Merge pull request #13673 from Security-Onion-Solutions/jertel/wip

Clarify enabled settings
Jason Ertel
2024-09-16 10:53:55 -04:00
committed by GitHub
23 changed files with 25 additions and 23 deletions

View File

@@ -1,6 +1,6 @@
elastalert:
enabled:
description: You can enable or disable Elastalert.
description: Enables or disables the ElastAlert 2 process. This process is critical for ensuring alerts arrive in SOC, and for outbound notification delivery.
helpLink: elastalert.html
alerter_parameters:
title: Custom Configuration Parameters
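Review bot: the new elastalert description calls the process "critical" for alert delivery but, unlike the elasticsearch, influxdb, kibana, kratos, nginx and soc descriptions in this same change, carries no "WARNING:" prefix and does not say what happens when it is disabled. Suggest stating the consequence in the same form, e.g. "WARNING: Disabling this process will stop alerts from arriving in SOC and stop outbound notifications."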

View File

@@ -1,4 +1,4 @@
elastic_fleet_package_registry:
enabled:
description: You can enable or disable Elastic Fleet Package Registry.
description: Enables or disables the Fleet package registry process. This process must remain enabled to allow Elastic Agent packages to be updated.
advanced: True
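Review bot: this entry says the process "must remain enabled" yet, unlike the neighbouring elasticfleet entry, has no helpLink, so the reader has nowhere to go to understand the dependency. Suggest adding `helpLink: elastic-fleet.html` under `enabled:` and, for consistency with the rest of the change, a "WARNING:" sentence naming the effect of disabling it (Elastic Agent packages stop updating).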

View File

@@ -1,6 +1,6 @@
elasticfleet:
enabled:
description: You can enable or disable Elastic Fleet.
description: Enables or disables the Elastic Fleet process. This process is critical for managing Elastic Agents.
advanced: True
helpLink: elastic-fleet.html
enable_manager_output:
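Review bot: "critical for managing Elastic Agents" names the importance but not the failure mode; the kratos and soc descriptions in this change state both the effect of disabling and whether re-enabling needs manual work. Suggest adding one sentence of the form used there, e.g. "WARNING: Disabling this process prevents Elastic Agents from being managed from SOC."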

View File

@@ -1,6 +1,7 @@
elasticsearch:
enabled:
description: You can enable or disable Elasticsearch.
description: Enables or disables the Elasticsearch process. This process provides the log event storage system. WARNING: Disabling this process is unsupported.
advanced: True
helpLink: elasticsearch.html
version:
description: "This specifies the version of the following containers: so-elastic-fleet-package-registry, so-elastic-agent, so-elastic-fleet, so-kibana, so-logstash and so-elasticsearch. Modifying this value in the Elasticsearch defaults.yaml will result in catastrophic grid failure."
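Review bot: the new WARNING says disabling Elasticsearch is unsupported but not what breaks, whereas the influxdb and kibana descriptions in this change add "and will cause unexpected results" and the kratos/soc ones add how re-enabling works. Since the description already calls this "the log event storage system", suggest finishing the sentence, e.g. "WARNING: Disabling this process is unsupported and will stop all log event storage and search in SOC." Also note the hunk header reports one added line (`-1,6 +1,7`) while only the replaced description is visible here, so check the rendered file for the extra line.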

View File

@@ -1,6 +1,6 @@
idh:
enabled:
description: You can enable or disable IDH.
description: Enables or disables the Intrusion Detection Honeypot (IDH) process.
helpLink: idh.html
opencanary:
config:

View File

@@ -1,6 +1,6 @@
idstools:
enabled:
description: You can enable or disable IDSTools.
description: Enables or disables the IDStools process which is used by the Detection system.
config:
oinkcode:
description: Enter your registration code or oinkcode for paid NIDS rulesets.
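Review bot: "the IDStools process which is used by the Detection system" needs a comma before "which" (the clause is non-restrictive), and "Detection system" is vague when read in the settings UI. Suggest "Enables or disables the IDStools process, which downloads NIDS rulesets for the Detections feature." This entry also has no helpLink, unlike the idh and influxdb entries around it.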

View File

@@ -1,6 +1,6 @@
influxdb:
enabled:
description: You can enable or disable InfluxDB.
description: Enables the grid metrics collection storage system. Security Onion grid health monitoring requires this process to remain enabled. WARNING: Disabling the process is unsupported, and will cause unexpected results.
helpLink: influxdb.html
config:
assets-path:
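Review bot: this description opens with "Enables the ..." while nearly every other rewrite in the change uses "Enables or disables the ...", and the WARNING sentence has a stray comma ("unsupported, and will cause"). Suggest "Enables or disables the grid metrics storage system (InfluxDB). ... WARNING: Disabling this process is unsupported and will cause unexpected results." The same wording fix applies to the telegraf entry that links to the same influxdb.html page.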

View File

@@ -1,6 +1,6 @@
kibana:
enabled:
description: You can enable or disable Kibana.
description: Enables or disables the Kibana front-end interface to Elasticsearch. Due to Kibana being used for loading certain configuration details in Elasticsearch, this process should remain enabled. WARNING: Disabling the process is unsupported, and will cause unexpected results.
helpLink: kibana.html
config:
elasticsearch:
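Review bot: "Due to Kibana being used for loading certain configuration details in Elasticsearch" is awkward and "certain configuration details" tells the operator nothing actionable. Suggest "Because Kibana is used to load configuration into Elasticsearch, this process should remain enabled." Also drop the comma in "unsupported, and will cause", matching the influxdb entry.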

View File

@@ -1,6 +1,6 @@
kratos:
enabled:
description: You can enable or disable Kratos.
description: Enables or disables the Kratos authentication system. WARNING: Disabling this process will cause the grid to malfunction. Re-enabling this setting will require manual effort via SSH.
advanced: True
helpLink: kratos.html
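Review bot: "Re-enabling this setting will require manual effort via SSH" tells the operator a recovery exists but not where it is documented. Since `helpLink: kratos.html` is set on this entry, either confirm that page describes the re-enable procedure or name the command inline; the same applies to the soc and nginx entries in this change, which use the same "manual effort" wording.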

View File

@@ -1,6 +1,6 @@
logstash:
enabled:
description: You can enable or disable Logstash.
description: Enables or disables the Logstash log event forwarding process. On most grid installations, when this process is disabled log events are unable to be ingested into the SOC backend.
helpLink: logstash.html
assigned_pipelines:
roles:
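Review bot: "log events are unable to be ingested" should read "log events cannot be ingested", and "On most grid installations" hedges without saying which installation types are the exception. The redis entry in this change has the same problem ("might already be disabled on some installation types"); suggest naming the exception in both, or dropping the hedge, e.g. "WARNING: When this process is disabled, log events cannot be ingested into the SOC backend."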

View File

@@ -1,7 +1,7 @@
manager:
reposync:
enabled:
description: This is the daily task of syncing the Security Onion OS packages. It is recommended that you leave this enabled.
description: This is the daily task of syncing the Security Onion OS packages. It is recommended that this setting remain enabled to ensure important updates are applied to the grid on an automated, scheduled basis.
global: True
helpLink: soup.html
hour:

View File

@@ -1,6 +1,6 @@
nginx:
enabled:
description: You can enable or disable Nginx.
description: Enables or disables the Nginx web server and reverse proxy. WARNING: Disabling this process will prevent access to SOC and other important web interfaces and APIs. Re-enabling the process is a manual effort. Do not change this setting without instruction from Security Onion support.
advanced: True
helpLink: nginx.html
external_suricata:
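Review bot: this is the only description that adds "Do not change this setting without instruction from Security Onion support", although the kratos, soc and registry entries describe the same class of failure (grid malfunction, manual re-enable). Either apply that sentence uniformly to the set of settings that cannot be re-enabled from SOC, or leave it off here so the warnings read consistently.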

View File

@@ -1,7 +1,7 @@
patch:
os:
enabled:
description: Enable OS updates.
description: Enable OS updates. WARNING: Disabling this setting will prevent important operating system updates from being applied on a scheduled basis.
helpLink: soup.html
schedule_to_run:
description: Currently running schedule for updates.
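Review bot: "Enable OS updates." uses the imperative while the other rewrites in this change use "Enables or disables ...". Suggest "Enables or disables scheduled operating system updates. WARNING: ..." so the settings list reads uniformly; the helpLink to soup.html matches the manager.reposync entry, which is good.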

View File

@@ -1,6 +1,6 @@
pcap:
enabled:
description: You can enable or disable Stenographer on all sensors or a single sensor.
description: Enables or disables the Stenographer packet recording process. This process may already be disabled if Suricata is being used as the packet capture process.
helpLink: stenographer.html
config:
maxdirectoryfiles:
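Review bot: the removed description stated the scope ("on all sensors or a single sensor") and the new one drops it, so an operator can no longer tell from the text whether this toggle is per-node. If that scope is still true, keep it, e.g. "Enables or disables the Stenographer packet recording process on all sensors or on a single sensor. ..."; the zeek entry in this change drops the same phrase.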

View File

@@ -1,6 +1,6 @@
redis:
enabled:
description: You can enable or disable Redis.
description: Enables the log event in-memory buffering process. This process might already be disabled on some installation types. Disabling this process on distributed-capable grids can result in loss of log events.
helpLink: redis.html
config:
bind:
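Review bot: "Disabling this process on distributed-capable grids can result in loss of log events" describes data loss yet lacks the "WARNING:" prefix every comparable sentence in this change carries, and the opening "Enables the ..." should be "Enables or disables the ..." like the other entries. Suggest "Enables or disables the in-memory log event buffering process (Redis). ... WARNING: Disabling this process on distributed-capable grids can result in loss of log events."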

View File

@@ -1,4 +1,4 @@
registry:
enabled:
description: You can enable or disable the registry.
description: Enables or disables the Docker registry on the manager node. WARNING: If this process is disabled the grid will malfunction and a manual effort may be needed to re-enable the setting.
advanced: True
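Review bot: "a manual effort may be needed to re-enable the setting" is softer than the kratos and soc entries, which state definitively that re-enabling "is a manual effort via SSH"; if the registry behaves the same way, say so in the same words, and if not, say what differs. This entry also has no helpLink while most other entries in the change do.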

View File

@@ -1,6 +1,6 @@
sensoroni:
enabled:
description: Enable or disable Sensoroni.
description: Enable or disable the per-node SOC agent process. This process is used for performing node-related jobs and reporting node metrics back to SOC. Disabling this process is unsupported and will result in an improperly functioning grid.
advanced: True
helpLink: grid.html
config:
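Review bot: "Enable or disable the per-node SOC agent process" should be "Enables or disables ..." to match the rest of the change, and "an improperly functioning grid" is vaguer than the "grid to malfunction" wording used by the kratos and soc entries. Suggest "WARNING: Disabling this process is unsupported and will cause the grid to malfunction."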

View File

@@ -1,6 +1,6 @@
soc:
enabled:
description: You can enable or disable SOC.
description: Enables or disables SOC. WARNING: Disabling this setting is unsupported and will cause the grid to malfunction. Re-enabling this setting is a manual effort via SSH.
advanced: True
telemetryEnabled:
title: SOC Telemetry
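Review bot: "Enables or disables SOC." leaves the acronym unexpanded and says nothing about what the process is, while the idh hunk in this change expands "Intrusion Detection Honeypot (IDH)" and every other entry names its role. Suggest expanding SOC and stating its role on first use, then keep the WARNING; also drop the double "this setting" ("Disabling this setting ... Re-enabling this setting") in favour of "this process" as used elsewhere.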

View File

@@ -1,6 +1,6 @@
stig:
enabled:
description: You can enable or disable the application of STIGS using oscap. Note that the actions performed by OSCAP are not automatically reversible. Requires a valid Security Onion license key.
description: Enables or disables the application of STIGS using oscap. Note that the actions performed by OSCAP are not automatically reversible. Requires a valid Security Onion license key.
forcedType: bool
advanced: True
run_interval:
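Review bot: "STIGS" should be "STIGs", and "oscap" and "OSCAP" are used for the same tool in one sentence; pick one form (the command is `oscap`). This hunk only swaps "You can enable or disable" for "Enables or disables", so it is a good place to fix the casing at the same time.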

View File

@@ -1,7 +1,7 @@
strelka:
backend:
enabled:
description: You can enable or disable Strelka backend.
description: Enables or disables the Strelka file analysis process.
helpLink: strelka.html
config:
backend:
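Review bot: this key sits under `strelka: backend:`, and the old text said "Strelka backend", but the new description reads as though it toggles all of Strelka. Suggest keeping the component name, e.g. "Enables or disables the Strelka backend process that performs file analysis."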

View File

@@ -1,6 +1,6 @@
suricata:
enabled:
description: You can enable or disable Suricata.
description: Enables or disables the Suricata process. This process is used for triggering alerts and optionally for protocol metadata collection and full packet capture.
helpLink: suricata.html
thresholding:
sids__yaml:

View File

@@ -1,6 +1,7 @@
telegraf:
enabled:
description: You can enable or disable Telegraf.
description: Enables the grid metrics collection process. WARNING: Security Onion grid health monitoring requires this process to remain enabled. Disabling it will cause unexpected and unsupported results.
advanced: True
helpLink: influxdb.html
config:
interval:
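Review bot: "Enables the grid metrics collection process" should be "Enables or disables ..." for consistency with the rest of the change, and "unexpected and unsupported results" reads oddly since results are not "unsupported"; suggest "WARNING: Disabling this process is unsupported and will cause unexpected results", matching the influxdb entry this links to. As with the elasticsearch hunk, the header shows one added line (`-1,6 +1,7`) that is not visible here.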

View File

@@ -1,6 +1,6 @@
zeek:
enabled:
description: You can enable or disable ZEEK on all sensors or a single sensor.
description: Controls whether the Zeek (network packet inspection) process runs. Disabling this process could result in loss of network protocol metadata. If Suricata was selected as the protocol metadata engine during setup then this will already be disabled.
helpLink: zeek.html
config:
local:
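Review bot: "Controls whether the Zeek (network packet inspection) process runs" is the only description in the change not phrased as "Enables or disables ...", and the removed text's scope note ("on all sensors or a single sensor") is dropped, as in the pcap hunk. Suggest "Enables or disables the Zeek network protocol metadata process on all sensors or on a single sensor. ..." and keep the Suricata sentence, which is useful.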