From b0709e93fa1aeaf9d12907d2270dd77481040a37 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Tue, 24 Jan 2023 10:50:52 -0500
Subject: [PATCH 1/3] test workflow
---
 salt/soc/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/soc/init.sls b/salt/soc/init.sls
index 40cb4487d..a2ecc610e 100644
--- a/salt/soc/init.sls
+++ b/salt/soc/init.sls
@@ -115,7 +115,7 @@ so-soc:
 {%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
 - {{ SN.split('_')|first }}:{{ SNDATA.ip }}
 {%- endfor %}
- {%- endif %}
+ {%- endif %}
 - port_bindings:
 {% for BINDING in DOCKER.containers['so-soc'].port_bindings %}
 - {{ BINDING }}
From 7b1f867ac3941e20bd471e43abec75e2e4704c18 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Tue, 24 Jan 2023 13:17:50 -0500
Subject: [PATCH 2/3] Add defaults for auto extracted observables
---
 salt/soc/defaults.yaml | 3 +++
 salt/soc/soc_soc.yaml | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 857f245d1..cec11273b 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1020,6 +1020,9 @@ soc:
 cacheMs: 300000
 verifyCert: false
 casesEnabled: true
+ extractCommonObservables:
+ - source.ip
+ - destination.ip
 timeoutMs: 300000
 timeShiftMs: 120000
 defaultDurationMs: 1800000
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 7d96ca46b..e6b43cf0b 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -69,6 +69,9 @@ soc:
 description: Set to true if the SOC case management module, natively integrated with Elasticsearch, should be enabled.
 global: True
 advanced: True
+ extractCommonObservables:
+ description: List of indexed fields to automatically extract into a case observable, when attaching related events to a case.
+ global: True
 timeShiftMs:
 description: Duration (in milliseconds) to further expand the PCAP time range when querying PCAP data related to an event. This duration is added to the normal duration value (see defaultDurationMs).
 global: True
From 31d7e05c457e6ce85c486a42ebd1ad7235d23839 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 25 Jan 2023 10:59:50 -0500
Subject: [PATCH 3/3] refactor so-verify to ensure output streams to console
---
 setup/so-functions | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/setup/so-functions b/setup/so-functions
index a046b49ca..683a99933 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -2383,9 +2383,10 @@ wait_for_salt_minion() {
 verify_setup() {
 info "Verifying setup"
- output=$(./so-verify "$setup_type" 2>&1)
+ set -o pipefail
+ ./so-verify "$setup_type" 2>&1 | tee -a $setup_log
 result=$?
- echo "$output" >> "$setup_log"
+ set +o pipefail
 if [[ $result -eq 0 ]]; then
 whiptail_setup_complete
 else
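Review bot: The new `extractCommonObservables` description does not say what form the list entries take, so an operator overriding this global setting has no example of a valid value; the defaults added earlier in the same series use dotted indexed field names (`source.ip`, `destination.ip`). Suggested wording: `description: List of indexed field names (for example source.ip) whose values are automatically extracted into case observables when related events are attached to a case.` The neighbouring `casesEnabled` entry also carries `advanced: True` while this one does not; if that omission is deliberate because the setting is meant for everyday tuning it is fine, but it reads as an inconsistency worth confirming.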
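Review bot: `result=$?` after the new pipeline captures the pipeline's status, which under `pipefail` is the last non-zero status of any stage, so a failing `tee` (for example an unwritable `$setup_log`) would make setup report a verification failure even when `./so-verify` succeeded; `$setup_log` is also unquoted on the `tee -a` line where the removed `echo` line quoted it. Since the file already relies on bash (`[[ ... ]]`), `${PIPESTATUS[0]}` gives so-verify's own exit status without toggling pipefail: `./so-verify "$setup_type" 2>&1 | tee -a "$setup_log"` followed by `result=${PIPESTATUS[0]}`, dropping the `set -o pipefail`/`set +o pipefail` pair. The unconditional `set +o pipefail` would also silently revert pipefail if the script enables it elsewhere, which I cannot tell from this hunk. verify_setup's body continues past the end of the hunk.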