From 715d801ce8072d3ef55d5d84e8e7c3c232aab5d4 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Fri, 14 Nov 2025 13:02:44 -0600 Subject: [PATCH 1/8] format json zeek.dns
---
 salt/elasticsearch/files/ingest/zeek.dns | 257 ++++++++++++++++++++--- 1 file changed, 224 insertions(+), 33 deletions(-)
diff --git a/salt/elasticsearch/files/ingest/zeek.dns b/salt/elasticsearch/files/ingest/zeek.dns
index 7be8afec6..2df71a8e4 100644
--- a/salt/elasticsearch/files/ingest/zeek.dns
+++ b/salt/elasticsearch/files/ingest/zeek.dns
@@ -1,35 +1,226 @@
 {
- "description" : "zeek.dns",
- "processors" : [
- { "set": { "field": "event.dataset", "value": "dns" } },
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
- { "rename": { "field": "message2.trans_id", "target_field": "dns.id", "ignore_missing": true } },
- { "rename": { "field": "message2.rtt", "target_field": "event.duration", "ignore_missing": true } },
- { "rename": { "field": "message2.query", "target_field": "dns.query.name", "ignore_missing": true } },
- { "rename": { "field": "message2.qclass", "target_field": "dns.query.class", "ignore_missing": true } },
- { "rename": { "field": "message2.qclass_name", "target_field": "dns.query.class_name", "ignore_missing": true } },
- { "rename": { "field": "message2.qtype", "target_field": "dns.query.type", "ignore_missing": true } },
- { "rename": { "field": "message2.qtype_name", "target_field": "dns.query.type_name", "ignore_missing": true } },
- { "rename": { "field": "message2.rcode", "target_field": "dns.response.code", "ignore_missing": true } },
- { "rename": { "field": "message2.rcode_name", "target_field": "dns.response.code_name", "ignore_missing": true } },
- { "rename": { "field": "message2.AA", "target_field": "dns.authoritative", "ignore_missing": true } },
- { "rename": { "field": "message2.TC", "target_field": "dns.truncated", "ignore_missing": true } },
- { "rename": { "field": "message2.RD", "target_field": "dns.recursion.desired", "ignore_missing": true } },
- { "rename": { "field": "message2.RA", "target_field": "dns.recursion.available", "ignore_missing": true } },
- { "rename": { "field": "message2.Z", "target_field": "dns.reserved", "ignore_missing": true } },
- { "rename": { "field": "message2.answers", "target_field": "dns.answers.name", "ignore_missing": true } },
- { "foreach": {"field": "dns.answers.name","processor": {"pipeline": {"name": "common.ip_validation"}},"if": "ctx.dns != null && ctx.dns.answers != null && ctx.dns.answers.name != null","ignore_failure": true}},
- { "foreach": {"field": "temp._valid_ips","processor": {"append": {"field": "dns.resolved_ip","allow_duplicates": false,"value": "{{{_ingest._value}}}","ignore_failure": true}},"ignore_failure": true}},
- { "script": { "source": "if (ctx.dns.resolved_ip != null && ctx.dns.resolved_ip instanceof List) {\n ctx.dns.resolved_ip.removeIf(item -> item == null || item.toString().trim().isEmpty());\n }","ignore_failure": true }},
- { "remove": {"field": ["temp"], "ignore_missing": true ,"ignore_failure": true } },
- { "rename": { "field": "message2.TTLs", "target_field": "dns.ttls", "ignore_missing": true } },
- { "rename": { "field": "message2.rejected", "target_field": "dns.query.rejected", "ignore_missing": true } },
- { "script": { "lang": "painless", "source": "ctx.dns.query.length = ctx.dns.query.name.length()", "ignore_failure": true } },
- { "set": { "if": "ctx._index == 'so-zeek'", "field": "_index", "value": "so-zeek_dns", "override": true } },
- { "pipeline": { "if": "ctx.dns?.query?.name != null && ctx.dns.query.name.contains('.')", "name": "dns.tld" } },
- { "pipeline": { "name": "zeek.common" } }
- ]
+ "description": "zeek.dns",
+ "processors": [
+ {
+ "set": {
+ "field": "event.dataset",
+ "value": "dns"
+ }
+ },
+ {
+ "remove": {
+ "field": [
+ "host"
+ ],
+ "ignore_failure": true
+ }
+ },
+ {
+ "json": {
+ "field": "message",
+ "target_field": "message2",
+ "ignore_failure": true
+ }
+ },
+ {
+ "dot_expander": {
+ "field": "id.orig_h",
+ "path": "message2",
+ "ignore_failure": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.proto",
+ "target_field": "network.transport",
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.trans_id",
+ "target_field": "dns.id",
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.rtt",
+ "target_field": "event.duration",
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.query",
+ "target_field": "dns.query.name",
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.qclass",
+ "target_field": "dns.query.class",
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.qclass_name",
+ "target_field": "dns.query.class_name",
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.qtype",
+ "target_field": "dns.query.type",
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.qtype_name",
+ "target_field": "dns.query.type_name",
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.rcode",
+ "target_field": "dns.response.code",
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.rcode_name",
+ "target_field": "dns.response.code_name",
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.AA",
+ "target_field": "dns.authoritative",
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.TC",
+ "target_field": "dns.truncated",
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.RD",
+ "target_field": "dns.recursion.desired",
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.RA",
+ "target_field": "dns.recursion.available",
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.Z",
+ "target_field": "dns.reserved",
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.answers",
+ "target_field": "dns.answers.name",
+ "ignore_missing": true
+ }
+ },
+ {
+ "foreach": {
+ "field": "dns.answers.name",
+ "processor": {
+ "pipeline": {
+ "name": "common.ip_validation"
+ }
+ },
+ "if": "ctx.dns != null && ctx.dns.answers != null && ctx.dns.answers.name != null",
+ "ignore_failure": true
+ }
+ },
+ {
+ "foreach": {
+ "field": "temp._valid_ips",
+ "processor": {
+ "append": {
+ "field": "dns.resolved_ip",
+ "allow_duplicates": false,
+ "value": "{{{_ingest._value}}}",
+ "ignore_failure": true
+ }
+ },
+ "ignore_failure": true
+ }
+ },
+ {
+ "script": {
+ "source": "if (ctx.dns.resolved_ip != null && ctx.dns.resolved_ip instanceof List) {\n ctx.dns.resolved_ip.removeIf(item -> item == null || item.toString().trim().isEmpty());\n }",
+ "ignore_failure": true
+ }
+ },
+ {
+ "remove": {
+ "field": [
+ "temp"
+ ],
+ "ignore_missing": true,
+ "ignore_failure": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.TTLs",
+ "target_field": "dns.ttls",
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.rejected",
+ "target_field": "dns.query.rejected",
+ "ignore_missing": true
+ }
+ },
+ {
+ "script": {
+ "lang": "painless",
+ "source": "ctx.dns.query.length = ctx.dns.query.name.length()",
+ "ignore_failure": true
+ }
+ },
+ {
+ "set": {
+ "if": "ctx._index == 'so-zeek'",
+ "field": "_index",
+ "value": "so-zeek_dns",
+ "override": true
+ }
+ },
+ {
+ "pipeline": {
+ "if": "ctx.dns?.query?.name != null && ctx.dns.query.name.contains('.')",
+ "name": "dns.tld"
+ }
+ },
+ {
+ "pipeline": {
+ "name": "zeek.common"
+ }
+ }
+ ]
 }
\ No newline at end of file
From 68b0cd7549a7f4b8459022e2b94d6ed81bbf09e2 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Fri, 14 Nov 2025 14:14:12 -0600 Subject: [PATCH 2/8] rename zeek.dpd zeek.analyzer
---
 salt/elasticsearch/files/ingest/{zeek.dpd => zeek.analyzer} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename salt/elasticsearch/files/ingest/{zeek.dpd => zeek.analyzer} (100%)
diff --git a/salt/elasticsearch/files/ingest/zeek.dpd b/salt/elasticsearch/files/ingest/zeek.analyzer
similarity index 100% rename from salt/elasticsearch/files/ingest/zeek.dpd rename to salt/elasticsearch/files/ingest/zeek.analyzer
From fcfd74ec1ef7fdeeae920e1594bccf7fc55e6b44 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Fri, 14 Nov 2025 14:14:54 -0600 Subject: [PATCH 3/8] zeek.analyzer format json
---
 salt/elasticsearch/files/ingest/zeek.analyzer | 126 +++++++++++++++--- 1 file changed, 107 insertions(+), 19 deletions(-)
diff --git a/salt/elasticsearch/files/ingest/zeek.analyzer b/salt/elasticsearch/files/ingest/zeek.analyzer
index 2f76c5ecb..7b0c3dfa7 100644
--- a/salt/elasticsearch/files/ingest/zeek.analyzer
+++ b/salt/elasticsearch/files/ingest/zeek.analyzer
@@ -1,20 +1,108 @@
 {
- "description" : "zeek.dpd",
- "processors" : [
- { "set": { "field": "event.dataset", "value": "dpd" } },
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "dot_expander": { "field": "id.orig_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_h", "target_field": "source.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.orig_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.orig_p", "target_field": "source.port", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_h", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_h", "target_field": "destination.ip", "ignore_missing": true } },
- { "dot_expander": { "field": "id.resp_p", "path": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.id.resp_p", "target_field": "destination.port", "ignore_missing": true } },
- { "rename": { "field": "message2.proto", "target_field": "network.protocol", "ignore_missing": true } },
- { "rename": { "field": "message2.analyzer", "target_field": "observer.analyzer", "ignore_missing": true } },
- { "rename": { "field": "message2.failure_reason", "target_field": "error.reason", "ignore_missing": true } },
- { "pipeline": { "name": "zeek.common" } }
- ]
-}
+ "description": "zeek.dpd",
+ "processors": [
+ {
+ "set": {
+ "field": "event.dataset",
+ "value": "dpd"
+ }
+ },
+ {
+ "remove": {
+ "field": [
+ "host"
+ ],
+ "ignore_failure": true
+ }
+ },
+ {
+ "json": {
+ "field": "message",
+ "target_field": "message2",
+ "ignore_failure": true
+ }
+ },
+ {
+ "dot_expander": {
+ "field": "id.orig_h",
+ "path": "message2",
+ "ignore_failure": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.id.orig_h",
+ "target_field": "source.ip",
+ "ignore_missing": true
+ }
+ },
+ {
+ "dot_expander": {
+ "field": "id.orig_p",
+ "path": "message2",
+ "ignore_failure": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.id.orig_p",
+ "target_field": "source.port",
+ "ignore_missing": true
+ }
+ },
+ {
+ "dot_expander": {
+ "field": "id.resp_h",
+ "path": "message2",
+ "ignore_failure": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.id.resp_h",
+ "target_field": "destination.ip",
+ "ignore_missing": true
+ }
+ },
+ {
+ "dot_expander": {
+ "field": "id.resp_p",
+ "path": "message2",
+ "ignore_failure": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.id.resp_p",
+ "target_field": "destination.port",
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.proto",
+ "target_field": "network.protocol",
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.analyzer",
+ "target_field": "observer.analyzer",
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.failure_reason",
+ "target_field": "error.reason",
+ "ignore_missing": true
+ }
+ },
+ {
+ "pipeline": {
+ "name": "zeek.common"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 45b4b1d96309dd44fdf49610edc2a02bc557836c Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Fri, 14 Nov 2025 14:42:58 -0600 Subject: [PATCH 4/8] ingest zeek analyzer.log + update dpd dashboard with analyzer tag
---
 salt/elasticfleet/defaults.yaml | 1 - salt/soc/defaults.yaml | 4 ++-- 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/salt/elasticfleet/defaults.yaml b/salt/elasticfleet/defaults.yaml
index 0220428bf..0f013e320 100644
--- a/salt/elasticfleet/defaults.yaml
+++ b/salt/elasticfleet/defaults.yaml
@@ -15,7 +15,6 @@ elasticfleet:
 logging:
 zeek:
 excluded:
- - analyzer
 - broker
 - capture_loss
 - cluster
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 83d116eec..b3bbfa659 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1746,7 +1746,7 @@ soc:
 showSubtitle: true
 - name: DPD
 description: Dynamic Protocol Detection errors
- query: 'tags:dpd | groupby error.reason'
+ query: '(tags:dpd OR tags:analyzer) | groupby error.reason'
 showSubtitle: true
 - name: Files
 description: Files grouped by mimetype
@@ -2012,7 +2012,7 @@ soc:
 query: 'tags:dns | groupby dns.query.name | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby dns.query.type_name | groupby dns.response.code_name | groupby dns.answers.name | groupby destination.as.organization.name'
 - name: DPD
 description: DPD (Dynamic Protocol Detection) errors
- query: 'tags:dpd | groupby error.reason | groupby -sankey error.reason source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby destination.as.organization.name'
+ query: '(tags:dpd OR tags:analyzer) | groupby error.reason | groupby -sankey error.reason source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby destination.as.organization.name'
 - name: Files
 description: Files seen in network traffic
 query: 'tags:file | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip | groupby destination.as.organization.name'
From 7c73b4713f6bb302ae8c072020604bcbf84c9a54 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Fri, 14 Nov 2025 15:41:54 -0600 Subject: [PATCH 5/8] update analyzer pipeline
---
 salt/elasticsearch/files/ingest/zeek.analyzer | 89 +++++-------------- 1 file changed, 21 insertions(+), 68 deletions(-)
diff --git a/salt/elasticsearch/files/ingest/zeek.analyzer b/salt/elasticsearch/files/ingest/zeek.analyzer
index 7b0c3dfa7..aa743b0ee 100644
--- a/salt/elasticsearch/files/ingest/zeek.analyzer
+++ b/salt/elasticsearch/files/ingest/zeek.analyzer
@@ -1,10 +1,10 @@
 {
- "description": "zeek.dpd",
+ "description": "zeek.analyzer",
 "processors": [
 {
 "set": {
 "field": "event.dataset",
- "value": "dpd"
+ "value": "analyzer"
 }
 },
 {
@@ -23,75 +23,28 @@
 }
 },
 {
- "dot_expander": {
- "field": "id.orig_h",
- "path": "message2",
+ "set": {
+ "field": "network.protocol",
+ "copy_from": "message2.analyzer_name",
+ "ignore_empty_value": true,
+ "if": "ctx?.message2?.analyzer_kind == 'protocol'"
+ }
+ },
+ {
+ "set": {
+ "field": "network.protocol",
+ "ignore_empty_value": true,
+ "if": "ctx?.message2?.analyzer_kind != 'protocol'",
+ "copy_from": "message2.proto"
+ }
+ },
+ {
+ "lowercase": {
+ "field": "network.protocol",
+ "ignore_missing": true,
 "ignore_failure": true
 }
 },
- {
- "rename": {
- "field": "message2.id.orig_h",
- "target_field": "source.ip",
- "ignore_missing": true
- }
- },
- {
- "dot_expander": {
- "field": "id.orig_p",
- "path": "message2",
- "ignore_failure": true
- }
- },
- {
- "rename": {
- "field": "message2.id.orig_p",
- "target_field": "source.port",
- "ignore_missing": true
- }
- },
- {
- "dot_expander": {
- "field": "id.resp_h",
- "path": "message2",
- "ignore_failure": true
- }
- },
- {
- "rename": {
- "field": "message2.id.resp_h",
- "target_field": "destination.ip",
- "ignore_missing": true
- }
- },
- {
- "dot_expander": {
- "field": "id.resp_p",
- "path": "message2",
- "ignore_failure": true
- }
- },
- {
- "rename": {
- "field": "message2.id.resp_p",
- "target_field": "destination.port",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "message2.proto",
- "target_field": "network.protocol",
- "ignore_missing": true
- }
- },
- {
- "rename": {
- "field": "message2.analyzer",
- "target_field": "observer.analyzer",
- "ignore_missing": true
- }
- },
 {
 "rename": {
 "field": "message2.failure_reason",
From bcec999be49a436de325a402bd29953610266f45 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Fri, 14 Nov 2025 15:42:22 -0600 Subject: [PATCH 6/8] zeek.dns reduce errors
---
 salt/elasticsearch/files/ingest/zeek.dns | 1 + 1 file changed, 1 insertion(+)
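Review bot: The fallback `set` guarded by `ctx?.message2?.analyzer_kind != 'protocol'` copies `message2.proto` into `network.protocol`, while the zeek.dns pipeline in this same series maps `message2.proto` to `network.transport`; `proto` in Zeek logs is the transport-layer protocol, so this one field ends up holding both application-analyzer names (from `analyzer_name`) and transport names, and the DPD dashboards' `groupby network.protocol` will mix them. The old dpd pipeline had the same mapping, so existing behaviour is preserved, but the second processor would be more consistent with zeek.dns as `"field": "network.transport"`, leaving `network.protocol` to the protocol-analyzer case. Dropping the `message2.analyzer` rename also means `analyzer_name` for non-protocol analyzers is no longer kept anywhere visible in this pipeline unless zeek.common retains it, which is worth confirming. The removed `dot_expander`/`rename` steps for the `id.*` fields presumably move to zeek.common, as zeek.dns already relies on it for them; confirm `source.ip`/`destination.ip` still populate, since the dashboards group by them.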
diff --git a/salt/elasticsearch/files/ingest/zeek.dns b/salt/elasticsearch/files/ingest/zeek.dns
index 2df71a8e4..43853ffe8 100644
--- a/salt/elasticsearch/files/ingest/zeek.dns
+++ b/salt/elasticsearch/files/ingest/zeek.dns
@@ -164,6 +164,7 @@
 "ignore_failure": true
 }
 },
+ "if": "ctx.dns != null && ctx.dns.answers != null && ctx.dns.answers.name != null",
 "ignore_failure": true
 }
 },
From 136a829509c0a3f791be45114604b59848aa71c9 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Fri, 14 Nov 2025 16:51:00 -0600 Subject: [PATCH 7/8] detect-sqli deprecated in favor of detect-sql-injection
---
 salt/zeek/defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/zeek/defaults.yaml b/salt/zeek/defaults.yaml
index 81bfa3d9d..169b6521a 100644
--- a/salt/zeek/defaults.yaml
+++ b/salt/zeek/defaults.yaml
@@ -45,7 +45,7 @@ zeek:
 - protocols/ssh/geo-data
 - protocols/ssh/detect-bruteforcing
 - protocols/ssh/interesting-hostnames
- - protocols/http/detect-sqli
+ - protocols/http/detect-sql-injection
 - frameworks/files/hash-all-files
 - frameworks/files/detect-MHR
 - policy/frameworks/notice/extend-email/hostnames
From 76cbd18d2c64bd7c504ec9a719b908608e39dc13 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 19 Nov 2025 09:56:42 -0500 Subject: [PATCH 8/8] communicate to the viewer that OS patches may take some time
---
 salt/manager/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 952645c61..f885301e6 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
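Review bot: The added `if` on this `foreach` tests `ctx.dns.answers.name`, but the processor iterates `temp._valid_ips` (line 164 of the new file is inside the second foreach, the one feeding `dns.resolved_ip`), so the guard does not check the field whose absence makes the foreach fail; when `common.ip_validation` leaves no `temp._valid_ips` behind (presumably the case when no answer is an IP), the processor still runs and the error is only masked by `ignore_failure`. Guard the iterated field instead, `"if": "ctx.temp?._valid_ips != null"`, or, if the deployed Elasticsearch version supports it on foreach, add `"ignore_missing": true` alongside `ignore_failure`. The enclosing foreach processor starts and ends outside the hunk.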
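Review bot: Switching the loaded policy to `protocols/http/detect-sql-injection` ties this default to Zeek releases that ship that script; on an older Zeek that lacks it, an unresolved script in the load list stops Zeek from starting, so the Zeek package version pinned by this repository should be checked alongside this change. The page does not show which notice types downstream detections or dashboards key on, so confirm that whatever consumed the old `detect-sqli` notices still matches what `detect-sql-injection` emits. A comment above the entry, `# detect-sqli is deprecated upstream in favor of detect-sql-injection`, would record why the default changed.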
@@ -271,7 +271,7 @@ check_os_updates() {
 if [[ "$confirm" == [cC] ]]; then
 echo "Continuing without updating packages"
 elif [[ "$confirm" == [uU] ]]; then
- echo "Applying Grid Updates"
+ echo "Applying Grid Updates. The following patch.os salt state may take a while depending on how many packages need to be updated."
 update_flag=true
 else
 echo "Exiting soup"