Merge pull request #14075 from Security-Onion-Solutions/reyesj2/es-integ-tmp

merge dev
2025-12-08 10:12:53 +01:00 · 2025-01-06 15:18:05 -06:00
parent 37d67ee9d0 b97619b8f9
commit b431fb1e49
7 changed files with 79 additions and 32 deletions
--- a/salt/elasticfleet/enabled.sls
+++ b/salt/elasticfleet/enabled.sls
@@ -151,6 +151,10 @@ so-elastic-fleet-integration-upgrade:
  cmd.run:
    - name: /usr/sbin/so-elastic-fleet-integration-upgrade

+so-elastic-fleet-addon-integrations:
+  cmd.run:
+    - name: /usr/sbin/so-elastic-fleet-optional-integrations-load
+
 {%   if ELASTICFLEETMERGED.config.defend_filters.enable_auto_configuration %}
 so-elastic-defend-manage-filters-file-watch:
  cmd.run:
--- a/salt/elasticsearch/enabled.sls
+++ b/salt/elasticsearch/enabled.sls
@@ -172,13 +172,6 @@ so-elasticsearch-ilm-policy-load:
    - onchanges:
      - file: so-elasticsearch-ilm-policy-load-script

-configure-addon-fleet-integrations:
-  cmd.run:
-    - name: /usr/sbin/so-elastic-fleet-optional-integrations-load
-    - cwd: /opt/so
-    - require:
-      - docker_container: so-elasticsearch
-
 so-elasticsearch-templates-reload:
  file.absent:
    - name: /opt/so/state/estemplates.txt
--- a/salt/elasticsearch/files/ingest/zeek.quic
+++ b/salt/elasticsearch/files/ingest/zeek.quic
@@ -0,0 +1,18 @@
+{
+  "description" : "zeek.quic",
+  "processors" : [
+    { "set":      { "field": "event.dataset",                           "value": "quic" } },
+    { "set":      { "field": "network.transport",                       "value": "udp"  } },
+    { "json":     { "field": "message",                                 "target_field": "message2",                       "ignore_failure": true    } },
+    { "rename": 	{ "field": "message2.version",	                    "target_field": "quic.version",		              "ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.client_initial_dcid",	        "target_field": "quic.client_initial_dcid",		  "ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.client_scid",	                "target_field": "quic.client_scid",		          "ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.server_scid",	                "target_field": "quic.server_scid",		          "ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.server_name",	                "target_field": "quic.server_name",		          "ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.client_protocol",	            "target_field": "quic.client_protocol",		      "ignore_missing": true 	} },
+    { "rename": 	{ "field": "message2.history",	                    "target_field": "quic.history",                   "ignore_missing": true 	} },
+    { "remove":		{ "field": "message2.tags",		                                                                      "ignore_failure": true    } },
+    { "remove":   { "field": ["host"],                                                                                    "ignore_failure": true    } },
+    { "pipeline":       { "name": "zeek.common" } }
+  ]
+}
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -404,7 +404,8 @@ preupgrade_changes() {
    [[ "$INSTALLEDVERSION" == 2.4.80 ]] && up_to_2.4.90
    [[ "$INSTALLEDVERSION" == 2.4.90 ]] && up_to_2.4.100
    [[ "$INSTALLEDVERSION" == 2.4.100 ]] && up_to_2.4.110
-    [[ "$INSTALLEDVERSION" == 2.4.110 ]] && up_to_2.4.120
+    [[ "$INSTALLEDVERSION" == 2.4.110 ]] && up_to_2.4.111
+    [[ "$INSTALLEDVERSION" == 2.4.111 ]] && up_to_2.4.120
    true
 }

@@ -519,6 +520,11 @@ post_to_2.4.110() {
  POSTVERSION=2.4.110
 }

+post_to_2.4.111() {
+  echo "Nothing to apply"
+  POSTVERSION=2.4.111
+}
+
 post_to_2.4.120() {
  update_elasticsearch_index_settings
  POSTVERSION=2.4.120
@@ -714,6 +720,12 @@ up_to_2.4.110() {
  INSTALLEDVERSION=2.4.110
 }

+up_to_2.4.111() {
+  echo "Nothing to do for 2.4.111"
+
+  INSTALLEDVERSION=2.4.111
+}
+
 up_to_2.4.120() {
  add_hydra_pillars

--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -339,6 +339,16 @@ soc:
        - file.os
        - file.subsystem
        - log.id.fuid
+      '::quic':
+        - soc_timestamp
+        - event.dataset
+        - source.ip
+        - source.port
+        - destination.ip
+        - destination.port
+        - quic.server_name
+        - log.id.uid
+        - network.community_id
      '::radius':
        - soc_timestamp
        - event.dataset
@@ -1732,6 +1742,10 @@ soc:
              description: PE files list
              query: 'tags:pe | groupby file.machine file.os file.subsystem'
              showSubtitle: true
+            - name: QUIC
+              description: QUIC connections
+              query: 'tags:quic | groupby quic.server_name | groupby source.ip quic.server_name destination.ip'
+              showSubtitle: true
            - name: RADIUS
              description: RADIUS grouped by username
              query: 'tags:radius | groupby user.name'
@@ -1950,6 +1964,9 @@ soc:
            - name: PE
              description: PE (Portable Executable) files transferred via network traffic
              query: 'tags:pe | groupby file.machine | groupby -sankey file.machine file.os | groupby file.os | groupby -sankey file.os file.subsystem | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit'
+            - name: QUIC
+              description: QUIC network metadata
+              query: 'tags:quic | groupby quic.server_name | groupby -sankey quic.server_name source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name | groupby quic.server_scid | groupby quic.version | groupby quic.client_protocol'
            - name: RADIUS
              description: RADIUS (Remote Authentication Dial-In User Service) network metadata
              query: 'tags:radius | groupby user.name | groupby -sankey user.name source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
--- a/salt/soc/files/soc/sigma_so_pipeline.yaml
+++ b/salt/soc/files/soc/sigma_so_pipeline.yaml
@@ -45,24 +45,25 @@ transformations:
      rule_conditions:
      - type: logsource
        category: antivirus
-    # Drops the Hashes field which is specific to Sysmon logs
-    # Ingested sysmon logs will have the Hashes field mapped to ECS specific fields
-    - id: hashes_drop_sysmon-specific-field
-      type: drop_detection_item
+    # Transforms the `Hashes` field to ECS fields
+    # ECS fields are used by the hash fields emitted by Elastic Defend
+    # If shipped with Elastic Agent, sysmon logs will also have hashes mapped to ECS fields    
+    - id: hashes_break_out_field
+      type: hashes_fields
+      valid_hash_algos: ["MD5", "SHA1", "SHA256", "SHA512", "IMPHASH"]
+      field_prefix: "file"
+      drop_algo_prefix: False
      field_name_conditions:
        - type: include_fields
          fields:
            - winlog.event_data.Hashes
-      rule_conditions:
-      - type: logsource
-        product: windows
    - id: hashes_process-creation
      type: field_name_mapping
      mapping:
-        winlog.event_data.sha256: process.hash.sha256
-        winlog.event_data.sha1: process.hash.sha1
-        winlog.event_data.md5: process.hash.md5
-        winlog.event_data.Imphash: process.pe.imphash
+        fileSHA256: process.hash.sha256
+        fileSHA1: process.hash.sha1
+        fileMD5: process.hash.md5
+        fileIMPHASH: process.pe.imphash
      rule_conditions:
      - type: logsource
        product: windows
@@ -70,10 +71,10 @@ transformations:
    - id: hashes_image-load
      type: field_name_mapping
      mapping:
-        winlog.event_data.sha256: dll.hash.sha256
-        winlog.event_data.sha1: dll.hash.sha1
-        winlog.event_data.md5: dll.hash.md5
-        winlog.event_data.Imphash: dll.pe.imphash
+        fileSHA256: dll.hash.sha256
+        fileSHA1: dll.hash.sha1
+        fileMD5: dll.hash.md5
+        fileIMPHASH: dll.pe.imphash
      rule_conditions:
      - type: logsource
        product: windows
@@ -81,10 +82,10 @@ transformations:
    - id: hashes_driver-load
      type: field_name_mapping
      mapping:
-        winlog.event_data.sha256: dll.hash.sha256
-        winlog.event_data.sha1: dll.hash.sha1
-        winlog.event_data.md5: dll.hash.md5
-        winlog.event_data.Imphash: dll.pe.imphash
+        fileSHA256: dll.hash.sha256
+        fileSHA1: dll.hash.sha1
+        fileMD5: dll.hash.md5
+        fileIMPHASH: dll.pe.imphash
      rule_conditions:
      - type: logsource
        product: windows
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -962,7 +962,12 @@ docker_seed_update() {
 docker_seed_registry() {
 	local VERSION="$SOVERSION"

-	if ! [ -f /nsm/docker-registry/docker/registry.tar ]; then
+	if [ -f /nsm/docker-registry/docker/registry.tar ]; then
+		logCmd "tar xvf /nsm/docker-registry/docker/registry.tar -C /nsm/docker-registry/docker"
+		logCmd "rm /nsm/docker-registry/docker/registry.tar"
+	elif [ -d /nsm/docker-registry/docker/registry ] && [ -f /etc/SOCLOUD ]; then
+		echo "Using existing docker registry content for cloud install"
+	else
 		if [ "$install_type" == 'IMPORT' ]; then
 			container_list 'so-import'	
 		else
@@ -972,9 +977,6 @@ docker_seed_registry() {
 		docker_seed_update_percent=25

 		update_docker_containers 'netinstall' '' 'docker_seed_update' '/dev/stdout' 2>&1 | tee -a "$setup_log"
-	else
-		logCmd "tar xvf /nsm/docker-registry/docker/registry.tar -C /nsm/docker-registry/docker"
-		logCmd "rm /nsm/docker-registry/docker/registry.tar"
 	fi
 }