Merge remote-tracking branch 'origin/2.4/dev' into issue/10975

2025-12-06 17:22:49 +01:00 · 2023-08-31 08:58:28 -04:00
parent c812c3991e ca9dad396f
commit bfb0d0ddb5
11 changed files with 285 additions and 4 deletions
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -178,6 +178,9 @@ docker:
      extra_env: []
    'so-elastic-agent':
      final_octet: 46
      port_bindings:
        - 0.0.0.0:514:514/tcp
        - 0.0.0.0:514:514/udp
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
--- a/salt/elasticagent/enabled.sls
+++ b/salt/elasticagent/enabled.sls
@@ -31,6 +31,10 @@ so-elastic-agent:
        - {{ XTRAHOST }}
          {% endfor %}
        {% endif %}
    - port_bindings:
      {% for BINDING in DOCKER.containers['so-elastic-agent'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
      - /opt/so/conf/elastic-agent/elastic-agent.yml:/usr/share/elastic-agent/elastic-agent.yml:ro
      - /opt/so/log/elasticagent:/usr/share/elastic-agent/logs
--- a/salt/elasticagent/files/elastic-agent.yml.jinja
+++ b/salt/elasticagent/files/elastic-agent.yml.jinja
@@ -430,3 +430,54 @@ inputs:
        exclude_files:
          - >-
            broker|capture_loss|cluster|ecat_arp_info|known_hosts|known_services|loaded_scripts|ntp|ocsp|packet_filter|reporter|stats|stderr|stdout.log$
  - id: udp-udp-35051de0-46a5-11ee-8d5d-9f98c8182f60
    name: syslog-udp-514
    revision: 3
    type: udp
    use_output: default
    meta:
      package:
        name: udp
        version: 1.10.0
    data_stream:
      namespace: so
    package_policy_id: 35051de0-46a5-11ee-8d5d-9f98c8182f60
    streams:
      - id: udp-udp.generic-35051de0-46a5-11ee-8d5d-9f98c8182f60
        data_stream:
          dataset: syslog
        pipeline: syslog
        host: '0.0.0.0:514'
        max_message_size: 10KiB
        processors:
          - add_fields:
              fields:
                module: syslog
              target: event
        tags:
          - syslog
  - id: tcp-tcp-33d37bb0-46a5-11ee-8d5d-9f98c8182f60
    name: syslog-tcp-514
    revision: 3
    type: tcp
    use_output: default
    meta:
      package:
        name: tcp
        version: 1.10.0
    data_stream:
      namespace: so
    package_policy_id: 33d37bb0-46a5-11ee-8d5d-9f98c8182f60
    streams:
      - id: tcp-tcp.generic-33d37bb0-46a5-11ee-8d5d-9f98c8182f60
        data_stream:
          dataset: syslog
        pipeline: syslog
        host: '0.0.0.0:514'
        processors:
          - add_fields:
              fields:
                module: syslog
              target: event
        tags:
          - syslog
--- a/salt/elasticfleet/defaults.yaml
+++ b/salt/elasticfleet/defaults.yaml
@@ -26,6 +26,7 @@ elasticfleet:
        - stderr
        - stdout
  packages:
    - apache
    - auditd
    - aws
    - azure
@@ -40,6 +41,7 @@ elasticfleet:
    - fleet_server
    - fim
    - fortinet
    - fortinet_fortigate
    - gcp
    - github
    - google_workspace
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -286,6 +286,42 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-apache_x_access:
      index_sorting: False
      index_template:
        index_patterns:
          - "logs-apache.access-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-apache.access@package"
          - "logs-apache.access@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-apache_x_error:
      index_sorting: False
      index_template:
        index_patterns:
          - "logs-apache.error-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
          - "logs-apache.error@package"
          - "logs-apache.error@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
        data_stream:
          hidden: false
          allow_custom_routing: false
    so-logs-auditd_x_log:
      index_sorting: False
      index_template:
@@ -934,18 +970,18 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-fortinet_x_fortigate:
+    so-logs-fortinet_fortigate_x_log:
      index_sorting: False
      index_template:
        index_patterns:
-          - "logs-fortinet.fortigate-*"
+          - "logs-fortinet_fortigate.log-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
-          - "logs-fortinet.fortigate@package"
+          - "logs-fortinet_fortigate.log@package"
-          - "logs-fortinet.fortigate@custom"
+          - "logs-fortinet_fortigate.log@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
@@ -4151,6 +4187,7 @@ elasticsearch:
    so-syslog:
      index_sorting: False
      index_template:
        data_stream: {}
        index_patterns:
          - logs-syslog-so*
        template:
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
@@ -201,6 +201,8 @@ elasticsearch:
    so-logs-windows_x_powershell: *indexSettings
    so-logs-windows_x_powershell_operational: *indexSettings
    so-logs-windows_x_sysmon_operational: *indexSettings
    so-logs-apache_x_access: *indexSettings
    so-logs-apache_x_error: *indexSettings
    so-logs-auditd_x_log: *indexSettings
    so-logs-aws_x_cloudtrail: *indexSettings
    so-logs-aws_x_cloudwatch_logs: *indexSettings
--- a/salt/firewall/defaults.yaml
+++ b/salt/firewall/defaults.yaml
@@ -1141,6 +1141,12 @@ firewall:
            localhost:
              portgroups:
                - all
            self:
              portgroups:
                - syslog
            syslog:
              portgroups:
                - syslog
            customhostgroup0:
              portgroups: []
            customhostgroup1:
--- a/salt/sensoroni/defaults.yaml
+++ b/salt/sensoroni/defaults.yaml
@@ -8,3 +8,31 @@ sensoroni:
    node_checkin_interval_ms: 10000
    sensoronikey:
    soc_host:
  analyzers:
      emailrep:
        base_url: https://emailrep.io/
        api_key:
      greynoise:
        base_url: https://api.greynoise.io/
        api_key:
        api_version: community
      localfile:
        file_path: []
      otx:
        base_url: https://otx.alienvault.com/api/v1/
        api_key:
      pulsedive:
        base_url: https://pulsedive.com/api/ 
        api_key:
      spamhaus:
        lookup_host: zen.spamhaus.org
        nameservers: []
      urlscan:
        base_url: https://urlscan.io/api/v1/
        api_key:
        enabled: False
        visibility: public
        timeout: 180
      virustotal:
        base_url: https://www.virustotal.com/api/v3/search?query=
        api_key:
--- a/salt/sensoroni/soc_sensoroni.yaml
+++ b/salt/sensoroni/soc_sensoroni.yaml
@@ -37,3 +37,145 @@ sensoroni:
      helpLink: sensoroni.html
      global: True
      advanced: True
  analyzers:
    emailrep:
      api_key:
        description: API key for the EmailRep analyzer.
        helpLink: sensoroni.html
        global: False
        sensitive: True
        advanced: True
        forcedType: string
      base_url:
        description: Base URL for the EmailRep analyzer.
        helpLink: sensoroni.html
        global: False
        sensitive: False
        advanced: True
        forcedType: string
    greynoise:
      api_key:
        description: API key for the GreyNoise analyzer.
        helpLink: sensoroni.html
        global: False
        sensitive: True
        advanced: True
        forcedType: string
      api_version:
        description: API version for the GreyNoise analyzer.
        helpLink: sensoroni.html
        global: False
        sensitive: False
        advanced: True
        forcedType: string
      base_url:
        description: Base URL for the GreyNoise analyzer.
        helpLink: sensoroni.html
        global: False
        sensitive: False
        advanced: True
        forcedType: string
    localfile:
      file_path:
        description: File path for the LocalFile analyzer.
        helpLink: sensoroni.html
        global: False
        sensitive: False
        advanced: True
        forcedType: "[]string"
    otx:
      api_key:
        description: API key for the OTX analyzer.
        helpLink: sensoroni.html
        global: False
        sensitive: True
        advanced: True
        forcedType: string
      base_url:
        description: Base URL for the OTX analyzer.
        helpLink: sensoroni.html
        global: False
        sensitive: False
        advanced: True
        forcedType: string
    pulsedive:
      api_key:
        description: API key for the Pulsedive analyzer.
        helpLink: sensoroni.html
        global: False
        sensitive: True
        advanced: True
        forcedType: string
      base_url:
        description: Base URL for the Pulsedive analyzer.
        helpLink: sensoroni.html
        global: False
        sensitive: False
        advanced: True
        forcedType: string
    spamhaus:
      lookup_host:
        description: Host to use for lookups.
        helpLink: sensoroni.html
        global: False
        sensitive: False
        advanced: True
        forcedType: string
      nameservers:
        description: Nameservers used for queries.
        helpLink: sensoroni.html
        global: False
        sensitive: False
        advanced: True
        forcedTypes: "[]string"
    urlscan:
      api_key:
        description: API key for the Urlscan analyzer.
        helpLink: sensoroni.html
        global: False
        sensitive: True
        advanced: True
        forcedType: string
      base_url:
        description: Base URL for the Urlscan analyzer.
        helpLink: sensoroni.html
        global: False
        sensitive: False
        advanced: True
        forcedType: string
      enabled:
        description: Analyzer enabled
        helpLink: sensoroni.html
        global: False
        sensitive: False
        advanced: True
        forcedType: bool
      timeout:
        description: Timeout for the Urlscan analyzer.
        helpLink: sensoroni.html
        global: False
        sensitive: False
        advanced: True
        forcedType: int
      visibility:
        description: Type of visibility.
        helpLink: sensoroni.html
        global: False
        sensitive: False
        advanced: True
        forcedType: string
    virustotal:
      api_key:
        description: API key for the VirusTotal analyzer.
        helpLink: sensoroni.html
        global: False
        sensitive: True
        advanced: True
        forcedType: string
      base_url:
        description: Base URL for the VirusTotal analyzer.
        helpLink: sensoroni.html
        global: False
        sensitive: False
        advanced: True
        forcedType: string
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1012,6 +1012,7 @@ soc:
          verifyCert: false
        salt:
          queueDir: /opt/sensoroni/queue
          longRelayTimeoutMs: 120000
        sostatus:
          refreshIntervalMs: 30000
          offlineThresholdMs: 900000
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -111,6 +111,11 @@ soc:
            description: Duration (in milliseconds) that must elapse after a grid node fails to check-in before the node will be marked offline (fault).
            global: True
            advanced: True
        salt:
          longRelayTimeoutMs:
            description: Duration (in milliseconds) to wait for a response from the Salt API when executing tasks known for being long running before giving up and showing an error on the SOC UI.
            global: True
            advanced: True
      client:
        enableReverseLookup:
          description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI.