From e4db2f4819d6dddc96f7ba0108a6eb7cfb7a9585 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 10 Dec 2024 17:19:15 -0500
Subject: [PATCH 1/8] Update defaults.yaml
---
 salt/docker/defaults.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml
index 21cdf606c..7c776937d 100644
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -82,6 +82,7 @@ docker:
 - 443:443
 - 8443:8443
 - 7788:7788
+ - 7789:7789
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
From 5bc9fb19a85a5b97363c134b341978092cce5617 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 13 Dec 2024 09:18:58 -0500
Subject: [PATCH 2/8] Update VERSION
---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERSION b/VERSION
index 3cda1f5a4..5710f9e1d 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.4.110
+2.4.111
From 7d06dd4b1d1a6d6e6f5f29cad105a1c45c173cbe Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 13 Dec 2024 09:20:49 -0500
Subject: [PATCH 3/8] Update HOTFIX
---
 HOTFIX | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/HOTFIX b/HOTFIX
index 7f0f80c64..8b1378917 100644
--- a/HOTFIX
+++ b/HOTFIX
@@ -1 +1 @@
-20241010
+
From 897e8f68833a5c1b3d41ae11a3190aead6f115c5 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 17 Dec 2024 13:03:52 -0500
Subject: [PATCH 4/8] 2.4.111
---
 DOWNLOAD_AND_VERIFY_ISO.md | 20 ++++++++++----------
 sigs/securityonion-2.4.111-20241217.iso.sig | Bin 0 -> 566 bytes
 2 files changed, 10 insertions(+), 10 deletions(-)
 create mode 100644 sigs/securityonion-2.4.111-20241217.iso.sig
diff --git a/DOWNLOAD_AND_VERIFY_ISO.md b/DOWNLOAD_AND_VERIFY_ISO.md
index 18a38a91c..940ad4d8c 100644
--- a/DOWNLOAD_AND_VERIFY_ISO.md
+++ b/DOWNLOAD_AND_VERIFY_ISO.md
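Review bot: The added `- 7789:7789` entry carries no comment saying which service listens there, and this list (`443`, `8443`, `7788`) appears to be the set of container ports published on the host, so a later reader cannot tell whether the new listener is meant to be reachable from outside the manager. Suggest a trailing comment such as `- 7789:7789  # <service name>: what is served and who needs to reach it` (placeholder to fill in). If host firewall rules for these ports are maintained in a separate state, they presumably need a matching addition; that cannot be confirmed from this hunk.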
@@ -1,17 +1,17 @@
-### 2.4.110-20241010 ISO image released on 2024/10/10
+### 2.4.111-20241217 ISO image released on 2024/12/17
 ### Download and Verify
-2.4.110-20241010 ISO image:
-https://download.securityonion.net/file/securityonion/securityonion-2.4.110-20241010.iso
+2.4.111-20241217 ISO image:
+https://download.securityonion.net/file/securityonion/securityonion-2.4.111-20241217.iso
-MD5: A8003DEBC4510D538F06238D9DBB86C0
-SHA1: 441DE90A192C8FE8BEBAB9ACE1A3CC18F71A2B1F
-SHA256: B087A0D12FC2CA3CCD02BD52E52421F4F60DC09BF826337A057E05A04D114CCE
+MD5: 4EC241C5C7B59BAE58F09063508DEFB7
+SHA1: 4808FDD64C39B1F8A5E41B0AAA229FB03563BAB1
+SHA256: EA8C54CF6520809156F99EE4344F764920B1CC88136EEE70E0A666F5960DEC7D
 Signature for ISO image:
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.110-20241010.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.111-20241217.iso.sig
 Signing key:
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS
@@ -25,17 +25,17 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2. Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.110-20241010.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.111-20241217.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.4.110-20241010.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.4.111-20241217.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.4.110-20241010.iso.sig securityonion-2.4.110-20241010.iso +gpg --verify securityonion-2.4.111-20241217.iso.sig securityonion-2.4.111-20241217.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: diff --git a/sigs/securityonion-2.4.111-20241217.iso.sig b/sigs/securityonion-2.4.111-20241217.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..6c277cdd54ed9d2a39fed72b5e86537edea6397f GIT binary patch literal 566 zcmV-60?GY}0y6{v0SEvc79j-41gSkXz6^6dp_W8^5Ma0dP;e6k0%u^FdjJXv5PT3| zxBgIY6QJb}{Sl{Zk=p=yEeLl03rU#)xJjWQ=}kjq{<5BjUq-H+7PaUz2D|w<)SZg-x^k`Ewd99SgUKmAff z?yE8QB;pf6%9&mOV(7z08mnPb4j`PeRd;cWeB57obevBmZHT0>0rF0gceE1Z2dU&e zuM$;BS+@_?Y-)yti>j}jn1@KV2~V`V=HSEyVY$EpqX-8JL<>++S;%f&Es0R&cb3pv ztbEh|j*Xi6M&`swGY{}v)CM?D6ig?X{x!++$83g!!8B>vzWc=kB(p84J)V*&^EABD z=VZ}`+j*R_)`qo-aJK{o*Jm>z%M<0w-`S@c5+f!Rl#ikWoHyySV+da)$nk!5;XU}8 zg| zdKQ$TKLx@5f`c|};HDJ8t{pE$0?9Wq{jW5QkG!y-{~U<(9=78T;AZ>&axM(<(WZS^26Yx_l=FBWG*%Kt$o+j*S|&9NPDhYU?|Bt!}Pqy4?aA;}rf{of!S) z#P^fE%azXHSq*-CUSA9Mx?uZm8z^G0)tE?-sM)DLoM4|jisurfkXn0N;qUQQ_eof} EZ&3gbx&QzG literal 0 HcmV?d00001 From 17405b849a164aeed02f9761772674bdaa12b29c Mon Sep 17 00:00:00 2001 
From: defensivedepth
Date: Tue, 17 Dec 2024 16:01:31 -0500
Subject: [PATCH 5/8] Delete uneeded files
---
 salt/manager/tools/sbin/soup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 5e3deff15..86d00ec0b 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -901,7 +901,7 @@ update_airgap_rules() {
 rsync -av $UPDATE_DIR/agrules/detect-sigma/* /nsm/rules/detect-sigma/
 rsync -av $UPDATE_DIR/agrules/detect-yara/* /nsm/rules/detect-yara/
 # Copy the securityonion-resorces repo over for SOC Detection Summaries and checkout the published summaries branch
- rsync -av --chown=socore:socore $UPDATE_DIR/agrules/securityonion-resources /opt/so/conf/soc/ai_summary_repos
+ rsync -av --delete --chown=socore:socore $UPDATE_DIR/agrules/securityonion-resources /opt/so/conf/soc/ai_summary_repos
 git config --global --add safe.directory /opt/so/conf/soc/ai_summary_repos/securityonion-resources
 git -C /opt/so/conf/soc/ai_summary_repos/securityonion-resources checkout generated-summaries-published
 # Copy the securityonion-resorces repo over to nsm
From 3e04bfbd21ed5fa07b8504c2816400f47082b92b Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 18 Dec 2024 09:27:55 -0500
Subject: [PATCH 6/8] 2.4.111
---
 DOWNLOAD_AND_VERIFY_ISO.md | 10 +++++-----
 sigs/securityonion-2.4.111-20241217.iso.sig | Bin 566 -> 566 bytes
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/DOWNLOAD_AND_VERIFY_ISO.md b/DOWNLOAD_AND_VERIFY_ISO.md
index 940ad4d8c..57a07e53c 100644
--- a/DOWNLOAD_AND_VERIFY_ISO.md
+++ b/DOWNLOAD_AND_VERIFY_ISO.md
@@ -1,4 +1,4 @@
-### 2.4.111-20241217 ISO image released on 2024/12/17
+### 2.4.111-20241217 ISO image released on 2024/12/18
 ### Download and Verify
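Review bot: Adding `--delete` makes this rsync destructive, yet its exit status is still unchecked, so a failed or partial copy (for example if `$UPDATE_DIR` were empty and the unquoted path collapsed to `/agrules/securityonion-resources`) is followed straight by the `git config` and `git checkout` lines on whatever is left in the destination. Quote the variable and stop on failure: `rsync -av --delete --chown=socore:socore "$UPDATE_DIR/agrules/securityonion-resources" /opt/so/conf/soc/ai_summary_repos || return 1` — this assumes the caller of update_airgap_rules checks its return, which is not visible here. Because the source path has no trailing slash, `--delete` only prunes inside the copied `securityonion-resources` subtree and leaves the rest of `ai_summary_repos` alone; a comment stating that scope would make the intent of "delete unneeded files" explicit, e.g. `# --delete prunes stale files inside securityonion-resources only (no trailing slash on the source)`. The enclosing update_airgap_rules() body begins before and continues after this hunk.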
@@ -6,9 +6,9 @@ 2.4.111-20241217 ISO image:
 https://download.securityonion.net/file/securityonion/securityonion-2.4.111-20241217.iso
-MD5: 4EC241C5C7B59BAE58F09063508DEFB7
-SHA1: 4808FDD64C39B1F8A5E41B0AAA229FB03563BAB1
-SHA256: EA8C54CF6520809156F99EE4344F764920B1CC88136EEE70E0A666F5960DEC7D
+MD5: 767823D75EB76A6DC6132F799FD0E720
+SHA1: 0A7B6918FE5D4BC89EE3F2E03B4F8F4D6255141D
+SHA256: 394BFCED9B5EAA0788E2D04806231B3A170839394AAF8DD23B4CE0EB9D6EF727
 Signature for ISO image:
 https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.111-20241217.iso.sig
@@ -40,7 +40,7 @@ gpg --verify securityonion-2.4.111-20241217.iso.sig securityonion-2.4.111-202412
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Thu 10 Oct 2024 07:05:30 AM EDT using RSA key ID FE507013
+gpg: Signature made Tue 17 Dec 2024 04:33:10 PM EST using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC "
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg: There is no indication that the signature belongs to the owner.
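Review bot: The MD5/SHA1/SHA256 values and the detached signature for `securityonion-2.4.111-20241217.iso` are replaced in place while the filename stays the same, so anyone who fetched the ISO between the 2024/12/17 and 2024/12/18 commits will now see a hash mismatch and a failed `gpg --verify` with nothing in the document explaining why; the heading now says released on 2024/12/18 although the filename still carries 20241217 and the sample output shows the signature made on 17 Dec. A one-line note under the heading would spare those users a support thread, e.g. `Note: the hashes and signature for this image were updated on 2024/12/18; if your download does not verify, re-download the ISO and verify again.` Re-issuing different image content under an unchanged name also defeats anyone pinning the artifact by filename, so a fresh build-date suffix is preferable if a rebuild is needed again.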
diff --git a/sigs/securityonion-2.4.111-20241217.iso.sig b/sigs/securityonion-2.4.111-20241217.iso.sig index 6c277cdd54ed9d2a39fed72b5e86537edea6397f..e3545c57a35a59c7864bf6ce47235253e4f7b91b 100644 GIT binary patch delta 542 zcmV+(0^$9(1hxc_BY$D;761wf5PT3|xBgIY69UN({x1;ihaOo?jFhbfW8uPyzY8>B zs%>o8RA|GIr06&=EPA_I?$oLZX>g}jua2_;oOYTWpmoGCjz@!y9e@9B$#Gh`_?qqU4jQ|Kg1&aVQ8mJvy?uLcSa9KU*EF5QwNh-ak$${uY*&8&>A*c zpAK`(IJ`yNiyUTDU_x{si0dR7p= z^XQGcj*g31Q0BB}<0+S0T!+V|&W zTTtMnIcD`&y8zb g$0Nl|!WSaive%!NEHm`Ag_z?H$VMGA1p6r|9g~~_u>b%7 delta 542 zcmV+(0^$9(1hxc_BY$9;djJXv5PT3|xBgIY6QJb}{Sl{Zk=p=yEeLl03rU#)xJjWQ z=}kjq{<5BjUq-H+7PaUz2D|w<)SZg-x^k`Ewd99SgUKmAff?yE8QB;pf6%9&mOVt?qvMjESOQw|`UvQ>9+ zjC|Z*d32mlC2feLumSQ;l6SNcEvY@8k}2~vywc}n(TCf4oU+!2wTW=I1P0e9b=9UnI!!es9Zml%hWc!GHdOgEnm7rWC=h9WO-!$u}|m zuQZL1ys)4D9EkHCw&M@rX8ZnfE)4PH|9m&()Oun^Iiyor`Klzkd?yAYXKVF9MB(3# zjT*Kb+V_!a>pOX^Zmwy%-2xip6#iPB82#nM_mjQLmCoQ<4SsxHUkmrTVEb+xC}OYG gm`ISQ*%zrkoM4|jisurfkXn0N;qUQQ_eof}Z`AAx5dZ)H From d4f1772d2e06076280b45b4df05d303e2b77e4e9 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 18 Dec 2024 10:36:15 -0500 Subject: [PATCH 7/8] Update 2-4.yml --- .github/DISCUSSION_TEMPLATE/2-4.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/DISCUSSION_TEMPLATE/2-4.yml b/.github/DISCUSSION_TEMPLATE/2-4.yml index af5fa3a84..0b8d5e6b9 100644 --- a/.github/DISCUSSION_TEMPLATE/2-4.yml +++ b/.github/DISCUSSION_TEMPLATE/2-4.yml @@ -22,6 +22,7 @@ body: - 2.4.90 - 2.4.100 - 2.4.110 + - 2.4.111 - 2.4.120 - Other (please provide detail below) validations: From 157185c370b64983a46075c31bf5d69f7a69c015 Mon Sep 17 00:00:00 2001 
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Wed, 18 Dec 2024 11:33:49 -0600
Subject: [PATCH 8/8] add ti_opencti integration support
---
 salt/elasticfleet/defaults.yaml | 1 +
 salt/elasticsearch/defaults.yaml | 46 +++++++++++++++++++
 salt/elasticsearch/soc_elasticsearch.yaml | 1 +
 .../logs-ti_opencti.indicator@custom.json | 36 +++++++++++++++
 4 files changed, 84 insertions(+)
 create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_opencti.indicator@custom.json
diff --git a/salt/elasticfleet/defaults.yaml b/salt/elasticfleet/defaults.yaml
index 2f237cac1..bce028235 100644
--- a/salt/elasticfleet/defaults.yaml
+++ b/salt/elasticfleet/defaults.yaml
@@ -108,6 +108,7 @@ elasticfleet:
 - ti_anomali
 - ti_cybersixgill
 - ti_misp
+ - ti_opencti
 - ti_otx
 - ti_rapid7_threat_command
 - ti_recordedfuture
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 9f0d3576c..22da47337 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -10353,6 +10353,52 @@ elasticsearch:
 set_priority:
 priority: 50
 min_age: 30d
+ so-logs-ti_opencti_x_indicator:
+ index_sorting: False
+ index_template:
+ composed_of:
+ - "logs-ti_opencti.indicator@package"
+ - "logs-ti_opencti.indicator@custom"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ ignore_missing_component_templates:
+ - "logs-ti_opencti.indicator@custom"
+ index_patterns:
+ - "logs-ti_opencti.indicator-*"
+ priority: 501
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-ti_opencti.indicator-logs
+ number_of_replicas: 0
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 60d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
 so-logs-ti_otx_x_pulses_subscribed:
 index_sorting: false
 index_template:
diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml
index 88ea45b89..0db3f34fa 100644
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
@@ -491,6 +491,7 @@ elasticsearch:
 so-logs-ti_cybersixgill_x_threat: *indexSettings
 so-logs-ti_misp_x_threat: *indexSettings
 so-logs-ti_misp_x_threat_attributes: *indexSettings
+ so-logs-ti_opencti_x_indicator: *indexSettings
 so-logs-ti_otx_x_pulses_subscribed: *indexSettings
 so-logs-ti_otx_x_threat: *indexSettings
 so-logs-ti_recordedfuture_x_latest_ioc-template: *indexSettings
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_opencti.indicator@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_opencti.indicator@custom.json
new file mode 100644
index 000000000..17319ab9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_opencti.indicator@custom.json
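Review bot: `index_sorting: False` in the new `so-logs-ti_opencti_x_indicator` entry uses a capitalised boolean while the neighbouring `so-logs-ti_otx_x_pulses_subscribed` block in the same hunk uses `index_sorting: false`; both spellings load as booleans under Salt's YAML renderer, but the mixed form breaks any grep for the setting and would be read differently by a strict YAML 1.2 parser. Change it to `index_sorting: false`. The template and ILM policy appear to mirror the sibling entries (30d rollover and warm, 60d cold, 365d delete), which looks deliberate; whether a 365-day retention is right for OpenCTI indicator data is a policy question that cannot be settled from this hunk.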
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+ }
+}
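Review bot: Every field in the new component template is mapped as `"type": "ip"` with no `ignore_malformed`, so a document whose `host.ip`, `related.ip`, `source.ip` or `destination.ip` holds a value that does not parse as an address is rejected as a whole at index time, not just that field; for a threat-indicator feed, where CIDR ranges or defanged addresses are plausible, that would silently drop indicators. If the package ingest pipeline does not already guarantee clean values here — not visible in this commit — consider adding `"ignore_malformed": true` next to each `"type": "ip"` so the document is still stored and the offending field is recorded in `_ignored`. Separately, the four inner `"properties":{` objects omit the space that `"properties": {` on line 4 of the file uses; pick one form.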