Merge remote-tracking branch 'origin/2.4/dev' into issue/10975

2025-12-06 17:22:49 +01:00 · 2023-08-31 08:58:28 -04:00
parent c812c3991e ca9dad396f
commit bfb0d0ddb5
11 changed files with 285 additions and 4 deletions
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -178,6 +178,9 @@ docker:
      extra_env: []
    'so-elastic-agent':
      final_octet: 46
+      port_bindings:
+        - 0.0.0.0:514:514/tcp
+        - 0.0.0.0:514:514/udp
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
--- a/salt/elasticagent/enabled.sls
+++ b/salt/elasticagent/enabled.sls
@@ -31,6 +31,10 @@ so-elastic-agent:
        - {{ XTRAHOST }}
          {% endfor %}
        {% endif %}
+    - port_bindings:
+      {% for BINDING in DOCKER.containers['so-elastic-agent'].port_bindings %}
+      - {{ BINDING }}
+      {% endfor %}
    - binds:
      - /opt/so/conf/elastic-agent/elastic-agent.yml:/usr/share/elastic-agent/elastic-agent.yml:ro
      - /opt/so/log/elasticagent:/usr/share/elastic-agent/logs
--- a/salt/elasticagent/files/elastic-agent.yml.jinja
+++ b/salt/elasticagent/files/elastic-agent.yml.jinja
@@ -430,3 +430,54 @@ inputs:
        exclude_files:
          - >-
            broker|capture_loss|cluster|ecat_arp_info|known_hosts|known_services|loaded_scripts|ntp|ocsp|packet_filter|reporter|stats|stderr|stdout.log$
+  - id: udp-udp-35051de0-46a5-11ee-8d5d-9f98c8182f60
+    name: syslog-udp-514
+    revision: 3
+    type: udp
+    use_output: default
+    meta:
+      package:
+        name: udp
+        version: 1.10.0
+    data_stream:
+      namespace: so
+    package_policy_id: 35051de0-46a5-11ee-8d5d-9f98c8182f60
+    streams:
+      - id: udp-udp.generic-35051de0-46a5-11ee-8d5d-9f98c8182f60
+        data_stream:
+          dataset: syslog
+        pipeline: syslog
+        host: '0.0.0.0:514'
+        max_message_size: 10KiB
+        processors:
+          - add_fields:
+              fields:
+                module: syslog
+              target: event
+        tags:
+          - syslog
+  - id: tcp-tcp-33d37bb0-46a5-11ee-8d5d-9f98c8182f60
+    name: syslog-tcp-514
+    revision: 3
+    type: tcp
+    use_output: default
+    meta:
+      package:
+        name: tcp
+        version: 1.10.0
+    data_stream:
+      namespace: so
+    package_policy_id: 33d37bb0-46a5-11ee-8d5d-9f98c8182f60
+    streams:
+      - id: tcp-tcp.generic-33d37bb0-46a5-11ee-8d5d-9f98c8182f60
+        data_stream:
+          dataset: syslog
+        pipeline: syslog
+        host: '0.0.0.0:514'
+        processors:
+          - add_fields:
+              fields:
+                module: syslog
+              target: event
+        tags:
+          - syslog
--- a/salt/elasticfleet/defaults.yaml
+++ b/salt/elasticfleet/defaults.yaml
@@ -26,6 +26,7 @@ elasticfleet:
        - stderr
        - stdout
  packages:
+    - apache
    - auditd
    - aws
    - azure
@@ -40,6 +41,7 @@ elasticfleet:
    - fleet_server
    - fim
    - fortinet
+    - fortinet_fortigate
    - gcp
    - github
    - google_workspace
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -286,6 +286,42 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
+    so-logs-apache_x_access:
+      index_sorting: False
+      index_template:
+        index_patterns:
+          - "logs-apache.access-*"
+        template:
+          settings:
+            index:
+              number_of_replicas: 0
+        composed_of:
+          - "logs-apache.access@package"
+          - "logs-apache.access@custom"
+          - "so-fleet_globals-1"
+          - "so-fleet_agent_id_verification-1"
+        priority: 501
+        data_stream:
+          hidden: false
+          allow_custom_routing: false
+    so-logs-apache_x_error:
+      index_sorting: False
+      index_template:
+        index_patterns:
+          - "logs-apache.error-*"
+        template:
+          settings:
+            index:
+              number_of_replicas: 0
+        composed_of:
+          - "logs-apache.error@package"
+          - "logs-apache.error@custom"
+          - "so-fleet_globals-1"
+          - "so-fleet_agent_id_verification-1"
+        priority: 501
+        data_stream:
+          hidden: false
+          allow_custom_routing: false
    so-logs-auditd_x_log:
      index_sorting: False
      index_template:
@@ -934,18 +970,18 @@ elasticsearch:
        data_stream:
          hidden: false
          allow_custom_routing: false
-    so-logs-fortinet_x_fortigate:
+    so-logs-fortinet_fortigate_x_log:
      index_sorting: False
      index_template:
        index_patterns:
-          - "logs-fortinet.fortigate-*"
+          - "logs-fortinet_fortigate.log-*"
        template:
          settings:
            index:
              number_of_replicas: 0
        composed_of:
-          - "logs-fortinet.fortigate@package"
-          - "logs-fortinet.fortigate@custom"
+          - "logs-fortinet_fortigate.log@package"
+          - "logs-fortinet_fortigate.log@custom"
          - "so-fleet_globals-1"
          - "so-fleet_agent_id_verification-1"
        priority: 501
@@ -4151,6 +4187,7 @@ elasticsearch:
    so-syslog:
      index_sorting: False
      index_template:
+        data_stream: {}
        index_patterns:
          - logs-syslog-so*
        template:
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
@@ -201,6 +201,8 @@ elasticsearch:
    so-logs-windows_x_powershell: *indexSettings
    so-logs-windows_x_powershell_operational: *indexSettings
    so-logs-windows_x_sysmon_operational: *indexSettings
+    so-logs-apache_x_access: *indexSettings
+    so-logs-apache_x_error: *indexSettings
    so-logs-auditd_x_log: *indexSettings
    so-logs-aws_x_cloudtrail: *indexSettings
    so-logs-aws_x_cloudwatch_logs: *indexSettings
--- a/salt/firewall/defaults.yaml
+++ b/salt/firewall/defaults.yaml
@@ -1141,6 +1141,12 @@ firewall:
            localhost:
              portgroups:
                - all
+            self:
+              portgroups:
+                - syslog
+            syslog:
+              portgroups:
+                - syslog
            customhostgroup0:
              portgroups: []
            customhostgroup1:
--- a/salt/sensoroni/defaults.yaml
+++ b/salt/sensoroni/defaults.yaml
@@ -8,3 +8,31 @@ sensoroni:
    node_checkin_interval_ms: 10000
    sensoronikey:
    soc_host:
+  analyzers:
+      emailrep:
+        base_url: https://emailrep.io/
+        api_key:
+      greynoise:
+        base_url: https://api.greynoise.io/
+        api_key:
+        api_version: community
+      localfile:
+        file_path: []
+      otx:
+        base_url: https://otx.alienvault.com/api/v1/
+        api_key:
+      pulsedive:
+        base_url: https://pulsedive.com/api/ 
+        api_key:
+      spamhaus:
+        lookup_host: zen.spamhaus.org
+        nameservers: []
+      urlscan:
+        base_url: https://urlscan.io/api/v1/
+        api_key:
+        enabled: False
+        visibility: public
+        timeout: 180
+      virustotal:
+        base_url: https://www.virustotal.com/api/v3/search?query=
+        api_key:
--- a/salt/sensoroni/soc_sensoroni.yaml
+++ b/salt/sensoroni/soc_sensoroni.yaml
@@ -37,3 +37,145 @@ sensoroni:
      helpLink: sensoroni.html
      global: True
      advanced: True
+  analyzers:
+    emailrep:
+      api_key:
+        description: API key for the EmailRep analyzer.
+        helpLink: sensoroni.html
+        global: False
+        sensitive: True
+        advanced: True
+        forcedType: string
+      base_url:
+        description: Base URL for the EmailRep analyzer.
+        helpLink: sensoroni.html
+        global: False
+        sensitive: False
+        advanced: True
+        forcedType: string
+    greynoise:
+      api_key:
+        description: API key for the GreyNoise analyzer.
+        helpLink: sensoroni.html
+        global: False
+        sensitive: True
+        advanced: True
+        forcedType: string
+      api_version:
+        description: API version for the GreyNoise analyzer.
+        helpLink: sensoroni.html
+        global: False
+        sensitive: False
+        advanced: True
+        forcedType: string
+      base_url:
+        description: Base URL for the GreyNoise analyzer.
+        helpLink: sensoroni.html
+        global: False
+        sensitive: False
+        advanced: True
+        forcedType: string
+    localfile:
+      file_path:
+        description: File path for the LocalFile analyzer.
+        helpLink: sensoroni.html
+        global: False
+        sensitive: False
+        advanced: True
+        forcedType: "[]string"
+    otx:
+      api_key:
+        description: API key for the OTX analyzer.
+        helpLink: sensoroni.html
+        global: False
+        sensitive: True
+        advanced: True
+        forcedType: string
+      base_url:
+        description: Base URL for the OTX analyzer.
+        helpLink: sensoroni.html
+        global: False
+        sensitive: False
+        advanced: True
+        forcedType: string
+    pulsedive:
+      api_key:
+        description: API key for the Pulsedive analyzer.
+        helpLink: sensoroni.html
+        global: False
+        sensitive: True
+        advanced: True
+        forcedType: string
+      base_url:
+        description: Base URL for the Pulsedive analyzer.
+        helpLink: sensoroni.html
+        global: False
+        sensitive: False
+        advanced: True
+        forcedType: string
+    spamhaus:
+      lookup_host:
+        description: Host to use for lookups.
+        helpLink: sensoroni.html
+        global: False
+        sensitive: False
+        advanced: True
+        forcedType: string
+      nameservers:
+        description: Nameservers used for queries.
+        helpLink: sensoroni.html
+        global: False
+        sensitive: False
+        advanced: True
+        forcedTypes: "[]string"
+    urlscan:
+      api_key:
+        description: API key for the Urlscan analyzer.
+        helpLink: sensoroni.html
+        global: False
+        sensitive: True
+        advanced: True
+        forcedType: string
+      base_url:
+        description: Base URL for the Urlscan analyzer.
+        helpLink: sensoroni.html
+        global: False
+        sensitive: False
+        advanced: True
+        forcedType: string
+      enabled:
+        description: Analyzer enabled
+        helpLink: sensoroni.html
+        global: False
+        sensitive: False
+        advanced: True
+        forcedType: bool
+      timeout:
+        description: Timeout for the Urlscan analyzer.
+        helpLink: sensoroni.html
+        global: False
+        sensitive: False
+        advanced: True
+        forcedType: int
+      visibility:
+        description: Type of visibility.
+        helpLink: sensoroni.html
+        global: False
+        sensitive: False
+        advanced: True
+        forcedType: string
+    virustotal:
+      api_key:
+        description: API key for the VirusTotal analyzer.
+        helpLink: sensoroni.html
+        global: False
+        sensitive: True
+        advanced: True
+        forcedType: string
+      base_url:
+        description: Base URL for the VirusTotal analyzer.
+        helpLink: sensoroni.html
+        global: False
+        sensitive: False
+        advanced: True
+        forcedType: string
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1012,6 +1012,7 @@ soc:
          verifyCert: false
        salt:
          queueDir: /opt/sensoroni/queue
+          longRelayTimeoutMs: 120000
        sostatus:
          refreshIntervalMs: 30000
          offlineThresholdMs: 900000
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -111,6 +111,11 @@ soc:
            description: Duration (in milliseconds) that must elapse after a grid node fails to check-in before the node will be marked offline (fault).
            global: True
            advanced: True
+        salt:
+          longRelayTimeoutMs:
+            description: Duration (in milliseconds) to wait for a response from the Salt API when executing tasks known for being long running before giving up and showing an error on the SOC UI.
+            global: True
+            advanced: True
      client:
        enableReverseLookup:
          description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI.