Merge remote-tracking branch 'origin/2.4/dev' into vlb2

2025-12-06 17:22:49 +01:00 · 2025-05-19 10:02:26 -04:00
parent 28aedcf50b 2948577b0e
commit b0a8191f59
30 changed files with 168 additions and 48 deletions
--- a/.github/DISCUSSION_TEMPLATE/2-4.yml
+++ b/.github/DISCUSSION_TEMPLATE/2-4.yml
@@ -28,6 +28,7 @@ body:
        - 2.4.140
        - 2.4.141
        - 2.4.150
        - 2.4.160
        - Other (please provide detail below)
    validations:
      required: true
--- a/DOWNLOAD_AND_VERIFY_ISO.md
+++ b/DOWNLOAD_AND_VERIFY_ISO.md
@@ -1,17 +1,17 @@
-### 2.4.141-20250331 ISO image released on 2025/03/31
+### 2.4.150-20250512 ISO image released on 2025/05/12
 ### Download and Verify
-2.4.141-20250331 ISO image:  
+2.4.150-20250512 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.4.141-20250331.iso
+https://download.securityonion.net/file/securityonion/securityonion-2.4.150-20250512.iso
-MD5: CAE347BC0437A93DC8F4089973ED0EA7  
+MD5: 7A7469A7A38EA9A2DB770C36AE36A0CA  
-SHA1: 3A6F0C2F3B6E3625E06F67EB251372D7E592CB0E  
+SHA1: 7E768D515353F339DC536DED6207B786DAFF7D27  
-SHA256: D0426D8E55E01A0FBA15AFE0BB7887CCB724C07FE82DA706CD1592E6001CD12B  
+SHA256: F8B2EB6B332F2367F0C097D211577565C8FB5CC7809E97D63687C634035B3699  
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.141-20250331.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.150-20250512.iso.sig
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS  
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.141-20250331.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.150-20250512.iso.sig
 ```
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.141-20250331.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.150-20250512.iso
 ```
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.4.141-20250331.iso.sig securityonion-2.4.141-20250331.iso
+gpg --verify securityonion-2.4.150-20250512.iso.sig securityonion-2.4.150-20250512.iso
 ```
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Fri 28 Mar 2025 06:28:11 PM EDT using RSA key ID FE507013
+gpg: Signature made Fri 09 May 2025 06:27:29 PM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.
--- a/2
+++ b/2
@@ -1 +1 @@
-2.4.150
+2.4.160
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -299,7 +299,8 @@ fail() {
 get_agent_count() {
 	if [ -f /opt/so/log/agents/agentstatus.log ]; then
-		AGENTCOUNT=$(cat /opt/so/log/agents/agentstatus.log | grep -wF active | awk '{print $2}')
+		AGENTCOUNT=$(cat /opt/so/log/agents/agentstatus.log | grep -wF active | awk '{print $2}' | sed 's/,//')
 		[[ -z "$AGENTCOUNT" ]] && AGENTCOUNT="0"
 	else
 		AGENTCOUNT=0
 	fi
--- a/salt/common/tools/sbin/so-common-status-check
+++ b/salt/common/tools/sbin/so-common-status-check
@@ -45,7 +45,7 @@ def check_for_fps():
        result = subprocess.run([feat_full + '-mode-setup', '--is-enabled'], stdout=subprocess.PIPE)
        if result.returncode == 0:
            fps = 1
-    except FileNotFoundError:
+    except:
        fn = '/proc/sys/crypto/' + feat_full + '_enabled'
        try:
          with open(fn, 'r') as f:
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers
@@ -83,8 +83,10 @@ docker run \
 {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent-builder:{{ GLOBALS.so_version }} wixl -o so-elastic-agent_windows_amd64_msi --arch x64 /workspace/so-elastic-agent.wxs
 printf "\n### MSI Generated...\n"
-printf "\n### Cleaning up temp files in /nsm/elastic-agent-workspace\n"
+printf "\n### Cleaning up temp files \n"
 rm -rf /nsm/elastic-agent-workspace
 rm -rf /opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/so-elastic-agent_windows_amd64.exe
 printf "\n### Copying so_agent-installers to /nsm/elastic-fleet/ for nginx.\n"
 \cp -vr /opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/ /nsm/elastic-fleet/
 chmod 644 /nsm/elastic-fleet/so_agent-installers/*
--- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade
@@ -14,7 +14,7 @@ if ! is_manager_node; then
 fi
 # Get current list of Grid Node Agents that need to be upgraded
-RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "http://localhost:5601/api/fleet/agents?perPage=20&page=1&kuery=policy_id%20%3A%20so-grid-nodes_%2A&showInactive=false&showUpgradeable=true&getStatusSummary=true")
+RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "http://localhost:5601/api/fleet/agents?perPage=20&page=1&kuery=NOT%20agent.version%20:%20%22{{ELASTICSEARCHDEFAULTS.elasticsearch.version}}%22%20and%20policy_id%20:%20%22so-grid-nodes_general%22&showInactive=false&getStatusSummary=true")
 # Check to make sure that the server responded with good data - else, bail from script
 CHECKSUM=$(jq -r '.page' <<< "$RAW_JSON")
--- a/salt/elasticsearch/files/ingest/global@custom
+++ b/salt/elasticsearch/files/ingest/global@custom
@@ -8,7 +8,7 @@
  "processors": [
    { "set":        { "ignore_failure": true,  "field": "event.module", "value": "elastic_agent" } },
    { "split":      { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "module_temp"  } },
-    { "split":      { "if": "ctx.data_stream?.dataset.contains('.')", "field":"data_stream.dataset", "separator":"\\.", "target_field":"datastream_dataset_temp", "ignore_missing":true } },
+    { "split":      { "if": "ctx.data_stream?.dataset != null && ctx.data_stream?.dataset.contains('.')", "field":"data_stream.dataset", "separator":"\\.", "target_field":"datastream_dataset_temp", "ignore_missing":true } },
    { "set":        { "if": "ctx.module_temp != null", "override": true, "field": "event.module", "value": "{{module_temp.0}}" } },
    { "set":        { "if": "ctx.datastream_dataset_temp != null && ctx.datastream_dataset_temp[0] == 'network_traffic'", "field":"event.module", "value":"{{ datastream_dataset_temp.0 }}", "ignore_failure":true, "ignore_empty_value":true, "description":"Fix EA network packet capture" } },
    { "gsub":       { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "pattern": "^[^.]*.", "replacement": "", "target_field": "dataset_tag_temp" } },
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -417,6 +417,7 @@ preupgrade_changes() {
    [[ "$INSTALLEDVERSION" == 2.4.130 ]] && up_to_2.4.140
    [[ "$INSTALLEDVERSION" == 2.4.140 ]] && up_to_2.4.141
    [[ "$INSTALLEDVERSION" == 2.4.141 ]] && up_to_2.4.150
    [[ "$INSTALLEDVERSION" == 2.4.150 ]] && up_to_2.4.160
    true
 }
@@ -444,6 +445,7 @@ postupgrade_changes() {
    [[ "$POSTVERSION"  == 2.4.130 ]] && post_to_2.4.140
    [[ "$POSTVERSION"  == 2.4.140 ]] && post_to_2.4.141
    [[ "$POSTVERSION"  == 2.4.141 ]] && post_to_2.4.150
    [[ "$POSTVERSION"  == 2.4.150 ]] && post_to_2.4.160
    true
 }
@@ -560,9 +562,6 @@ post_to_2.4.130() {
  echo "Updating Kibana default space"
  /usr/sbin/so-kibana-space-defaults
  echo "Regenerating Elastic Agent Installers"
  /sbin/so-elastic-agent-gen-installers
  POSTVERSION=2.4.130
 }
@@ -577,10 +576,16 @@ post_to_2.4.141() {
 }
 post_to_2.4.150() {
-  echo "Nothing to apply"
+  echo "Regenerating Elastic Agent Installers"
  /sbin/so-elastic-agent-gen-installers
  POSTVERSION=2.4.150
 }
 post_to_2.4.160() {
  echo "Nothing to apply"
  POSTVERSION=2.4.160
 }
 repo_sync() {
  echo "Sync the local repo."
  su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync."
@@ -818,6 +823,12 @@ up_to_2.4.150() {
  INSTALLEDVERSION=2.4.150
 }
 up_to_2.4.160() {
  echo "Nothing to do for 2.4.160"
  INSTALLEDVERSION=2.4.160
 }
 add_hydra_pillars() {
  mkdir -p /opt/so/saltstack/local/pillar/hydra
  touch /opt/so/saltstack/local/pillar/hydra/soc_hydra.sls
--- a/salt/sensoroni/files/analyzers/malwarehashregistry/requirements.txt
+++ b/salt/sensoroni/files/analyzers/malwarehashregistry/requirements.txt
@@ -1,2 +1,2 @@
 requests>=2.31.0
-python-whois>=0.7.3
+python-whois>=0.9.5
--- a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/future-0.18.3.tar.gz
+++ b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/future-0.18.3.tar.gz
--- a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/python-whois-0.8.0.tar.gz
+++ b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/python-whois-0.8.0.tar.gz
--- a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/python_dateutil-2.9.0.post0-py2.py3-none-any.whl
+++ b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/python_dateutil-2.9.0.post0-py2.py3-none-any.whl
--- a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/python_whois-0.9.5-py3-none-any.whl
+++ b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/python_whois-0.9.5-py3-none-any.whl
--- a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/setuptools-80.1.0-py3-none-any.whl
+++ b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/setuptools-80.1.0-py3-none-any.whl
--- a/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/six-1.17.0-py2.py3-none-any.whl
+++ b/salt/sensoroni/files/analyzers/malwarehashregistry/source-packages/six-1.17.0-py2.py3-none-any.whl
--- a/salt/sensoroni/files/analyzers/sublime/source-packages/certifi-2021.10.8-py2.py3-none-any.whl
+++ b/salt/sensoroni/files/analyzers/sublime/source-packages/certifi-2021.10.8-py2.py3-none-any.whl
--- a/salt/sensoroni/files/analyzers/sublime/source-packages/certifi-2023.5.7-py3-none-any.whl
+++ b/salt/sensoroni/files/analyzers/sublime/source-packages/certifi-2023.5.7-py3-none-any.whl
--- a/salt/sensoroni/files/analyzers/sublime/source-packages/idna-3.3-py3-none-any.whl
+++ b/salt/sensoroni/files/analyzers/sublime/source-packages/idna-3.3-py3-none-any.whl
--- a/salt/sensoroni/files/analyzers/sublime/source-packages/idna-3.4-py3-none-any.whl
+++ b/salt/sensoroni/files/analyzers/sublime/source-packages/idna-3.4-py3-none-any.whl
--- a/salt/sensoroni/files/analyzers/sublime/source-packages/requests-2.27.1-py2.py3-none-any.whl
+++ b/salt/sensoroni/files/analyzers/sublime/source-packages/requests-2.27.1-py2.py3-none-any.whl
--- a/salt/sensoroni/files/analyzers/sublime/source-packages/requests-2.31.0-py3-none-any.whl
+++ b/salt/sensoroni/files/analyzers/sublime/source-packages/requests-2.31.0-py3-none-any.whl
--- a/salt/sensoroni/files/analyzers/sublime/source-packages/urllib3-1.26.9-py2.py3-none-any.whl
+++ b/salt/sensoroni/files/analyzers/sublime/source-packages/urllib3-1.26.9-py2.py3-none-any.whl
--- a/salt/sensoroni/files/analyzers/sublime/source-packages/urllib3-2.0.3-py3-none-any.whl
+++ b/salt/sensoroni/files/analyzers/sublime/source-packages/urllib3-2.0.3-py3-none-any.whl
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -10,7 +10,7 @@ soc:
        icon: fa-crosshairs
        target:
        links:
-          - '/#/hunt?q="{value|escape}" | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid'
+          - '/#/hunt?q="{value|escape}" | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid&gridId={gridId}'
      - name: actionAddToCase
        description: actionAddToCaseHelp
        icon: fa-briefcase
@@ -24,20 +24,20 @@ soc:
        icon: fa-magnifying-glass-arrow-right
        target: ''
        links:
-          - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid'
+          - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid&gridId={gridId}'
-          - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid'
+          - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid&gridId={gridId}'
-          - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid'
+          - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid&gridId={gridId}'
-          - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid'
+          - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid&gridId={gridId}'
-          - '/#/hunt?q="{:log.id.fuid}" | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid'
+          - '/#/hunt?q="{:log.id.fuid}" | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid&gridId={gridId}'
-          - '/#/hunt?q="{:log.id.uid}" | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid'
+          - '/#/hunt?q="{:log.id.uid}" | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid&gridId={gridId}'
-          - '/#/hunt?q="{:network.community_id}" | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid'
+          - '/#/hunt?q="{:network.community_id}" | groupby event.module* | groupby -sankey event.module* event.dataset | groupby event.dataset | groupby source.ip source.port destination.ip destination.port | groupby network.protocol | groupby source_geo.organization_name source.geo.country_name | groupby destination_geo.organization_name destination.geo.country_name | groupby rule.name rule.category event.severity_label | groupby dns.query.name | groupby file.mime_type | groupby http.virtual_host http.uri | groupby notice.note notice.message notice.sub_message | groupby ssl.server_name | groupby source.ip host.hostname user.name event.action event.type process.executable process.pid&gridId={gridId}'
      - name: actionPcap
        description: actionPcapHelp
        icon: fa-stream
        target: ''
        links:
-          - '/joblookup?esid={:soc_id}&time={:@timestamp}'
+          - '/joblookup?esid={:soc_id}&time={:@timestamp}&gridId={gridId}'
-          - '/joblookup?ncid={:network.community_id}&time={:@timestamp}'
+          - '/joblookup?ncid={:network.community_id}&time={:@timestamp}&gridId={gridId}'
        categories:
          - hunt
          - alerts
@@ -71,30 +71,30 @@ soc:
        icon: fa-person-running
        target: ''
        links:
-          - '/#/hunt?q=(process.entity_id:"{:process.entity_id}") | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.name | groupby process.command_line | groupby host.name user.name | groupby source.ip source.port destination.ip destination.port | groupby dns.question.name | groupby dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path'
+          - '/#/hunt?q=(process.entity_id:"{:process.entity_id}") | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.name | groupby process.command_line | groupby host.name user.name | groupby source.ip source.port destination.ip destination.port | groupby dns.question.name | groupby dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path&gridId={gridId}'
      - name: actionProcessChildInfo
        description: actionProcessChildInfoHelp
        icon: fa-users-line
        target: ''
        links:
-          - '/#/hunt?q=(process.entity_id:"{:process.entity_id}" OR process.parent.entity_id:"{:process.entity_id}") | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.name | groupby process.command_line | groupby host.name user.name | groupby source.ip source.port destination.ip destination.port | groupby dns.question.name | groupby dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path'
+          - '/#/hunt?q=(process.entity_id:"{:process.entity_id}" OR process.parent.entity_id:"{:process.entity_id}") | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.name | groupby process.command_line | groupby host.name user.name | groupby source.ip source.port destination.ip destination.port | groupby dns.question.name | groupby dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path&gridId={gridId}'
      - name: actionProcessAllInfo
        description: actionProcessAllInfoHelp
        icon: fa-users-between-lines
        target: ''
        links:
-          - '/#/hunt?q="{:process.entity_id}" | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.name | groupby process.command_line | groupby host.name user.name | groupby source.ip source.port destination.ip destination.port | groupby dns.question.name | groupby dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path'
+          - '/#/hunt?q="{:process.entity_id}" | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.name | groupby process.command_line | groupby host.name user.name | groupby source.ip source.port destination.ip destination.port | groupby dns.question.name | groupby dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path&gridId={gridId}'
      - name: actionProcessAncestors
        description: actionProcessAncestorsHelp
        icon: fa-people-roof
        target: ''
        links:
-          - '/#/hunt?q=(process.entity_id:"{:process.entity_id}" OR process.entity_id:"{:process.Ext.ancestry|processAncestors}") | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.parent.name | groupby -sankey process.parent.name process.name | groupby process.name | groupby process.command_line | groupby host.name user.name | groupby source.ip source.port destination.ip destination.port | groupby dns.question.name | groupby dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path'
+          - '/#/hunt?q=(process.entity_id:"{:process.entity_id}" OR process.entity_id:"{:process.Ext.ancestry|processAncestors}") | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.parent.name | groupby -sankey process.parent.name process.name | groupby process.name | groupby process.command_line | groupby host.name user.name | groupby source.ip source.port destination.ip destination.port | groupby dns.question.name | groupby dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path&gridId={gridId}'
      - name: actionRelatedAlerts
        description: actionRelatedAlertsHelp
        icon: fa-bell
        links:
-          - '/#/alerts?q=rule.uuid: {:so_detection.publicId|escape} | groupby rule.name event.module* event.severity_label'
+          - '/#/alerts?q=rule.uuid: {:so_detection.publicId|escape} | groupby rule.name event.module* event.severity_label&gridId={gridId}'
        target: ''
      - name: actionAdd
        description: actionAddHelp
@@ -116,14 +116,14 @@ soc:
        - soc_timestamp
        - event.dataset
        - http_request.headers.x-real-ip
-        - identity_id
+        - user.name
        - http_request.headers.user-agent
        - msg
      ':hydra:':
        - soc_timestamp
        - event.dataset
        - http_request.headers.x-real-ip
-        - identity_id
+        - user.name
        - http_request.headers.user-agent
        - msg
      '::conn':
@@ -1456,6 +1456,14 @@ soc:
          org: Security Onion
          bucket: telegraf/so_short_term
          verifyCert: false
        playbook:
          autoUpdateEnabled: true
          playbookImportFrequencySeconds: 86400
          playbookImportErrorSeconds: 600
          playbookRepoUrl: https://github.com/Security-Onion-Solutions/securityonion-resources
          playbookRepoBranch: playbook-stable
          playbookRepoPath: /opt/sensoroni/playbooks/
          playbookPathInRepo: playbook/dev
        salt:
          queueDir: /opt/sensoroni/queue
          timeoutMs: 45000
@@ -1605,7 +1613,7 @@ soc:
              showSubtitle: true
            - name: SOC - Auth
              description: Users authenticated to SOC grouped by IP address and identity
-              query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http_request.headers.x-real-ip identity_id'
+              query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http_request.headers.x-real-ip user.name'
              showSubtitle: true
            - name: SOC - App
              description: Logs generated by the Security Onion Console (SOC) server and modules
@@ -1885,7 +1893,7 @@ soc:
              query: '* | groupby event.category | groupby -sankey event.category event.module | groupby event.module | groupby -sankey event.module event.dataset | groupby event.dataset | groupby observer.name | groupby host.name | groupby source.ip | groupby destination.ip | groupby destination.port'
            - name: SOC Logins
              description: SOC (Security Onion Console) logins
-              query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http_request.headers.x-real-ip | groupby -sankey http_request.headers.x-real-ip identity_id | groupby identity_id | groupby http_request.headers.user-agent'
+              query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http_request.headers.x-real-ip | groupby -sankey http_request.headers.x-real-ip user.name | groupby user.name | groupby http_request.headers.user-agent'
            - name: SOC Login Failures
              description: SOC (Security Onion Console) login failures
              query: 'event.dataset:kratos.audit AND msg:*Encountered*self-service*login*error* | groupby http_request.headers.x-real-ip | groupby -sankey http_request.headers.x-real-ip http_request.headers.user-agent | groupby http_request.headers.user-agent'
--- a/salt/soc/enabled.sls
+++ b/salt/soc/enabled.sls
@@ -35,6 +35,7 @@ so-soc:
      - /opt/so/conf/soc/soc.json:/opt/sensoroni/sensoroni.json:ro
      - /opt/so/conf/soc/ai_summary_repos:/opt/sensoroni/ai_summary_repos:rw
      - /opt/so/conf/navigator/layers/:/opt/sensoroni/navigator/:rw
      - /opt/so/conf/soc/playbooks/:/opt/sensoroni/playbooks/:rw
 {% if SOCMERGED.telemetryEnabled and not GLOBALS.airgap %}
      - /opt/so/conf/soc/analytics.js:/opt/sensoroni/html/js/analytics.js:ro
 {% endif %}
--- a/salt/soc/files/soc/sigma_so_pipeline.yaml
+++ b/salt/soc/files/soc/sigma_so_pipeline.yaml
@@ -1,6 +1,45 @@
 name: Security Onion Baseline Pipeline
 priority: 90
 transformations:
 vars:
  document_id:
   - '{soc_id}'
  hostname:
   - '{event_data.host.name}'
  ProcessGuid:
   - '{event_data.process.entity_id}'
  User:
   - '{user.name}'
  private_ip:
   - '{network.private.ip}' 
  public_ip:
   - '{network.public.ip}'   
  related_ip:
   - '{event_data.related.ip}'
  related.hosts:
   - '{event_data.related.hosts'
  CurrentDirectory:
   - '{event_data.process.working_directory}'
  ParentProcessGuid:
   - '{ParentProcessGuid}'
  Image:
   - '{process.executable}'
  community_id:
   - '{network.community_id}'
 transformations:
    - type: value_placeholders
      include:
        - 'community_id'
        - 'document_id'
        - 'ProcessGuid'      
        - 'hostname'
        - 'User'
        - 'CurrentDirectory'
        - 'ParentProcessGuid'
        - 'Image'
        - 'related_ip'
        - 'private_ip'
        - 'public_ip'
    - id: baseline_field_name_mapping
      type: field_name_mapping
      mapping:
@@ -12,12 +51,27 @@ transformations:
        sid: rule.uuid
        answer: answers
        query: dns.query.name
-        src_ip: source.ip.keyword
+        src_ip: source.ip
        src_port: source.port
-        dst_ip: destination.ip.keyword
+        dst_ip: destination.ip
        dst_port: destination.port
        winlog.event_data.User: user.name
        logtype: event.code # OpenCanary
      ## Start Temp Linux Mappings ##
        ProcessGuid: process.entity_id
        ProcessId: process.pid
        Image: process.executable
        CommandLine: process.command_line
        CurrentDirectory: process.working_directory
        ParentProcessGuid: process.parent.entity_id
        ParentProcessId: process.parent.pid"
        ParentImage: process.parent.executable
        ParentCommandLine: process.parent.command_line
     ## End Temp Linux Mappings ##
        rule.type: event.module
        related_ip: related.ip
        community_id: network.community_id
        event_dataset: event.dataset
    # Maps "opencanary" product to SO IDH logs
    - id: opencanary_idh_add-fields
      type: add_condition
@@ -127,3 +181,40 @@ transformations:
      rule_conditions:
      - type: logsource
        category: file_event
        category: file_event
    # Maps network_connection rules to endpoint network creation logs
    # This is an OS-agnostic mapping, to account for logs that don't specify source OS
    - id: endpoint_network_connection_add-fields
      type: add_condition
      conditions:
        event.category: 'network'
        event.type: 'start'
      rule_conditions:
      - type: logsource
        category: network_connection
    # Maps "alert" category to SO Alert events
    - id: alert_so_add-fields
      type: add_condition
      conditions:
        tags: 'alert'
      rule_conditions:
      - type: logsource
        category: alert
    # Maps "network + connection" to SO connection logs
    - id: network_connection_so_add-fields
      type: add_condition
      conditions:
        tags: 'conn'
      rule_conditions:
      - type: logsource
        category: network
        service: connection
    # Maps "network + dns" to SO DNS logs
    - id: network_dns_so_add-fields
      type: add_condition
      conditions:
        tags: 'dns'
      rule_conditions:
      - type: logsource
        category: network
        service: dns
--- a/salt/telegraf/etc/telegraf.conf
+++ b/salt/telegraf/etc/telegraf.conf
@@ -241,7 +241,12 @@
 #   ## Use TLS but skip chain & host verification
 #   # insecure_skip_verify = false
-{% if grains.role in ['so-searchnode','so-standalone','so-manager', 'so-managersearch', 'so-heavynode', 'so-receiver'] -%}
+{%- set logstash_metrics_roles = ['so-searchnode','so-standalone','so-managersearch','so-heavynode'] %}
 {%- if GLOBALS.pipeline != "KAFKA" %}
 {%-   set logstash_metrics_roles = logstash_metrics_roles + ['so-manager', 'so-receiver'] %}
 {%- endif %}
 {%- if grains.role in logstash_metrics_roles %}
 [[inputs.logstash]]
  url = "http://localhost:9600"
  collect = ["pipelines"]
@@ -252,7 +257,7 @@
 {% if grains.role in ['so-manager','so-managersearch','so-standalone','so-receiver'] and GLOBALS.pipeline == "KAFKA" -%}
 [[inputs.jolokia2_agent]]
  name_prefix= "kafka_"
-  urls = ["http://localhost:8778/jolokia"]
+  urls = ["http://{{ NODEIP }}:8778/jolokia"]
 [[inputs.jolokia2_agent.metric]]
  name         = "topics"
--- a/sigs/securityonion-2.4.150-20250512.iso.sig
+++ b/sigs/securityonion-2.4.150-20250512.iso.sig
`@@ -1,2 +1,2 @@`
	`requests>=2.31.0`	`requests>=2.31.0`
	`python-whois>=0.7.3`	`python-whois>=0.9.5`