Merge pull request #9639 from Security-Onion-Solutions/kilo

auto extract source/dest IP on case related event attachments; improve so-verify stream to console
Jason Ertel
2023-01-25 11:37:16 -05:00
committed by GitHub
4 changed files with 10 additions and 3 deletions
+3
@@ -1020,6 +1020,9 @@ soc:
cacheMs: 300000
verifyCert: false
casesEnabled: true
extractCommonObservables:
- source.ip
- destination.ip
timeoutMs: 300000
timeShiftMs: 120000
defaultDurationMs: 1800000
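Review bot: The new `extractCommonObservables` default turns on automatic extraction of `source.ip` and `destination.ip` for every install, and nothing in this hunk shows whether the extracted values are checked before they become case observables. Those values originate in ingested event data, so they are best treated as untrusted input. The code that reads this list is not visible here, so this is a question for that consumer rather than a confirmed defect. A short comment above the key would record the expectation, for example `# Field values are copied from the attached event; validate before creating the observable`. The enclosing `soc:` mapping starts and ends outside the hunk.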
+1 -1
@@ -115,7 +115,7 @@ so-soc:
{%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
- {{ SN.split('_')|first }}:{{ SNDATA.ip }}
{%- endfor %}
{%- endif %}
{%- endif %}
- port_bindings:
{% for BINDING in DOCKER.containers['so-soc'].port_bindings %}
- {{ BINDING }}
+3
@@ -69,6 +69,9 @@ soc:
description: Set to true if the SOC case management module, natively integrated with Elasticsearch, should be enabled.
global: True
advanced: True
extractCommonObservables:
description: List of indexed fields to automatically extract into a case observable, when attaching related events to a case.
global: True
timeShiftMs:
description: Duration (in milliseconds) to further expand the PCAP time range when querying PCAP data related to an event. This duration is added to the normal duration value (see defaultDurationMs).
global: True
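Review bot: The description added for `extractCommonObservables` does not say what form the list entries take or what the shipped default is. That matters because the setting is `global: True` and, unlike `casesEnabled` just above it, is not marked `advanced: True`, so it is presumably meant to be edited by operators. I would expand it to something like `description: List of indexed field names (for example source.ip, destination.ip) whose values are automatically added as case observables when related events are attached to a case.` If an empty list is the intended way to turn the feature off, the description should say so. The `soc:` mapping continues outside the hunk.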