diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 857f245d1..cec11273b 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1020,6 +1020,9 @@ soc:
 cacheMs: 300000
 verifyCert: false
 casesEnabled: true
+extractCommonObservables:
+- source.ip
+- destination.ip
 timeoutMs: 300000
 timeShiftMs: 120000
 defaultDurationMs: 1800000
diff --git a/salt/soc/init.sls b/salt/soc/init.sls
index 40cb4487d..a2ecc610e 100644
--- a/salt/soc/init.sls
+++ b/salt/soc/init.sls
@@ -115,7 +115,7 @@ so-soc:
 {%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
 - {{ SN.split('_')|first }}:{{ SNDATA.ip }}
 {%- endfor %}
-{%- endif %}
+{%- endif %}
 - port_bindings:
 {% for BINDING in DOCKER.containers['so-soc'].port_bindings %}
 - {{ BINDING }}
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 7d96ca46b..e6b43cf0b 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -69,6 +69,9 @@ soc:
 description: Set to true if the SOC case management module, natively integrated with Elasticsearch, should be enabled.
 global: True
 advanced: True
+extractCommonObservables:
+description: List of indexed fields to automatically extract into a case observable, when attaching related events to a case.
+global: True
 timeShiftMs:
 description: Duration (in milliseconds) to further expand the PCAP time range when querying PCAP data related to an event. This duration is added to the normal duration value (see defaultDurationMs).
 global: True
diff --git a/setup/so-functions b/setup/so-functions
index a046b49ca..683a99933 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -2383,9 +2383,10 @@ wait_for_salt_minion() {
 
 verify_setup() {
 info "Verifying setup"
-output=$(./so-verify "$setup_type" 2>&1)
+set -o pipefail
+./so-verify "$setup_type" 2>&1 | tee -a $setup_log
 result=$?
-echo "$output" >> "$setup_log"
+set +o pipefail
 if [[ $result -eq 0 ]]; then
 whiptail_setup_complete
 else
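Review bot: The new `extractCommonObservables` entry in soc_soc.yaml has only `global: True`, while the neighbouring `casesEnabled` it sits under also carries `advanced: True`; if this setting is meant to be surfaced the same way as `casesEnabled`, add `advanced: True`, and if the omission is deliberate a short comment saying so would spare the next reader the question. The description also does not say what form the list values take, although the matching default in defaults.yaml uses dotted field names; a more precise wording would be `description: List of indexed field names (for example source.ip) whose values are automatically extracted into case observables when related events are attached to a case.` Because every listed field's value ends up stored as a case observable, it may be worth a sentence in the description advising that fields carrying sensitive data should not be added to this list; that is a documentation suggestion, not a claim about current behaviour.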
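Review bot: `tee -a $setup_log` on the new pipeline line drops the quoting that the removed `echo "$output" >> "$setup_log"` line had, so a log path containing whitespace or glob characters would be word-split; it should read `./so-verify "$setup_type" 2>&1 | tee -a "$setup_log"`. The `set -o pipefail` / `set +o pipefail` pair also clears pipefail unconditionally on the way out, which silently changes the caller's shell options if the script had pipefail enabled before verify_setup ran. Since the file already relies on bash syntax (`[[ ... ]]`), reading `result=${PIPESTATUS[0]}` immediately after the pipeline yields so-verify's own exit status without toggling options at all, and unlike pipefail it cannot let a `tee` write failure turn a successful verification into a reported failure. verify_setup's body continues past the end of this hunk.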