From 97366c04967000f0c63ab52edf85611ea5e66387 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Mon, 20 Apr 2026 10:00:29 -0400
Subject: [PATCH 1/4] Rename 'ScanLNK' to 'ScanLnk' in defaults.yaml

---
 salt/strelka/defaults.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/strelka/defaults.yaml b/salt/strelka/defaults.yaml
index 4d69bf53b..302a45af4 100644
--- a/salt/strelka/defaults.yaml
+++ b/salt/strelka/defaults.yaml
@@ -261,7 +261,7 @@ strelka:
 priority: 5
 options:
 limit: 1000
- 'ScanLNK':
+ 'ScanLnk':
 - positive:
 flavors:
 - 'lnk_file'
From affede7f0ae9fb439d5396c9b7f66711924219ea Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Mon, 20 Apr 2026 10:01:10 -0400
Subject: [PATCH 2/4] Rename 'ScanLNK' to 'ScanLnk' in YAML config

---
 salt/strelka/soc_strelka.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/strelka/soc_strelka.yaml b/salt/strelka/soc_strelka.yaml
index 0066bd6c3..65ff950b8 100644
--- a/salt/strelka/soc_strelka.yaml
+++ b/salt/strelka/soc_strelka.yaml
@@ -99,7 +99,7 @@ strelka:
 'ScanJpeg': *scannerOptions
 'ScanJson': *scannerOptions
 'ScanLibarchive': *scannerOptions
- 'ScanLNK': *scannerOptions
+ 'ScanLnk': *scannerOptions
 'ScanLsb': *scannerOptions
 'ScanLzma': *scannerOptions
 'ScanMacho': *scannerOptions
From 4a2177c8278f20e871c1538f481d28b572f17672 Mon Sep 17 00:00:00 2001
From: Jorge Reyes <94730068+reyesj2@users.noreply.github.com>
Date: Mon, 11 May 2026 16:15:56 -0500
Subject: [PATCH 3/4] update redis index template missing redis integration component templates

---
 salt/elasticsearch/defaults.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 6fb795bce..52964b9cf 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -3958,10 +3958,13 @@ elasticsearch:
 - vulnerability-mappings
 - common-settings
 - common-dynamic-mappings
+ - logs-redis.log@package
+ - logs-redis.log@custom
 data_stream:
 allow_custom_routing: false
 hidden: false
- ignore_missing_component_templates: []
+ ignore_missing_component_templates:
+ - logs-redis.log@custom
 index_patterns:
 - logs-redis.log*
 priority: 501
From d56bf0182334c79161ad9cb809e8f92cc73b22c9 Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Wed, 13 May 2026 12:32:54 -0500
Subject: [PATCH 4/4] add zeek.ja4d ingest pipeline

---
 salt/elasticsearch/files/ingest/zeek.ja4d | 71 +++++++++++++++++++++++
 1 file changed, 71 insertions(+)
 create mode 100644 salt/elasticsearch/files/ingest/zeek.ja4d

diff --git a/salt/elasticsearch/files/ingest/zeek.ja4d b/salt/elasticsearch/files/ingest/zeek.ja4d
new file mode 100644
index 000000000..206622c49
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/zeek.ja4d
@@ -0,0 +1,71 @@
+{
+ "description": "zeek.ja4d",
+ "processors": [
+ {
+ "set": {
+ "field": "event.dataset",
+ "value": "ja4d"
+ }
+ },
+ {
+ "remove": {
+ "field": [
+ "host"
+ ],
+ "ignore_failure": true
+ }
+ },
+ {
+ "json": {
+ "field": "message",
+ "target_field": "message2",
+ "ignore_failure": true
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.ja4d",
+ "target_field": "hash.ja4d",
+ "ignore_missing": true,
+ "if": "ctx?.message2?.ja4d != null && ctx.message2.ja4d.length() > 0"
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.client_mac",
+ "target_field": "host.mac",
+ "ignore_missing": true,
+ "if": "ctx?.message2?.client_mac != null && ctx.message2.client_mac.length() > 0"
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.hostname",
+ "target_field": "host.hostname",
+ "ignore_missing": true,
+ "if": "ctx?.message2?.hostname != null && ctx.message2.hostname.length() > 0"
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.requested_ip",
+ "target_field": "dhcp.requested_address",
+ "ignore_missing": true,
+ "if": "ctx?.message2?.requested_ip != null && ctx.message2.requested_ip.length() > 0"
+ }
+ },
+ {
+ "rename": {
+ "field": "message2.vendor_class_id",
+ "target_field": "zeek.ja4d.vendor_class_id",
+ "ignore_missing": true,
+ "if": "ctx?.message2?.vendor_class_id != null && ctx.message2.vendor_class_id.length() > 0"
+ }
+ },
+ {
+ "pipeline": {
+ "name": "zeek.common"
+ }
+ }
+ ]
+}
\ No newline at end of file
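Review bot: The five `rename` processors' `if` conditions call `.length()` on `ctx.message2.<field>` without checking that the value is a string, and none of them sets `ignore_failure`, so a Zeek record where one of those keys is a non-string (a number or list) would make the Painless condition throw and fail the whole document instead of just skipping the rename — hedged, since the Zeek ja4d record types are not visible here. A type-narrowing guard avoids that, e.g. `"if": "ctx?.message2?.ja4d instanceof String && ctx.message2.ja4d.length() > 0"`, applied likewise to client_mac, hostname, requested_ip and vendor_class_id. Separately, because the preceding `json` processor has `ignore_failure: true`, an unparseable `message` leaves `message2` absent and every rename silently no-ops, so the event reaches `zeek.common` with no ja4d, MAC or hostname fields; if that best-effort behaviour is intended, the `description` is the place to record it, e.g. `"description": "zeek.ja4d - parse Zeek ja4d (DHCP fingerprint) records; field renames are skipped when message is not valid JSON"`. Note also that ECS defines `host.mac` as an array-normalized keyword field, so renaming a single `client_mac` string into it is worth confirming against the mapping that the index template applies.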