diff --git a/salt/common/init.sls b/salt/common/init.sls index 8723cc3c5..c23e82543 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -10,6 +10,10 @@ include: - manager.elasticsearch # needed for elastic_curl_config state {% endif %} +net.core.wmem_default: + sysctl.present: + - value: 26214400 + # Remove variables.txt from /tmp - This is temp rmvariablesfile: file.absent: diff --git a/salt/elasticfleet/files/integrations/grid-nodes/import-evtx-logs.json b/salt/elasticfleet/files/integrations/grid-nodes/import-evtx-logs.json index d585c587b..5bebfd54d 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes/import-evtx-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes/import-evtx-logs.json @@ -7,6 +7,7 @@ "namespace": "so", "description": "Import Windows EVTX logs", "policy_id": "so-grid-nodes", + "vars": {}, "inputs": { "logs-logfile": { "enabled": true, @@ -15,12 +16,14 @@ "enabled": true, "vars": { "paths": [ - "/nsm/import/*/evtx/data.json" + "/nsm/import/*/evtx/*.json" ], "data_stream.dataset": "import", - "tags": [], - "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- add_fields:\n target: event\n fields:\n module: windows_eventlog\n imported: true", - "custom": "pipeline: import.wel" + "custom": "", + "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- drop_fields:\n fields: [\"host\"]\n ignore_missing: true\n- add_fields:\n target: data_stream\n fields:\n namespace: default\n type: logs\n dataset: system.security\n- add_fields:\n target: event\n fields:\n dataset: system.security\n module: system\n imported: true \n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.sysmon_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.sysmon_operational\n module: windows\n imported: true\n- if:\n equals:\n winlog.channel: 'Application'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.application\n - add_fields:\n target: event\n fields:\n dataset: system.application\n- if:\n equals:\n winlog.channel: 'System'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.system\n - add_fields:\n target: event\n fields:\n dataset: system.system\n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.powershell_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.powershell_operational\n module: windows", + "tags": [ + "import" + ] } } } diff --git a/salt/elasticsearch/files/ingest-dynamic/common b/salt/elasticsearch/files/ingest-dynamic/common index 8c8de0da1..b2c13f983 100644 --- a/salt/elasticsearch/files/ingest-dynamic/common +++ b/salt/elasticsearch/files/ingest-dynamic/common @@ -57,8 +57,11 @@ { "convert": { "field": "log.id.uid", "type": "string", "ignore_failure": true, "ignore_missing": true } }, { "convert": { "field": "agent.id", "type": "string", "ignore_failure": true, "ignore_missing": true } }, { "convert": { "field": "event.severity", "type": "integer", "ignore_failure": true, "ignore_missing": true } }, - { "set": { "field": "event.dataset", "ignore_empty_value":true, "copy_from":"event.dataset_temp" }}, - { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp" ], "ignore_missing": true, "ignore_failure": true } } + { "set": { "field": "event.dataset", "ignore_empty_value":true, "copy_from": "event.dataset_temp" }}, + { "set": { "if": "ctx.event?.dataset != null && !ctx.event.dataset.contains('.')", "field": "event.dataset", "value": "{{event.module}}.{{event.dataset}}" } }, + { "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "dataset_tag_temp" } }, + { "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}" }}, + { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "dataset_tag_temp", "event.dataset_temp" ], "ignore_missing": true, "ignore_failure": true } } {%- endraw %} {%- if HIGHLANDER %} , diff --git a/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 b/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 index cf36bc798..d6f5b65aa 100644 --- a/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 +++ b/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 @@ -71,8 +71,10 @@ }, { "set": { "ignore_failure": true, "field": "event.module", "value": "elastic_agent" } }, { "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "module_temp" } }, - { "set": { "if": "ctx.module_temp != null", "override": true, "field": "event.module", "value": "{{module_temp.0}}" }}, - { "remove": { "field": [ "module_temp" ], "ignore_missing": true, "ignore_failure": true } } + { "set": { "if": "ctx.module_temp != null", "override": true, "field": "event.module", "value": "{{module_temp.0}}" } }, + { "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "dataset_tag_temp" } }, + { "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}" } }, + { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp" ], "ignore_missing": true, "ignore_failure": true } } ], "on_failure": [ { diff --git a/salt/elasticsearch/files/ingest/suricata.common b/salt/elasticsearch/files/ingest/suricata.common index 4dea07b8b..e12fea0be 100644 --- a/salt/elasticsearch/files/ingest/suricata.common +++ b/salt/elasticsearch/files/ingest/suricata.common @@ -1,20 +1,21 @@ { "description" : "suricata.common", "processors" : [ - { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, - { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_failure": true } }, - { "rename": { "field": "message2.flow_id", "target_field": "log.id.uid", "ignore_failure": true } }, - { "rename": { "field": "message2.src_ip", "target_field": "source.ip", "ignore_failure": true } }, - { "rename": { "field": "message2.src_port", "target_field": "source.port", "ignore_failure": true } }, - { "rename": { "field": "message2.dest_ip", "target_field": "destination.ip", "ignore_failure": true } }, - { "rename": { "field": "message2.dest_port", "target_field": "destination.port", "ignore_failure": true } }, - { "rename": { "field": "message2.vlan", "target_field": "network.vlan.id", "ignore_failure": true } }, - { "rename": { "field": "message2.community_id", "target_field": "network.community_id", "ignore_missing": true } }, - { "set": { "field": "event.dataset", "value": "{{ message2.event_type }}" } }, - { "set": { "field": "observer.name", "value": "{{agent.name}}" } }, - { "set": { "field": "event.ingested", "value": "{{@timestamp}}" } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_failure": true } }, + { "rename": { "field": "message2.flow_id", "target_field": "log.id.uid", "ignore_failure": true } }, + { "rename": { "field": "message2.src_ip", "target_field": "source.ip", "ignore_failure": true } }, + { "rename": { "field": "message2.src_port", "target_field": "source.port", "ignore_failure": true } }, + { "rename": { "field": "message2.dest_ip", "target_field": "destination.ip", "ignore_failure": true } }, + { "rename": { "field": "message2.dest_port", "target_field": "destination.port", "ignore_failure": true } }, + { "rename": { "field": "message2.vlan", "target_field": "network.vlan.id", "ignore_failure": true } }, + { "rename": { "field": "message2.community_id", "target_field": "network.community_id", "ignore_missing": true } }, + { "rename": { "field": "message2.xff", "target_field": "xff.ip", "ignore_missing": true } }, + { "set": { "field": "event.dataset", "value": "{{ message2.event_type }}" } }, + { "set": { "field": "observer.name", "value": "{{agent.name}}" } }, + { "set": { "field": "event.ingested", "value": "{{@timestamp}}" } }, { "date": { "field": "message2.timestamp", "target_field": "@timestamp", "formats": ["ISO8601", "UNIX"], "timezone": "UTC", "ignore_failure": true } }, - { "remove":{ "field": "agent", "ignore_failure": true } }, + { "remove":{ "field": "agent", "ignore_failure": true } }, { "pipeline": { "if": "ctx?.event?.dataset != null", "name": "suricata.{{event.dataset}}" } } ] } diff --git a/salt/kratos/defaults.yaml b/salt/kratos/defaults.yaml index e0317ed37..3f5370dde 100644 --- a/salt/kratos/defaults.yaml +++ b/salt/kratos/defaults.yaml @@ -7,6 +7,14 @@ kratos: required_aal: highest_available selfservice: methods: + webauthn: + enabled: true + config: + passwordless: true + rp: + id: URL_BASE + origin: https://URL_BASE + display_name: Security Onion (URL_BASE) password: enabled: true config: diff --git a/salt/kratos/files/schema.json b/salt/kratos/files/schema.json index 610c250d8..647c5ce24 100644 --- a/salt/kratos/files/schema.json +++ b/salt/kratos/files/schema.json @@ -1,12 +1,12 @@ { - "$id": "securityonion.schema.json", - "$schema": "http://json-schema.org/draft-07/schema#", - "title": "Person", - "type": "object", - "properties": { - "traits": { - "type": "object", - "properties": { + "$id": "securityonion.schema.json", + "$schema": "http://json-schema.org/draft-07/schema#", + "title": "Person", + "type": "object", + "properties": { + "traits": { + "type": "object", + "properties": { "email": { "type": "string", "format": "email", @@ -20,6 +20,9 @@ }, "totp": { "account_name": true + }, + "webauthn": { + "identifier": true } }, "verification": { diff --git a/salt/kratos/map.jinja b/salt/kratos/map.jinja index 1cdc4337b..6a2b1e0c9 100644 --- a/salt/kratos/map.jinja +++ b/salt/kratos/map.jinja @@ -6,6 +6,9 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% import_yaml 'kratos/defaults.yaml' as KRATOSDEFAULTS %} +{% do KRATOSDEFAULTS.kratos.config.selfservice.methods.webauthn.config.rp.update({'origin': KRATOSDEFAULTS.kratos.config.selfservice.methods.webauthn.config.rp.origin | replace("URL_BASE", GLOBALS.url_base)}) %} +{% do KRATOSDEFAULTS.kratos.config.selfservice.methods.webauthn.config.rp.update({'id': KRATOSDEFAULTS.kratos.config.selfservice.methods.webauthn.config.rp.id | replace("URL_BASE", GLOBALS.url_base)}) %} +{% do KRATOSDEFAULTS.kratos.config.selfservice.methods.webauthn.config.rp.update({'display_name': KRATOSDEFAULTS.kratos.config.selfservice.methods.webauthn.config.rp.display_name | replace("URL_BASE", GLOBALS.url_base)}) %} {% do KRATOSDEFAULTS.kratos.config.selfservice.flows.settings.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.settings.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %} {% do KRATOSDEFAULTS.kratos.config.selfservice.flows.verification.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.verification.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %} {% do KRATOSDEFAULTS.kratos.config.selfservice.flows.login.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.login.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %} diff --git a/salt/kratos/soc_kratos.yaml b/salt/kratos/soc_kratos.yaml index 1eb9bef40..b580e9611 100644 --- a/salt/kratos/soc_kratos.yaml +++ b/salt/kratos/soc_kratos.yaml @@ -30,9 +30,8 @@ kratos: helpLink: kratos.html totp: enabled: - description: Set to True to enable Time-based One-Time Password (TOTP) MFA authentication. Leave as default to ensure proper security protections remain in place. + description: Set to True to enable Time-based One-Time Password (TOTP) multi-factor authentication (MFA). Enable to ensure proper security protections remain in place. Be aware that disabling this setting, after users have already setup TOTP, may prevent users from logging in. global: True - advanced: True helpLink: kratos.html config: issuer: @@ -40,6 +39,32 @@ kratos: global: True advanced: True helpLink: kratos.html + webauthn: + enabled: + description: Set to True to enable Security Keys (WebAuthn / PassKeys) for passwordless or multi-factor authentication (MFA) logins. Security Keys are a Public-Key Infrastructure (PKI) based authentication method, typically involving biometric hardware devices, such as laptop fingerprint scanners and USB hardware keys. Be aware that disabling this setting, after users have already setup their accounts with Security Keys, may prevent users from logging in. + global: True + helpLink: kratos.html + config: + passwordless: + description: Set to True to utilize Security Keys (WebAuthn / PassKeys) for passwordless logins. Set to false to utilize Security Keys as a multi-factor authentication (MFA) method supplementing password logins. Be aware that changing this value, after users have already setup their accounts with the previous value, may prevent users from logging in. + global: True + helpLink: kratos.html + rp: + id: + description: The internal identification used for registering new Security Keys. Leave as default to ensure Security Keys function properly. + global: True + advanced: True + helpLink: kratos.html + origin: + description: The URL used to login to SOC. Leave as default to ensure Security Keys function properly. + global: True + advanced: True + helpLink: kratos.html + display_name: + description: The name assigned to the security key. Note that URL_BASE is replaced with the hostname or IP address used to login to SOC, to help distinguish multiple Security Onion installations. + global: True + advanced: True + helpLink: kratos.html flows: settings: privileged_session_max_age: diff --git a/salt/manager/tools/sbin/so-user b/salt/manager/tools/sbin/so-user index 8234f7ae5..50836e94c 100755 --- a/salt/manager/tools/sbin/so-user +++ b/salt/manager/tools/sbin/so-user @@ -235,8 +235,8 @@ function updatePassword() { # Update DB with new hash echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB), created_at=datetime('now'), updated_at=datetime('now') where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='password');" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath" # Deactivate MFA - echo "delete from identity_credential_identifiers where identity_credential_id=(select id from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='totp'));" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath" - echo "delete from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='totp');" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath" + echo "delete from identity_credential_identifiers where identity_credential_id=(select id from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name in ('totp', 'webauthn')));" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath" + echo "delete from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name in ('totp', 'webauthn'));" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath" [[ $? != 0 ]] && fail "Unable to update password" fi } diff --git a/salt/nginx/defaults.yaml b/salt/nginx/defaults.yaml index c82d6b5df..3c520888a 100644 --- a/salt/nginx/defaults.yaml +++ b/salt/nginx/defaults.yaml @@ -2,5 +2,5 @@ nginx: enabled: False config: replace_cert: False - throttle_login_burst: 6 - throttle_login_rate: 10 + throttle_login_burst: 12 + throttle_login_rate: 20 diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index 4aeb894dd..456beb451 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -160,7 +160,7 @@ http { proxy_set_header X-Forwarded-Proto $scheme; } - location ~ ^/auth/.*?(whoami|logout|settings) { + location ~ ^/auth/.*?(whoami|logout|settings|webauthn.js) { rewrite /auth/(.*) /$1 break; proxy_pass http://{{ GLOBALS.manager }}:4433; proxy_read_timeout 90; diff --git a/salt/repo/client/files/rocky/yum.conf.jinja b/salt/repo/client/files/rocky/yum.conf.jinja index bd31ac007..118bffeef 100644 --- a/salt/repo/client/files/rocky/yum.conf.jinja +++ b/salt/repo/client/files/rocky/yum.conf.jinja @@ -12,6 +12,6 @@ installonly_limit={{ salt['pillar.get']('yum:config:installonly_limit', 2) }} bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum distroverpkg=centos-release clean_requirements_on_remove=1 -{% if proxy -%} +{%- if proxy %} proxy={{ proxy }} -{% endif %} +{%- endif %} diff --git a/salt/repo/client/map.jinja b/salt/repo/client/map.jinja index 1e5d9351f..515ec515b 100644 --- a/salt/repo/client/map.jinja +++ b/salt/repo/client/map.jinja @@ -11,6 +11,10 @@ 'Rocky-Sources.repo', 'Rocky-Vault.repo', 'Rocky-x86_64-kernel.repo', + 'rocky-addons.repo', + 'rocky-devel.repo', + 'rocky-extras.repo', + 'rocky.repo', 'docker-ce.repo', 'epel.repo', 'epel-testing.repo', diff --git a/salt/soc/config.sls b/salt/soc/config.sls index 399ff72cd..42c24c9e0 100644 --- a/salt/soc/config.sls +++ b/salt/soc/config.sls @@ -1,5 +1,5 @@ # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. @@ -78,7 +78,7 @@ soc_sbin: # - name: /usr/sbin # - source: salt://soc/tools/sbin_jinja # - user: 939 -# - group: 939 +# - group: 939 # - file_mode: 755 # - template: jinja @@ -106,6 +106,13 @@ socusersroles: - require: - sls: manager.sync_es_users +socuploaddir: + file.directory: + - name: /nsm/soc/uploads + - user: 939 + - group: 939 + - makedirs: True + {% else %} {{sls}}_state_not_allowed: diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index adbadc57f..156446b7f 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -61,7 +61,7 @@ soc: - log.id.uid - network.community_id - event.dataset - ':kratos:audit': + ':kratos:kratos.audit': - soc_timestamp - http_request.headers.x-real-ip - identity_id @@ -580,18 +580,18 @@ soc: - event.dataset - process.executable - user.name - '::process_terminated': + '::process_terminated': - soc_timestamp - process.executable - process.pid - winlog.computer_name - '::file_create': + '::file_create': - soc_timestamp - file.target - process.executable - process.pid - winlog.computer_name - '::registry_value_set': + '::registry_value_set': - soc_timestamp - winlog.event_data.TargetObject - process.executable @@ -1000,12 +1000,13 @@ soc: - destination.port - tds.header_type - log.id.uid - - event.dataset + - event.dataset server: bindAddress: 0.0.0.0:9822 baseUrl: / maxPacketCount: 5000 htmlDir: html + importUploadDir: /nsm/soc/uploads airgapEnabled: false modules: cases: soc @@ -1033,7 +1034,7 @@ soc: asyncThreshold: 10 influxdb: hostUrl: - token: + token: org: Security Onion bucket: telegraf/so_short_term verifyCert: false @@ -1127,7 +1128,7 @@ soc: showSubtitle: true - name: SOC - Auth description: Users authenticated to SOC grouped by IP address and identity - query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip identity_id' + query: 'event.dataset:kratos.audit AND msg:authenticated | groupby http_request.headers.x-real-ip identity_id' showSubtitle: true - name: SOC - App description: Logs generated by the Security Onion Console (SOC) server and modules @@ -1139,11 +1140,11 @@ soc: showSubtitle: true - name: Alerts description: Show all alerts grouped by alert source - query: 'event.dataset: alert | groupby event.module' + query: 'tags:alert | groupby event.module' showSubtitle: true - name: NIDS Alerts description: Show all NIDS alerts grouped by alert - query: 'event.category: network AND event.dataset: alert | groupby rule.category rule.gid rule.uuid rule.name' + query: 'event.category: network AND tags: alert | groupby rule.category rule.gid rule.uuid rule.name' showSubtitle: true - name: Osquery - Live Query description: Show all Osquery Live Query results @@ -1163,207 +1164,207 @@ soc: showSubtitle: true - name: Zeek Notice description: Show notices from Zeek - query: 'event.dataset:notice | groupby notice.note notice.message' + query: 'event.dataset:zeek.notice | groupby notice.note notice.message' showSubtitle: true - name: Connections description: Connections grouped by IP and Port - query: 'event.dataset:conn | groupby source.ip destination.ip network.protocol destination.port' + query: 'tags:conn | groupby source.ip destination.ip network.protocol destination.port' showSubtitle: true - name: Connections description: Connections grouped by Service - query: 'event.dataset:conn | groupby network.protocol destination.port' + query: 'tags:conn | groupby network.protocol destination.port' showSubtitle: true - name: Connections description: Connections grouped by destination country - query: 'event.dataset:conn | groupby destination.geo.country_name' + query: 'tags:conn | groupby destination.geo.country_name' showSubtitle: true - name: Connections description: Connections grouped by source country - query: 'event.dataset:conn | groupby source.geo.country_name' + query: 'tags:conn | groupby source.geo.country_name' showSubtitle: true - name: DCE_RPC description: DCE_RPC grouped by operation - query: 'event.dataset:dce_rpc | groupby dce_rpc.operation' + query: 'tags:dce_rpc | groupby dce_rpc.operation' showSubtitle: true - name: DHCP description: DHCP leases - query: 'event.dataset:dhcp | groupby host.hostname client.address' + query: 'tags:dhcp | groupby host.hostname client.address' showSubtitle: true - name: DHCP description: DHCP grouped by message type - query: 'event.dataset:dhcp | groupby dhcp.message_types' + query: 'tags:dhcp | groupby dhcp.message_types' showSubtitle: true - name: DNP3 description: DNP3 grouped by reply - query: 'event.dataset:dnp3 | groupby dnp3.fc_reply' + query: 'tags:dnp3 | groupby dnp3.fc_reply' showSubtitle: true - name: DNS description: DNS queries grouped by port - query: 'event.dataset:dns | groupby dns.query.name destination.port' + query: 'tags:dns | groupby dns.query.name destination.port' showSubtitle: true - name: DNS description: DNS queries grouped by type - query: 'event.dataset:dns | groupby dns.query.type_name destination.port' + query: 'tags:dns | groupby dns.query.type_name destination.port' showSubtitle: true - name: DNS description: DNS queries grouped by response code - query: 'event.dataset:dns | groupby dns.response.code_name destination.port' + query: 'tags:dns | groupby dns.response.code_name destination.port' showSubtitle: true - name: DNS description: DNS highest registered domain - query: 'event.dataset:dns | groupby dns.highest_registered_domain.keyword destination.port' + query: 'tags:dns | groupby dns.highest_registered_domain.keyword destination.port' showSubtitle: true - name: DNS description: DNS grouped by parent domain - query: 'event.dataset:dns | groupby dns.parent_domain.keyword destination.port' + query: 'tags:dns | groupby dns.parent_domain.keyword destination.port' showSubtitle: true - name: DPD description: Dynamic Protocol Detection errors - query: 'event.dataset:dpd | groupby error.reason' + query: 'tags:dpd | groupby error.reason' showSubtitle: true - name: Files description: Files grouped by mimetype - query: 'event.dataset:file | groupby file.mime_type source.ip' + query: 'tags:file | groupby file.mime_type source.ip' showSubtitle: true - name: Files description: Files grouped by source - query: 'event.dataset:file | groupby file.source source.ip' + query: 'tags:file | groupby file.source source.ip' showSubtitle: true - name: FTP description: FTP grouped by command and argument - query: 'event.dataset:ftp | groupby ftp.command ftp.argument' + query: 'tags:ftp | groupby ftp.command ftp.argument' showSubtitle: true - name: FTP description: FTP grouped by username and argument - query: 'event.dataset:ftp | groupby ftp.user ftp.argument' + query: 'tags:ftp | groupby ftp.user ftp.argument' showSubtitle: true - name: HTTP description: HTTP grouped by destination port - query: 'event.dataset:http | groupby destination.port' + query: 'tags:http | groupby destination.port' showSubtitle: true - name: HTTP description: HTTP grouped by status code and message - query: 'event.dataset:http | groupby http.status_code http.status_message' + query: 'tags:http | groupby http.status_code http.status_message' showSubtitle: true - name: HTTP description: HTTP grouped by method and user agent - query: 'event.dataset:http | groupby http.method http.useragent' + query: 'tags:http | groupby http.method http.useragent' showSubtitle: true - name: HTTP description: HTTP grouped by virtual host - query: 'event.dataset:http | groupby http.virtual_host' + query: 'tags:http | groupby http.virtual_host' showSubtitle: true - name: HTTP description: HTTP with exe downloads - query: 'event.dataset:http AND (file.resp_mime_types:dosexec OR file.resp_mime_types:executable) | groupby http.virtual_host' + query: 'tags:http AND (file.resp_mime_types:dosexec OR file.resp_mime_types:executable) | groupby http.virtual_host' showSubtitle: true - name: Intel description: Intel framework hits grouped by indicator - query: 'event.dataset:intel | groupby intel.indicator.keyword' + query: 'tags:intel | groupby intel.indicator.keyword' showSubtitle: true - name: IRC description: IRC grouped by command - query: 'event.dataset:irc | groupby irc.command.type' + query: 'tags:irc | groupby irc.command.type' showSubtitle: true - name: KERBEROS description: KERBEROS grouped by service - query: 'event.dataset:kerberos | groupby kerberos.service' + query: 'tags:kerberos | groupby kerberos.service' showSubtitle: true - name: MODBUS description: MODBUS grouped by function - query: 'event.dataset:modbus | groupby modbus.function' + query: 'tags:modbus | groupby modbus.function' showSubtitle: true - name: MYSQL description: MYSQL grouped by command - query: 'event.dataset:mysql | groupby mysql.command' + query: 'tags:mysql | groupby mysql.command' showSubtitle: true - name: NOTICE description: Zeek notice logs grouped by note and message - query: 'event.dataset:notice | groupby notice.note notice.message' + query: 'event.dataset:zeek.notice | groupby notice.note notice.message' showSubtitle: true - name: NTLM description: NTLM grouped by computer name - query: 'event.dataset:ntlm | groupby ntlm.server.dns.name' + query: 'tags:ntlm | groupby ntlm.server.dns.name' showSubtitle: true - name: PE description: PE files list - query: 'event.dataset:pe | groupby file.machine file.os file.subsystem' + query: 'tags:pe | groupby file.machine file.os file.subsystem' showSubtitle: true - name: RADIUS description: RADIUS grouped by username - query: 'event.dataset:radius | groupby user.name.keyword' + query: 'tags:radius | groupby user.name.keyword' showSubtitle: true - name: RDP description: RDP grouped by client name - query: 'event.dataset:rdp | groupby client.name' + query: 'tags:rdp | groupby client.name' showSubtitle: true - name: RFB description: RFB grouped by desktop name - query: 'event.dataset:rfb | groupby rfb.desktop.name.keyword' + query: 'tags:rfb | groupby rfb.desktop.name.keyword' showSubtitle: true - name: Signatures description: Zeek signatures grouped by signature id - query: 'event.dataset:signatures | groupby signature_id' + query: 'event.dataset:zeek.signatures | groupby signature_id' showSubtitle: true - name: SIP description: SIP grouped by user agent - query: 'event.dataset:sip | groupby client.user_agent' + query: 'tags:sip | groupby client.user_agent' showSubtitle: true - name: SMB_Files description: SMB files grouped by action - query: 'event.dataset:smb_files | groupby file.action' + query: 'tags:smb_files | groupby file.action' showSubtitle: true - name: SMB_Mapping description: SMB mapping grouped by path - query: 'event.dataset:smb_mapping | groupby smb.path' + query: 'tags:smb_mapping | groupby smb.path' showSubtitle: true - name: SMTP description: SMTP grouped by subject - query: 'event.dataset:smtp | groupby smtp.subject' + query: 'tags:smtp | groupby smtp.subject' showSubtitle: true - name: SNMP description: SNMP grouped by version and string - query: 'event.dataset:snmp | groupby snmp.community snmp.version' + query: 'tags:snmp | groupby snmp.community snmp.version' showSubtitle: true - name: Software description: List of software seen on the network - query: 'event.dataset:software | groupby software.type software.name' + query: 'tags:software | groupby software.type software.name' showSubtitle: true - name: SSH description: SSH grouped by version and client - query: 'event.dataset:ssh | groupby ssh.version ssh.client' + query: 'tags:ssh | groupby ssh.version ssh.client' showSubtitle: true - name: SSL description: SSL grouped by version and server name - query: 'event.dataset:ssl | groupby ssl.version ssl.server_name' + query: 'tags:ssl | groupby ssl.version ssl.server_name' showSubtitle: true - name: SYSLOG description: 'SYSLOG grouped by severity and facility ' - query: 'event.dataset:syslog | groupby syslog.severity_label syslog.facility_label' + query: 'tags:syslog | groupby syslog.severity_label syslog.facility_label' showSubtitle: true - name: Tunnel description: Tunnels grouped by type and action - query: 'event.dataset:tunnel | groupby tunnel.type event.action' + query: 'tags:tunnel | groupby tunnel.type event.action' showSubtitle: true - name: Weird description: Zeek weird log grouped by name - query: 'event.dataset:weird | groupby weird.name' + query: 'event.dataset:zeek.weird | groupby weird.name' showSubtitle: true - name: x509 description: x.509 grouped by key length and name - query: 'event.dataset:x509 | groupby x509.certificate.key.length x509.san_dns' + query: 'tags:x509 | groupby x509.certificate.key.length x509.san_dns' showSubtitle: true - name: x509 description: x.509 grouped by name and issuer - query: 'event.dataset:x509 | groupby x509.san_dns x509.certificate.issuer' + query: 'tags:x509 | groupby x509.san_dns x509.certificate.issuer' showSubtitle: true - name: x509 description: x.509 grouped by name and subject - query: 'event.dataset:x509 | groupby x509.san_dns x509.certificate.subject' + query: 'tags:x509 | groupby x509.san_dns x509.certificate.subject' showSubtitle: true - name: Firewall description: Firewall events grouped by action - query: 'event.dataset:firewall | groupby rule.action' + query: 'tags:firewall | groupby rule.action' showSubtitle: true dashboards: advanced: true @@ -1389,16 +1390,16 @@ soc: query: '* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module* | groupby event.dataset | groupby event.module* | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: SOC Auth description: SOC (Security Onion Console) authentication logs - query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby -sankey http_request.headers.x-real-ip identity_id | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent' + query: 'event.dataset:kratos.audit AND msg:authenticated | groupby -sankey http_request.headers.x-real-ip identity_id | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent' - name: Elastalerts description: Elastalert logs query: '_index: "*:elastalert*" | groupby rule_name | groupby alert_info.type' - name: Alerts description: Overview of all alerts - query: 'event.dataset:alert | groupby event.module* | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'tags:alert | groupby event.module* | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: NIDS Alerts description: NIDS (Network Intrusion Detection System) alerts - query: 'event.category:network AND event.dataset:alert | groupby rule.category | groupby -sankey source.ip destination.ip | groupby rule.name | groupby rule.uuid | groupby rule.gid | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'event.category:network AND tags:alert | groupby rule.category | groupby -sankey source.ip destination.ip | groupby rule.name | groupby rule.uuid | groupby rule.gid | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: Sysmon Overview description: Overview of all Sysmon data types query: 'event.dataset:windows.sysmon_operational | groupby -sankey event.action host.name | groupby -sankey host.name user.name | groupby host.name | groupby event.category event.action | groupby user.name | groupby dns.question.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port' @@ -1408,7 +1409,7 @@ soc: - name: Host Registry Changes description: Windows Registry changes query: 'event.category: registry | groupby -sankey event.action host.name | groupby event.dataset event.action | groupby host.name | groupby process.executable | groupby registry.path | groupby process.executable registry.path' - - name: Host DNS & Process Mappings + - name: Host DNS & Process Mappings description: DNS queries mapped to originating processes query: 'event.category: network AND _exists_:process.executable AND (_exists_:dns.question.name OR _exists_:dns.answers.data) | groupby -sankey host.name dns.question.name | groupby event.dataset event.type | groupby host.name | groupby process.executable | groupby dns.question.name | groupby dns.answers.data' - name: Host Process Activity @@ -1425,145 +1426,145 @@ soc: query: 'event.module:strelka | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.name' - name: Zeek Notice description: Zeek notice logs - query: 'event.dataset:notice | groupby -sankey notice.note destination.ip | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'event.dataset:zeek.notice | groupby -sankey notice.note destination.ip | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: Connections description: Network connection metadata - query: 'event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby -sankey destination.port network.protocol | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes | groupby client.oui' + query: 'tags:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby -sankey destination.port network.protocol | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes | groupby client.oui' - name: DCE_RPC description: DCE_RPC (Distributed Computing Environment / Remote Procedure Calls) network metadata - query: 'event.dataset:dce_rpc | groupby -sankey dce_rpc.endpoint dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.operation | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'tags:dce_rpc | groupby -sankey dce_rpc.endpoint dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.operation | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: DHCP description: DHCP (Dynamic Host Configuration Protocol) leases - query: 'event.dataset:dhcp | groupby host.hostname | groupby dhcp.message_types | groupby -sankey client.address server.address | groupby client.address | groupby server.address | groupby host.domain' + query: 'tags:dhcp | groupby host.hostname | groupby dhcp.message_types | groupby -sankey client.address server.address | groupby client.address | groupby server.address | groupby host.domain' - name: DNS description: DNS (Domain Name System) queries - query: 'event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby -sankey source.ip destination.ip | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'tags:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby -sankey source.ip destination.ip | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: DPD description: DPD (Dynamic Protocol Detection) errors - query: 'event.dataset:dpd | groupby error.reason | groupby network.protocol | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'tags:dpd | groupby error.reason | groupby network.protocol | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: Files description: Files seen in network traffic - query: 'event.dataset:file | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip | groupby destination_geo.organization_name' + query: 'tags:file | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip | groupby destination_geo.organization_name' - name: FTP description: FTP (File Transfer Protocol) network metadata - query: 'event.dataset:ftp | groupby -sankey ftp.command destination.ip | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'tags:ftp | groupby -sankey ftp.command destination.ip | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: HTTP description: HTTP (Hyper Text Transport Protocol) network metadata - query: 'event.dataset:http | groupby http.method | groupby -sankey http.method http.virtual_host | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'tags:http | groupby http.method | groupby -sankey http.method http.virtual_host | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: Intel description: Zeek Intel framework hits - query: 'event.dataset:intel | groupby intel.indicator | groupby -sankey source.ip intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:intel | groupby intel.indicator | groupby -sankey source.ip intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port' - name: IRC description: IRC (Internet Relay Chat) network metadata - query: 'event.dataset:irc | groupby irc.command.type | groupby -sankey irc.command.type irc.username | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'tags:irc | groupby irc.command.type | groupby -sankey irc.command.type irc.username | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: Kerberos description: Kerberos network metadata - query: 'event.dataset:kerberos | groupby kerberos.service | groupby -sankey kerberos.service destination.ip | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:kerberos | groupby kerberos.service | groupby -sankey kerberos.service destination.ip | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port' - name: MySQL description: MySQL network metadata - query: 'event.dataset:mysql | groupby mysql.command | groupby -sankey mysql.command destination.ip | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:mysql | groupby mysql.command | groupby -sankey mysql.command destination.ip | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port' - name: NTLM description: NTLM (New Technology LAN Manager) network metadata - query: 'event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby -sankey source.ip destination.ip | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby -sankey source.ip destination.ip | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port' - name: PE description: PE (Portable Executable) files transferred via network traffic - query: 'event.dataset:pe | groupby file.machine | groupby -sankey file.machine file.os | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit' + query: 'tags:pe | groupby file.machine | groupby -sankey file.machine file.os | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit' - name: RADIUS description: RADIUS (Remote Authentication Dial-In User Service) network metadata - query: 'event.dataset:radius | groupby -sankey user.name.keyword destination.ip | groupby user.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'tags:radius | groupby -sankey user.name.keyword destination.ip | groupby user.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: RDP description: RDP (Remote Desktop Protocol) network metadata - query: 'event.dataset:rdp | groupby client.name | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'tags:rdp | groupby client.name | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: RFB description: RFB (Remote Frame Buffer) network metadata - query: 'event.dataset:rfb | groupby rfb.desktop.name.keyword | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'tags:rfb | groupby rfb.desktop.name.keyword | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: Signatures description: Zeek signatures - query: 'event.dataset:signatures | groupby signature_id' + query: 'event.dataset:zeek.signatures | groupby signature_id' - name: SIP description: SIP (Session Initiation Protocol) network metadata - query: 'event.dataset:sip | groupby client.user_agent | groupby sip.method | groupby sip.uri | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'tags:sip | groupby client.user_agent | groupby sip.method | groupby sip.uri | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: SMB_Files description: Files transferred via SMB (Server Message Block) - query: 'event.dataset:smb_files | groupby file.action | groupby file.path | groupby file.name | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:smb_files | groupby file.action | groupby file.path | groupby file.name | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port' - name: SMB_Mapping description: SMB (Server Message Block) mapping network metadata - query: 'event.dataset:smb_mapping | groupby smb.share_type | groupby smb.path | groupby smb.service | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:smb_mapping | groupby smb.share_type | groupby smb.path | groupby smb.service | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port' - name: SMTP description: SMTP (Simple Mail Transfer Protocol) network metadata - query: 'event.dataset:smtp | groupby smtp.from | groupby smtp.recipient_to | groupby -sankey source.ip destination.ip | groupby smtp.subject | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'tags:smtp | groupby smtp.from | groupby smtp.recipient_to | groupby -sankey source.ip destination.ip | groupby smtp.subject | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: SNMP description: SNMP (Simple Network Management Protocol) network metadat - query: 'event.dataset:snmp | groupby snmp.community | groupby snmp.version | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:snmp | groupby snmp.community | groupby snmp.version | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port' - name: Software description: Software seen by Zeek via network traffic - query: 'event.dataset:software | groupby -sankey software.type source.ip | groupby software.type | groupby software.name | groupby source.ip' + query: 'tags:software | groupby -sankey software.type source.ip | groupby software.type | groupby software.name | groupby source.ip' - name: SSH description: SSH (Secure Shell) connections seen by Zeek - query: 'event.dataset:ssh | groupby ssh.client | groupby ssh.server | groupby -sankey source.ip destination.ip | groupby ssh.direction | groupby ssh.version | groupby ssh.hassh_version | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'tags:ssh | groupby ssh.client | groupby ssh.server | groupby -sankey source.ip destination.ip | groupby ssh.direction | groupby ssh.version | groupby ssh.hassh_version | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: SSL description: SSL/TLS network metadata - query: 'event.dataset:ssl | groupby ssl.version | groupby ssl.validation_status | groupby -sankey source.ip ssl.server_name | groupby ssl.server_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject' + query: 'tags:ssl | groupby ssl.version | groupby ssl.validation_status | groupby -sankey source.ip ssl.server_name | groupby ssl.server_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject' - name: STUN description: STUN (Session Traversal Utilities for NAT) network metadata - query: 'event.dataset:stun* | groupby -sankey source.ip destination.ip | groupby destination.geo.country_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby event.dataset' + query: 'tags:stun* | groupby -sankey source.ip destination.ip | groupby destination.geo.country_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby event.dataset' - name: Syslog description: Syslog logs - query: 'event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol' + query: 'tags:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol' - name: TDS description: TDS (Tabular Data Stream) network metadata - query: 'event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupby tds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby tds.query' + query: 'tags:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupby tds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby tds.query' - name: Tunnel description: Tunnels seen by Zeek - query: 'event.dataset:tunnel | groupby -sankey source.ip destination.ip | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination.geo.country_name' + query: 'tags:tunnel | groupby -sankey source.ip destination.ip | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination.geo.country_name' - name: Weird description: Weird network traffic seen by Zeek - query: 'event.dataset:weird | groupby -sankey weird.name destination.ip | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'event.dataset:zeek.weird | groupby -sankey weird.name destination.ip | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: WireGuard description: WireGuard VPN network metadata - query: 'event.dataset:wireguard | groupby -sankey source.ip destination.ip | groupby destination.geo.country_name | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:wireguard | groupby -sankey source.ip destination.ip | groupby destination.geo.country_name | groupby source.ip | groupby destination.ip | groupby destination.port' - name: x509 description: x.509 certificates seen by Zeek - query: 'event.dataset:x509 | groupby -sankey x509.certificate.key.length x509.san_dns | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer' + query: 'tags:x509 | groupby -sankey x509.certificate.key.length x509.san_dns | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer' - name: ICS Overview description: Overview of ICS (Industrial Control Systems) network metadata query: 'tags:ics | groupby event.dataset | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby source.mac | groupby destination.mac' - name: ICS BACnet description: BACnet (Building Automation and Control Networks) network metadata - query: 'event.dataset:bacnet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:bacnet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port' - name: ICS BSAP description: BSAP (Bristol Standard Asynchronous Protocol) network metadata - query: 'event.dataset:bsap* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:bsap* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port' - name: ICS CIP description: CIP (Common Industrial Protocol) network metadata - query: 'event.dataset:cip* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:cip* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port' - name: ICS COTP description: COTP (Connection Oriented Transport Protocol) network metadata - query: 'event.dataset:cotp* | groupby -sankey source.ip destination.ip | groupby cotp.pdu.name | groupby cotp.pdu.code | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:cotp* | groupby -sankey source.ip destination.ip | groupby cotp.pdu.name | groupby cotp.pdu.code | groupby source.ip | groupby destination.ip | groupby destination.port' - name: ICS DNP3 description: DNP3 (Distributed Network Protocol) network metadata - query: 'event.dataset:dnp3* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby dnp3.function_code | groupby dnp3.object_type | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:dnp3* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby dnp3.function_code | groupby dnp3.object_type | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby source.ip | groupby destination.ip | groupby destination.port' - name: ICS ECAT description: ECAT (Ethernet for Control Automation Technology) network metadata - query: 'event.dataset:ecat* | groupby -sankey event.dataset source.mac destination.mac | groupby event.dataset | groupby source.mac | groupby destination.mac | groupby ecat.command | groupby ecat.register.type' + query: 'tags:ecat* | groupby -sankey event.dataset source.mac destination.mac | groupby event.dataset | groupby source.mac | groupby destination.mac | groupby ecat.command | groupby ecat.register.type' - name: ICS ENIP description: ENIP (Ethernet Industrial Protocol) network metadata - query: 'event.dataset:enip* | groupby -sankey source.ip destination.ip | groupby enip.command | groupby enip.status_code | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:enip* | groupby -sankey source.ip destination.ip | groupby enip.command | groupby enip.status_code | groupby source.ip | groupby destination.ip | groupby destination.port' - name: ICS Modbus description: Modbus network metadata - query: 'event.dataset:modbus* | groupby -sankey event.dataset modbus.function | groupby event.dataset | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:modbus* | groupby -sankey event.dataset modbus.function | groupby event.dataset | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port' - name: ICS OPC UA description: OPC UA (Unified Architecture) network metadata - query: 'event.dataset:opcua* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:opcua* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port' - name: ICS Profinet description: Profinet (Process Field Network) network metadata - query: 'event.dataset:profinet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:profinet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port' - name: ICS S7 description: S7 (Siemens) network metadata - query: 'event.dataset:s7* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:s7* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port' - name: Firewall description: Firewall logs - query: 'event.dataset:firewall | groupby -sankey rule.action interface.name | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:firewall | groupby -sankey rule.action interface.name | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port' - name: VLAN description: VLAN (Virtual Local Area Network) tagged logs query: '* AND _exists_:network.vlan.id | groupby network.vlan.id | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby event.dataset | groupby event.module | groupby observer.name | groupby source.geo.country_name | groupby destination.geo.country_name' @@ -1621,7 +1622,7 @@ soc: - user.escalated - location - process.name - queryBaseFilter: event.dataset:alert + queryBaseFilter: tags:alert queryToggleFilters: - name: acknowledged filter: event.acknowledged:true @@ -1685,7 +1686,7 @@ soc: - name: Templates query: 'so_case.category:template' case: - analyzerNodeId: + analyzerNodeId: mostRecentlyUsedLimit: 5 renderAbbreviatedCount: 30 presets: diff --git a/salt/soc/enabled.sls b/salt/soc/enabled.sls index bc55f2d94..4169f90ca 100644 --- a/salt/soc/enabled.sls +++ b/salt/soc/enabled.sls @@ -1,5 +1,5 @@ # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. @@ -23,6 +23,7 @@ so-soc: - ipv4_address: {{ DOCKER.containers['so-soc'].ip }} - binds: - /nsm/soc/jobs:/opt/sensoroni/jobs:rw + - /nsm/soc/uploads:/nsm/soc/uploads:rw - /opt/so/log/soc/:/opt/sensoroni/logs/:rw - /opt/so/conf/soc/soc.json:/opt/sensoroni/sensoroni.json:ro - /opt/so/conf/soc/motd.md:/opt/sensoroni/html/motd.md:ro diff --git a/salt/soc/files/bin/salt-relay.sh b/salt/soc/files/bin/salt-relay.sh index a98a587a6..22be8d3e4 100755 --- a/salt/soc/files/bin/salt-relay.sh +++ b/salt/soc/files/bin/salt-relay.sh @@ -17,7 +17,7 @@ function log() { function make_pipe() { path=$1 - log "Creating pipe: $path" + log "Creating pipe: $path" rm -f "${path}" mkfifo "${path}" chmod 0660 "${path}" @@ -172,6 +172,102 @@ function manage_salt() { fi } +function send_file() { + request=$1 + from=$(echo "$request" | jq -r .from) + to=$(echo "$request" | jq -r .to) + node=$(echo "$request" | jq -r .node) + [ $(echo "$request" | jq -r .cleanup) != "true" ] ; cleanup=$? + + log "From: $from" + log "To: $to" + log "Node: $node" + log "Cleanup: $cleanup" + + log "encrypting..." + response=$(gpg --passphrase "infected" --batch --symmetric --cipher-algo AES256 "$from") + log Response:$'\n'"$response" + + fromgpg="$from.gpg" + filename=$(basename "$fromgpg") + + log "sending..." + response=$($CMD_PREFIX salt-cp -C "$node" "$fromgpg" "$to") + # salt-cp returns 0 even if the file transfer fails, so we need to check the response. + # Remove the node and filename from the response on the off-chance they contain + # the word "True" in them + echo $response | sed "s/$node//" | sed "s/$filename//" | grep True + exit_code=$? + + rm -f "$fromgpg" + + log Response:$'\n'"$response" + log "Exit Code: $exit_code" + + if [[ $cleanup -eq 1 ]]; then + log "Cleaning up file $from" + rm -f "$from" + fi + + if [[ exit_code -eq 0 ]]; then + $(echo "true" > "${SOC_PIPE}") + else + $(echo "false" > "${SOC_PIPE}") + fi +} + +function import_file() { + request=$1 + node=$(echo "$request" | jq -r .node) + file=$(echo "$request" | jq -r .file) + importer=$(echo "$request" | jq -r .importer) + + log "Node: $node" + log "File: $file" + log "Importer: $importer" + + filegpg="$file.gpg" + + log "decrypting..." + $CMD_PREFIX "salt '$node' cmd.run 'gpg --passphrase \"infected\" --batch --decrypt \"$filegpg\" > \"$file\"'" + decrypt_code=$? + + if [[ $decrypt_code -eq 0 ]]; then + log "importing..." + case $importer in + pcap) + response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-pcap $file --json'") + exit_code=$? + ;; + evtx) + response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-evtx $file --json'") + exit_code=$? + ;; + *) + response="Unsupported importer: $importer" + exit_code=1 + ;; + esac + else + response="Failed to decrypt file: $file" + exit_code=$decrypt_code + fi + + rm -f "$file" "$filegpg" + + log Response:$'\n'"$response" + log "Exit Code: $exit_code" + + if [[ exit_code -eq 0 ]]; then + # trim off the node header ("manager_standalone:\n") and parse out the URL + url=$(echo "$response" | tail -n +2 | jq -r .url) + $(echo "$url" > "${SOC_PIPE}") + else + log "false" + $(echo "false" > "${SOC_PIPE}") + fi +} + while true; do log "Listening for request" request=$(cat ${SOC_PIPE}) @@ -191,6 +287,12 @@ while true; do manage-salt) manage_salt "${request}" ;; + send-file) + send_file "${request}" + ;; + import-file) + import_file "${request}" + ;; *) log "Unsupported command: $command" $(echo "false" > "${SOC_PIPE}") diff --git a/salt/soctopus/files/templates/generic.template b/salt/soctopus/files/templates/generic.template index df120fd81..505d4ec41 100644 --- a/salt/soctopus/files/templates/generic.template +++ b/salt/soctopus/files/templates/generic.template @@ -5,7 +5,7 @@ elasticsearch_host: "{{ GLOBALS.url_base }}:9200" play_title: "" play_id: "" event.module: "playbook" -event.dataset: "alert" +event.dataset: "playbook.alert" event.severity: rule.category: play_url: "https://{{ GLOBALS.url_base }}/playbook/issues/6000" diff --git a/setup/so-functions b/setup/so-functions index 1b15bb140..ef4e44eaa 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2046,8 +2046,8 @@ saltify() { #logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.securityonion.net/file/securityonion-repo/ubuntu/20.04/amd64/salt/SALTSTACK-GPG-KEY.pub" logCmd "wget -q --inet4-only -O /etc/apt/keyrings/docker.pub https://download.docker.com/linux/ubuntu/gpg" - logCmd "curl -fsSL -o /etc/apt/keyrings/salt-archive-keyring-2023.gpg https://repo.saltproject.io/salt_rc/salt/py3/ubuntu/20.04/amd64/minor/$SALTVERSION/SALT-PROJECT-GPG-PUBKEY-2023.gpg" - echo "deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.gpg] https://repo.saltproject.io/salt_rc/salt/py3/ubuntu/20.04/amd64/minor/$SALTVERSION/ focal main" | sudo tee /etc/apt/sources.list.d/salt.list + logCmd "curl -fsSL -o /etc/apt/keyrings/salt-archive-keyring-2023.gpg https://repo.saltproject.io/salt/py3/ubuntu/20.04/amd64/minor/$SALTVERSION/SALT-PROJECT-GPG-PUBKEY-2023.gpg" + echo "deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.gpg] https://repo.saltproject.io/salt/py3/ubuntu/20.04/amd64/minor/$SALTVERSION/ focal main" | sudo tee /etc/apt/sources.list.d/salt.list logCmd "apt-key add /etc/apt/keyrings/salt-archive-keyring-2023.gpg" #logCmd "apt-key add /opt/so/gpg/SALTSTACK-GPG-KEY.pub" @@ -2062,7 +2062,7 @@ saltify() { # Ain't nothing but a GPG retry 150 20 "apt-get update" "" "Err:" || fail_setup - retry 150 20 "apt-get -y install salt-common-$SALTVERSION salt-minion-$SALTVERSION" || fail_setup + retry 150 20 "apt-get -y install salt-common=$SALTVERSION salt-minion=$SALTVERSION" || fail_setup retry 150 20 "apt-mark hold salt-minion salt-common" || fail_setup #retry 150 20 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb python3-packaging python3-influxdb python3-lxml" || exit 1 @@ -2402,7 +2402,12 @@ update_sudoers_for_testing() { update_packages() { if [[ $is_rocky ]]; then logCmd "dnf repolist" - logCmd "dnf -y update --allowerasing --exclude=salt*,wazuh*,docker*,containerd*" + logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*" + RMREPOFILES=("rocky-addons.repo" "rocky-devel.repo" "rocky-extras.repo" "rocky.repo") + info "Removing repo files added by rocky-repos package update" + for FILE in ${RMREPOFILES[@]}; do + logCmd "rm -f /etc/yum.repos.d/$FILE" + done else info "Running apt-get update" retry 150 10 "apt-get -y update" "" "Err:" >> "$setup_log" 2>&1 || fail_setup diff --git a/setup/so-verify b/setup/so-verify index 831b0049c..7e010722c 100755 --- a/setup/so-verify +++ b/setup/so-verify @@ -31,6 +31,10 @@ log_has_errors() { # Ignore Failed: 0 since that is the salt state output, and we detect state failures # via Result: False already. + + # This is ignored for Ubuntu + # Failed to restart snapd.mounts-pre.target: Operation refused, unit snapd.mounts-pre.target + # may be requested by dependency only (it is configured to refuse manual start/stop). grep -E "FAILED|Failed|failed|ERROR|Result: False" "$setup_log" | \ grep -vE "The Salt Master has cached the public key for this node" | \ @@ -46,6 +50,7 @@ log_has_errors() { grep -vE "code: 100" | \ grep -vE "/nsm/rules/sigma*" | \ grep -vE "/nsm/rules/yara*" | \ + grep -vE "Failed to restart snapd" | \ grep -vE "Running scope as unit" &> "$error_log" if [[ $? -eq 0 ]]; then