From cc56dc5a7f2e7fbaffa411b23838f3d4b510e576 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 15 Oct 2020 19:05:47 -0400
Subject: [PATCH] Update changes.json
---
 salt/soc/files/soc/changes.json | 45 +++++++++++++++------------------
 1 file changed, 21 insertions(+), 24 deletions(-)
diff --git a/salt/soc/files/soc/changes.json b/salt/soc/files/soc/changes.json
index 7a2115b99..2b1ed31fb 100644
--- a/salt/soc/files/soc/changes.json
+++ b/salt/soc/files/soc/changes.json
@@ -1,28 +1,25 @@
 {
- "title": "Security Onion 2.2.0 RC3 is here!",
+ "title": "Security Onion 2.3.0 is here!",
 "changes": [
- { "summary": "Known Issues " },
- { "summary": "Setup now includes an option for airgap installations" },
- { "summary": "Playbook now works properly when installed in airgap mode" },
- { "summary": "Added so-analyst script to create an analyst workstation with GNOME desktop, Chromium browser, Wireshark, and NetworkMiner" },
- { "summary": "Upgraded Zeek to version 3.0.10 to address a recent security issue" },
- { "summary": "Upgraded Docker to latest version" },
- { "summary": "Re-worked IDSTools to make it easier to modify" },
- { "summary": "Added so-* tools to the default path so you can now tab complete" },
- { "summary": "so-status can now be run from a manager node to get the status of a remote node. Run salt so.status" },
- { "summary": "Salt now prevents states from running on a node that it shouldn't so you can't, for example, accidentally apply the elasticsearch state on a forward node" },
- { "summary": "Added logic to check for Salt mine corruption and recover automatically" },
- { "summary": "Collapsed Hunt filter icons and action links into a new quick action bar that will appear when a field value is clicked; actions include:" },
- { "summary": "Fixed minor bugs in Hunt user interface relating to most-recently used queries, tooltips, and more" },
- { "summary": "so-user-add now automatically adds users to Fleet and TheHive (in addition to SOC)" },
- { "summary": "Introduced so-user-disable and so-user-enable commands which allows administrators to lock out users that are no longer permitted to use Security Onion" },
- { "summary": "Added icon to SOC Users list representing their active or locked out status" },
- { "summary": "Removed User delete action from SOC interface in favor of disabling users for audit purposes" },
- { "summary": "Prune old PCAP job data from sensors once the results are streamed back to the manager node" },
- { "summary": "Hunt filtering to a specific value will search across all fields instead of only the field that was originally clicked" },
- { "summary": "Limiting PCAP jobs to extract at most 2GB from a sensor to avoid users accidentally requesting unreasonably large PCAP via the web interface" },
- { "summary": "so-test is back - run it to easily replay PCAPs and verify that all the components are working as expected (Requires Internet Access)" },
- { "summary": "New Elasticsearch subfield (.security) based on the new community-driven analyzer from @neu5ron - https://github.com/neu5ron/es_stk" },
- { "summary": "Playbook now uses the new .security subfield for case-insensitive wildcard searches" }
+ { "summary": "Known Issues " },
+ { "summary": "We have a new Alerts interface for reviewing alerts and acknowledging or escalating them. Escalating creates a new case in TheHive. Please note that TheHive no longer receives alerts directly." },
+ { "summary": "Kibana no longer presents the option to create alerts from events, but instead allows creation of cases from events." },
+ { "summary": "Our Security Onion ISO now works for UEFI as well as Secure Boot." },
+ { "summary": "Airgap deployments can now be updated using the latest ISO. Please read this documentation carefully." },
+ { "summary": "Suricata has been updated to version 5.0.4." },
+ { "summary": "Zeek has been updated to version 3.0.11." },
+ { "summary": "Stenographer has been updated to the latest version." },
+ { "summary": "soup will now attempt to clean up old docker images to free up space." },
+ { "summary": "Hunt actions can be customized via hunt.actions.json." },
+ { "summary": "Hunt queries can be customized via hunt.queries.json." },
+ { "summary": "Hunt event fields can be customized via hunt.eventfields.json." },
+ { "summary": "Alerts actions can be customized via alerts.actions.json." },
+ { "summary": "Alerts queries can be customized via alerts.queries.json." },
+ { "summary": "Alerts event fields can be customized via alerts.eventfields.json." },
+ { "summary": "The help documentation is now viewable offline for airgap installations." },
+ { "summary": "The script so-user-add will now validate the password is acceptable before attempting to create the user." },
+ { "summary": "Playbook and Grafana no longer use static passwords for their admin accounts." },
+ { "summary": "Analyst VM now comes with NetworkMiner 2.6 installed." },
+ { "summary": "Strelka YARA matches now generate alerts that can be viewed through the Alerts interface." }
 ]
 }