merge with 2.4/dev

2025-12-06 09:12:45 +01:00 · 2023-01-06 14:01:58 -05:00
parent 4aacc6d1db 2e53476a06
commit d4c6834cd0
40 changed files with 446 additions and 365 deletions
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -121,6 +121,7 @@ base:
  '*_heavynode':
    - elasticsearch.auth
    - soc_global
+    - redis.soc_redis
    - minions.{{ grains.id }}
    - minions.adv_{{ grains.id }}

@@ -137,6 +138,7 @@ base:
    {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
    - elasticsearch.auth
    {% endif %}
+    - redis.soc_redis
    - soc_global
    - adv_global
    - minions.{{ grains.id }}
@@ -149,6 +151,8 @@ base:
    {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
    - elasticsearch.auth
    {% endif %}
+    - redis.soc_redis
+    - redis.adv_redis
    - soc_global
    - adv_global
    - minions.{{ grains.id }}
--- a/salt/allowed_states.map.jinja
+++ b/salt/allowed_states.map.jinja
@@ -97,6 +97,8 @@
          'nginx',
          'soc',
          'kratos',
+          'influxdb',
+          'telegraf',
          'firewall',
          'idstools',
          'suricata.manager',
--- a/salt/common/tools/sbin/so-elastic-clear
+++ b/salt/common/tools/sbin/so-elastic-clear
@@ -5,8 +5,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.

-
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
 . /usr/sbin/so-common

 SKIP=0
--- a/salt/common/tools/sbin/so-elasticsearch-component-templates-list
+++ b/salt/common/tools/sbin/so-elasticsearch-component-templates-list
@@ -5,8 +5,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.

-
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
 . /usr/sbin/so-common
 if [ "$1" == "" ]; then
    curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_component_template | jq '.component_templates[] |.name'| sort
--- a/salt/common/tools/sbin/so-elasticsearch-index-templates-list
+++ b/salt/common/tools/sbin/so-elasticsearch-index-templates-list
@@ -5,8 +5,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.

-
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
 . /usr/sbin/so-common
 if [ "$1" == "" ]; then
    curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_index_template | jq '.index_templates[] |.name'| sort
--- a/salt/common/tools/sbin/so-elasticsearch-indices-list
+++ b/salt/common/tools/sbin/so-elasticsearch-indices-list
@@ -5,7 +5,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.

-{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}

 . /usr/sbin/so-common

--- a/salt/common/tools/sbin/so-elasticsearch-pipeline-stats
+++ b/salt/common/tools/sbin/so-elasticsearch-pipeline-stats
@@ -5,7 +5,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.

-{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}

 . /usr/sbin/so-common

--- a/salt/common/tools/sbin/so-elasticsearch-pipeline-view
+++ b/salt/common/tools/sbin/so-elasticsearch-pipeline-view
@@ -5,7 +5,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.

-{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}

 . /usr/sbin/so-common

--- a/salt/common/tools/sbin/so-elasticsearch-pipelines-list
+++ b/salt/common/tools/sbin/so-elasticsearch-pipelines-list
@@ -5,8 +5,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.

-
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
 . /usr/sbin/so-common
 if [ "$1" == "" ]; then
    curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq 'keys'
--- a/salt/common/tools/sbin/so-elasticsearch-shards-list
+++ b/salt/common/tools/sbin/so-elasticsearch-shards-list
@@ -5,7 +5,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.

-{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}

 . /usr/sbin/so-common

--- a/salt/common/tools/sbin/so-elasticsearch-template-remove
+++ b/salt/common/tools/sbin/so-elasticsearch-template-remove
@@ -5,7 +5,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.

-{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}

 . /usr/sbin/so-common

--- a/salt/common/tools/sbin/so-elasticsearch-template-view
+++ b/salt/common/tools/sbin/so-elasticsearch-template-view
@@ -5,7 +5,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.

-{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}

 . /usr/sbin/so-common

--- a/salt/common/tools/sbin/so-elasticsearch-templates-list
+++ b/salt/common/tools/sbin/so-elasticsearch-templates-list
@@ -5,8 +5,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.

-
-{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
 . /usr/sbin/so-common
 if [ "$1" == "" ]; then
    curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_template/* | jq 'keys'
--- a/salt/common/tools/sbin/so-image-common
+++ b/salt/common/tools/sbin/so-image-common
@@ -27,6 +27,7 @@ container_list() {
      "so-elasticsearch"
      "so-filebeat"
      "so-idstools"
+      "so-influxdb"
      "so-kibana"
      "so-kratos"
      "so-nginx"
@@ -34,6 +35,7 @@ container_list() {
      "so-soc"
      "so-steno"
      "so-suricata"
+      "so-telegraf"
      "so-zeek" 
    )
  elif [ $MANAGERCHECK != 'so-helix' ]; then
--- a/salt/common/tools/sbin/so-import-evtx
+++ b/salt/common/tools/sbin/so-import-evtx
@@ -5,15 +5,13 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.

-
-
 {%- set MANAGER = salt['grains.get']('master') %}
 {%- set VERSION = salt['pillar.get']('global:soversion') %}
 {%- set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
-{%- set MANAGERIP = salt['pillar.get']('global:managerip') -%}
+{%- set MANAGERIP = salt['pillar.get']('global:managerip') %}
 {%- set URLBASE = salt['pillar.get']('global:url_base') %}
-{% set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
-{% set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
+{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
+{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}

 INDEX_DATE=$(date +'%Y.%m.%d')
 RUNID=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 8 | head -n 1)
--- a/salt/common/tools/sbin/so-import-pcap
+++ b/salt/common/tools/sbin/so-import-pcap
@@ -5,12 +5,10 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.

-
-
 {%- set MANAGER = salt['grains.get']('master') %}
 {%- set VERSION = salt['pillar.get']('global:soversion') %}
 {%- set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
-{%- set MANAGERIP = salt['pillar.get']('global:managerip') -%}
+{%- set MANAGERIP = salt['pillar.get']('global:managerip') %}
 {%- set URLBASE = salt['pillar.get']('global:url_base') %}

 . /usr/sbin/so-common
--- a/salt/common/tools/sbin/so-kibana-config-export
+++ b/salt/common/tools/sbin/so-kibana-config-export
@@ -1,16 +1,14 @@
 #!/bin/bash
 #
-# {%- set FLEET_MANAGER = salt['pillar.get']('global:fleet_manager', False) -%}
-# {%- set FLEET_NODE = salt['pillar.get']('global:fleet_node', False) -%}
-# {%- set FLEET_IP = salt['pillar.get']('global:fleet_ip', '') %}
-# {%- set MANAGER = salt['pillar.get']('global:url_base', '') %}
-#
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.

-
+{%- set FLEET_MANAGER = salt['pillar.get']('global:fleet_manager', False) %}
+{%- set FLEET_NODE = salt['pillar.get']('global:fleet_node', False) %}
+{%- set FLEET_IP = salt['pillar.get']('global:fleet_ip', '') %}
+{%- set MANAGER = salt['pillar.get']('global:url_base', '') %}

 KIBANA_HOST={{ MANAGER }}
 KSO_PORT=5601
--- a/salt/common/tools/sbin/so-redis-count
+++ b/salt/common/tools/sbin/so-redis-count
@@ -4,9 +4,7 @@
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-
-
+{%- set REDIS_PASS = salt['pillar.get']('redis:config:requirepass', '0') %}

 . /usr/sbin/so-common
-
-docker exec so-redis redis-cli llen logstash:unparsed
+docker exec so-redis /bin/sh -c "export REDISCLI_AUTH={{ REDIS_PASS }} && redis-cli llen logstash:unparsed"
--- a/salt/common/tools/sbin/so-soc-restart
+++ b/salt/common/tools/sbin/so-soc-restart
@@ -9,5 +9,6 @@

 . /usr/sbin/so-common

+rm -f /opt/so/conf/soc/salt/pipe
 pkill salt-relay.sh
 /usr/sbin/so-restart soc $1
--- a/salt/common/tools/sbin/so-user
+++ b/salt/common/tools/sbin/so-user
@@ -230,7 +230,7 @@ function updatePassword() {
    # Generate password hash
    passwordHash=$(hashPassword "$password")
    # Update DB with new hash
-    echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB), updated_at=datetime('now') where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='password');" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
+    echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB), created_at=datetime('now'), updated_at=datetime('now') where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='password');" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
    # Deactivate MFA
    echo "delete from identity_credential_identifiers where identity_credential_id=(select id from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='totp'));" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
    echo "delete from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='totp');" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
--- a/salt/elasticsearch/files/ingest/rita.beacon
+++ b/salt/elasticsearch/files/ingest/rita.beacon
@@ -17,98 +17,63 @@
          "destination.ip",
          "network.connections",
          "network.average_bytes",
-          "beacon.interval.range",
-          "beacon.size.range",
-          "beacon.interval.top",
-          "beacon.size.top",
-          "beacon.interval.top_count",
-          "beacon.size.top_count",
-          "beacon.interval.skew",
-          "beacon.size.skew",
-          "beacon.interval.dispersion",
-          "beacon.size.dispersion",
-          "network.bytes"
+          "network.bytes",
+          "beacon.ts_score",
+          "beacon.ds_score",
+          "beacon.duration_score",
+          "beacon.historical_score",
+          "beacon.interval.top"
        ]
      }
    },
+    {
+      "convert": {
+        "field": "beacon.ds_score",
+        "type": "float"
+      }
+    },
+    {
+      "convert": {
+        "field": "beacon.duration_score",
+        "type": "float"
+      }
+    },
+    {
+      "convert": {
+        "field": "beacon.historical_score",
+        "type": "float"
+      }
+    },
    {
      "convert": {
        "field": "beacon.score",
        "type": "float"
      }
    },
+    {
+      "convert": {
+        "field": "beacon.ts_score",
+        "type": "float"
+      }
+    },
+    {
+      "convert": {
+        "field": "network.average_bytes",
+        "type": "float"
+      }
+    },
    {
      "convert": {
        "field": "network.connections",
        "type": "integer"
      }
    },
-    {
-      "convert": {
-        "field": "network.average_bytes",
-        "type": "integer"
-      }
-    },
-    {
-      "convert": {
-        "field": "beacon.interval.range",
-        "type": "integer"
-      }
-    },
-    {
-      "convert": {
-        "field": "beacon.size.range",
-        "type": "integer"
-      }
-    },
    {
      "convert": {
        "field": "beacon.interval.top",
        "type": "integer"
      }
    },
-    {
-      "convert": {
-        "field": "beacon.size.top",
-        "type": "integer"
-      }
-    },
-    {
-      "convert": {
-        "field": "beacon.interval.top_count",
-        "type": "integer"
-      }
-    },
-    {
-      "convert": {
-        "field": "beacon.size.top_count",
-        "type": "integer"
-      }
-    },
-    {
-      "convert": {
-        "field": "beacon.interval.skew",
-        "type": "float"
-      }
-    },
-    {
-      "convert": {
-        "field": "beacon.size.skew",
-        "type": "float"
-      }
-    },
-    {
-      "convert": {
-        "field": "beacon.interval.dispersion",
-        "type": "integer"
-      }
-    },
-    {
-      "convert": {
-        "field": "beacon.size.dispersion",
-        "type": "integer"
-      }
-    },
    {
      "convert": {
        "field": "network.bytes",
--- a/salt/elasticsearch/files/ingest/sysmon
+++ b/salt/elasticsearch/files/ingest/sysmon
@@ -4,14 +4,39 @@
    { "set":	{ "field": "event.code", 						"value": "{{winlog.event_id}}",		"override": true	} },     
    { "set":	{ "field": "event.module", 						"value": "sysmon",			"override": true	} },   
    { "set":	{ "if": "ctx.winlog?.computer_name != null",  "field": "observer.name", "value": "{{winlog.computer_name}}",	"override": true 	} },
-    { "set":           { "if": "ctx.event?.code == '3'",   "field": "event.category", "value": "host,process,network", "override": true }  },
    { "set":	{ "if": "ctx.event?.code == '1'",	"field": "event.category",	"value": "host,process",		"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '2'",	"field": "event.category",	"value": "host,file",			"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '3'",	"field": "event.category",	"value": "host,process,network",	"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '4'",	"field": "event.category",	"value": "host",			"override": true 	} },
    { "set":	{ "if": "ctx.event?.code == '5'",	"field": "event.category",	"value": "host,process",		"override": true 	} },
    { "set":	{ "if": "ctx.event?.code == '6'",	"field": "event.category",	"value": "host,driver",			"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '7'",	"field": "event.category",	"value": "host,process",		"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '8'",	"field": "event.category",	"value": "host,process",		"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '9'",	"field": "event.category",	"value": "host,file",			"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '10'",	"field": "event.category",	"value": "host,process",		"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '11'",	"field": "event.category",	"value": "host,file",			"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '12'",	"field": "event.category",	"value": "host,registry",		"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '13'",	"field": "event.category",	"value": "host,registry",		"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '14'",	"field": "event.category",	"value": "host,registry",		"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '15'",	"field": "event.category",	"value": "host,file",			"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '16'",	"field": "event.category",	"value": "host",			"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '17'",	"field": "event.category",	"value": "host,pipe",			"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '18'",	"field": "event.category",	"value": "host,pipe",			"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '19'",	"field": "event.category",	"value": "host,wmi",			"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '20'",	"field": "event.category",	"value": "host,wmi",			"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '21'",	"field": "event.category",	"value": "host,wmi",			"override": true 	} },
    { "set":	{ "if": "ctx.event?.code == '22'",	"field": "event.category",	"value": "network",			"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '23'",	"field": "event.category",	"value": "host,file",			"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '24'",	"field": "event.category",	"value": "host,clipboard",		"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '25'",	"field": "event.category",	"value": "host,process",		"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '26'",	"field": "event.category",	"value": "host,file",			"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '27'",	"field": "event.category",	"value": "host,file",			"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '28'",	"field": "event.category",	"value": "host,file",			"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '255'",	"field": "event.category",	"value": "host",			"override": true 	} },
    { "set":	{ "if": "ctx.event?.code == '1'",	"field": "event.dataset",	"value": "process_creation",		"override": true 	} },
    { "set":	{ "if": "ctx.event?.code == '2'",	"field": "event.dataset",	"value": "process_changed_file",	"override": true 	} },
    { "set":	{ "if": "ctx.event?.code == '3'",	"field": "event.dataset",	"value": "network_connection",		"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '4'",	"field": "event.dataset",	"value": "service_state_changed",	"override": true 	} },
    { "set":	{ "if": "ctx.event?.code == '5'",	"field": "event.dataset",	"value": "process_terminated",		"override": true 	} },
    { "set":	{ "if": "ctx.event?.code == '6'",	"field": "event.dataset",	"value": "driver_loaded",		"override": true 	} },
    { "set":	{ "if": "ctx.event?.code == '7'",	"field": "event.dataset",	"value": "image_loaded",		"override": true 	} },
@@ -24,12 +49,24 @@
    { "set":	{ "if": "ctx.event?.code == '14'",	"field": "event.dataset",	"value": "registry_key_value_rename",	"override": true 	} },
    { "set":	{ "if": "ctx.event?.code == '15'",	"field": "event.dataset",	"value": "file_create_stream_hash",	"override": true 	} },
    { "set":	{ "if": "ctx.event?.code == '16'",	"field": "event.dataset",	"value": "config_change",		"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '17'",	"field": "event.dataset",	"value": "pipe_created",		"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '18'",	"field": "event.dataset",	"value": "pipe_connected",		"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '19'",	"field": "event.dataset",	"value": "wmi_event_filter",		"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '20'",	"field": "event.dataset",	"value": "wmi_event_consumer",		"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '21'",	"field": "event.dataset",	"value": "wmi_event_consumer_to_filter","override": true 	} },
    { "set":	{ "if": "ctx.event?.code == '22'",	"field": "event.dataset",	"value": "dns_query",			"override": true 	} },
-    { "kv":            {"field":  "winlog.event_data.Hashes",  "target_field": "file.hash",    "field_split": ",",     "value_split": "=",     "ignore_missing": true } },
-    { "kv":            {"field":  "winlog.event_data.Hash",  "target_field": "file.hash",    "field_split": ",",     "value_split": "=",     "ignore_missing": true } },
-    { "rename":      { "field": "file.hash.IMPHASH", "target_field": "hash.imphash",	"ignore_missing":true } },
-    { "rename":      { "field": "file.hash.MD5", "target_field": "hash.md5",    "ignore_missing":true } },
-    { "rename":      { "field": "file.hash.SHA256", "target_field": "hash.sha256",    "ignore_missing":true } },
+    { "set":	{ "if": "ctx.event?.code == '23'",	"field": "event.dataset",	"value": "file_delete_archived",	"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '24'",	"field": "event.dataset",	"value": "clipboard_change",		"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '25'",	"field": "event.dataset",	"value": "process_tampering",		"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '26'",	"field": "event.dataset",	"value": "file_delete",			"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '27'",	"field": "event.dataset",	"value": "file_block_executable",	"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '28'",	"field": "event.dataset",	"value": "file_block_shredding",	"override": true 	} },
+    { "set":	{ "if": "ctx.event?.code == '255'",	"field": "event.dataset",	"value": "error",			"override": true 	} },
+    { "kv":	{ "field": "winlog.event_data.Hashes",  "target_field": "file.hash",    "field_split": ",", "value_split": "=",	"ignore_missing": true 	} },
+    { "kv":	{ "field": "winlog.event_data.Hash",	"target_field": "file.hash",    "field_split": ",", "value_split": "=",	"ignore_missing": true	} },
+    { "rename":	{ "field": "file.hash.IMPHASH",				"target_field": "hash.imphash",				"ignore_missing": true  } },
+    { "rename":	{ "field": "file.hash.MD5",				"target_field": "hash.md5",				"ignore_missing": true  } },
+    { "rename":	{ "field": "file.hash.SHA256",				"target_field": "hash.sha256",				"ignore_missing": true  } },
    { "rename":	{ "field": "winlog.event_data.SubjectUserName",		"target_field": "user.name",				"ignore_missing": true 	} },
    { "rename":	{ "field": "winlog.event_data.DestinationHostname",	"target_field": "destination.hostname",			"ignore_missing": true 	} },
    { "rename":	{ "field": "winlog.event_data.DestinationIp",		"target_field": "destination.ip",			"ignore_missing": true 	} },
--- a/salt/global/soc_global.yaml
+++ b/salt/global/soc_global.yaml
@@ -0,0 +1,49 @@
+global:
+  soversion:
+    description: Current version of Security Onion. 
+    global: True
+    readonly: True
+  managerip:
+    description: The IP address of the grid manager.
+    global: True
+  mdengine:
+    description: What engine to use for meta data generation. Options are ZEEK and SURICATA.
+    global: True
+  ids:
+    description: Which IDS engine to use. Currently only Suricata is supported.
+    global: True
+    readonly: True
+    advanced: True
+  url_base:
+    description: Used for handling of authentication cookies. 
+    global: True
+  airgap:
+    description: Sets airgap mode.
+    global: True
+    readonly: True
+  imagerepo:
+    description: Image repo to pull image from.
+    global: True
+    advanced: True
+  pipeline:
+    description: Sets which pipeline technology for events to use. Currently only Redis is supported.
+    global: True
+    readonly: True
+    advanced: True
+  repo_host:
+    description: Specify the host where operating system packages will be served from.
+    global: True
+    advanced: True
+  registry_host:
+    description: Specify the host where docker/podman images will be pulled from.
+    global: True
+    advanced: True
+  influxdb_host:
+    description: Specify the host where influxdb is hosted.
+    global: True
+    advanced: True
+  endgamehost:
+    description: Allows use of Endgame with Security Onion. This feature requires a license from Endgame.
+    global: True
+    advanced: True
+
--- a/salt/grafana/etc/datasources/influxdb.yaml
+++ b/salt/grafana/etc/datasources/influxdb.yaml
@@ -9,7 +9,7 @@ datasources:
    type: influxdb
    access: proxy
    database: telegraf
-    url: https://{{ GLOBALS.manager_ip }}:8086
+    url: https://{{ GLOBALS.influxdb_host }}:8086
    jsonData:
      tlsAuth: false
      tlsAuthWithCACert: false
--- a/salt/grafana/init.sls
+++ b/salt/grafana/init.sls
@@ -8,7 +8,7 @@
 {% import_yaml 'grafana/grafana_defaults.yaml' as default_settings %}
 {% set GRAFANA_SETTINGS = salt['grains.filter_by'](default_settings, default='grafana', merge=salt['pillar.get']('grafana', {})) %}

-{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] or (grains.role == 'so-eval' and GRAFANA == 1) %}
+{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-eval'] %}

 {% set ALLOWED_DASHBOARDS = ['overview', 'standalone', 'manager', 'managersearch', 'sensor', 'searchnode', 'heavynode', 'eval', 'receiver'] %}
 {% set DASHBOARDS = ['overview'] %}
--- a/salt/influxdb/init.sls
+++ b/salt/influxdb/init.sls
@@ -5,7 +5,7 @@

 {% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %}

-{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] or (grains.role == 'so-eval' and GRAFANA == 1) %}
+{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-eval', 'so-import'] %}
 {% import_yaml 'influxdb/defaults.yaml' as default_settings %}
 {% set influxdb = salt['grains.filter_by'](default_settings, default='influxdb', merge=salt['pillar.get']('influxdb', {})) %}
 {% from 'salt/map.jinja' import PYTHON3INFLUX with context %}
--- a/salt/kibana/bin/so-kibana-config-load
+++ b/salt/kibana/bin/so-kibana-config-load
@@ -63,7 +63,7 @@ update() {

    IFS=$'\r\n' GLOBIGNORE='*' command eval  'LINES=($(cat $1))'
    for i in "${LINES[@]}"; do
-      RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config-X PUT "localhost:5601/api/saved_objects/config/8.5.3" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
+      RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -X PUT "localhost:5601/api/saved_objects/config/8.5.3" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
      echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi
    done
 
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -66,8 +66,8 @@ ls_pipeline_{{PL}}_{{CONFIGFILE.split('.')[0] | replace("/","_") }}:
    - template: jinja
    - defaults:
        GLOBALS: {{ GLOBALS }}
-        ES_USER: {{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') }}
-        ES_PASS: {{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') }}
+        ES_USER: "{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') }}"
+        ES_PASS: "{{ salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') }}"
      {% else %}
    - name: /opt/so/conf/logstash/pipelines/{{PL}}/{{CONFIGFILE.split('/')[1]}}
      {% endif %}
--- a/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja
+++ b/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja
@@ -1,9 +1,10 @@
-{% set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') -%}
-{% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) -%}
-{% from 'logstash/map.jinja' import REDIS_NODES with context -%}
+{%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %}
+{%- set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
+{%- from 'logstash/map.jinja' import REDIS_NODES with context %}
+{%- set REDIS_PASS = salt['pillar.get']('redis:config:requirepass') %}

-{% for index in range(REDIS_NODES|length) -%}
-{%   for host in REDIS_NODES[index] -%}
+{%- for index in range(REDIS_NODES|length) %}
+{%-   for host in REDIS_NODES[index] %}
 input {
        redis {
                host => '{{ host }}'
@@ -14,6 +15,7 @@ input {
                type => 'redis-input'
                threads => {{ THREADS }}
                batch_count => {{ BATCH }}
+                password => {{ REDIS_PASS }}
        }
 }
 {%   endfor %}
--- a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja
@@ -4,6 +4,8 @@
  {%- set HOST = GLOBALS.manager %}
 {%- endif %}
 {%- set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %}
+{%- set REDIS_PASS = salt['pillar.get']('redis:config:requirepass') %}
+
 output {
 	redis {
 		host => '{{ HOST }}'
@@ -14,5 +16,6 @@ output {
 		congestion_threshold => 50000000
 		batch => true
 		batch_events => {{ BATCH }}
+		password => {{ REDIS_PASS }}
 	}
 }
--- a/salt/redis/defaults.yaml
+++ b/salt/redis/defaults.yaml
@@ -1,7 +1,7 @@
 redis:
  config:
    bind: '0.0.0.0'
-    protected-mode: 'no'
+    protected-mode: 'yes'
    tls-cert-file: '/certs/redis.crt'
    tls-key-file: '/certs/redis.key'
    tls-ca-cert-file: '/certs/ca.crt'
@@ -29,9 +29,9 @@ redis:
    databases: 16
    always-show-logo: 'yes'
    save:
-      900: 1
-      300: 10
-      60: 1000
+      '900': 1
+      '300': 10
+      '60': 1000
    stop-writes-on-bgsave-error: 'yes'
    rdbcompression: 'yes'
    rdbchecksum: 'yes'
--- a/salt/redis/soc_redis.yaml
+++ b/salt/redis/soc_redis.yaml
@@ -10,6 +10,10 @@ redis:
      global: True
      advanced: True
      helpLink: redis.html
+    requirepass:
+      description: Password for accessing Redis.
+      global: True
+      sensitive: True
    tls-cert-file: 
      description: TLS cert file location.
      global: True
@@ -117,15 +121,15 @@ redis:
      advanced: True
      helpLink: redis.html
    save:
-      900:
+      '900':
        description: Set the amount of keys that need to change to save after 15 minutes.
        global: True
        helpLink: redis.html
-      300: 
+      '300': 
        description: Set the amount of keys that need to change to save after 5 minutes.
        global: True
        helpLink: redis.html
-      60: 
+      '60': 
        description: Set the amount of keys that need to change to save after 1 minute
        global: True
        helpLink: redis.html
--- a/salt/soc/defaults.map.jinja
+++ b/salt/soc/defaults.map.jinja
@@ -16,7 +16,7 @@
 {% do SOCDEFAULTS.soc.server.modules.elastic.update({'username': GLOBALS.elasticsearch.auth.users.so_elastic_user.user, 'password': GLOBALS.elasticsearch.auth.users.so_elastic_user.pass}) %}

 {% if GLOBALS.role != 'so-import' %}
-{%   do SOCDEFAULTS.soc.server.modules.influxdb.update({'hostUrl': 'https://' ~ GLOBALS.manager_ip ~ ':8086'}) %}
+{%   do SOCDEFAULTS.soc.server.modules.influxdb.update({'hostUrl': 'https://' ~ GLOBALS.influxdb_host ~ ':8086'}) %}
 {% endif %}

 {% do SOCDEFAULTS.soc.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.sosrange, 'apiKey': pillar.sensoroni.sensoronikey}) %}
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -496,16 +496,6 @@ soc:
      - event.severity_label
      - log.id.uid
      - network.community_id
-    ':sysmon:':
-      - soc_timestamp
-      - source.ip
-      - source.port
-      - destination.ip
-      - destination.port
-      - source.hostname
-      - event.dataset
-      - process.executable
-      - user.name
    ':windows_eventlog:':
      - soc_timestamp
      - user.name
@@ -570,6 +560,24 @@ soc:
      - destination.geo.country_iso_code
      - user.name
      - source.ip
+    ':sysmon:':
+      - soc_timestamp
+      - event.dataset
+      - process.executable
+      - user.name
+      - file.target
+      - dns.query.name
+      - winlog.event_data.TargetObject
+    '::network_connection':
+      - soc_timestamp
+      - source.ip
+      - source.port
+      - destination.ip
+      - destination.port
+      - source.hostname
+      - event.dataset
+      - process.executable
+      - user.name
    '::process_terminated': 
      - soc_timestamp
      - process.executable
@@ -1374,19 +1382,19 @@ soc:
        queries:
          - name: Overview
            description: Overview of all events
-            query: '* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module | groupby event.dataset | groupby event.module | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port'
+            query: '* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module | groupby event.dataset | groupby event.module | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
          - name: SOC Auth
            description: SOC (Security Onion Console) authentication logs
-            query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent'
+            query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby -sankey http_request.headers.x-real-ip identity_id | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent'
          - name: Elastalerts
            description: Elastalert logs
            query: '_index: "*:elastalert*" | groupby rule_name | groupby alert_info.type'
          - name: Alerts
            description: Overview of all alerts
-            query: 'event.dataset: alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port'
+            query: 'event.dataset:alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
          - name: NIDS Alerts
            description: NIDS (Network Intrusion Detection System) alerts
-            query: 'event.category: network AND event.dataset: alert | groupby rule.category | groupby rule.gid | groupby rule.uuid | groupby rule.name | groupby source.ip | groupby destination.ip | groupby destination.port'
+            query: 'event.category:network AND event.dataset:alert | groupby rule.category | groupby -sankey source.ip destination.ip | groupby rule.name | groupby rule.uuid | groupby rule.gid | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
          - name: Sysmon Overview
            description: Overview of all Sysmon data types
            query: 'event.module:sysmon | groupby -sankey event.dataset winlog.computer_name | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby event.dataset | groupby user.name | groupby dns.query.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.target | groupby source.ip | groupby destination.ip | groupby destination.port'
@@ -1401,115 +1409,115 @@ soc:
            query: '(event.dataset:process_creation OR event.dataset:process_terminated OR event.dataset:process_access) | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby user.name | groupby event.dataset | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable'
          - name: Sysmon File
            description: File activity captured by Sysmon
-            query: '(event.dataset:file_create OR event.dataset:file_create_stream_hash OR event.dataset:process_changed_file) | groupby -sankey winlog.computer_name process.executable | groupby winlog.computer_name | groupby event.dataset | groupby file.target | groupby process.executable'
+            query: 'event.module:sysmon AND event.dataset:file_* | groupby -sankey winlog.computer_name process.executable | groupby winlog.computer_name | groupby event.dataset | groupby file.target | groupby process.executable'
          - name: Sysmon Network
            description: Network activity captured by Sysmon
            query: 'event.dataset:network_connection | groupby -sankey winlog.computer_name destination.ip destination.port | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
          - name: Strelka
            description: Strelka file analysis
-            query: 'event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source'
+            query: 'event.module:strelka | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.name'
          - name: Zeek Notice
            description: Zeek notice logs
-            query: 'event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port'
+            query: 'event.dataset:notice | groupby -sankey notice.note destination.ip | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
          - name: Connections
            description: Network connection metadata
-            query: 'event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes'
+            query: 'event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby -sankey destination.port network.protocol | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes | groupby client.oui'
          - name: DCE_RPC
            description: DCE_RPC (Distributed Computing Environment / Remote Procedure Calls) network metadata
-            query: 'event.dataset:dce_rpc | groupby dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port'
+            query: 'event.dataset:dce_rpc | groupby -sankey dce_rpc.endpoint dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.operation | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
          - name: DHCP
            description: DHCP (Dynamic Host Configuration Protocol) leases
-            query: 'event.dataset:dhcp | groupby host.hostname | groupby host.domain | groupby dhcp.message_types | groupby client.address | groupby server.address'
+            query: 'event.dataset:dhcp | groupby host.hostname | groupby host.domain | groupby dhcp.message_types | groupby -sankey client.address server.address | groupby client.address | groupby server.address'
          - name: DNS
            description: DNS (Domain Name System) queries
-            query: 'event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port'
+            query: 'event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby -sankey source.ip destination.ip | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
          - name: DPD
            description: DPD (Dynamic Protocol Detection) errors
-            query: 'event.dataset:dpd | groupby error.reason | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol'
+            query: 'event.dataset:dpd | groupby error.reason | groupby network.protocol | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
          - name: Files
            description: Files seen in network traffic
-            query: 'event.dataset:file | groupby file.mime_type | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip'
+            query: 'event.dataset:file | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip | groupby destination_geo.organization_name'
          - name: FTP
            description: FTP (File Transfer Protocol) network metadata
-            query: 'event.dataset:ftp | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port'
+            query: 'event.dataset:ftp | groupby -sankey ftp.command destination.ip | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
          - name: HTTP
            description: HTTP (Hyper Text Transport Protocol) network metadata
-            query: 'event.dataset:http | groupby http.method | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port'
+            query: 'event.dataset:http | groupby http.method | groupby -sankey http.method http.virtual_host | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
          - name: Intel
            description: Zeek Intel framework hits
-            query: 'event.dataset:intel | groupby intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port'
+            query: 'event.dataset:intel | groupby intel.indicator | groupby -sankey source.ip intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port'
          - name: IRC
            description: IRC (Internet Relay Chat) network metadata
-            query: 'event.dataset:irc | groupby irc.command.type | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port'
+            query: 'event.dataset:irc | groupby irc.command.type | groupby -sankey irc.command.type irc.username | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
          - name: Kerberos
            description: Kerberos network metadata
-            query: 'event.dataset:kerberos | groupby kerberos.service | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port'
+            query: 'event.dataset:kerberos | groupby kerberos.service | groupby -sankey kerberos.service destination.ip | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port'
          - name: MySQL
            description: MySQL network metadata
-            query: 'event.dataset:mysql | groupby mysql.command | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port'
+            query: 'event.dataset:mysql | groupby mysql.command | groupby -sankey mysql.command destination.ip | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port'
          - name: NTLM
            description: NTLM (New Technology LAN Manager) network metadata
-            query: 'event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port'
+            query: 'event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby -sankey source.ip destination.ip | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port'
          - name: PE
            description: PE (Portable Executable) files transferred via network traffic
-            query: 'event.dataset:pe | groupby file.machine | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit'
+            query: 'event.dataset:pe | groupby file.machine | groupby -sankey file.machine file.os | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit'
          - name: RADIUS
            description: RADIUS (Remote Authentication Dial-In User Service) network metadata
-            query: 'event.dataset:radius | groupby user.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port'
+            query: 'event.dataset:radius | groupby -sankey user.name.keyword destination.ip | groupby user.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
          - name: RDP
            description: RDP (Remote Desktop Protocol) network metadata
-            query: 'event.dataset:rdp | groupby client.name | groupby source.ip | groupby destination.ip | groupby destination.port'
+            query: 'event.dataset:rdp | groupby client.name | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
          - name: RFB
            description: RFB (Remote Frame Buffer) network metadata
-            query: 'event.dataset:rfb | groupby rfb.desktop.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port'
+            query: 'event.dataset:rfb | groupby rfb.desktop.name.keyword | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
          - name: Signatures
            description: Zeek signatures
            query: 'event.dataset:signatures | groupby signature_id'
          - name: SIP
            description: SIP (Session Initiation Protocol) network metadata
-            query: 'event.dataset:sip | groupby client.user_agent | groupby sip.method | groupby sip.uri | groupby source.ip | groupby destination.ip | groupby destination.port'
+            query: 'event.dataset:sip | groupby client.user_agent | groupby sip.method | groupby sip.uri | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
          - name: SMB_Files
            description: Files transferred via SMB (Server Message Block)
-            query: 'event.dataset:smb_files | groupby file.action | groupby file.path | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port'
+            query: 'event.dataset:smb_files | groupby file.action | groupby file.path | groupby file.name | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port'
          - name: SMB_Mapping
            description: SMB (Server Message Block) mapping network metadata
-            query: 'event.dataset:smb_mapping | groupby smb.share_type | groupby smb.path | groupby smb.service | groupby source.ip | groupby destination.ip | groupby destination.port'
+            query: 'event.dataset:smb_mapping | groupby smb.share_type | groupby smb.path | groupby smb.service | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port'
          - name: SMTP
            description: SMTP (Simple Mail Transfer Protocol) network metadata
-            query: 'event.dataset:smtp | groupby smtp.from | groupby smtp.recipient_to | groupby smtp.subject | groupby source.ip | groupby destination.ip | groupby destination.port'
+            query: 'event.dataset:smtp | groupby smtp.from | groupby smtp.recipient_to | groupby -sankey source.ip destination.ip | groupby smtp.subject | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
          - name: SNMP
            description: SNMP (Simple Network Management Protocol) network metadat
-            query: 'event.dataset:snmp | groupby snmp.community | groupby snmp.version | groupby source.ip | groupby destination.ip | groupby destination.port'
+            query: 'event.dataset:snmp | groupby snmp.community | groupby snmp.version | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port'
          - name: Software
            description: Software seen by Zeek via network traffic
-            query: 'event.dataset:software | groupby software.type | groupby software.name | groupby source.ip'
+            query: 'event.dataset:software | groupby -sankey software.type source.ip | groupby software.type | groupby software.name | groupby source.ip'
          - name: SSH
            description: SSH (Secure Shell) connections seen by Zeek
-            query: 'event.dataset:ssh | groupby ssh.client | groupby ssh.server | groupby ssh.direction | groupby ssh.version | groupby ssh.hassh_version | groupby source.ip | groupby destination.ip | groupby destination.port'
+            query: 'event.dataset:ssh | groupby ssh.client | groupby ssh.server | groupby -sankey source.ip destination.ip | groupby ssh.direction | groupby ssh.version | groupby ssh.hassh_version | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
          - name: SSL
            description: SSL/TLS network metadata
-            query: 'event.dataset:ssl | groupby ssl.version | groupby ssl.validation_status | groupby ssl.server_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject | groupby source.ip | groupby destination.ip | groupby destination.port'
+            query: 'event.dataset:ssl | groupby ssl.version | groupby ssl.validation_status | groupby -sankey source.ip ssl.server_name | groupby ssl.server_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject'
          - name: STUN
            description: STUN (Session Traversal Utilities for NAT) network metadata
            query: 'event.dataset:stun* | groupby -sankey source.ip destination.ip | groupby destination.geo.country_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby event.dataset'
          - name: Syslog
            description: Syslog logs
-            query: 'event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby network.protocol | groupby source.ip | groupby destination.ip | groupby destination.port'
+            query: 'event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol'
          - name: TDS
            description: TDS (Tabular Data Stream) network metadata
            query: 'event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupby tds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby tds.query'
          - name: Tunnel
            description: Tunnels seen by Zeek
-            query: 'event.dataset:tunnel | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port'
+            query: 'event.dataset:tunnel | groupby -sankey source.ip destination.ip | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination.geo.country_name'
          - name: Weird
            description: Weird network traffic seen by Zeek
-            query: 'event.dataset:weird | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port '
+            query: 'event.dataset:weird | groupby -sankey weird.name destination.ip | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
          - name: WireGuard
            description: WireGuard VPN network metadata
            query: 'event.dataset:wireguard | groupby -sankey source.ip destination.ip | groupby destination.geo.country_name | groupby source.ip | groupby destination.ip | groupby destination.port'
          - name: x509
            description: x.509 certificates seen by Zeek
-            query: 'event.dataset:x509 | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer'
+            query: 'event.dataset:x509 | groupby -sankey x509.certificate.key.length x509.san_dns | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer'
          - name: ICS Overview
            description: Overview of ICS (Industrial Control Systems) network metadata
            query: 'tags:ics | groupby event.dataset | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby source.mac | groupby destination.mac'
@@ -1548,7 +1556,7 @@ soc:
            query: 'event.dataset:s7* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port'
          - name: Firewall
            description: Firewall logs
-            query: 'event.dataset:firewall | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port'
+            query: 'event.dataset:firewall | groupby -sankey rule.action interface.name | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port'
      job:
      alerts:
        advanced: false
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -42,8 +42,10 @@ soc:
    description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action.
    global: True
  eventFields:
-    description: A map of event metadata groupings to field lists. The field list specifies all the columns to show when displaying individual events (not groups). The event metadata grouping uses the format ":event.module:event.dataset".
+    default:
+      description: The list of fields to show as columns in the Hunt/Dashboards event table, when no other specific mapping applies. Mappings are defined by the format ":event.module:event.dataset".
      global: True
+      advanced: True
  server:
    maxPacketCount:
      description: Maximum number of packets to show in the PCAP viewer. Larger values can cause more resource utilization on both the SOC server and the browser.
@@ -146,6 +148,7 @@ soc:
          global: True
        queries:
          description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key.
+          global: True
      alerts: *appSettings
      cases: *appSettings
      dashboards: *appSettings
--- a/salt/telegraf/etc/telegraf.conf
+++ b/salt/telegraf/etc/telegraf.conf
@@ -1,5 +1,5 @@
 # Telegraf Configuration
-{%- set MANAGER = GLOBALS.manager %}
+{%- set INFLUXDBHOST = GLOBALS.influxdb_host %}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 {%- set NODEIP = GLOBALS.node_ip %}
@@ -72,7 +72,7 @@

 # Configuration for sending metrics to InfluxDB
 [[outputs.influxdb]]
-  urls = ["https://{{ MANAGER }}:8086"]
+  urls = ["https://{{ INFLUXDBHOST }}:8086"]

  ## Optional TLS Config for use on HTTP connections.
   tls_ca = "/etc/telegraf/ca.crt"
--- a/salt/telegraf/scripts/redis.sh
+++ b/salt/telegraf/scripts/redis.sh
@@ -4,9 +4,8 @@
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-
-
-
+{%- set REDIS_PASS = salt['pillar.get']('redis:config:requirepass', '0') %}
+export REDISCLI_AUTH={{ REDIS_PASS }}
 # if this script isn't already running
 if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then

--- a/salt/top.sls
+++ b/salt/top.sls
@@ -328,6 +328,8 @@ base:
    - manager
    - nginx
    - soc
+    - influxdb
+    - telegraf
    - kratos
    - firewall
    - idstools
--- a/salt/vars/globals.map.jinja
+++ b/salt/vars/globals.map.jinja
@@ -16,6 +16,7 @@
    'image_repo': INIT.PILLAR.global.imagerepo,
    'repo_host': INIT.PILLAR.global.repo_host,
    'registry_host': INIT.PILLAR.global.registry_host,
+    'influxdb_host': INIT.PILLAR.global.influxdb_host,
    'manager_ip': INIT.PILLAR.global.managerip,
    'md_engine': INIT.PILLAR.global.mdengine,
    'pipeline': INIT.PILLAR.global.pipeline,
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1217,6 +1217,7 @@ generate_passwords(){
  GRAFANAPASS=$(get_random_value)
  SENSORONIKEY=$(get_random_value)
  KRATOSKEY=$(get_random_value)
+  REDISPASS=$(get_random_value)
 }

 generate_interface_vars() {
@@ -1376,6 +1377,13 @@ telegraf_pillar() {
 manager_pillar() {
 	touch $adv_manager_pillar_file
 	title "Create the manager pillar"
+	if [[ $is_import ]]; then
+		GRAFANA=0
+		PLAYBOOK=0
+	else
+		GRAFANA=1
+		PLAYBOOK=1
+	fi
 	printf '%s\n'\
 		"manager:"\
 		"  proxy: '$so_proxy'"\
@@ -1441,8 +1449,9 @@ create_global() {
 	# Continue adding other details	
 	echo "  imagerepo: '$IMAGEREPO'" >> $global_pillar_file
 	echo "  pipeline: 'redis'" >> $global_pillar_file
-	echo "  repo_host: '$MAINIP'" >> $global_pillar_file
-	echo "  registry_host: '$MAINIP'" >> $global_pillar_file
+	echo "  repo_host: '$HOSTNAME'" >> $global_pillar_file
+	echo "  influxdb_host: '$HOSTNAME'" >> $global_pillar_file
+	echo "  registry_host: '$HOSTNAME'" >> $global_pillar_file
 	echo "  endgamehost: '$ENDGAMEHOST'" >> $global_pillar_file
 }

@@ -1508,7 +1517,10 @@ docker_pillar() {
 redis_pillar() {
 	title "Create the redis pillar file"
 	touch $adv_redis_pillar_file
-	touch $redis_pillar_file
+	printf '%s\n'\
+		"redis:"\
+		"  config:"\
+		"    requirepass: '$REDISPASS'" > $redis_pillar_file
 }

 influxdb_pillar() {