merge with 2.4/dev

This commit is contained in:
m0duspwnens
2023-01-06 14:01:58 -05:00
40 changed files with 446 additions and 365 deletions


@@ -121,6 +121,7 @@ base:
'*_heavynode': '*_heavynode':
- elasticsearch.auth - elasticsearch.auth
- soc_global - soc_global
- redis.soc_redis
- minions.{{ grains.id }} - minions.{{ grains.id }}
- minions.adv_{{ grains.id }} - minions.adv_{{ grains.id }}
@@ -137,6 +138,7 @@ base:
{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
- elasticsearch.auth - elasticsearch.auth
{% endif %} {% endif %}
- redis.soc_redis
- soc_global - soc_global
- adv_global - adv_global
- minions.{{ grains.id }} - minions.{{ grains.id }}
@@ -149,6 +151,8 @@ base:
{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
- elasticsearch.auth - elasticsearch.auth
{% endif %} {% endif %}
- redis.soc_redis
- redis.adv_redis
- soc_global - soc_global
- adv_global - adv_global
- minions.{{ grains.id }} - minions.{{ grains.id }}
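Review bot: The new `- redis.soc_redis` and `- redis.adv_redis` includes (lines 14, 21, 29 and 30) are unconditional, while the neighbouring `elasticsearch.auth` include is wrapped in a `salt['file.file_exists'](...)` guard; if the redis pillar files are generated later in setup than this top file is first evaluated, pillar rendering for those minions will fail on a missing SLS. Either apply the same guard, e.g. `{% if salt['file.file_exists']('<path to the redis/soc_redis pillar file>') %}` around the include, or confirm the files always exist before the first highstate. In the last hunk `adv_redis` is listed after `soc_redis`, which presumably gives it precedence for overlapping keys under pillar merging; a one-line comment stating that this ordering is intentional would help.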


@@ -97,6 +97,8 @@
'nginx', 'nginx',
'soc', 'soc',
'kratos', 'kratos',
'influxdb',
'telegraf',
'firewall', 'firewall',
'idstools', 'idstools',
'suricata.manager', 'suricata.manager',


@@ -5,8 +5,7 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
. /usr/sbin/so-common . /usr/sbin/so-common
SKIP=0 SKIP=0
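Review bot: If the second printed line (53) is the new side, the set tag now strips whitespace on both ends (`{%- ... -%}`): the newline after `# Elastic License 2.0.` and the newline before `. /usr/sbin/so-common` are both removed, so the rendered script ends up with the source line glued onto the comment line and so-common is silently never loaded. Keep the non-stripping trailing `%}`, as the sibling files in the sections ending at lines 85, 93 and 101 do, i.e. `{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}`. The same flip appears in the sections ending at lines 66, 77, 112 and 147. This follows from standard Jinja whitespace control; any blank lines hidden between these lines would be stripped by `-%}` as well, so they do not change the outcome.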


@@ -5,8 +5,7 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
. /usr/sbin/so-common . /usr/sbin/so-common
if [ "$1" == "" ]; then if [ "$1" == "" ]; then
curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_component_template | jq '.component_templates[] |.name'| sort curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_component_template | jq '.component_templates[] |.name'| sort


@@ -5,8 +5,7 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
. /usr/sbin/so-common . /usr/sbin/so-common
if [ "$1" == "" ]; then if [ "$1" == "" ]; then
curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_index_template | jq '.index_templates[] |.name'| sort curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_index_template | jq '.index_templates[] |.name'| sort


@@ -5,7 +5,7 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%} {%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
. /usr/sbin/so-common . /usr/sbin/so-common


@@ -5,7 +5,7 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%} {%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
. /usr/sbin/so-common . /usr/sbin/so-common


@@ -5,7 +5,7 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%} {%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
. /usr/sbin/so-common . /usr/sbin/so-common


@@ -5,8 +5,7 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
. /usr/sbin/so-common . /usr/sbin/so-common
if [ "$1" == "" ]; then if [ "$1" == "" ]; then
curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq 'keys' curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq 'keys'


@@ -5,7 +5,7 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%} {%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
. /usr/sbin/so-common . /usr/sbin/so-common


@@ -5,7 +5,7 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%} {%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
. /usr/sbin/so-common . /usr/sbin/so-common


@@ -5,7 +5,7 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%} {%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
. /usr/sbin/so-common . /usr/sbin/so-common


@@ -5,8 +5,7 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
. /usr/sbin/so-common . /usr/sbin/so-common
if [ "$1" == "" ]; then if [ "$1" == "" ]; then
curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_template/* | jq 'keys' curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_template/* | jq 'keys'


@@ -27,6 +27,7 @@ container_list() {
"so-elasticsearch" "so-elasticsearch"
"so-filebeat" "so-filebeat"
"so-idstools" "so-idstools"
"so-influxdb"
"so-kibana" "so-kibana"
"so-kratos" "so-kratos"
"so-nginx" "so-nginx"
@@ -34,6 +35,7 @@ container_list() {
"so-soc" "so-soc"
"so-steno" "so-steno"
"so-suricata" "so-suricata"
"so-telegraf"
"so-zeek" "so-zeek"
) )
elif [ $MANAGERCHECK != 'so-helix' ]; then elif [ $MANAGERCHECK != 'so-helix' ]; then


@@ -5,15 +5,13 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{%- set MANAGER = salt['grains.get']('master') %} {%- set MANAGER = salt['grains.get']('master') %}
{%- set VERSION = salt['pillar.get']('global:soversion') %} {%- set VERSION = salt['pillar.get']('global:soversion') %}
{%- set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {%- set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{%- set MANAGERIP = salt['pillar.get']('global:managerip') -%} {%- set MANAGERIP = salt['pillar.get']('global:managerip') %}
{%- set URLBASE = salt['pillar.get']('global:url_base') %} {%- set URLBASE = salt['pillar.get']('global:url_base') %}
{% set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
{% set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
INDEX_DATE=$(date +'%Y.%m.%d') INDEX_DATE=$(date +'%Y.%m.%d')
RUNID=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 8 | head -n 1) RUNID=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 8 | head -n 1)


@@ -5,12 +5,10 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{%- set MANAGER = salt['grains.get']('master') %} {%- set MANAGER = salt['grains.get']('master') %}
{%- set VERSION = salt['pillar.get']('global:soversion') %} {%- set VERSION = salt['pillar.get']('global:soversion') %}
{%- set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {%- set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{%- set MANAGERIP = salt['pillar.get']('global:managerip') -%} {%- set MANAGERIP = salt['pillar.get']('global:managerip') %}
{%- set URLBASE = salt['pillar.get']('global:url_base') %} {%- set URLBASE = salt['pillar.get']('global:url_base') %}
. /usr/sbin/so-common . /usr/sbin/so-common


@@ -1,16 +1,14 @@
#!/bin/bash #!/bin/bash
# #
# {%- set FLEET_MANAGER = salt['pillar.get']('global:fleet_manager', False) -%}
# {%- set FLEET_NODE = salt['pillar.get']('global:fleet_node', False) -%}
# {%- set FLEET_IP = salt['pillar.get']('global:fleet_ip', '') %}
# {%- set MANAGER = salt['pillar.get']('global:url_base', '') %}
#
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{%- set FLEET_MANAGER = salt['pillar.get']('global:fleet_manager', False) %}
{%- set FLEET_NODE = salt['pillar.get']('global:fleet_node', False) %}
{%- set FLEET_IP = salt['pillar.get']('global:fleet_ip', '') %}
{%- set MANAGER = salt['pillar.get']('global:url_base', '') %}
KIBANA_HOST={{ MANAGER }} KIBANA_HOST={{ MANAGER }}
KSO_PORT=5601 KSO_PORT=5601


@@ -4,9 +4,7 @@
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{%- set REDIS_PASS = salt['pillar.get']('redis:config:requirepass', '0') %}
. /usr/sbin/so-common . /usr/sbin/so-common
docker exec so-redis /bin/sh -c "export REDISCLI_AUTH={{ REDIS_PASS }} && redis-cli llen logstash:unparsed"
docker exec so-redis redis-cli llen logstash:unparsed
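Review bot: The new command on line 225 runs `redis-cli llen logstash:unparsed` with no authentication, whereas the removed line 224 exported `REDISCLI_AUTH` from the `redis:config:requirepass` pillar; if the so-redis container still has `requirepass` configured, this now returns a NOAUTH error instead of the queue length. If authentication is still required, restore the removed `{%- set REDIS_PASS ... %}` line and pass the secret through the environment rather than interpolating it into a `sh -c` string, e.g. `docker exec -e REDISCLI_AUTH='{{ REDIS_PASS }}' so-redis redis-cli llen logstash:unparsed`. If requirepass was dropped in the 2.4 redis config, a short comment above the line stating that redis is now unauthenticated would make the removal clearly intentional. Whether requirepass is still set is not visible in this hunk.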


@@ -9,5 +9,6 @@
. /usr/sbin/so-common . /usr/sbin/so-common
rm -f /opt/so/conf/soc/salt/pipe
pkill salt-relay.sh pkill salt-relay.sh
/usr/sbin/so-restart soc $1 /usr/sbin/so-restart soc $1
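Review bot: Line 231 deletes `/opt/so/conf/soc/salt/pipe` before `pkill salt-relay.sh` on line 232; if the relay is still running it may hold the pipe open or recreate it, so the removal is better placed after the kill. Suggest swapping the two lines and adding a why-comment, e.g. `# Remove the stale relay pipe so the restarted relay recreates it cleanly`. That the relay owns or recreates the pipe is inferred from the names, not visible here.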


@@ -230,7 +230,7 @@ function updatePassword() {
# Generate password hash # Generate password hash
passwordHash=$(hashPassword "$password") passwordHash=$(hashPassword "$password")
# Update DB with new hash # Update DB with new hash
echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB), updated_at=datetime('now') where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='password');" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath" echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB), created_at=datetime('now'), updated_at=datetime('now') where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='password');" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
# Deactivate MFA # Deactivate MFA
echo "delete from identity_credential_identifiers where identity_credential_id=(select id from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='totp'));" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath" echo "delete from identity_credential_identifiers where identity_credential_id=(select id from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='totp'));" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
echo "delete from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='totp');" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath" echo "delete from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='totp');" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
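Review bot: The update on line 241 now also sets `created_at=datetime('now')` on the password credential row, which rewrites the credential's creation timestamp on every password reset; if that is deliberate (for example so Kratos treats the credential as newly issued), a comment above the line would save the next reader a trip to the Kratos schema, e.g. `# Reset created_at as well so the credential is treated as newly issued`. The enclosing `updatePassword` function begins outside the hunk. Since the line is being touched anyway, note that `${identityId}` and `$passwordHash` are spliced directly into the SQL text piped to sqlite3, so both must only ever come from trusted, validated callers.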


@@ -17,98 +17,63 @@
"destination.ip", "destination.ip",
"network.connections", "network.connections",
"network.average_bytes", "network.average_bytes",
"beacon.interval.range", "network.bytes",
"beacon.size.range", "beacon.ts_score",
"beacon.interval.top", "beacon.ds_score",
"beacon.size.top", "beacon.duration_score",
"beacon.interval.top_count", "beacon.historical_score",
"beacon.size.top_count", "beacon.interval.top"
"beacon.interval.skew",
"beacon.size.skew",
"beacon.interval.dispersion",
"beacon.size.dispersion",
"network.bytes"
] ]
} }
}, },
{
"convert": {
"field": "beacon.ds_score",
"type": "float"
}
},
{
"convert": {
"field": "beacon.duration_score",
"type": "float"
}
},
{
"convert": {
"field": "beacon.historical_score",
"type": "float"
}
},
{ {
"convert": { "convert": {
"field": "beacon.score", "field": "beacon.score",
"type": "float" "type": "float"
} }
}, },
{
"convert": {
"field": "beacon.ts_score",
"type": "float"
}
},
{
"convert": {
"field": "network.average_bytes",
"type": "float"
}
},
{ {
"convert": { "convert": {
"field": "network.connections", "field": "network.connections",
"type": "integer" "type": "integer"
} }
}, },
{
"convert": {
"field": "network.average_bytes",
"type": "integer"
}
},
{
"convert": {
"field": "beacon.interval.range",
"type": "integer"
}
},
{
"convert": {
"field": "beacon.size.range",
"type": "integer"
}
},
{ {
"convert": { "convert": {
"field": "beacon.interval.top", "field": "beacon.interval.top",
"type": "integer" "type": "integer"
} }
}, },
{
"convert": {
"field": "beacon.size.top",
"type": "integer"
}
},
{
"convert": {
"field": "beacon.interval.top_count",
"type": "integer"
}
},
{
"convert": {
"field": "beacon.size.top_count",
"type": "integer"
}
},
{
"convert": {
"field": "beacon.interval.skew",
"type": "float"
}
},
{
"convert": {
"field": "beacon.size.skew",
"type": "float"
}
},
{
"convert": {
"field": "beacon.interval.dispersion",
"type": "integer"
}
},
{
"convert": {
"field": "beacon.size.dispersion",
"type": "integer"
}
},
{ {
"convert": { "convert": {
"field": "network.bytes", "field": "network.bytes",
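Review bot: The `convert` processors that appear to be the new side (lines 266-283, 290-301 and the unchanged ones at 284-289, 302-307, 326-331, 374-376) specify only `field` and `type`; Elasticsearch's convert processor fails the document when the field is absent unless `"ignore_missing": true` is set, so a beacon event lacking, say, `beacon.historical_score` would be rejected or routed to the pipeline's failure handling instead of being indexed. Add `"ignore_missing": true` to each convert block, or confirm that every listed field is always present on these events. `network.average_bytes` also moves from `integer` (line 311, old side) to `float` (line 299); if the existing index mapping still declares it as an integer type, float values will be coerced or rejected depending on the mapping's coerce setting, so the matching mapping change should ship with this pipeline.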


@@ -1,78 +1,115 @@
{ {
"description" : "sysmon", "description" : "sysmon",
"processors" : [ "processors" : [
{ "set": { "field": "event.code", "value": "{{winlog.event_id}}", "override": true } }, { "set": { "field": "event.code", "value": "{{winlog.event_id}}", "override": true } },
{ "set": { "field": "event.module", "value": "sysmon", "override": true } }, { "set": { "field": "event.module", "value": "sysmon", "override": true } },
{ "set": { "if": "ctx.winlog?.computer_name != null", "field": "observer.name", "value": "{{winlog.computer_name}}", "override": true } }, { "set": { "if": "ctx.winlog?.computer_name != null", "field": "observer.name", "value": "{{winlog.computer_name}}", "override": true } },
{ "set": { "if": "ctx.event?.code == '3'", "field": "event.category", "value": "host,process,network", "override": true } }, { "set": { "if": "ctx.event?.code == '1'", "field": "event.category", "value": "host,process", "override": true } },
{ "set": { "if": "ctx.event?.code == '1'", "field": "event.category", "value": "host,process", "override": true } }, { "set": { "if": "ctx.event?.code == '2'", "field": "event.category", "value": "host,file", "override": true } },
{ "set": { "if": "ctx.event?.code == '5'", "field": "event.category", "value": "host,process", "override": true } }, { "set": { "if": "ctx.event?.code == '3'", "field": "event.category", "value": "host,process,network", "override": true } },
{ "set": { "if": "ctx.event?.code == '6'", "field": "event.category", "value": "host,driver", "override": true } }, { "set": { "if": "ctx.event?.code == '4'", "field": "event.category", "value": "host", "override": true } },
{ "set": { "if": "ctx.event?.code == '22'", "field": "event.category", "value": "network", "override": true } }, { "set": { "if": "ctx.event?.code == '5'", "field": "event.category", "value": "host,process", "override": true } },
{ "set": { "if": "ctx.event?.code == '1'", "field": "event.dataset", "value": "process_creation", "override": true } }, { "set": { "if": "ctx.event?.code == '6'", "field": "event.category", "value": "host,driver", "override": true } },
{ "set": { "if": "ctx.event?.code == '2'", "field": "event.dataset", "value": "process_changed_file", "override": true } }, { "set": { "if": "ctx.event?.code == '7'", "field": "event.category", "value": "host,process", "override": true } },
{ "set": { "if": "ctx.event?.code == '3'", "field": "event.dataset", "value": "network_connection", "override": true } }, { "set": { "if": "ctx.event?.code == '8'", "field": "event.category", "value": "host,process", "override": true } },
{ "set": { "if": "ctx.event?.code == '5'", "field": "event.dataset", "value": "process_terminated", "override": true } }, { "set": { "if": "ctx.event?.code == '9'", "field": "event.category", "value": "host,file", "override": true } },
{ "set": { "if": "ctx.event?.code == '6'", "field": "event.dataset", "value": "driver_loaded", "override": true } }, { "set": { "if": "ctx.event?.code == '10'", "field": "event.category", "value": "host,process", "override": true } },
{ "set": { "if": "ctx.event?.code == '7'", "field": "event.dataset", "value": "image_loaded", "override": true } }, { "set": { "if": "ctx.event?.code == '11'", "field": "event.category", "value": "host,file", "override": true } },
{ "set": { "if": "ctx.event?.code == '8'", "field": "event.dataset", "value": "create_remote_thread", "override": true } }, { "set": { "if": "ctx.event?.code == '12'", "field": "event.category", "value": "host,registry", "override": true } },
{ "set": { "if": "ctx.event?.code == '9'", "field": "event.dataset", "value": "raw_file_access_read", "override": true } }, { "set": { "if": "ctx.event?.code == '13'", "field": "event.category", "value": "host,registry", "override": true } },
{ "set": { "if": "ctx.event?.code == '10'", "field": "event.dataset", "value": "process_access", "override": true } }, { "set": { "if": "ctx.event?.code == '14'", "field": "event.category", "value": "host,registry", "override": true } },
{ "set": { "if": "ctx.event?.code == '11'", "field": "event.dataset", "value": "file_create", "override": true } }, { "set": { "if": "ctx.event?.code == '15'", "field": "event.category", "value": "host,file", "override": true } },
{ "set": { "if": "ctx.event?.code == '12'", "field": "event.dataset", "value": "registry_create_delete", "override": true } }, { "set": { "if": "ctx.event?.code == '16'", "field": "event.category", "value": "host", "override": true } },
{ "set": { "if": "ctx.event?.code == '13'", "field": "event.dataset", "value": "registry_value_set", "override": true } }, { "set": { "if": "ctx.event?.code == '17'", "field": "event.category", "value": "host,pipe", "override": true } },
{ "set": { "if": "ctx.event?.code == '14'", "field": "event.dataset", "value": "registry_key_value_rename", "override": true } }, { "set": { "if": "ctx.event?.code == '18'", "field": "event.category", "value": "host,pipe", "override": true } },
{ "set": { "if": "ctx.event?.code == '15'", "field": "event.dataset", "value": "file_create_stream_hash", "override": true } }, { "set": { "if": "ctx.event?.code == '19'", "field": "event.category", "value": "host,wmi", "override": true } },
{ "set": { "if": "ctx.event?.code == '16'", "field": "event.dataset", "value": "config_change", "override": true } }, { "set": { "if": "ctx.event?.code == '20'", "field": "event.category", "value": "host,wmi", "override": true } },
{ "set": { "if": "ctx.event?.code == '22'", "field": "event.dataset", "value": "dns_query", "override": true } }, { "set": { "if": "ctx.event?.code == '21'", "field": "event.category", "value": "host,wmi", "override": true } },
{ "kv": {"field": "winlog.event_data.Hashes", "target_field": "file.hash", "field_split": ",", "value_split": "=", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '22'", "field": "event.category", "value": "network", "override": true } },
{ "kv": {"field": "winlog.event_data.Hash", "target_field": "file.hash", "field_split": ",", "value_split": "=", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '23'", "field": "event.category", "value": "host,file", "override": true } },
{ "rename": { "field": "file.hash.IMPHASH", "target_field": "hash.imphash", "ignore_missing":true } }, { "set": { "if": "ctx.event?.code == '24'", "field": "event.category", "value": "host,clipboard", "override": true } },
{ "rename": { "field": "file.hash.MD5", "target_field": "hash.md5", "ignore_missing":true } }, { "set": { "if": "ctx.event?.code == '25'", "field": "event.category", "value": "host,process", "override": true } },
{ "rename": { "field": "file.hash.SHA256", "target_field": "hash.sha256", "ignore_missing":true } }, { "set": { "if": "ctx.event?.code == '26'", "field": "event.category", "value": "host,file", "override": true } },
{ "rename": { "field": "winlog.event_data.SubjectUserName", "target_field": "user.name", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '27'", "field": "event.category", "value": "host,file", "override": true } },
{ "rename": { "field": "winlog.event_data.DestinationHostname", "target_field": "destination.hostname", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '28'", "field": "event.category", "value": "host,file", "override": true } },
{ "rename": { "field": "winlog.event_data.DestinationIp", "target_field": "destination.ip", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '255'", "field": "event.category", "value": "host", "override": true } },
{ "rename": { "field": "winlog.event_data.DestinationPort", "target_field": "destination.port", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '1'", "field": "event.dataset", "value": "process_creation", "override": true } },
{ "rename": { "field": "winlog.event_data.image", "target_field": "process.executable", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '2'", "field": "event.dataset", "value": "process_changed_file", "override": true } },
{ "rename": { "field": "winlog.event_data.Image", "target_field": "process.executable", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '3'", "field": "event.dataset", "value": "network_connection", "override": true } },
{ "rename": { "field": "winlog.event_data.processID", "target_field": "process.pid", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '4'", "field": "event.dataset", "value": "service_state_changed", "override": true } },
{ "rename": { "field": "winlog.event_data.ProcessId", "target_field": "process.pid", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '5'", "field": "event.dataset", "value": "process_terminated", "override": true } },
{ "rename": { "field": "winlog.event_data.processGuid", "target_field": "process.entity_id", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '6'", "field": "event.dataset", "value": "driver_loaded", "override": true } },
{ "rename": { "field": "winlog.event_data.ProcessGuid", "target_field": "process.entity_id", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '7'", "field": "event.dataset", "value": "image_loaded", "override": true } },
{ "rename": { "field": "winlog.event_data.commandLine", "target_field": "process.command_line", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '8'", "field": "event.dataset", "value": "create_remote_thread", "override": true } },
{ "rename": { "field": "winlog.event_data.CommandLine", "target_field": "process.command_line", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '9'", "field": "event.dataset", "value": "raw_file_access_read", "override": true } },
{ "rename": { "field": "winlog.event_data.currentDirectory", "target_field": "process.working_directory", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '10'", "field": "event.dataset", "value": "process_access", "override": true } },
{ "rename": { "field": "winlog.event_data.CurrentDirectory", "target_field": "process.working_directory", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '11'", "field": "event.dataset", "value": "file_create", "override": true } },
{ "rename": { "field": "winlog.event_data.description", "target_field": "process.pe.description", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '12'", "field": "event.dataset", "value": "registry_create_delete", "override": true } },
{ "rename": { "field": "winlog.event_data.Description", "target_field": "process.pe.description", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '13'", "field": "event.dataset", "value": "registry_value_set", "override": true } },
{ "rename": { "field": "winlog.event_data.product", "target_field": "process.pe.product", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '14'", "field": "event.dataset", "value": "registry_key_value_rename", "override": true } },
{ "rename": { "field": "winlog.event_data.Product", "target_field": "process.pe.product", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '15'", "field": "event.dataset", "value": "file_create_stream_hash", "override": true } },
{ "rename": { "field": "winlog.event_data.company", "target_field": "process.pe.company", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '16'", "field": "event.dataset", "value": "config_change", "override": true } },
{ "rename": { "field": "winlog.event_data.Company", "target_field": "process.pe.company", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '17'", "field": "event.dataset", "value": "pipe_created", "override": true } },
{ "rename": { "field": "winlog.event_data.originalFileName", "target_field": "process.pe.original_file_name", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '18'", "field": "event.dataset", "value": "pipe_connected", "override": true } },
{ "rename": { "field": "winlog.event_data.OriginalFileName", "target_field": "process.pe.original_file_name", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '19'", "field": "event.dataset", "value": "wmi_event_filter", "override": true } },
{ "rename": { "field": "winlog.event_data.fileVersion", "target_field": "process.pe.file_version", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '20'", "field": "event.dataset", "value": "wmi_event_consumer", "override": true } },
{ "rename": { "field": "winlog.event_data.FileVersion", "target_field": "process.pe.file_version", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '21'", "field": "event.dataset", "value": "wmi_event_consumer_to_filter","override": true } },
{ "rename": { "field": "winlog.event_data.parentCommandLine", "target_field": "process.parent.command_line", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '22'", "field": "event.dataset", "value": "dns_query", "override": true } },
{ "rename": { "field": "winlog.event_data.ParentCommandLine", "target_field": "process.parent.command_line", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '23'", "field": "event.dataset", "value": "file_delete_archived", "override": true } },
{ "rename": { "field": "winlog.event_data.parentImage", "target_field": "process.parent.executable", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '24'", "field": "event.dataset", "value": "clipboard_change", "override": true } },
{ "rename": { "field": "winlog.event_data.ParentImage", "target_field": "process.parent.executable", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '25'", "field": "event.dataset", "value": "process_tampering", "override": true } },
{ "rename": { "field": "winlog.event_data.parentProcessGuid", "target_field": "process.parent.entity_id", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '26'", "field": "event.dataset", "value": "file_delete", "override": true } },
{ "rename": { "field": "winlog.event_data.ParentProcessGuid", "target_field": "process.parent.entity_id", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '27'", "field": "event.dataset", "value": "file_block_executable", "override": true } },
{ "rename": { "field": "winlog.event_data.parentProcessId", "target_field": "process.ppid", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '28'", "field": "event.dataset", "value": "file_block_shredding", "override": true } },
{ "rename": { "field": "winlog.event_data.ParentProcessId", "target_field": "process.ppid", "ignore_missing": true } }, { "set": { "if": "ctx.event?.code == '255'", "field": "event.dataset", "value": "error", "override": true } },
{ "rename": { "field": "winlog.event_data.Protocol", "target_field": "network.transport", "ignore_missing": true } }, { "kv": { "field": "winlog.event_data.Hashes", "target_field": "file.hash", "field_split": ",", "value_split": "=", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.User", "target_field": "user.name", "ignore_missing": true } }, { "kv": { "field": "winlog.event_data.Hash", "target_field": "file.hash", "field_split": ",", "value_split": "=", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.SourceHostname", "target_field": "source.hostname", "ignore_missing": true } }, { "rename": { "field": "file.hash.IMPHASH", "target_field": "hash.imphash", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.SourceIp", "target_field": "source.ip", "ignore_missing": true } }, { "rename": { "field": "file.hash.MD5", "target_field": "hash.md5", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.SourcePort", "target_field": "source.port", "ignore_missing": true } }, { "rename": { "field": "file.hash.SHA256", "target_field": "hash.sha256", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.targetFilename", "target_field": "file.target", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.SubjectUserName", "target_field": "user.name", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.TargetFilename", "target_field": "file.target", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.DestinationHostname", "target_field": "destination.hostname", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.QueryResults", "target_field": "dns.answers.name", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.DestinationIp", "target_field": "destination.ip", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.QueryName", "target_field": "dns.query.name", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.DestinationPort", "target_field": "destination.port", "ignore_missing": true } },
{ "remove": { "field": "winlog.event_data.Hash", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.image", "target_field": "process.executable", "ignore_missing": true } },
{ "remove": { "field": "winlog.event_data.Hashes", "ignore_missing": true } }, { "rename": { "field": "winlog.event_data.Image", "target_field": "process.executable", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.processID", "target_field": "process.pid", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.ProcessId", "target_field": "process.pid", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.processGuid", "target_field": "process.entity_id", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.ProcessGuid", "target_field": "process.entity_id", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.commandLine", "target_field": "process.command_line", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.CommandLine", "target_field": "process.command_line", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.currentDirectory", "target_field": "process.working_directory", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.CurrentDirectory", "target_field": "process.working_directory", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.description", "target_field": "process.pe.description", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.Description", "target_field": "process.pe.description", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.product", "target_field": "process.pe.product", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.Product", "target_field": "process.pe.product", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.company", "target_field": "process.pe.company", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.Company", "target_field": "process.pe.company", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.originalFileName", "target_field": "process.pe.original_file_name", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.OriginalFileName", "target_field": "process.pe.original_file_name", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.fileVersion", "target_field": "process.pe.file_version", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.FileVersion", "target_field": "process.pe.file_version", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.parentCommandLine", "target_field": "process.parent.command_line", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.ParentCommandLine", "target_field": "process.parent.command_line", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.parentImage", "target_field": "process.parent.executable", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.ParentImage", "target_field": "process.parent.executable", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.parentProcessGuid", "target_field": "process.parent.entity_id", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.ParentProcessGuid", "target_field": "process.parent.entity_id", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.parentProcessId", "target_field": "process.ppid", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.ParentProcessId", "target_field": "process.ppid", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.Protocol", "target_field": "network.transport", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.User", "target_field": "user.name", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.SourceHostname", "target_field": "source.hostname", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.SourceIp", "target_field": "source.ip", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.SourcePort", "target_field": "source.port", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.targetFilename", "target_field": "file.target", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.TargetFilename", "target_field": "file.target", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.QueryResults", "target_field": "dns.answers.name", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.QueryName", "target_field": "dns.query.name", "ignore_missing": true } },
{ "remove": { "field": "winlog.event_data.Hash", "ignore_missing": true } },
{ "remove": { "field": "winlog.event_data.Hashes", "ignore_missing": true } },
{ "community_id": {} } { "community_id": {} }
] ]
} }


@@ -0,0 +1,49 @@
global:
soversion:
description: Current version of Security Onion.
global: True
readonly: True
managerip:
description: The IP address of the grid manager.
global: True
mdengine:
description: What engine to use for meta data generation. Options are ZEEK and SURICATA.
global: True
ids:
description: Which IDS engine to use. Currently only Suricata is supported.
global: True
readonly: True
advanced: True
url_base:
description: Used for handling of authentication cookies.
global: True
airgap:
description: Sets airgap mode.
global: True
readonly: True
imagerepo:
description: Image repo to pull image from.
global: True
advanced: True
pipeline:
description: Sets which pipeline technology for events to use. Currently only Redis is supported.
global: True
readonly: True
advanced: True
repo_host:
description: Specify the host where operating system packages will be served from.
global: True
advanced: True
registry_host:
description: Specify the host where docker/podman images will be pulled from.
global: True
advanced: True
influxdb_host:
description: Specify the host where influxdb is hosted.
global: True
advanced: True
endgamehost:
description: Allows use of Endgame with Security Onion. This feature requires a license from Endgame.
global: True
advanced: True


@@ -9,7 +9,7 @@ datasources:
type: influxdb type: influxdb
access: proxy access: proxy
database: telegraf database: telegraf
url: https://{{ GLOBALS.manager_ip }}:8086 url: https://{{ GLOBALS.influxdb_host }}:8086
jsonData: jsonData:
tlsAuth: false tlsAuth: false
tlsAuthWithCACert: false tlsAuthWithCACert: false
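Review bot: `url: https://{{ GLOBALS.influxdb_host }}:8086` lets the datasource point at a host other than the manager, but the hunk keeps `tlsAuth: false` and `tlsAuthWithCACert: false` and shows no CA or verification setting, so whether Grafana validates the InfluxDB certificate for the new name is decided outside this file. If `influxdb_host` can be a hostname or IP that the InfluxDB certificate's SAN does not cover, the proxy will fail TLS validation, and the annotation for `influxdb_host` should state that the value must match the certificate the InfluxDB container presents. The SOC config hunk further down makes the same substitution (`'https://' ~ GLOBALS.influxdb_host ~ ':8086'`) and carries the same caveat.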


@@ -8,7 +8,7 @@
{% import_yaml 'grafana/grafana_defaults.yaml' as default_settings %} {% import_yaml 'grafana/grafana_defaults.yaml' as default_settings %}
{% set GRAFANA_SETTINGS = salt['grains.filter_by'](default_settings, default='grafana', merge=salt['pillar.get']('grafana', {})) %} {% set GRAFANA_SETTINGS = salt['grains.filter_by'](default_settings, default='grafana', merge=salt['pillar.get']('grafana', {})) %}
{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] or (grains.role == 'so-eval' and GRAFANA == 1) %} {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-eval'] %}
{% set ALLOWED_DASHBOARDS = ['overview', 'standalone', 'manager', 'managersearch', 'sensor', 'searchnode', 'heavynode', 'eval', 'receiver'] %} {% set ALLOWED_DASHBOARDS = ['overview', 'standalone', 'manager', 'managersearch', 'sensor', 'searchnode', 'heavynode', 'eval', 'receiver'] %}
{% set DASHBOARDS = ['overview'] %} {% set DASHBOARDS = ['overview'] %}


@@ -5,7 +5,7 @@
{% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} {% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %}
{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] or (grains.role == 'so-eval' and GRAFANA == 1) %} {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-eval', 'so-import'] %}
{% import_yaml 'influxdb/defaults.yaml' as default_settings %} {% import_yaml 'influxdb/defaults.yaml' as default_settings %}
{% set influxdb = salt['grains.filter_by'](default_settings, default='influxdb', merge=salt['pillar.get']('influxdb', {})) %} {% set influxdb = salt['grains.filter_by'](default_settings, default='influxdb', merge=salt['pillar.get']('influxdb', {})) %}
{% from 'salt/map.jinja' import PYTHON3INFLUX with context %} {% from 'salt/map.jinja' import PYTHON3INFLUX with context %}
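Review bot: `GRAFANA` is still assigned on the first line of the hunk (`{% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %}`) but the rewritten role check no longer reads it, so it is a dead variable unless something after the hunk uses it; either drop the line or add a comment that `manager:grafana` no longer gates InfluxDB on eval. The new list also adds `so-import`, while the parallel role check in the grafana init hunk above adds only `so-eval`; if InfluxDB-without-Grafana on import nodes is intended, a one-line comment such as `{# so-import runs influxdb but no grafana dashboards #}` would keep the next reader from "fixing" the mismatch.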


@@ -63,7 +63,7 @@ update() {
IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))' IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))'
for i in "${LINES[@]}"; do for i in "${LINES[@]}"; do
RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config-X PUT "localhost:5601/api/saved_objects/config/8.5.3" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -X PUT "localhost:5601/api/saved_objects/config/8.5.3" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi
done done
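Review bot: The added space before `-X PUT` fixes the curl invocation, but `$1` is still unquoted in `command eval 'LINES=($(cat $1))'` on the first line of the hunk, so a path containing whitespace or glob characters breaks the read; `'LINES=($(cat "$1"))'` is safe because eval performs the expansion. The Kibana version is hard-coded in the request path (`/api/saved_objects/config/8.5.3`), so the next Kibana upgrade leaves this function writing to a stale config object unless someone remembers this line; taking the version from a variable or from the running instance would be more robust. `echo $RESPONSE` is also unquoted, which re-splits the JSON in the log. update() begins before the hunk, so its argument handling is not visible here.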


@@ -66,8 +66,8 @@ ls_pipeline_{{PL}}_{{CONFIGFILE.split('.')[0] | replace("/","_") }}:
- template: jinja - template: jinja
- defaults: - defaults:
GLOBALS: {{ GLOBALS }} GLOBALS: {{ GLOBALS }}
ES_USER: {{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') }} ES_USER: "{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') }}"
ES_PASS: {{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') }} ES_PASS: "{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') }}"
{% else %} {% else %}
- name: /opt/so/conf/logstash/pipelines/{{PL}}/{{CONFIGFILE.split('/')[1]}} - name: /opt/so/conf/logstash/pipelines/{{PL}}/{{CONFIGFILE.split('/')[1]}}
{% endif %} {% endif %}
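Review bot: Quoting `ES_USER`/`ES_PASS` fixes YAML parsing for values with special characters, but the rendered pipeline file now carries the `so_elastic_user` password and `file.managed` reports the full diff by default, so the credential can land in state output and logs every time the pipeline file changes; unless the state already sets it outside the hunk, add `- show_changes: False` next to `- template: jinja`. The state `ls_pipeline_...` begins before the hunk, so its other arguments are not visible here.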


@@ -1,9 +1,10 @@
{% set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') -%} {%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %}
{% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) -%} {%- set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
{% from 'logstash/map.jinja' import REDIS_NODES with context -%} {%- from 'logstash/map.jinja' import REDIS_NODES with context %}
{%- set REDIS_PASS = salt['pillar.get']('redis:config:requirepass') %}
{% for index in range(REDIS_NODES|length) -%} {%- for index in range(REDIS_NODES|length) %}
{% for host in REDIS_NODES[index] -%} {%- for host in REDIS_NODES[index] %}
input { input {
redis { redis {
host => '{{ host }}' host => '{{ host }}'
@@ -14,6 +15,7 @@ input {
type => 'redis-input' type => 'redis-input'
threads => {{ THREADS }} threads => {{ THREADS }}
batch_count => {{ BATCH }} batch_count => {{ BATCH }}
password => {{ REDIS_PASS }}
} }
} }
{% endfor %} {% endfor %}
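Review bot: `password => {{ REDIS_PASS }}` is emitted as a bare word, unlike the quoted `host => '{{ host }}'` a few lines above it; Logstash only accepts an unquoted value that is a plain identifier, so a generated password that starts with a digit or contains punctuation will fail config parsing — write `password => '{{ REDIS_PASS }}'`. The lookup `salt['pillar.get']('redis:config:requirepass')` on the fourth line has no default, so a missing pillar renders `password => None` and Logstash will authenticate with that literal string rather than fail loudly; the render should fail when the pillar is empty instead of emitting `None`. The redis output hunk below (`password => {{ REDIS_PASS }}` under `output { redis {`) has the same two issues.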


@@ -4,6 +4,8 @@
{%- set HOST = GLOBALS.manager %} {%- set HOST = GLOBALS.manager %}
{%- endif %} {%- endif %}
{%- set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %} {%- set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
{%- set REDIS_PASS = salt['pillar.get']('redis:config:requirepass') %}
output { output {
redis { redis {
host => '{{ HOST }}' host => '{{ HOST }}'
@@ -14,5 +16,6 @@ output {
congestion_threshold => 50000000 congestion_threshold => 50000000
batch => true batch => true
batch_events => {{ BATCH }} batch_events => {{ BATCH }}
password => {{ REDIS_PASS }}
} }
} }


@@ -1,7 +1,7 @@
redis: redis:
config: config:
bind: '0.0.0.0' bind: '0.0.0.0'
protected-mode: 'no' protected-mode: 'yes'
tls-cert-file: '/certs/redis.crt' tls-cert-file: '/certs/redis.crt'
tls-key-file: '/certs/redis.key' tls-key-file: '/certs/redis.key'
tls-ca-cert-file: '/certs/ca.crt' tls-ca-cert-file: '/certs/ca.crt'
@@ -29,9 +29,9 @@ redis:
databases: 16 databases: 16
always-show-logo: 'yes' always-show-logo: 'yes'
save: save:
900: 1 '900': 1
300: 10 '300': 10
60: 1000 '60': 1000
stop-writes-on-bgsave-error: 'yes' stop-writes-on-bgsave-error: 'yes'
rdbcompression: 'yes' rdbcompression: 'yes'
rdbchecksum: 'yes' rdbchecksum: 'yes'
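Review bot: `protected-mode: 'yes'` is a sensible default, but as Redis documents it protected mode only restricts clients when the default user has no password (and on older releases only when no `bind` is configured), so with `bind: '0.0.0.0'` kept and `requirepass` now in use it is effectively inert; the controls that actually gate remote access here are `requirepass` together with the TLS material listed below it. A comment above the key, e.g. `# protected-mode is a no-op once requirepass is set; requirepass + TLS are the access controls`, would stop a reader from treating it as the network guard. The hunk does not show whether `requirepass` receives a default in this file; if it can be empty, protected mode's behaviour with an explicit `bind` depends on the Redis release, so the pillar should be required rather than silently defaulted.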


@@ -10,6 +10,10 @@ redis:
global: True global: True
advanced: True advanced: True
helpLink: redis.html helpLink: redis.html
requirepass:
description: Password for accessing Redis.
global: True
sensitive: True
tls-cert-file: tls-cert-file:
description: TLS cert file location. description: TLS cert file location.
global: True global: True
@@ -117,15 +121,15 @@ redis:
advanced: True advanced: True
helpLink: redis.html helpLink: redis.html
save: save:
900: '900':
description: Set the amount of keys that need to change to save after 15 minutes. description: Set the amount of keys that need to change to save after 15 minutes.
global: True global: True
helpLink: redis.html helpLink: redis.html
300: '300':
description: Set the amount of keys that need to change to save after 5 minutes. description: Set the amount of keys that need to change to save after 5 minutes.
global: True global: True
helpLink: redis.html helpLink: redis.html
60: '60':
description: Set the amount of keys that need to change to save after 1 minute description: Set the amount of keys that need to change to save after 1 minute
global: True global: True
helpLink: redis.html helpLink: redis.html


@@ -16,7 +16,7 @@
{% do SOCDEFAULTS.soc.server.modules.elastic.update({'username': GLOBALS.elasticsearch.auth.users.so_elastic_user.user, 'password': GLOBALS.elasticsearch.auth.users.so_elastic_user.pass}) %} {% do SOCDEFAULTS.soc.server.modules.elastic.update({'username': GLOBALS.elasticsearch.auth.users.so_elastic_user.user, 'password': GLOBALS.elasticsearch.auth.users.so_elastic_user.pass}) %}
{% if GLOBALS.role != 'so-import' %} {% if GLOBALS.role != 'so-import' %}
{% do SOCDEFAULTS.soc.server.modules.influxdb.update({'hostUrl': 'https://' ~ GLOBALS.manager_ip ~ ':8086'}) %} {% do SOCDEFAULTS.soc.server.modules.influxdb.update({'hostUrl': 'https://' ~ GLOBALS.influxdb_host ~ ':8086'}) %}
{% endif %} {% endif %}
{% do SOCDEFAULTS.soc.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.sosrange, 'apiKey': pillar.sensoroni.sensoronikey}) %} {% do SOCDEFAULTS.soc.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.sosrange, 'apiKey': pillar.sensoroni.sensoronikey}) %}


@@ -496,16 +496,6 @@ soc:
- event.severity_label - event.severity_label
- log.id.uid - log.id.uid
- network.community_id - network.community_id
':sysmon:':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- source.hostname
- event.dataset
- process.executable
- user.name
':windows_eventlog:': ':windows_eventlog:':
- soc_timestamp - soc_timestamp
- user.name - user.name
@@ -570,6 +560,24 @@ soc:
- destination.geo.country_iso_code - destination.geo.country_iso_code
- user.name - user.name
- source.ip - source.ip
':sysmon:':
- soc_timestamp
- event.dataset
- process.executable
- user.name
- file.target
- dns.query.name
- winlog.event_data.TargetObject
'::network_connection':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- source.hostname
- event.dataset
- process.executable
- user.name
'::process_terminated': '::process_terminated':
- soc_timestamp - soc_timestamp
- process.executable - process.executable
@@ -1374,19 +1382,19 @@ soc:
queries: queries:
- name: Overview - name: Overview
description: Overview of all events description: Overview of all events
query: '* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module | groupby event.dataset | groupby event.module | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port' query: '* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module | groupby event.dataset | groupby event.module | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: SOC Auth - name: SOC Auth
description: SOC (Security Onion Console) authentication logs description: SOC (Security Onion Console) authentication logs
query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent' query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby -sankey http_request.headers.x-real-ip identity_id | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent'
- name: Elastalerts - name: Elastalerts
description: Elastalert logs description: Elastalert logs
query: '_index: "*:elastalert*" | groupby rule_name | groupby alert_info.type' query: '_index: "*:elastalert*" | groupby rule_name | groupby alert_info.type'
- name: Alerts - name: Alerts
description: Overview of all alerts description: Overview of all alerts
query: 'event.dataset: alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port' query: 'event.dataset:alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: NIDS Alerts - name: NIDS Alerts
description: NIDS (Network Intrusion Detection System) alerts description: NIDS (Network Intrusion Detection System) alerts
query: 'event.category: network AND event.dataset: alert | groupby rule.category | groupby rule.gid | groupby rule.uuid | groupby rule.name | groupby source.ip | groupby destination.ip | groupby destination.port' query: 'event.category:network AND event.dataset:alert | groupby rule.category | groupby -sankey source.ip destination.ip | groupby rule.name | groupby rule.uuid | groupby rule.gid | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: Sysmon Overview - name: Sysmon Overview
description: Overview of all Sysmon data types description: Overview of all Sysmon data types
query: 'event.module:sysmon | groupby -sankey event.dataset winlog.computer_name | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby event.dataset | groupby user.name | groupby dns.query.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.target | groupby source.ip | groupby destination.ip | groupby destination.port' query: 'event.module:sysmon | groupby -sankey event.dataset winlog.computer_name | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby event.dataset | groupby user.name | groupby dns.query.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.target | groupby source.ip | groupby destination.ip | groupby destination.port'
@@ -1401,115 +1409,115 @@ soc:
query: '(event.dataset:process_creation OR event.dataset:process_terminated OR event.dataset:process_access) | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby user.name | groupby event.dataset | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable' query: '(event.dataset:process_creation OR event.dataset:process_terminated OR event.dataset:process_access) | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby user.name | groupby event.dataset | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable'
- name: Sysmon File - name: Sysmon File
description: File activity captured by Sysmon description: File activity captured by Sysmon
query: '(event.dataset:file_create OR event.dataset:file_create_stream_hash OR event.dataset:process_changed_file) | groupby -sankey winlog.computer_name process.executable | groupby winlog.computer_name | groupby event.dataset | groupby file.target | groupby process.executable' query: 'event.module:sysmon AND event.dataset:file_* | groupby -sankey winlog.computer_name process.executable | groupby winlog.computer_name | groupby event.dataset | groupby file.target | groupby process.executable'
- name: Sysmon Network - name: Sysmon Network
description: Network activity captured by Sysmon description: Network activity captured by Sysmon
query: 'event.dataset:network_connection | groupby -sankey winlog.computer_name destination.ip destination.port | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' query: 'event.dataset:network_connection | groupby -sankey winlog.computer_name destination.ip destination.port | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: Strelka - name: Strelka
description: Strelka file analysis description: Strelka file analysis
query: 'event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source' query: 'event.module:strelka | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.name'
- name: Zeek Notice - name: Zeek Notice
description: Zeek notice logs description: Zeek notice logs
query: 'event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port' query: 'event.dataset:notice | groupby -sankey notice.note destination.ip | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: Connections - name: Connections
description: Network connection metadata description: Network connection metadata
query: 'event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes' query: 'event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby -sankey destination.port network.protocol | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes | groupby client.oui'
- name: DCE_RPC - name: DCE_RPC
description: DCE_RPC (Distributed Computing Environment / Remote Procedure Calls) network metadata description: DCE_RPC (Distributed Computing Environment / Remote Procedure Calls) network metadata
query: 'event.dataset:dce_rpc | groupby dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port' query: 'event.dataset:dce_rpc | groupby -sankey dce_rpc.endpoint dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.operation | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: DHCP - name: DHCP
description: DHCP (Dynamic Host Configuration Protocol) leases description: DHCP (Dynamic Host Configuration Protocol) leases
query: 'event.dataset:dhcp | groupby host.hostname | groupby host.domain | groupby dhcp.message_types | groupby client.address | groupby server.address' query: 'event.dataset:dhcp | groupby host.hostname | groupby host.domain | groupby dhcp.message_types | groupby -sankey client.address server.address | groupby client.address | groupby server.address'
- name: DNS - name: DNS
description: DNS (Domain Name System) queries description: DNS (Domain Name System) queries
query: 'event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port' query: 'event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby -sankey source.ip destination.ip | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: DPD - name: DPD
description: DPD (Dynamic Protocol Detection) errors description: DPD (Dynamic Protocol Detection) errors
query: 'event.dataset:dpd | groupby error.reason | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol' query: 'event.dataset:dpd | groupby error.reason | groupby network.protocol | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: Files - name: Files
description: Files seen in network traffic description: Files seen in network traffic
query: 'event.dataset:file | groupby file.mime_type | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip' query: 'event.dataset:file | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip | groupby destination_geo.organization_name'
- name: FTP - name: FTP
description: FTP (File Transfer Protocol) network metadata description: FTP (File Transfer Protocol) network metadata
query: 'event.dataset:ftp | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port' query: 'event.dataset:ftp | groupby -sankey ftp.command destination.ip | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: HTTP - name: HTTP
description: HTTP (Hyper Text Transport Protocol) network metadata description: HTTP (Hyper Text Transport Protocol) network metadata
query: 'event.dataset:http | groupby http.method | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port' query: 'event.dataset:http | groupby http.method | groupby -sankey http.method http.virtual_host | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: Intel - name: Intel
description: Zeek Intel framework hits description: Zeek Intel framework hits
query: 'event.dataset:intel | groupby intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port' query: 'event.dataset:intel | groupby intel.indicator | groupby -sankey source.ip intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: IRC - name: IRC
description: IRC (Internet Relay Chat) network metadata description: IRC (Internet Relay Chat) network metadata
query: 'event.dataset:irc | groupby irc.command.type | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port' query: 'event.dataset:irc | groupby irc.command.type | groupby -sankey irc.command.type irc.username | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: Kerberos - name: Kerberos
description: Kerberos network metadata description: Kerberos network metadata
query: 'event.dataset:kerberos | groupby kerberos.service | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port' query: 'event.dataset:kerberos | groupby kerberos.service | groupby -sankey kerberos.service destination.ip | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: MySQL - name: MySQL
description: MySQL network metadata description: MySQL network metadata
query: 'event.dataset:mysql | groupby mysql.command | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port' query: 'event.dataset:mysql | groupby mysql.command | groupby -sankey mysql.command destination.ip | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: NTLM - name: NTLM
description: NTLM (New Technology LAN Manager) network metadata description: NTLM (New Technology LAN Manager) network metadata
query: 'event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port' query: 'event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby -sankey source.ip destination.ip | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: PE - name: PE
description: PE (Portable Executable) files transferred via network traffic description: PE (Portable Executable) files transferred via network traffic
query: 'event.dataset:pe | groupby file.machine | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit' query: 'event.dataset:pe | groupby file.machine | groupby -sankey file.machine file.os | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit'
- name: RADIUS - name: RADIUS
description: RADIUS (Remote Authentication Dial-In User Service) network metadata description: RADIUS (Remote Authentication Dial-In User Service) network metadata
query: 'event.dataset:radius | groupby user.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port' query: 'event.dataset:radius | groupby -sankey user.name.keyword destination.ip | groupby user.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: RDP - name: RDP
description: RDP (Remote Desktop Protocol) network metadata description: RDP (Remote Desktop Protocol) network metadata
query: 'event.dataset:rdp | groupby client.name | groupby source.ip | groupby destination.ip | groupby destination.port' query: 'event.dataset:rdp | groupby client.name | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: RFB - name: RFB
description: RFB (Remote Frame Buffer) network metadata description: RFB (Remote Frame Buffer) network metadata
query: 'event.dataset:rfb | groupby rfb.desktop.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port' query: 'event.dataset:rfb | groupby rfb.desktop.name.keyword | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: Signatures - name: Signatures
description: Zeek signatures description: Zeek signatures
query: 'event.dataset:signatures | groupby signature_id' query: 'event.dataset:signatures | groupby signature_id'
- name: SIP - name: SIP
description: SIP (Session Initiation Protocol) network metadata description: SIP (Session Initiation Protocol) network metadata
query: 'event.dataset:sip | groupby client.user_agent | groupby sip.method | groupby sip.uri | groupby source.ip | groupby destination.ip | groupby destination.port' query: 'event.dataset:sip | groupby client.user_agent | groupby sip.method | groupby sip.uri | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: SMB_Files - name: SMB_Files
description: Files transferred via SMB (Server Message Block) description: Files transferred via SMB (Server Message Block)
query: 'event.dataset:smb_files | groupby file.action | groupby file.path | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port' query: 'event.dataset:smb_files | groupby file.action | groupby file.path | groupby file.name | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: SMB_Mapping - name: SMB_Mapping
description: SMB (Server Message Block) mapping network metadata description: SMB (Server Message Block) mapping network metadata
query: 'event.dataset:smb_mapping | groupby smb.share_type | groupby smb.path | groupby smb.service | groupby source.ip | groupby destination.ip | groupby destination.port' query: 'event.dataset:smb_mapping | groupby smb.share_type | groupby smb.path | groupby smb.service | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: SMTP - name: SMTP
description: SMTP (Simple Mail Transfer Protocol) network metadata description: SMTP (Simple Mail Transfer Protocol) network metadata
query: 'event.dataset:smtp | groupby smtp.from | groupby smtp.recipient_to | groupby smtp.subject | groupby source.ip | groupby destination.ip | groupby destination.port' query: 'event.dataset:smtp | groupby smtp.from | groupby smtp.recipient_to | groupby -sankey source.ip destination.ip | groupby smtp.subject | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: SNMP - name: SNMP
description: SNMP (Simple Network Management Protocol) network metadat description: SNMP (Simple Network Management Protocol) network metadat
query: 'event.dataset:snmp | groupby snmp.community | groupby snmp.version | groupby source.ip | groupby destination.ip | groupby destination.port' query: 'event.dataset:snmp | groupby snmp.community | groupby snmp.version | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: Software - name: Software
description: Software seen by Zeek via network traffic description: Software seen by Zeek via network traffic
query: 'event.dataset:software | groupby software.type | groupby software.name | groupby source.ip' query: 'event.dataset:software | groupby -sankey software.type source.ip | groupby software.type | groupby software.name | groupby source.ip'
- name: SSH - name: SSH
description: SSH (Secure Shell) connections seen by Zeek description: SSH (Secure Shell) connections seen by Zeek
query: 'event.dataset:ssh | groupby ssh.client | groupby ssh.server | groupby ssh.direction | groupby ssh.version | groupby ssh.hassh_version | groupby source.ip | groupby destination.ip | groupby destination.port' query: 'event.dataset:ssh | groupby ssh.client | groupby ssh.server | groupby -sankey source.ip destination.ip | groupby ssh.direction | groupby ssh.version | groupby ssh.hassh_version | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: SSL - name: SSL
description: SSL/TLS network metadata description: SSL/TLS network metadata
query: 'event.dataset:ssl | groupby ssl.version | groupby ssl.validation_status | groupby ssl.server_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject | groupby source.ip | groupby destination.ip | groupby destination.port' query: 'event.dataset:ssl | groupby ssl.version | groupby ssl.validation_status | groupby -sankey source.ip ssl.server_name | groupby ssl.server_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject'
- name: STUN - name: STUN
description: STUN (Session Traversal Utilities for NAT) network metadata description: STUN (Session Traversal Utilities for NAT) network metadata
query: 'event.dataset:stun* | groupby -sankey source.ip destination.ip | groupby destination.geo.country_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby event.dataset' query: 'event.dataset:stun* | groupby -sankey source.ip destination.ip | groupby destination.geo.country_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby event.dataset'
- name: Syslog - name: Syslog
description: Syslog logs description: Syslog logs
query: 'event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby network.protocol | groupby source.ip | groupby destination.ip | groupby destination.port' query: 'event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol'
- name: TDS - name: TDS
description: TDS (Tabular Data Stream) network metadata description: TDS (Tabular Data Stream) network metadata
query: 'event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupby tds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby tds.query' query: 'event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupby tds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby tds.query'
- name: Tunnel - name: Tunnel
description: Tunnels seen by Zeek description: Tunnels seen by Zeek
query: 'event.dataset:tunnel | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port' query: 'event.dataset:tunnel | groupby -sankey source.ip destination.ip | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination.geo.country_name'
- name: Weird - name: Weird
description: Weird network traffic seen by Zeek description: Weird network traffic seen by Zeek
query: 'event.dataset:weird | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port ' query: 'event.dataset:weird | groupby -sankey weird.name destination.ip | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: WireGuard - name: WireGuard
description: WireGuard VPN network metadata description: WireGuard VPN network metadata
query: 'event.dataset:wireguard | groupby -sankey source.ip destination.ip | groupby destination.geo.country_name | groupby source.ip | groupby destination.ip | groupby destination.port' query: 'event.dataset:wireguard | groupby -sankey source.ip destination.ip | groupby destination.geo.country_name | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: x509 - name: x509
description: x.509 certificates seen by Zeek description: x.509 certificates seen by Zeek
query: 'event.dataset:x509 | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer' query: 'event.dataset:x509 | groupby -sankey x509.certificate.key.length x509.san_dns | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer'
- name: ICS Overview - name: ICS Overview
description: Overview of ICS (Industrial Control Systems) network metadata description: Overview of ICS (Industrial Control Systems) network metadata
query: 'tags:ics | groupby event.dataset | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby source.mac | groupby destination.mac' query: 'tags:ics | groupby event.dataset | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby source.mac | groupby destination.mac'
@@ -1548,7 +1556,7 @@ soc:
query: 'event.dataset:s7* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port' query: 'event.dataset:s7* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: Firewall - name: Firewall
description: Firewall logs description: Firewall logs
query: 'event.dataset:firewall | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port' query: 'event.dataset:firewall | groupby -sankey rule.action interface.name | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port'
job: job:
alerts: alerts:
advanced: false advanced: false


@@ -42,8 +42,10 @@ soc:
description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action. description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action.
global: True global: True
eventFields: eventFields:
description: A map of event metadata groupings to field lists. The field list specifies all the columns to show when displaying individual events (not groups). The event metadata grouping uses the format ":event.module:event.dataset". default:
global: True description: The list of fields to show as columns in the Hunt/Dashboards event table, when no other specific mapping applies. Mappings are defined by the format ":event.module:event.dataset".
global: True
advanced: True
server: server:
maxPacketCount: maxPacketCount:
description: Maximum number of packets to show in the PCAP viewer. Larger values can cause more resource utilization on both the SOC server and the browser. description: Maximum number of packets to show in the PCAP viewer. Larger values can cause more resource utilization on both the SOC server and the browser.
@@ -96,118 +98,119 @@ soc:
description: Duration (in milliseconds) that must elapse after a grid node fails to check-in before the node will be marked offline (fault). description: Duration (in milliseconds) that must elapse after a grid node fails to check-in before the node will be marked offline (fault).
global: True global: True
advanced: True advanced: True
client: client:
apiTimeoutMs: apiTimeoutMs:
description: Duration (in milliseconds) to wait for a response from the SOC server API before giving up and showing an error on the SOC UI. description: Duration (in milliseconds) to wait for a response from the SOC server API before giving up and showing an error on the SOC UI.
global: True
advanced: True
webSocketTimeoutMs:
description: Duration (in milliseconds) to wait for a response from the SOC server websocket before giving up and reconnecting.
global: True
advanced: True
tipTimeoutMs:
description: Duration (in milliseconds) to show the popup tips, which typically indicate a successful operation.
global: True
cacheExpirationMs:
description: Duration (in milliseconds) of cached data within the browser, including users and settings.
global: True
advanced: True
casesEnabled:
description: Set to true to enable case management in SOC.
global: True
inactiveTools:
description: List of external tools to remove from the SOC UI.
global: True
tools:
description: List of available external tools visible in the SOC UI. Each tool is defined in JSON object notation, and must include the "name" key and "link" key, where the link is the tool's URL.
global: True
advanced: True
hunt: &appSettings
groupItemsPerPage:
description: Default number of aggregations to show per page. Larger values consume more vertical area in the SOC UI.
global: True
groupFetchLimit:
description: Default maximum number of aggregations to retrieve per search. Larger values consume more bandwidth and server resources.
global: True
eventItemsPerPage:
description: Default number of items to show per page. Larger values consume more vertical area in the SOC UI.
global: True
eventFetchLimit:
description: Default maximum number of items to retrieve per search. Larger values consume more bandwidth and server resources.
global: True
relativeTimeValue:
description: The duration of time to look backwards when searching for items. Used in combination with the relativeTimeUnit setting.
global: True
relativeTimeUnit:
description: The unit of time for the relativeTimeValue setting. Possible values are 10 (seconds), 20 (minutes), 30 (hours), 40 (days), 50 (weeks), and 60 (months).
global: True
mostRecentlyUsedLimit:
description: Number of items to show in the most recently used queries list. Larger values cause default queries to be located further down the list.
global: True
queries:
description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key.
alerts: *appSettings
cases: *appSettings
dashboards: *appSettings
case:
analyzerNodeId:
description: The node ID on which analyzers will be executed.
global: True global: True
advanced: True advanced: True
mostRecentlyUsedLimit: webSocketTimeoutMs:
description: Number of items to show in the most recently used queries list. Larger values cause default queries to be located further down the list. description: Duration (in milliseconds) to wait for a response from the SOC server websocket before giving up and reconnecting.
global: True
renderAbbreviatedCount:
description: When the number of case related items exceeds this number, the middle section of the results will be hidden from view, avoiding unnecessary scrolling.
global: True global: True
advanced: True advanced: True
presets: tipTimeoutMs:
artifactType: description: Duration (in milliseconds) to show the popup tips, which typically indicate a successful operation.
labels: global: True
description: List of available artifact types. Some of these default types have special characteristics and related functionality, built into SOC. cacheExpirationMs:
global: True description: Duration (in milliseconds) of cached data within the browser, including users and settings.
customEnabled: global: True
description: Set to true to allow users add their own artifact types directly in the SOC UI. advanced: True
global: True casesEnabled:
category: description: Set to true to enable case management in SOC.
labels: global: True
description: List of available case categories. inactiveTools:
global: True description: List of external tools to remove from the SOC UI.
customEnabled: global: True
description: Set to true to allow users add their own categories directly in the SOC UI. tools:
global: True description: List of available external tools visible in the SOC UI. Each tool is defined in JSON object notation, and must include the "name" key and "link" key, where the link is the tool's URL.
pap: global: True
labels: advanced: True
description: List of available PAP (Permissible Actions Protocol) values. hunt: &appSettings
global: True groupItemsPerPage:
customEnabled: description: Default number of aggregations to show per page. Larger values consume more vertical area in the SOC UI.
description: Set to true to allow users add their own PAP values directly in the SOC UI. global: True
global: True groupFetchLimit:
severity: description: Default maximum number of aggregations to retrieve per search. Larger values consume more bandwidth and server resources.
labels: global: True
description: List of available case severities. eventItemsPerPage:
global: True description: Default number of items to show per page. Larger values consume more vertical area in the SOC UI.
customEnabled: global: True
description: Set to true to allow users add their own severities directly in the SOC UI. eventFetchLimit:
global: True description: Default maximum number of items to retrieve per search. Larger values consume more bandwidth and server resources.
status: global: True
labels: relativeTimeValue:
description: List of available case statuses. Some statuses have specifial characteristics and related functionality built into SOC. description: The duration of time to look backwards when searching for items. Used in combination with the relativeTimeUnit setting.
global: True global: True
customEnabled: relativeTimeUnit:
description: Set to true to allow users add their own case statuses directly in the SOC UI. description: The unit of time for the relativeTimeValue setting. Possible values are 10 (seconds), 20 (minutes), 30 (hours), 40 (days), 50 (weeks), and 60 (months).
global: True global: True
tags: mostRecentlyUsedLimit:
labels: description: Number of items to show in the most recently used queries list. Larger values cause default queries to be located further down the list.
description: List of available tags. global: True
global: True queries:
customEnabled: description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key.
description: Set to true to allow users add their own tags directly in the SOC UI. global: True
global: True alerts: *appSettings
tlp: cases: *appSettings
labels: dashboards: *appSettings
description: List of available TLP (Traffic Light Protocol) values. case:
global: True analyzerNodeId:
customEnabled: description: The node ID on which analyzers will be executed.
description: Set to true to allow users add their own TLP values directly in the SOC UI. global: True
global: True advanced: True
mostRecentlyUsedLimit:
description: Number of items to show in the most recently used queries list. Larger values cause default queries to be located further down the list.
global: True
renderAbbreviatedCount:
description: When the number of case related items exceeds this number, the middle section of the results will be hidden from view, avoiding unnecessary scrolling.
global: True
advanced: True
presets:
artifactType:
labels:
description: List of available artifact types. Some of these default types have special characteristics and related functionality, built into SOC.
global: True
customEnabled:
description: Set to true to allow users add their own artifact types directly in the SOC UI.
global: True
category:
labels:
description: List of available case categories.
global: True
customEnabled:
description: Set to true to allow users add their own categories directly in the SOC UI.
global: True
pap:
labels:
description: List of available PAP (Permissible Actions Protocol) values.
global: True
customEnabled:
description: Set to true to allow users add their own PAP values directly in the SOC UI.
global: True
severity:
labels:
description: List of available case severities.
global: True
customEnabled:
description: Set to true to allow users add their own severities directly in the SOC UI.
global: True
status:
labels:
description: List of available case statuses. Some statuses have specifial characteristics and related functionality built into SOC.
global: True
customEnabled:
description: Set to true to allow users add their own case statuses directly in the SOC UI.
global: True
tags:
labels:
description: List of available tags.
global: True
customEnabled:
description: Set to true to allow users add their own tags directly in the SOC UI.
global: True
tlp:
labels:
description: List of available TLP (Traffic Light Protocol) values.
global: True
customEnabled:
description: Set to true to allow users add their own TLP values directly in the SOC UI.
global: True
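Review bot: The description strings carried onto the new side of this re-indented block still contain wording defects that surface verbatim in the SOC settings UI: the status.labels description reads `Some statuses have specifial characteristics and related functionality built into SOC.` and should be `Some statuses have special characteristics and related functionality built into SOC.`, and every customEnabled description says `allow users add their own`, which should read `allow users to add their own`. Since the commit already rewrites the indentation of the whole block, this is the natural moment to correct them rather than leaving the typos to a later annotation pass.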


@@ -1,5 +1,5 @@
# Telegraf Configuration # Telegraf Configuration
{%- set MANAGER = GLOBALS.manager %} {%- set INFLUXDBHOST = GLOBALS.influxdb_host %}
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
{%- set NODEIP = GLOBALS.node_ip %} {%- set NODEIP = GLOBALS.node_ip %}
@@ -72,7 +72,7 @@
# Configuration for sending metrics to InfluxDB # Configuration for sending metrics to InfluxDB
[[outputs.influxdb]] [[outputs.influxdb]]
urls = ["https://{{ MANAGER }}:8086"] urls = ["https://{{ INFLUXDBHOST }}:8086"]
## Optional TLS Config for use on HTTP connections. ## Optional TLS Config for use on HTTP connections.
tls_ca = "/etc/telegraf/ca.crt" tls_ca = "/etc/telegraf/ca.crt"
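Review bot: Switching `urls = ["https://{{ INFLUXDBHOST }}:8086"]` from the manager IP to a hostname while `tls_ca = "/etc/telegraf/ca.crt"` keeps certificate verification on means the InfluxDB server certificate must now carry that hostname in its SAN list; the certificate generation is not part of this diff, so please confirm it is issued for the hostname and not only the IP. The name also has to resolve on every node that renders this config, not just on the manager. If `GLOBALS.influxdb_host` is empty on a manager whose pillar predates this change, the line renders as `https://:8086` and every telegraf output silently fails; a comment such as `# requires global:influxdb_host in the manager pillar (set by so-setup)` next to the `set` would make that dependency visible. The second hunk's tail is not fully shown here.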


@@ -4,9 +4,8 @@
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{%- set REDIS_PASS = salt['pillar.get']('redis:config:requirepass', '0') %}
export REDISCLI_AUTH={{ REDIS_PASS }}
# if this script isn't already running # if this script isn't already running
if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
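Review bot: `export REDISCLI_AUTH={{ REDIS_PASS }}` places the password in the script unquoted, so any whitespace or shell metacharacter in the generated value truncates or breaks the export; quote it as `export REDISCLI_AUTH='{{ REDIS_PASS }}'` (the value comes from `get_random_value`, whose alphabet is not visible in this diff). The `'0'` fallback in `salt['pillar.get']('redis:config:requirepass', '0')` also means a node that lacks the new pillar silently authenticates with the literal password `0` instead of failing in a way that points at the missing pillar; an empty default plus an explicit abort when the value is empty would surface the misconfiguration. Exporting the secret is preferable to passing it on the redis-cli command line, but it is inherited by every child process this script spawns, which is worth a one-line comment. The enclosing script continues outside the hunk.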


@@ -328,6 +328,8 @@ base:
- manager - manager
- nginx - nginx
- soc - soc
- influxdb
- telegraf
- kratos - kratos
- firewall - firewall
- idstools - idstools


@@ -16,6 +16,7 @@
'image_repo': INIT.PILLAR.global.imagerepo, 'image_repo': INIT.PILLAR.global.imagerepo,
'repo_host': INIT.PILLAR.global.repo_host, 'repo_host': INIT.PILLAR.global.repo_host,
'registry_host': INIT.PILLAR.global.registry_host, 'registry_host': INIT.PILLAR.global.registry_host,
'influxdb_host': INIT.PILLAR.global.influxdb_host,
'manager_ip': INIT.PILLAR.global.managerip, 'manager_ip': INIT.PILLAR.global.managerip,
'md_engine': INIT.PILLAR.global.mdengine, 'md_engine': INIT.PILLAR.global.mdengine,
'pipeline': INIT.PILLAR.global.pipeline, 'pipeline': INIT.PILLAR.global.pipeline,
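Review bot: `'influxdb_host': INIT.PILLAR.global.influxdb_host,` reads a key that only this commit starts writing to the global pillar, with no default, so a manager whose pillar predates the change renders it undefined or empty and every consumer of `GLOBALS.influxdb_host` gets a blank host. The neighbouring `repo_host` and `registry_host` entries follow the same pattern but already existed, so they do not share this upgrade gap. Unless so-setup or an upgrade script backfills the key, a guarded read such as `'influxdb_host': INIT.PILLAR.global.get('influxdb_host', INIT.PILLAR.global.managerip),` keeps existing installs rendering (if `INIT.PILLAR.global` is a plain dict, which the attribute access suggests but does not prove), though the IP is only a valid fallback if the TLS name on that connection accepts it. The dict literal continues outside the hunk.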


@@ -1217,6 +1217,7 @@ generate_passwords(){
GRAFANAPASS=$(get_random_value) GRAFANAPASS=$(get_random_value)
SENSORONIKEY=$(get_random_value) SENSORONIKEY=$(get_random_value)
KRATOSKEY=$(get_random_value) KRATOSKEY=$(get_random_value)
REDISPASS=$(get_random_value)
} }
generate_interface_vars() { generate_interface_vars() {
@@ -1376,6 +1377,13 @@ telegraf_pillar() {
manager_pillar() { manager_pillar() {
touch $adv_manager_pillar_file touch $adv_manager_pillar_file
title "Create the manager pillar" title "Create the manager pillar"
if [[ $is_import ]]; then
GRAFANA=0
PLAYBOOK=0
else
GRAFANA=1
PLAYBOOK=1
fi
printf '%s\n'\ printf '%s\n'\
"manager:"\ "manager:"\
" proxy: '$so_proxy'"\ " proxy: '$so_proxy'"\
@@ -1441,8 +1449,9 @@ create_global() {
# Continue adding other details # Continue adding other details
echo " imagerepo: '$IMAGEREPO'" >> $global_pillar_file echo " imagerepo: '$IMAGEREPO'" >> $global_pillar_file
echo " pipeline: 'redis'" >> $global_pillar_file echo " pipeline: 'redis'" >> $global_pillar_file
echo " repo_host: '$MAINIP'" >> $global_pillar_file echo " repo_host: '$HOSTNAME'" >> $global_pillar_file
echo " registry_host: '$MAINIP'" >> $global_pillar_file echo " influxdb_host: '$HOSTNAME'" >> $global_pillar_file
echo " registry_host: '$HOSTNAME'" >> $global_pillar_file
echo " endgamehost: '$ENDGAMEHOST'" >> $global_pillar_file echo " endgamehost: '$ENDGAMEHOST'" >> $global_pillar_file
} }
@@ -1508,7 +1517,10 @@ docker_pillar() {
redis_pillar() { redis_pillar() {
title "Create the redis pillar file" title "Create the redis pillar file"
touch $adv_redis_pillar_file touch $adv_redis_pillar_file
touch $redis_pillar_file printf '%s\n'\
"redis:"\
" config:"\
" requirepass: '$REDISPASS'" > $redis_pillar_file
} }
influxdb_pillar() { influxdb_pillar() {
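Review bot: In `redis_pillar`, the file holding `requirepass` is now created by `printf ... > $redis_pillar_file` instead of `touch`, so its mode comes from the shell's umask (typically 0644) rather than an explicit restriction; unless the pillar directory is already root-only, create it with `install -m 600 /dev/null "$redis_pillar_file"` before the printf, or `chmod 600 "$redis_pillar_file"` afterwards. The value is interpolated into a single-quoted YAML scalar, `requirepass: '$REDISPASS'`, which is only safe if `get_random_value` never emits a single quote — worth confirming, since its alphabet is not in this diff. In the `create_global` hunk, `$HOSTNAME` is bash's snapshot of the hostname taken at shell startup; if so-setup renames the machine earlier in the run (not visible here), these pillar entries would carry the old name, and `$(hostname)` or the variable the rename path sets would be safer. `generate_passwords`, `manager_pillar` and `create_global` start outside their hunks.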