general%22&showInactive=false&getStatusSummary=true")
 # Check to make sure that the server responded with good data - else, bail from script
 CHECKSUM=$(jq -r '.page' <<< "$RAW_JSON")
diff --git a/salt/elasticsearch/files/ingest/global@custom b/salt/elasticsearch/files/ingest/global@custom
index e11a0be72..828ee0a03 100644
--- a/salt/elasticsearch/files/ingest/global@custom
+++ b/salt/elasticsearch/files/ingest/global@custom
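Review bot: The new query drops `showUpgradeable=true`, so the result now includes every so-grid-nodes_general agent whose version differs from the stack version, which presumably covers agents already mid-upgrade or running a build newer than the manager; if the rest of the script issues an upgrade per returned agent, those entries will fail or be retried on every run. Keeping `&showUpgradeable=true` next to the version filter would narrow it back to what Fleet itself considers upgradeable. `perPage=20&page=1` is unchanged but, combined with the exact-version filter, caps a run at 20 agents with the remainder silently deferred to later runs. The interpolated `{{ELASTICSEARCHDEFAULTS.elasticsearch.version}}` goes into the URL unencoded, which is fine for a plain dotted version but would break on any reserved character. The script continues after the hunk; the CHECKSUM line only confirms that `.page` parsed.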
@@ -8,7 +8,7 @@
 "processors": [
 { "set": { "ignore_failure": true, "field": "event.module", "value": "elastic_agent" } },
 { "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "module_temp" } },
- { "split": { "if": "ctx.data_stream?.dataset.contains('.')", "field":"data_stream.dataset", "separator":"\\.", "target_field":"datastream_dataset_temp", "ignore_missing":true } },
+ { "split": { "if": "ctx.data_stream?.dataset != null && ctx.data_stream?.dataset.contains('.')", "field":"data_stream.dataset", "separator":"\\.", "target_field":"datastream_dataset_temp", "ignore_missing":true } },
 { "set": { "if": "ctx.module_temp != null", "override": true, "field": "event.module", "value": "{{module_temp.0}}" } },
 { "set": { "if": "ctx.datastream_dataset_temp != null && ctx.datastream_dataset_temp[0] == 'network_traffic'", "field":"event.module", "value":"{{ datastream_dataset_temp.0 }}", "ignore_failure":true, "ignore_empty_value":true, "description":"Fix EA network packet capture" } },
 { "gsub": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "pattern": "^[^.]*.", "replacement": "", "target_field": "dataset_tag_temp" } },
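Review bot: Style: once the new `ctx.data_stream?.dataset != null` test has passed, the second operand can use a plain access, `ctx.data_stream.dataset.contains('.')`, matching the event.dataset split on the line above; the `?.` there is redundant and reads as if a second null case were expected. The fix itself is right — the old condition only guarded data_stream being null, not dataset, so a data_stream without a dataset field would have failed inside the `contains` call.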
@@ -22,7 +22,7 @@
 { "date": { "if": "ctx.event?.module == 'system'", "field": "event.created", "target_field": "@timestamp","ignore_failure": true, "formats": ["yyyy-MM-dd'T'HH:mm:ss.SSSX","yyyy-MM-dd'T'HH:mm:ss.SSSSSS'Z'"] } },
 { "community_id":{ "if": "ctx.event?.dataset == 'endpoint.events.network'", "ignore_failure":true } },
 { "set": { "if": "ctx.event?.module == 'fim'", "override": true, "field": "event.module", "value": "file_integrity" } },
- { "rename": { "if": "ctx.winlog?.provider_name == 'Microsoft-Windows-Windows Defender'", "ignore_missing": true, "field": "winlog.event_data.Threat Name", "target_field": "winlog.event_data.threat_name" } },
+ { "rename": { "if": "ctx.winlog?.provider_name == 'Microsoft-Windows-Windows Defender'", "ignore_missing": true, "field": "winlog.event_data.Threat Name", "target_field": "winlog.event_data.threat_name" } },
 { "set": { "if": "ctx?.metadata?.kafka != null" , "field": "kafka.id", "value": "{{metadata.kafka.partition}}{{metadata.kafka.offset}}{{metadata.kafka.timestamp}}", "ignore_failure": true } },
 { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp", "datastream_dataset_temp" ], "ignore_missing": true, "ignore_failure": true } }
 ]
diff --git a/salt/elasticsearch/files/ingest/suricata.alert b/salt/elasticsearch/files/ingest/suricata.alert
index 9dd97e190..71e346728 100644
--- a/salt/elasticsearch/files/ingest/suricata.alert
+++ b/salt/elasticsearch/files/ingest/suricata.alert
@@ -11,4 +11,4 @@
 { "rename":{ "field": "message2.payload_printable", "target_field": "network.data.decoded", "ignore_failure": true } },
 { "pipeline": { "name": "common.nids" } }
 ]
-}
+}
\ No newline at end of file
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index f28061880..987c599f1 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -417,6 +417,7 @@ preupgrade_changes() {
 [[ "$INSTALLEDVERSION" == 2.4.130 ]] && up_to_2.4.140
 [[ "$INSTALLEDVERSION" == 2.4.140 ]] && up_to_2.4.141
 [[ "$INSTALLEDVERSION" == 2.4.141 ]] && up_to_2.4.150
+ [[ "$INSTALLEDVERSION" == 2.4.150 ]] && up_to_2.4.160
 true
 }
@@ -444,6 +445,7 @@ postupgrade_changes() {
 [[ "$POSTVERSION" == 2.4.130 ]] && post_to_2.4.140
 [[ "$POSTVERSION" == 2.4.140 ]] && post_to_2.4.141
 [[ "$POSTVERSION" == 2.4.141 ]] && post_to_2.4.150
+ [[ "$POSTVERSION" == 2.4.150 ]] && post_to_2.4.160
 true
 }
@@ -560,9 +562,6 @@ post_to_2.4.130() {
 echo "Updating Kibana default space"
 /usr/sbin/so-kibana-space-defaults
- echo "Regenerating Elastic Agent Installers"
- /sbin/so-elastic-agent-gen-installers
-
 POSTVERSION=2.4.130
 }
@@ -577,10 +576,16 @@ post_to_2.4.141() {
 }
 post_to_2.4.150() {
- echo "Nothing to apply"
+ echo "Regenerating Elastic Agent Installers"
+ /sbin/so-elastic-agent-gen-installers
 POSTVERSION=2.4.150
 }
+post_to_2.4.160() {
+ echo "Nothing to apply"
+ POSTVERSION=2.4.160
+}
+
 repo_sync() {
 echo "Sync the local repo."
 su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync."
@@ -818,6 +823,12 @@ up_to_2.4.150() {
 INSTALLEDVERSION=2.4.150
 }
+up_to_2.4.160() {
+ echo "Nothing to do for 2.4.160"
+
+ INSTALLEDVERSION=2.4.160
+}
+
 add_hydra_pillars() {
 mkdir -p /opt/so/saltstack/local/pillar/hydra
 touch /opt/so/saltstack/local/pillar/hydra/soc_hydra.sls
diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/requirements.txt b/salt/sensoroni/files/analyzers/malwarehashregistry/requirements.txt
index dfaf321f1..a5a02f4fa 100644
--- a/salt/sensoroni/files/analyzers/malwarehashregistry/requirements.txt
+++ b/salt/sensoroni/files/analyzers/malwarehashregistry/requirements.txt
@@ -1,2 +1,2 @@
 requests>=2.31.0
-python-whois>=0.7.3
+python-whois>=0.9.5
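Review bot: In post_to_2.4.150, `/sbin/so-elastic-agent-gen-installers` runs without its exit status being checked, so POSTVERSION advances to 2.4.150 even when installer regeneration fails and the step is never retried on a later soup run; repo_sync in the same file checks with `|| fail "..."`. If the step is required, `/sbin/so-elastic-agent-gen-installers || fail "Unable to regenerate Elastic Agent installers."`; if it is deliberately best-effort, a comment saying so would stop the next reviewer asking. The same call is removed from post_to_2.4.130 in the earlier hunk and moved here, presumably so grids that already passed 2.4.130 regenerate once more; that motivation belongs in a comment or the commit message, since the diff alone reads as a regression for fresh 2.4.130 upgrades. The function bodies touched here are complete within their hunks.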
diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/future-0.18.3.tar.gz b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/future-0.18.3.tar.gz
deleted file mode 100644
index 9ca264a4f..000000000
Binary files a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/future-0.18.3.tar.gz and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/python-whois-0.8.0.tar.gz b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/python-whois-0.8.0.tar.gz
deleted file mode 100644
index ffa2e5ded..000000000
Binary files a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/python-whois-0.8.0.tar.gz and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/python_dateutil-2.9.0.post0-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/python_dateutil-2.9.0.post0-py2.py3-none-any.whl
new file mode 100644
index 000000000..b9a14e1bf
Binary files /dev/null and b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/python_dateutil-2.9.0.post0-py2.py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/python_whois-0.9.5-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/python_whois-0.9.5-py3-none-any.whl
new file mode 100644
index 000000000..d92bc8729
Binary files /dev/null and b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/python_whois-0.9.5-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/setuptools-80.1.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/setuptools-80.1.0-py3-none-any.whl
deleted file mode 100644
index 98164f3da..000000000
Binary files a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/setuptools-80.1.0-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/six-1.17.0-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/six-1.17.0-py2.py3-none-any.whl
new file mode 100644
index 000000000..c506fd05b
Binary files /dev/null and b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/six-1.17.0-py2.py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/certifi-2021.10.8-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/certifi-2021.10.8-py2.py3-none-any.whl
deleted file mode 100644
index fbcb86b5f..000000000
Binary files a/salt/sensoroni/files/analyzers/sublime/source-packages/certifi-2021.10.8-py2.py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/certifi-2023.5.7-py3-none-any.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/certifi-2023.5.7-py3-none-any.whl
new file mode 100644
index 000000000..c983e799c
Binary files /dev/null and b/salt/sensoroni/files/analyzers/sublime/source-packages/certifi-2023.5.7-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/idna-3.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/idna-3.3-py3-none-any.whl
deleted file mode 100644
index 060541bc9..000000000
Binary files a/salt/sensoroni/files/analyzers/sublime/source-packages/idna-3.3-py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/idna-3.4-py3-none-any.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/idna-3.4-py3-none-any.whl
new file mode 100644
index 000000000..7343c6845
Binary files /dev/null and b/salt/sensoroni/files/analyzers/sublime/source-packages/idna-3.4-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/requests-2.27.1-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/requests-2.27.1-py2.py3-none-any.whl
deleted file mode 100644
index 807fc6110..000000000
Binary files a/salt/sensoroni/files/analyzers/sublime/source-packages/requests-2.27.1-py2.py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/requests-2.31.0-py3-none-any.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/requests-2.31.0-py3-none-any.whl
new file mode 100644
index 000000000..bfd5d2ea9
Binary files /dev/null and b/salt/sensoroni/files/analyzers/sublime/source-packages/requests-2.31.0-py3-none-any.whl differ
diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/urllib3-1.26.9-py2.py3-none-any.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/urllib3-1.26.9-py2.py3-none-any.whl
deleted file mode 100644
index 5019453dd..000000000
Binary files a/salt/sensoroni/files/analyzers/sublime/source-packages/urllib3-1.26.9-py2.py3-none-any.whl and /dev/null differ
diff --git a/salt/sensoroni/files/analyzers/sublime/source-packages/urllib3-2.0.3-py3-none-any.whl b/salt/sensoroni/files/analyzers/sublime/source-packages/urllib3-2.0.3-py3-none-any.whl
new file mode 100644
index 000000000..5e0b52889
Binary files /dev/null and b/salt/sensoroni/files/analyzers/sublime/source-packages/urllib3-2.0.3-py3-none-any.whl differ
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 5a8ec840c..fe190ea69 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -10,7 +10,7 @@ soc: icon: fa-crosshairs target: links: - - '/#/hunt?q="{value|escape}" | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid' + - '/#/hunt?q="{value|escape}" | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid&gridId={gridId}' - name: actionAddToCase description: actionAddToCaseHelp icon: fa-briefcase 
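Review bot: `&gridId={gridId}` is appended to the hunt link raw, while the event value on the same line goes through `{value|escape}`; if gridId can ever contain `&`, `#` or another URL-reserved character, the new parameter would truncate or corrupt the query it is appended to. If gridId is a server-assigned identifier with a restricted character set this is fine and a short comment saying so would settle it; otherwise `&gridId={gridId|escape}` keeps the links consistent with how the other placeholders are handled. The same suffix is added to every link in the later hunks of this file (the hunks at -24 and -71 covering the correlation links, actionPcap, the actionProcess* links and actionRelatedAlerts), so one decision covers them all.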
@@ -24,20 +24,20 @@ soc: icon: fa-magnifying-glass-arrow-right target: '' links: - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | 
groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid' - - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid' - - '/#/hunt?q="{:log.id.fuid}" | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid' - - '/#/hunt?q="{:log.id.uid}" | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category 
event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid' - - '/#/hunt?q="{:network.community_id}" | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid&gridId={gridId}' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name 
source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid&gridId={gridId}' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid&gridId={gridId}' + - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid&gridId={gridId}' + - '/#/hunt?q="{:log.id.fuid}" | groupby event.module* | groupby -sankey event.module* event.dataset | groupby 
event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid&gridId={gridId}' + - '/#/hunt?q="{:log.id.uid}" | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid&gridId={gridId}' + - '/#/hunt?q="{:network.community_id}" | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid&gridId={gridId}' - name: actionPcap 
description: actionPcapHelp icon: fa-stream target: '' links: - - '/joblookup?esid={:soc_id}&time={:@timestamp}' - - '/joblookup?ncid={:network.community_id}&time={:@timestamp}' + - '/joblookup?esid={:soc_id}&time={:@timestamp}&gridId={gridId}' + - '/joblookup?ncid={:network.community_id}&time={:@timestamp}&gridId={gridId}' categories: - hunt - alerts 
@@ -71,30 +71,30 @@ soc: icon: fa-person-running target: '' links: - - '/#/hunt?q=(process.entity_id:"{:process.entity_id}") | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.name | groupby process.command_line | groupby host.name user.name | groupby source.ip source.port destination.ip destination.port | groupby dns.question.name | groupby dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path' + - '/#/hunt?q=(process.entity_id:"{:process.entity_id}") | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.name | groupby process.command_line | groupby host.name user.name | groupby source.ip source.port destination.ip destination.port | groupby dns.question.name | groupby dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path&gridId={gridId}' - name: actionProcessChildInfo description: actionProcessChildInfoHelp icon: fa-users-line target: '' links: - - '/#/hunt?q=(process.entity_id:"{:process.entity_id}" OR process.parent.entity_id:"{:process.entity_id}") | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.name | groupby process.command_line | groupby host.name user.name | groupby source.ip source.port destination.ip destination.port | groupby dns.question.name | groupby dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path' + - '/#/hunt?q=(process.entity_id:"{:process.entity_id}" OR process.parent.entity_id:"{:process.entity_id}") | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.name | groupby process.command_line | groupby host.name user.name | groupby source.ip source.port destination.ip destination.port | groupby dns.question.name | groupby dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path&gridId={gridId}' - name: 
actionProcessAllInfo description: actionProcessAllInfoHelp icon: fa-users-between-lines target: '' links: - - '/#/hunt?q="{:process.entity_id}" | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.name | groupby process.command_line | groupby host.name user.name | groupby source.ip source.port destination.ip destination.port | groupby dns.question.name | groupby dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path' + - '/#/hunt?q="{:process.entity_id}" | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.name | groupby process.command_line | groupby host.name user.name | groupby source.ip source.port destination.ip destination.port | groupby dns.question.name | groupby dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path&gridId={gridId}' - name: actionProcessAncestors description: actionProcessAncestorsHelp icon: fa-people-roof target: '' links: - - '/#/hunt?q=(process.entity_id:"{:process.entity_id}" OR process.entity_id:"{:process.Ext.ancestry|processAncestors}") | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.parent.name | groupby -sankey process.parent.name process.name | groupby process.name | groupby process.command_line | groupby host.name user.name | groupby source.ip source.port destination.ip destination.port | groupby dns.question.name | groupby dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path' + - '/#/hunt?q=(process.entity_id:"{:process.entity_id}" OR process.entity_id:"{:process.Ext.ancestry|processAncestors}") | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.parent.name | groupby -sankey process.parent.name process.name | groupby process.name | groupby process.command_line | groupby host.name user.name | groupby source.ip source.port 
destination.ip destination.port | groupby dns.question.name | groupby dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path&gridId={gridId}' - name: actionRelatedAlerts description: actionRelatedAlertsHelp icon: fa-bell links: - - '/#/alerts?q=rule.uuid: {:so_detection.publicId|escape} | groupby rule.name event.module* event.severity_label' + - '/#/alerts?q=rule.uuid: {:so_detection.publicId|escape} | groupby rule.name event.module* event.severity_label&gridId={gridId}' target: '' - name: actionAdd description: actionAddHelp @@ -116,14 +116,14 @@ soc: - soc_timestamp - event.dataset - http_request.headers.x-real-ip - - identity_id + - user.name - http_request.headers.user-agent - msg ':hydra:': - soc_timestamp - event.dataset - http_request.headers.x-real-ip - - identity_id + - user.name - http_request.headers.user-agent - msg '::conn': @@ -1456,6 +1456,14 @@ soc: org: Security Onion bucket: telegraf/so_short_term verifyCert: false + playbook: + autoUpdateEnabled: true + playbookImportFrequencySeconds: 86400 + playbookImportErrorSeconds: 600 + playbookRepoUrl: https://github.com/Security-Onion-Solutions/securityonion-resources + playbookRepoBranch: playbook-stable + playbookRepoPath: /opt/sensoroni/playbooks/ + playbookPathInRepo: playbook/dev salt: queueDir: /opt/sensoroni/queue timeoutMs: 45000 @@ -1605,7 +1613,7 @@ soc: showSubtitle: true - name: SOC - Auth description: Users authenticated to SOC grouped by IP address and identity - query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http_request.headers.x-real-ip identity_id' + query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http_request.headers.x-real-ip user.name' showSubtitle: true - name: SOC - App description: Logs generated by the Security Onion Console (SOC) server and modules 
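Review bot: The new playbook block sets `autoUpdateEnabled: true` with `playbookRepoUrl` pointing at a public GitHub repository and `playbookRepoBranch: playbook-stable`, so content pulled every `playbookImportFrequencySeconds` is pinned to a mutable branch rather than a tag or commit. Unless the importer verifies signed commits or a checksum (nothing here shows that), whoever can push to that branch controls what every grid imports; pinning to a tag, or a comment naming the verification the importer performs, would make that trust boundary explicit for operators. `playbookRepoPath: /opt/sensoroni/playbooks/` is the container-side path that enabled.sls maps from /opt/so/conf/soc/playbooks/; a comment such as `# container path; host side is /opt/so/conf/soc/playbooks/ (see soc/enabled.sls)` would save operators a search when they look for the files.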
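Review bot: The column lists and the SOC - Auth query in the -116 and -1605 hunks now read `user.name` instead of `identity_id` for kratos.audit events, which assumes ingest populates user.name on those records; if existing indices still carry only identity_id, the dashboard and the SOC Logins query in the next hunk will show empty groups for historical data until it is reindexed or rolls off. A short comment next to the first `- user.name` naming where the mapping is done (an ingest pipeline or the agent integration) would let the next reader confirm that without searching.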
@@ -1885,7 +1893,7 @@ soc:
         query: '* | groupby event.category | groupby -sankey event.category event.module | groupby event.module | groupby -sankey event.module event.dataset | groupby event.dataset | groupby observer.name | groupby host.name | groupby source.ip | groupby destination.ip | groupby destination.port'
       - name: SOC Logins
         description: SOC (Security Onion Console) logins
-        query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http_request.headers.x-real-ip | groupby -sankey http_request.headers.x-real-ip identity_id | groupby identity_id | groupby http_request.headers.user-agent'
+        query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http_request.headers.x-real-ip | groupby -sankey http_request.headers.x-real-ip user.name | groupby user.name | groupby http_request.headers.user-agent'
       - name: SOC Login Failures
         description: SOC (Security Onion Console) login failures
         query: 'event.dataset:kratos.audit AND msg:*Encountered*self-service*login*error* | groupby http_request.headers.x-real-ip | groupby -sankey http_request.headers.x-real-ip http_request.headers.user-agent | groupby http_request.headers.user-agent'
diff --git a/salt/soc/enabled.sls b/salt/soc/enabled.sls
index d687289b5..4b39d036e 100644
--- a/salt/soc/enabled.sls
+++ b/salt/soc/enabled.sls
@@ -35,6 +35,7 @@ so-soc:
       - /opt/so/conf/soc/soc.json:/opt/sensoroni/sensoroni.json:ro
       - /opt/so/conf/soc/ai_summary_repos:/opt/sensoroni/ai_summary_repos:rw
       - /opt/so/conf/navigator/layers/:/opt/sensoroni/navigator/:rw
+      - /opt/so/conf/soc/playbooks/:/opt/sensoroni/playbooks/:rw
 {% if SOCMERGED.telemetryEnabled and not GLOBALS.airgap %}
       - /opt/so/conf/soc/analytics.js:/opt/sensoroni/html/js/analytics.js:ro
 {% endif %}
diff --git a/salt/soc/files/soc/sigma_so_pipeline.yaml b/salt/soc/files/soc/sigma_so_pipeline.yaml
index 48e9e1215..88abcc200 100644
--- a/salt/soc/files/soc/sigma_so_pipeline.yaml
+++ b/salt/soc/files/soc/sigma_so_pipeline.yaml
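Review bot: The new `rw` bind mount `/opt/so/conf/soc/playbooks/:/opt/sensoroni/playbooks/:rw` has no matching state in this diff that creates the host directory or sets its ownership; if the directory is absent when the container starts, the container runtime creates it root-owned, and the importer this commit configures with `playbookRepoPath: /opt/sensoroni/playbooks/` would then be writing into a root-owned path from inside the container. The rest of enabled.sls is outside the hunk, so a `file.directory` state for it may already exist alongside the other SOC config directories. If it does not, add one and make `so-soc` require it so the mount is created with the intended owner and mode.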
@@ -1,6 +1,45 @@
 name: Security Onion Baseline Pipeline
 priority: 90
 transformations:
+vars:
+  document_id:
+    - '{soc_id}'
+  hostname:
+    - '{event_data.host.name}'
+  ProcessGuid:
+    - '{event_data.process.entity_id}'
+  User:
+    - '{user.name}'
+  private_ip:
+    - '{network.private.ip}'
+  public_ip:
+    - '{network.public.ip}'
+  related_ip:
+    - '{event_data.related.ip}'
+  related.hosts:
+    - '{event_data.related.hosts'
+  CurrentDirectory:
+    - '{event_data.process.working_directory}'
+  ParentProcessGuid:
+    - '{ParentProcessGuid}'
+  Image:
+    - '{process.executable}'
+  community_id:
+    - '{network.community_id}'
+transformations:
+  - type: value_placeholders
+    include:
+      - 'community_id'
+      - 'document_id'
+      - 'ProcessGuid'
+      - 'hostname'
+      - 'User'
+      - 'CurrentDirectory'
+      - 'ParentProcessGuid'
+      - 'Image'
+      - 'related_ip'
+      - 'private_ip'
+      - 'public_ip'
   - id: baseline_field_name_mapping
     type: field_name_mapping
     mapping:
@@ -12,12 +51,27 @@ transformations:
       sid: rule.uuid
       answer: answers
       query: dns.query.name
-      src_ip: source.ip.keyword
+      src_ip: source.ip
       src_port: source.port
-      dst_ip: destination.ip.keyword
+      dst_ip: destination.ip
       dst_port: destination.port
       winlog.event_data.User: user.name
       logtype: event.code # OpenCanary
+      ## Start Temp Linux Mappings ##
+      ProcessGuid: process.entity_id
+      ProcessId: process.pid
+      Image: process.executable
+      CommandLine: process.command_line
+      CurrentDirectory: process.working_directory
+      ParentProcessGuid: process.parent.entity_id
+      ParentProcessId: process.parent.pid"
+      ParentImage: process.parent.executable
+      ParentCommandLine: process.parent.command_line
+      ## End Temp Linux Mappings ##
+      rule.type: event.module
+      related_ip: related.ip
+      community_id: network.community_id
+      event_dataset: event.dataset
   # Maps "opencanary" product to SO IDH logs
   - id: opencanary_idh_add-fields
     type: add_condition
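Review bot: The context line `transformations:` at the top of the `@@ -1,6 +1,45 @@` hunk is kept and a second `+transformations:` is added after the `vars` block, so the file now carries that key twice at top level, the first with a null value; loaders that reject duplicate keys will refuse the pipeline and permissive ones silently keep only the second. The fix is to turn the kept line into a removal so only the new `transformations:` remains. In the same hunk `related.hosts` is declared as `- '{event_data.related.hosts'` with no closing brace, so it cannot resolve as a placeholder; it should read `- '{event_data.related.hosts}'` (it is also missing from the `include` list, which may be intentional). `ParentProcessGuid:` maps to `'{ParentProcessGuid}'`, a placeholder of its own name, which looks like a copy-paste leftover next to the other entries and is worth confirming.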
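Review bot: `ParentProcessId: process.parent.pid"` in the `@@ -12,12 +51,27 @@` hunk carries a stray trailing double quote; YAML accepts it as part of a plain scalar, so the mapping silently points rules at a field literally named `process.parent.pid"` that does not exist and the rules match nothing. It should be `ParentProcessId: process.parent.pid`. Dropping `.keyword` from `src_ip`/`dst_ip` is consistent with the other `.ip` mappings added in the same block.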
@@ -126,4 +180,41 @@ transformations:
       event.type: 'creation'
     rule_conditions:
       - type: logsource
-        category: file_event
\ No newline at end of file
+        category: file_event
+        category: file_event
+  # Maps network_connection rules to endpoint network creation logs
+  # This is an OS-agnostic mapping, to account for logs that don't specify source OS
+  - id: endpoint_network_connection_add-fields
+    type: add_condition
+    conditions:
+      event.category: 'network'
+      event.type: 'start'
+    rule_conditions:
+      - type: logsource
+        category: network_connection
+  # Maps "alert" category to SO Alert events
+  - id: alert_so_add-fields
+    type: add_condition
+    conditions:
+      tags: 'alert'
+    rule_conditions:
+      - type: logsource
+        category: alert
+  # Maps "network + connection" to SO connection logs
+  - id: network_connection_so_add-fields
+    type: add_condition
+    conditions:
+      tags: 'conn'
+    rule_conditions:
+      - type: logsource
+        category: network
+        service: connection
+  # Maps "network + dns" to SO DNS logs
+  - id: network_dns_so_add-fields
+    type: add_condition
+    conditions:
+      tags: 'dns'
+    rule_conditions:
+      - type: logsource
+        category: network
+        service: dns
diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf
index f5d331209..b358c178f 100644
--- a/salt/telegraf/etc/telegraf.conf
+++ b/salt/telegraf/etc/telegraf.conf
@@ -241,7 +241,12 @@
 # ## Use TLS but skip chain & host verification
 # # insecure_skip_verify = false
 
-{% if grains.role in ['so-searchnode','so-standalone','so-manager', 'so-managersearch', 'so-heavynode', 'so-receiver'] -%}
+{%- set logstash_metrics_roles = ['so-searchnode','so-standalone','so-managersearch','so-heavynode'] %}
+{%- if GLOBALS.pipeline != "KAFKA" %}
+{%- set logstash_metrics_roles = logstash_metrics_roles + ['so-manager', 'so-receiver'] %}
+{%- endif %}
+
+{%- if grains.role in logstash_metrics_roles %}
 [[inputs.logstash]]
   url = "http://localhost:9600"
   collect = ["pipelines"]
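Review bot: `category: file_event` now appears twice under the same `- type: logsource` item in the `@@ -126,4 +180,41 @@` hunk (the first line replaces the removed one, the second is added immediately after it), which is a duplicate mapping key; strict loaders reject the file and permissive ones keep a single copy, so one of the two lines should be dropped. The four new `add_condition` entries follow the existing comment-then-`id` pattern and read cleanly.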
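Review bot: The reason `so-manager` and `so-receiver` only collect Logstash metrics when `GLOBALS.pipeline != "KAFKA"` is not stated anywhere in the `@@ -241,7 +241,12 @@` hunk; presumably Logstash does not run on those roles under Kafka, but a reader of telegraf.conf cannot tell that from the role list alone. A one-line Jinja comment above the first `set` would spare the next person a search, e.g. `{# manager/receiver collect Logstash metrics only when the pipeline is not Kafka #}`, adjusted if that is not the actual reason. Note also that `{%-` on the first `set` strips the blank line before it, which is harmless but changes the rendered spacing relative to the old `{% if ... -%}` form.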
@@ -252,7 +257,7 @@
 {% if grains.role in ['so-manager','so-managersearch','so-standalone','so-receiver'] and GLOBALS.pipeline == "KAFKA" -%}
 [[inputs.jolokia2_agent]]
   name_prefix= "kafka_"
-  urls = ["http://localhost:8778/jolokia"]
+  urls = ["http://{{ NODEIP }}:8778/jolokia"]
 
   [[inputs.jolokia2_agent.metric]]
     name = "topics"
diff --git a/sigs/securityonion-2.4.150-20250512.iso.sig b/sigs/securityonion-2.4.150-20250512.iso.sig
new file mode 100644
index 000000000..7121c68c6
Binary files /dev/null and b/sigs/securityonion-2.4.150-20250512.iso.sig differ
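Review bot: Changing the Jolokia URL from `localhost` to `{{ NODEIP }}` means the Kafka JMX bridge on port 8778 must now be listening on the node's routable address rather than loopback, and the URL carries no TLS or credentials; the listener-side change and any host firewall rule for 8778 are not in this diff. If the agent is bound to the node IP, confirm that the firewall state limits 8778 to the nodes that need it (or that the agent enforces authentication), otherwise the broker's JMX attribute surface becomes reachable to anything on that network. A comment on the line stating why loopback no longer works would help, e.g. `# jolokia listens on NODEIP rather than loopback when Kafka is the pipeline`, if that is in fact the reason.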