From f765dc23ea04645a7adc396db6eaa64dc7f7ba95 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 26 May 2023 09:54:50 -0400 Subject: [PATCH 01/26] kilofy version --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 8e8299dcc..7f2e97617 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.2 +2.4.0-kilo From 21a7b76352938d5825a83b0c3cd41204060145f2 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 14 Jun 2023 13:33:31 -0400 Subject: [PATCH 02/26] webauthn --- salt/kratos/defaults.yaml | 8 ++++++++ salt/kratos/files/schema.json | 19 +++++++++++-------- salt/kratos/map.jinja | 3 +++ salt/kratos/soc_kratos.yaml | 29 +++++++++++++++++++++++++++-- salt/manager/tools/sbin/so-user | 4 ++-- salt/nginx/defaults.yaml | 4 ++-- salt/nginx/etc/nginx.conf | 2 +- 7 files changed, 54 insertions(+), 15 deletions(-) diff --git a/salt/kratos/defaults.yaml b/salt/kratos/defaults.yaml index e0317ed37..3f5370dde 100644 --- a/salt/kratos/defaults.yaml +++ b/salt/kratos/defaults.yaml @@ -7,6 +7,14 @@ kratos: required_aal: highest_available selfservice: methods: + webauthn: + enabled: true + config: + passwordless: true + rp: + id: URL_BASE + origin: https://URL_BASE + display_name: Security Onion (URL_BASE) password: enabled: true config: diff --git a/salt/kratos/files/schema.json b/salt/kratos/files/schema.json index 610c250d8..647c5ce24 100644 --- a/salt/kratos/files/schema.json +++ b/salt/kratos/files/schema.json @@ -1,12 +1,12 @@ { - "$id": "securityonion.schema.json", - "$schema": "http://json-schema.org/draft-07/schema#", - "title": "Person", - "type": "object", - "properties": { - "traits": { - "type": "object", - "properties": { + "$id": "securityonion.schema.json", + "$schema": "http://json-schema.org/draft-07/schema#", + "title": "Person", + "type": "object", + "properties": { + "traits": { + "type": "object", + "properties": { "email": { "type": "string", "format": "email", 
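Review bot: The new `rp.id: URL_BASE` and `origin: https://URL_BASE` defaults in the kratos/defaults.yaml hunk only work when URL_BASE is a DNS hostname reached on the default HTTPS port; the soc_kratos.yaml hunk in this same patch says URL_BASE may be "the hostname or IP address used to login", and to my knowledge browsers reject an IP address as a WebAuthn RP ID, so key registration would fail on such installs, and a non-443 port would also have to appear in `origin` for the browser origin to match. Consider documenting the constraint next to the keys, e.g. `# rp.id must be the DNS name users browse to (IP addresses are not valid RP IDs); origin must match the browser origin exactly, including any non-default port`, and checking the substituted value where URL_BASE is replaced (the map.jinja hunk). Separately, `enabled: true` together with `passwordless: true` makes passwordless WebAuthn the shipped default, which changes what a registered security key grants; that is worth stating explicitly in the commit message rather than only in the settings text.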
@@ -20,6 +20,9 @@ }, "totp": { "account_name": true + }, + "webauthn": { + "identifier": true } }, "verification": { diff --git a/salt/kratos/map.jinja b/salt/kratos/map.jinja index 1cdc4337b..6a2b1e0c9 100644 --- a/salt/kratos/map.jinja +++ b/salt/kratos/map.jinja @@ -6,6 +6,9 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% import_yaml 'kratos/defaults.yaml' as KRATOSDEFAULTS %} +{% do KRATOSDEFAULTS.kratos.config.selfservice.methods.webauthn.config.rp.update({'origin': KRATOSDEFAULTS.kratos.config.selfservice.methods.webauthn.config.rp.origin | replace("URL_BASE", GLOBALS.url_base)}) %} +{% do KRATOSDEFAULTS.kratos.config.selfservice.methods.webauthn.config.rp.update({'id': KRATOSDEFAULTS.kratos.config.selfservice.methods.webauthn.config.rp.id | replace("URL_BASE", GLOBALS.url_base)}) %} +{% do KRATOSDEFAULTS.kratos.config.selfservice.methods.webauthn.config.rp.update({'display_name': KRATOSDEFAULTS.kratos.config.selfservice.methods.webauthn.config.rp.display_name | replace("URL_BASE", GLOBALS.url_base)}) %} {% do KRATOSDEFAULTS.kratos.config.selfservice.flows.settings.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.settings.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %} {% do KRATOSDEFAULTS.kratos.config.selfservice.flows.verification.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.verification.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %} {% do KRATOSDEFAULTS.kratos.config.selfservice.flows.login.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.login.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %} diff --git a/salt/kratos/soc_kratos.yaml b/salt/kratos/soc_kratos.yaml index 1eb9bef40..19487abf8 100644 --- a/salt/kratos/soc_kratos.yaml +++ b/salt/kratos/soc_kratos.yaml 
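Review bot: The three added `{% do KRATOSDEFAULTS...webauthn.config.rp.update(...) %}` lines in the map.jinja hunk are the same statement repeated for `origin`, `id` and `display_name`, which makes the long dotted path easy to get wrong when a fourth key is added. A loop reads more clearly and keeps the path in one place: `{% for k in ['id', 'origin', 'display_name'] %}`, `{% do KRATOSDEFAULTS.kratos.config.selfservice.methods.webauthn.config.rp.update({k: KRATOSDEFAULTS.kratos.config.selfservice.methods.webauthn.config.rp[k] | replace("URL_BASE", GLOBALS.url_base)}) %}`, `{% endfor %}`. The surrounding `flows.*` substitutions that follow are existing code and could be folded the same way in a later change.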
@@ -30,9 +30,8 @@ kratos: helpLink: kratos.html totp: enabled: - description: Set to True to enable Time-based One-Time Password (TOTP) MFA authentication. Leave as default to ensure proper security protections remain in place. + description: Set to True to enable Time-based One-Time Password (TOTP) multi-factor authentication (MFA). Enable to ensure proper security protections remain in place. global: True - advanced: True helpLink: kratos.html config: issuer: @@ -40,6 +39,32 @@ kratos: global: True advanced: True helpLink: kratos.html + webauthn: + enabled: + description: Set to True to enable Security Keys (WebAuthn / PassKeys) for passwordless or multi-factor authentication (MFA) logins. Security Keys are a Public-Key Infrastructure (PKI) based authentication method, typically involving biometric hardware devices, such as laptop fingerprint scanners and USB hardware keys. + global: True + helpLink: kratos.html + config: + passwordless: + description: Set to True to utilize Security Keys (WebAuthn / PassKeys) for passwordless logins. Set to false to utilize Security Keys as a multi-factor authentication (MFA) method supplementing password logins. + global: True + helpLink: kratos.html + rp: + id: + description: The internal identification used for registering new Security Keys. Leave as default to ensure Security Keys function properly. + global: True + advanced: True + helpLink: kratos.html + origin: + description: The URL used to login to SOC. Leave as default to ensure Security Keys function properly. + global: True + advanced: True + helpLink: kratos.html + display_name: + description: The name assigned to the security key. Note that URL_BASE is replaced with the hostname or IP address used to login to SOC, to help distinguish multiple Security Onion installations. + global: True + advanced: True + helpLink: kratos.html flows: settings: privileged_session_max_age: 
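Review bot: The description added for `rp.id` ("The internal identification used for registering new Security Keys") does not tell an administrator what the value actually is or why changing it is dangerous: it is the WebAuthn Relying Party ID that every registered key is bound to, so altering it after users have enrolled invalidates their keys. Suggested wording: `description: The WebAuthn Relying Party ID (the domain name of the SOC URL) that Security Keys are bound to. Leave as default; changing it after keys have been registered will prevent those keys from working.` The `origin` description could likewise say it must match the browser origin exactly, including port. Minor: the `passwordless` text says "Set to True" and then "Set to false"; pick one capitalisation across the file, and note that the first hunk also drops `advanced: True` from `totp.enabled`, which surfaces that toggle in the basic settings view.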
diff --git a/salt/manager/tools/sbin/so-user b/salt/manager/tools/sbin/so-user index 8234f7ae5..50836e94c 100755 --- a/salt/manager/tools/sbin/so-user +++ b/salt/manager/tools/sbin/so-user @@ -235,8 +235,8 @@ function updatePassword() { # Update DB with new hash echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB), created_at=datetime('now'), updated_at=datetime('now') where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='password');" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath" # Deactivate MFA - echo "delete from identity_credential_identifiers where identity_credential_id=(select id from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='totp'));" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath" - echo "delete from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='totp');" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath" + echo "delete from identity_credential_identifiers where identity_credential_id=(select id from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name in ('totp', 'webauthn')));" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath" + echo "delete from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name in ('totp', 'webauthn'));" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath" [[ $? != 0 ]] && fail "Unable to update password" fi } diff --git a/salt/nginx/defaults.yaml b/salt/nginx/defaults.yaml index c82d6b5df..3c520888a 100644 --- a/salt/nginx/defaults.yaml +++ b/salt/nginx/defaults.yaml 
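Review bot: Both rewritten `delete` statements in updatePassword() compare a single id with `=` against a subquery that can now return two rows (one for `totp`, one for `webauthn`); SQLite takes only the first row of such a scalar subquery, so only one of the two credential types is actually removed and the other MFA/passwordless credential silently survives the reset. Change the comparisons to `in`: `identity_credential_type_id in (select id from identity_credential_types where name in ('totp', 'webauthn'))` in both statements, and `identity_credential_id in (select id from identity_credentials where ...)` in the first one. Since this path deliberately strips a user's second factor on a password reset, it is worth a one-line comment above the block noting that webauthn credentials are removed as well and that the user must re-enrol afterwards. The enclosing function starts before the hunk.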
@@ -2,5 +2,5 @@ nginx: enabled: False config: replace_cert: False - throttle_login_burst: 6 - throttle_login_rate: 10 + throttle_login_burst: 12 + throttle_login_rate: 20 diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index 4aeb894dd..456beb451 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -160,7 +160,7 @@ http { proxy_set_header X-Forwarded-Proto $scheme; } - location ~ ^/auth/.*?(whoami|logout|settings) { + location ~ ^/auth/.*?(whoami|logout|settings|webauthn.js) { rewrite /auth/(.*) /$1 break; proxy_pass http://{{ GLOBALS.manager }}:4433; proxy_read_timeout 90; From b4e5ac97969dd426cd3475d66d32d4e14732abf3 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 14 Jun 2023 16:11:50 -0400 Subject: [PATCH 03/26] Add note to advise against changing settings --- salt/kratos/soc_kratos.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/kratos/soc_kratos.yaml b/salt/kratos/soc_kratos.yaml index 19487abf8..b580e9611 100644 --- a/salt/kratos/soc_kratos.yaml +++ b/salt/kratos/soc_kratos.yaml @@ -30,7 +30,7 @@ kratos: helpLink: kratos.html totp: enabled: - description: Set to True to enable Time-based One-Time Password (TOTP) multi-factor authentication (MFA). Enable to ensure proper security protections remain in place. + description: Set to True to enable Time-based One-Time Password (TOTP) multi-factor authentication (MFA). Enable to ensure proper security protections remain in place. Be aware that disabling this setting, after users have already setup TOTP, may prevent users from logging in. global: True helpLink: kratos.html config: 
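Review bot: Doubling `throttle_login_burst` and `throttle_login_rate` halves the protection the login rate limit gives against credential guessing, and neither the file nor the commit message says why. If the reason is that a WebAuthn login issues more `/auth` requests per attempt than a password login, record that next to the keys, e.g. `# Raised for WebAuthn: one login now makes several /auth requests`, so the next reviewer does not quietly tighten or loosen it again; if that is not the reason, the change needs its own justification.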
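Review bot: In the new `location` regex the `.` in `webauthn.js` is unescaped, so it matches any character rather than a literal dot; the pattern is also unanchored on the right, so any path containing `webauthn` followed by one character and `js` is proxied to Kratos. Escape it: `location ~ ^/auth/.*?(whoami|logout|settings|webauthn\.js) {`. The rest of the block (rewrite, proxy_pass, timeouts) is unchanged context.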
@@ -41,12 +41,12 @@ kratos: helpLink: kratos.html webauthn: enabled: - description: Set to True to enable Security Keys (WebAuthn / PassKeys) for passwordless or multi-factor authentication (MFA) logins. Security Keys are a Public-Key Infrastructure (PKI) based authentication method, typically involving biometric hardware devices, such as laptop fingerprint scanners and USB hardware keys. + description: Set to True to enable Security Keys (WebAuthn / PassKeys) for passwordless or multi-factor authentication (MFA) logins. Security Keys are a Public-Key Infrastructure (PKI) based authentication method, typically involving biometric hardware devices, such as laptop fingerprint scanners and USB hardware keys. Be aware that disabling this setting, after users have already setup their accounts with Security Keys, may prevent users from logging in. global: True helpLink: kratos.html config: passwordless: - description: Set to True to utilize Security Keys (WebAuthn / PassKeys) for passwordless logins. Set to false to utilize Security Keys as a multi-factor authentication (MFA) method supplementing password logins. + description: Set to True to utilize Security Keys (WebAuthn / PassKeys) for passwordless logins. Set to false to utilize Security Keys as a multi-factor authentication (MFA) method supplementing password logins. Be aware that changing this value, after users have already setup their accounts with the previous value, may prevent users from logging in. global: True helpLink: kratos.html rp: From b5bccc5e058e4574f5ec487b17db5085be3b10c9 Mon Sep 17 00:00:00 2001 From: Wes Date: Thu, 15 Jun 2023 13:06:57 +0000 Subject: [PATCH 04/26] Use module in dataset name and add dataset tag --- .../elasticsearch/files/ingest-dynamic/common | 7 +- .../files/ingest/.fleet_final_pipeline-1 | 6 +- salt/soc/defaults.yaml | 208 +++++++++--------- .../soctopus/files/templates/generic.template | 2 +- 4 files changed, 114 insertions(+), 109 deletions(-) 
diff --git a/salt/elasticsearch/files/ingest-dynamic/common b/salt/elasticsearch/files/ingest-dynamic/common index 8c8de0da1..de4832101 100644 --- a/salt/elasticsearch/files/ingest-dynamic/common +++ b/salt/elasticsearch/files/ingest-dynamic/common @@ -57,8 +57,11 @@ { "convert": { "field": "log.id.uid", "type": "string", "ignore_failure": true, "ignore_missing": true } }, { "convert": { "field": "agent.id", "type": "string", "ignore_failure": true, "ignore_missing": true } }, { "convert": { "field": "event.severity", "type": "integer", "ignore_failure": true, "ignore_missing": true } }, - { "set": { "field": "event.dataset", "ignore_empty_value":true, "copy_from":"event.dataset_temp" }}, - { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp" ], "ignore_missing": true, "ignore_failure": true } } + { "set": { "field": "event.dataset", "ignore_empty_value":true, "copy_from": "event.dataset_temp" }}, + { "set": { "if": "ctx.event?.dataset != null && !ctx.event.dataset.contains('.')", "field": "event.dataset", "value": "{{event.module}}.{{event.dataset}}" } }, + { "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "dataset_tag_temp" } }, + { "set": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}" }}, + { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "dataset_tag_temp", "event.dataset_temp" ], "ignore_missing": true, "ignore_failure": true } } {%- endraw %} {%- if HIGHLANDER %} , diff --git a/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 b/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 index cf36bc798..e9261e96e 100644 --- a/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 +++ b/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 
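Review bot: The added `"set"` on `"field": "tags"` replaces any existing `tags` array with a single string, so documents that already carried tags lose them; the `append` processor preserves them: `{ "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}", "allow_duplicates": false } }`. The same `set` on `tags` appears in the .fleet_final_pipeline-1 hunk of this commit. The preceding `"value": "{{event.module}}.{{event.dataset}}"` also produces a leading-dot dataset such as `.conn` when `event.module` is absent; extend its condition to `ctx.event?.module != null && ctx.event?.dataset != null && !ctx.event.dataset.contains('.')`. Presumably datasets with more than one dot are not expected, since only element `1` of the split is used; if they are, that deserves a comment.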
@@ -71,8 +71,10 @@ }, { "set": { "ignore_failure": true, "field": "event.module", "value": "elastic_agent" } }, { "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "module_temp" } }, - { "set": { "if": "ctx.module_temp != null", "override": true, "field": "event.module", "value": "{{module_temp.0}}" }}, - { "remove": { "field": [ "module_temp" ], "ignore_missing": true, "ignore_failure": true } } + { "set": { "if": "ctx.module_temp != null", "override": true, "field": "event.module", "value": "{{module_temp.0}}" } }, + { "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "dataset_tag_temp" } }, + { "set": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}" } }, + { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp" ], "ignore_missing": true, "ignore_failure": true } }, ], "on_failure": [ { diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index adbadc57f..858801f3a 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1127,7 +1127,7 @@ soc: showSubtitle: true - name: SOC - Auth description: Users authenticated to SOC grouped by IP address and identity - query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip identity_id' + query: 'event.dataset:kratos.audit AND msg:authenticated | groupby http_request.headers.x-real-ip identity_id' showSubtitle: true - name: SOC - App description: Logs generated by the Security Onion Console (SOC) server and modules 
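Review bot: The new `remove` entry ends with `} },` immediately before the closing `]` of the processors array, leaving a trailing comma that a strict JSON parser rejects, so the whole pipeline definition would fail to load unless the loader tolerates it; drop the comma so the line ends in `} }`. The `"set"` on `"field": "tags"` added here overwrites any existing tags, as noted on the ingest-dynamic/common hunk; use `append`. The new remove list also drops `fields`, `type` and `category`, which this final pipeline did not previously touch; hedged, but since this runs after every Fleet integration pipeline, confirm none of them rely on those fields. The enclosing processors array starts before the hunk.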
@@ -1139,11 +1139,11 @@ soc: showSubtitle: true - name: Alerts description: Show all alerts grouped by alert source - query: 'event.dataset: alert | groupby event.module' + query: 'tags:alert | groupby event.module' showSubtitle: true - name: NIDS Alerts description: Show all NIDS alerts grouped by alert - query: 'event.category: network AND event.dataset: alert | groupby rule.category rule.gid rule.uuid rule.name' + query: 'event.category: network AND tags: alert | groupby rule.category rule.gid rule.uuid rule.name' showSubtitle: true - name: Osquery - Live Query description: Show all Osquery Live Query results 
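Review bot: Replacing `event.dataset:alert` with `tags:alert` changes the selection from "dataset is alert" to "any document whose tags contain alert", which matches every module whose dataset suffix is `alert` as well as any document that already carried that tag from another source; the same applies to `tags:conn`, `tags:dns` and the rest in the later hunks at @@ -1163 and @@ -1389. The result is also inconsistent within the file: Zeek notice, signatures and weird now use `event.dataset:zeek.notice` style while the other Zeek logs use `tags:`. Either use `event.dataset:zeek.conn` style throughout where a single module is meant, or add a comment near the first query explaining that `tags:` is intentionally module-agnostic, e.g. `# tags:<dataset> matches the dataset suffix across all modules (see ingest-dynamic/common)`.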
@@ -1163,207 +1163,207 @@ soc: showSubtitle: true - name: Zeek Notice description: Show notices from Zeek - query: 'event.dataset:notice | groupby notice.note notice.message' + query: 'event.dataset:zeek.notice | groupby notice.note notice.message' showSubtitle: true - name: Connections description: Connections grouped by IP and Port - query: 'event.dataset:conn | groupby source.ip destination.ip network.protocol destination.port' + query: 'tags:conn | groupby source.ip destination.ip network.protocol destination.port' showSubtitle: true - name: Connections description: Connections grouped by Service - query: 'event.dataset:conn | groupby network.protocol destination.port' + query: 'tags:conn | groupby network.protocol destination.port' showSubtitle: true - name: Connections description: Connections grouped by destination country - query: 'event.dataset:conn | groupby destination.geo.country_name' + query: 'tags:conn | groupby destination.geo.country_name' showSubtitle: true - name: Connections description: Connections grouped by source country - query: 'event.dataset:conn | groupby source.geo.country_name' + query: 'tags:conn | groupby source.geo.country_name' showSubtitle: true - name: DCE_RPC description: DCE_RPC grouped by operation - query: 'event.dataset:dce_rpc | groupby dce_rpc.operation' + query: 'tags:dce_rpc | groupby dce_rpc.operation' showSubtitle: true - name: DHCP description: DHCP leases - query: 'event.dataset:dhcp | groupby host.hostname client.address' + query: 'tags:dhcp | groupby host.hostname client.address' showSubtitle: true - name: DHCP description: DHCP grouped by message type - query: 'event.dataset:dhcp | groupby dhcp.message_types' + query: 'tags:dhcp | groupby dhcp.message_types' showSubtitle: true - name: DNP3 description: DNP3 grouped by reply - query: 'event.dataset:dnp3 | groupby dnp3.fc_reply' + query: 'tags:dnp3 | groupby dnp3.fc_reply' showSubtitle: true - name: DNS description: DNS queries grouped by port - query: 
'event.dataset:dns | groupby dns.query.name destination.port' + query: 'tags:dns | groupby dns.query.name destination.port' showSubtitle: true - name: DNS description: DNS queries grouped by type - query: 'event.dataset:dns | groupby dns.query.type_name destination.port' + query: 'tags:dns | groupby dns.query.type_name destination.port' showSubtitle: true - name: DNS description: DNS queries grouped by response code - query: 'event.dataset:dns | groupby dns.response.code_name destination.port' + query: 'tags:dns | groupby dns.response.code_name destination.port' showSubtitle: true - name: DNS description: DNS highest registered domain - query: 'event.dataset:dns | groupby dns.highest_registered_domain.keyword destination.port' + query: 'tags:dns | groupby dns.highest_registered_domain.keyword destination.port' showSubtitle: true - name: DNS description: DNS grouped by parent domain - query: 'event.dataset:dns | groupby dns.parent_domain.keyword destination.port' + query: 'tags:dns | groupby dns.parent_domain.keyword destination.port' showSubtitle: true - name: DPD description: Dynamic Protocol Detection errors - query: 'event.dataset:dpd | groupby error.reason' + query: 'tags:dpd | groupby error.reason' showSubtitle: true - name: Files description: Files grouped by mimetype - query: 'event.dataset:file | groupby file.mime_type source.ip' + query: 'tags:file | groupby file.mime_type source.ip' showSubtitle: true - name: Files description: Files grouped by source - query: 'event.dataset:file | groupby file.source source.ip' + query: 'tags:file | groupby file.source source.ip' showSubtitle: true - name: FTP description: FTP grouped by command and argument - query: 'event.dataset:ftp | groupby ftp.command ftp.argument' + query: 'tags:ftp | groupby ftp.command ftp.argument' showSubtitle: true - name: FTP description: FTP grouped by username and argument - query: 'event.dataset:ftp | groupby ftp.user ftp.argument' + query: 'tags:ftp | groupby ftp.user ftp.argument' 
showSubtitle: true - name: HTTP description: HTTP grouped by destination port - query: 'event.dataset:http | groupby destination.port' + query: 'tags:http | groupby destination.port' showSubtitle: true - name: HTTP description: HTTP grouped by status code and message - query: 'event.dataset:http | groupby http.status_code http.status_message' + query: 'tags:http | groupby http.status_code http.status_message' showSubtitle: true - name: HTTP description: HTTP grouped by method and user agent - query: 'event.dataset:http | groupby http.method http.useragent' + query: 'tags:http | groupby http.method http.useragent' showSubtitle: true - name: HTTP description: HTTP grouped by virtual host - query: 'event.dataset:http | groupby http.virtual_host' + query: 'tags:http | groupby http.virtual_host' showSubtitle: true - name: HTTP description: HTTP with exe downloads - query: 'event.dataset:http AND (file.resp_mime_types:dosexec OR file.resp_mime_types:executable) | groupby http.virtual_host' + query: 'tags:http AND (file.resp_mime_types:dosexec OR file.resp_mime_types:executable) | groupby http.virtual_host' showSubtitle: true - name: Intel description: Intel framework hits grouped by indicator - query: 'event.dataset:intel | groupby intel.indicator.keyword' + query: 'tags:intel | groupby intel.indicator.keyword' showSubtitle: true - name: IRC description: IRC grouped by command - query: 'event.dataset:irc | groupby irc.command.type' + query: 'tags:irc | groupby irc.command.type' showSubtitle: true - name: KERBEROS description: KERBEROS grouped by service - query: 'event.dataset:kerberos | groupby kerberos.service' + query: 'tags:kerberos | groupby kerberos.service' showSubtitle: true - name: MODBUS description: MODBUS grouped by function - query: 'event.dataset:modbus | groupby modbus.function' + query: 'tags:modbus | groupby modbus.function' showSubtitle: true - name: MYSQL description: MYSQL grouped by command - query: 'event.dataset:mysql | groupby mysql.command' + 
query: 'tags:mysql | groupby mysql.command' showSubtitle: true - name: NOTICE description: Zeek notice logs grouped by note and message - query: 'event.dataset:notice | groupby notice.note notice.message' + query: 'event.dataset:zeek.notice | groupby notice.note notice.message' showSubtitle: true - name: NTLM description: NTLM grouped by computer name - query: 'event.dataset:ntlm | groupby ntlm.server.dns.name' + query: 'tags:ntlm | groupby ntlm.server.dns.name' showSubtitle: true - name: PE description: PE files list - query: 'event.dataset:pe | groupby file.machine file.os file.subsystem' + query: 'tags:pe | groupby file.machine file.os file.subsystem' showSubtitle: true - name: RADIUS description: RADIUS grouped by username - query: 'event.dataset:radius | groupby user.name.keyword' + query: 'tags:radius | groupby user.name.keyword' showSubtitle: true - name: RDP description: RDP grouped by client name - query: 'event.dataset:rdp | groupby client.name' + query: 'tags:rdp | groupby client.name' showSubtitle: true - name: RFB description: RFB grouped by desktop name - query: 'event.dataset:rfb | groupby rfb.desktop.name.keyword' + query: 'tags:rfb | groupby rfb.desktop.name.keyword' showSubtitle: true - name: Signatures description: Zeek signatures grouped by signature id - query: 'event.dataset:signatures | groupby signature_id' + query: 'event.dataset:zeek.signatures | groupby signature_id' showSubtitle: true - name: SIP description: SIP grouped by user agent - query: 'event.dataset:sip | groupby client.user_agent' + query: 'tags:sip | groupby client.user_agent' showSubtitle: true - name: SMB_Files description: SMB files grouped by action - query: 'event.dataset:smb_files | groupby file.action' + query: 'tags:smb_files | groupby file.action' showSubtitle: true - name: SMB_Mapping description: SMB mapping grouped by path - query: 'event.dataset:smb_mapping | groupby smb.path' + query: 'tags:smb_mapping | groupby smb.path' showSubtitle: true - name: SMTP 
description: SMTP grouped by subject - query: 'event.dataset:smtp | groupby smtp.subject' + query: 'tags:smtp | groupby smtp.subject' showSubtitle: true - name: SNMP description: SNMP grouped by version and string - query: 'event.dataset:snmp | groupby snmp.community snmp.version' + query: 'tags:snmp | groupby snmp.community snmp.version' showSubtitle: true - name: Software description: List of software seen on the network - query: 'event.dataset:software | groupby software.type software.name' + query: 'tags:software | groupby software.type software.name' showSubtitle: true - name: SSH description: SSH grouped by version and client - query: 'event.dataset:ssh | groupby ssh.version ssh.client' + query: 'tags:ssh | groupby ssh.version ssh.client' showSubtitle: true - name: SSL description: SSL grouped by version and server name - query: 'event.dataset:ssl | groupby ssl.version ssl.server_name' + query: 'tags:ssl | groupby ssl.version ssl.server_name' showSubtitle: true - name: SYSLOG description: 'SYSLOG grouped by severity and facility ' - query: 'event.dataset:syslog | groupby syslog.severity_label syslog.facility_label' + query: 'tags:syslog | groupby syslog.severity_label syslog.facility_label' showSubtitle: true - name: Tunnel description: Tunnels grouped by type and action - query: 'event.dataset:tunnel | groupby tunnel.type event.action' + query: 'tags:tunnel | groupby tunnel.type event.action' showSubtitle: true - name: Weird description: Zeek weird log grouped by name - query: 'event.dataset:weird | groupby weird.name' + query: 'event.dataset:zeek.weird | groupby weird.name' showSubtitle: true - name: x509 description: x.509 grouped by key length and name - query: 'event.dataset:x509 | groupby x509.certificate.key.length x509.san_dns' + query: 'tags:x509 | groupby x509.certificate.key.length x509.san_dns' showSubtitle: true - name: x509 description: x.509 grouped by name and issuer - query: 'event.dataset:x509 | groupby x509.san_dns x509.certificate.issuer' 
+ query: 'tags:x509 | groupby x509.san_dns x509.certificate.issuer' showSubtitle: true - name: x509 description: x.509 grouped by name and subject - query: 'event.dataset:x509 | groupby x509.san_dns x509.certificate.subject' + query: 'tags:x509 | groupby x509.san_dns x509.certificate.subject' showSubtitle: true - name: Firewall description: Firewall events grouped by action - query: 'event.dataset:firewall | groupby rule.action' + query: 'tags:firewall | groupby rule.action' showSubtitle: true dashboards: advanced: true 
@@ -1389,16 +1389,16 @@ soc: query: '* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module* | groupby event.dataset | groupby event.module* | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: SOC Auth description: SOC (Security Onion Console) authentication logs - query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby -sankey http_request.headers.x-real-ip identity_id | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent' + query: 'event.dataset:kratos.audit AND msg:authenticated | groupby -sankey http_request.headers.x-real-ip identity_id | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent' - name: Elastalerts description: Elastalert logs query: '_index: "*:elastalert*" | groupby rule_name | groupby alert_info.type' - name: Alerts description: Overview of all alerts - query: 'event.dataset:alert | groupby event.module* | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'tags:alert | groupby event.module* | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: NIDS Alerts description: NIDS (Network Intrusion Detection System) alerts - query: 'event.category:network AND event.dataset:alert | groupby rule.category | groupby -sankey source.ip destination.ip | groupby rule.name | groupby rule.uuid | groupby rule.gid | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'event.category:network AND tags:alert | groupby rule.category | groupby -sankey source.ip 
destination.ip | groupby rule.name | groupby rule.uuid | groupby rule.gid | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: Sysmon Overview description: Overview of all Sysmon data types query: 'event.dataset:windows.sysmon_operational | groupby -sankey event.action host.name | groupby -sankey host.name user.name | groupby host.name | groupby event.category event.action | groupby user.name | groupby dns.question.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port' 
@@ -1425,145 +1425,145 @@ soc: query: 'event.module:strelka | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.name' - name: Zeek Notice description: Zeek notice logs - query: 'event.dataset:notice | groupby -sankey notice.note destination.ip | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'event.dataset:zeek.notice | groupby -sankey notice.note destination.ip | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: Connections description: Network connection metadata - query: 'event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby -sankey destination.port network.protocol | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes | groupby client.oui' + query: 'tags:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby -sankey destination.port network.protocol | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes | groupby client.oui' - name: DCE_RPC description: DCE_RPC (Distributed Computing Environment / Remote Procedure Calls) network metadata - query: 'event.dataset:dce_rpc | groupby -sankey dce_rpc.endpoint dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.operation | groupby 
dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'tags:dce_rpc | groupby -sankey dce_rpc.endpoint dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.operation | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: DHCP description: DHCP (Dynamic Host Configuration Protocol) leases - query: 'event.dataset:dhcp | groupby host.hostname | groupby dhcp.message_types | groupby -sankey client.address server.address | groupby client.address | groupby server.address | groupby host.domain' + query: 'tags:dhcp | groupby host.hostname | groupby dhcp.message_types | groupby -sankey client.address server.address | groupby client.address | groupby server.address | groupby host.domain' - name: DNS description: DNS (Domain Name System) queries - query: 'event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby -sankey source.ip destination.ip | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'tags:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby -sankey source.ip destination.ip | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: DPD description: DPD (Dynamic Protocol Detection) errors - query: 'event.dataset:dpd | groupby error.reason | groupby network.protocol | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'tags:dpd 
| groupby error.reason | groupby network.protocol | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: Files description: Files seen in network traffic - query: 'event.dataset:file | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip | groupby destination_geo.organization_name' + query: 'tags:file | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip | groupby destination_geo.organization_name' - name: FTP description: FTP (File Transfer Protocol) network metadata - query: 'event.dataset:ftp | groupby -sankey ftp.command destination.ip | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'tags:ftp | groupby -sankey ftp.command destination.ip | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: HTTP description: HTTP (Hyper Text Transport Protocol) network metadata - query: 'event.dataset:http | groupby http.method | groupby -sankey http.method http.virtual_host | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'tags:http | groupby http.method | groupby -sankey http.method http.virtual_host | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby 
file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: Intel description: Zeek Intel framework hits - query: 'event.dataset:intel | groupby intel.indicator | groupby -sankey source.ip intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:intel | groupby intel.indicator | groupby -sankey source.ip intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port' - name: IRC description: IRC (Internet Relay Chat) network metadata - query: 'event.dataset:irc | groupby irc.command.type | groupby -sankey irc.command.type irc.username | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'tags:irc | groupby irc.command.type | groupby -sankey irc.command.type irc.username | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: Kerberos description: Kerberos network metadata - query: 'event.dataset:kerberos | groupby kerberos.service | groupby -sankey kerberos.service destination.ip | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:kerberos | groupby kerberos.service | groupby -sankey kerberos.service destination.ip | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port' - name: MySQL description: MySQL network metadata - query: 'event.dataset:mysql | groupby mysql.command | groupby -sankey 
mysql.command destination.ip | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:mysql | groupby mysql.command | groupby -sankey mysql.command destination.ip | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port' - name: NTLM description: NTLM (New Technology LAN Manager) network metadata - query: 'event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby -sankey source.ip destination.ip | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby -sankey source.ip destination.ip | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port' - name: PE description: PE (Portable Executable) files transferred via network traffic - query: 'event.dataset:pe | groupby file.machine | groupby -sankey file.machine file.os | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit' + query: 'tags:pe | groupby file.machine | groupby -sankey file.machine file.os | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit' - name: RADIUS description: RADIUS (Remote Authentication Dial-In User Service) network metadata - query: 'event.dataset:radius | groupby -sankey user.name.keyword destination.ip | groupby user.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'tags:radius | groupby -sankey user.name.keyword destination.ip | groupby user.name.keyword | groupby source.ip | groupby 
destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: RDP description: RDP (Remote Desktop Protocol) network metadata - query: 'event.dataset:rdp | groupby client.name | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'tags:rdp | groupby client.name | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: RFB description: RFB (Remote Frame Buffer) network metadata - query: 'event.dataset:rfb | groupby rfb.desktop.name.keyword | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'tags:rfb | groupby rfb.desktop.name.keyword | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: Signatures description: Zeek signatures - query: 'event.dataset:signatures | groupby signature_id' + query: 'event.dataset:zeek.signatures | groupby signature_id' - name: SIP description: SIP (Session Initiation Protocol) network metadata - query: 'event.dataset:sip | groupby client.user_agent | groupby sip.method | groupby sip.uri | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'tags:sip | groupby client.user_agent | groupby sip.method | groupby sip.uri | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: SMB_Files description: Files transferred via SMB (Server Message Block) - query: 'event.dataset:smb_files | groupby file.action | groupby file.path | groupby file.name 
| groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:smb_files | groupby file.action | groupby file.path | groupby file.name | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port' - name: SMB_Mapping description: SMB (Server Message Block) mapping network metadata - query: 'event.dataset:smb_mapping | groupby smb.share_type | groupby smb.path | groupby smb.service | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:smb_mapping | groupby smb.share_type | groupby smb.path | groupby smb.service | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port' - name: SMTP description: SMTP (Simple Mail Transfer Protocol) network metadata - query: 'event.dataset:smtp | groupby smtp.from | groupby smtp.recipient_to | groupby -sankey source.ip destination.ip | groupby smtp.subject | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'tags:smtp | groupby smtp.from | groupby smtp.recipient_to | groupby -sankey source.ip destination.ip | groupby smtp.subject | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: SNMP description: SNMP (Simple Network Management Protocol) network metadat - query: 'event.dataset:snmp | groupby snmp.community | groupby snmp.version | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:snmp | groupby snmp.community | groupby snmp.version | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port' - name: Software description: Software seen by Zeek via network traffic - query: 'event.dataset:software | groupby 
-sankey software.type source.ip | groupby software.type | groupby software.name | groupby source.ip' + query: 'tags:software | groupby -sankey software.type source.ip | groupby software.type | groupby software.name | groupby source.ip' - name: SSH description: SSH (Secure Shell) connections seen by Zeek - query: 'event.dataset:ssh | groupby ssh.client | groupby ssh.server | groupby -sankey source.ip destination.ip | groupby ssh.direction | groupby ssh.version | groupby ssh.hassh_version | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'tags:ssh | groupby ssh.client | groupby ssh.server | groupby -sankey source.ip destination.ip | groupby ssh.direction | groupby ssh.version | groupby ssh.hassh_version | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: SSL description: SSL/TLS network metadata - query: 'event.dataset:ssl | groupby ssl.version | groupby ssl.validation_status | groupby -sankey source.ip ssl.server_name | groupby ssl.server_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject' + query: 'tags:ssl | groupby ssl.version | groupby ssl.validation_status | groupby -sankey source.ip ssl.server_name | groupby ssl.server_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject' - name: STUN description: STUN (Session Traversal Utilities for NAT) network metadata - query: 'event.dataset:stun* | groupby -sankey source.ip destination.ip | groupby destination.geo.country_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby event.dataset' + query: 'tags:stun* | groupby -sankey source.ip destination.ip | groupby 
destination.geo.country_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby event.dataset' - name: Syslog description: Syslog logs - query: 'event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol' + query: 'tags:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol' - name: TDS description: TDS (Tabular Data Stream) network metadata - query: 'event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupby tds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby tds.query' + query: 'tags:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupby tds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby tds.query' - name: Tunnel description: Tunnels seen by Zeek - query: 'event.dataset:tunnel | groupby -sankey source.ip destination.ip | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination.geo.country_name' + query: 'tags:tunnel | groupby -sankey source.ip destination.ip | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination.geo.country_name' - name: Weird description: Weird network traffic seen by Zeek - query: 'event.dataset:weird | groupby -sankey weird.name destination.ip | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby 
destination.port | groupby destination_geo.organization_name' + query: 'event.dataset:zeek.weird | groupby -sankey weird.name destination.ip | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: WireGuard description: WireGuard VPN network metadata - query: 'event.dataset:wireguard | groupby -sankey source.ip destination.ip | groupby destination.geo.country_name | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:wireguard | groupby -sankey source.ip destination.ip | groupby destination.geo.country_name | groupby source.ip | groupby destination.ip | groupby destination.port' - name: x509 description: x.509 certificates seen by Zeek - query: 'event.dataset:x509 | groupby -sankey x509.certificate.key.length x509.san_dns | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer' + query: 'tags:x509 | groupby -sankey x509.certificate.key.length x509.san_dns | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer' - name: ICS Overview description: Overview of ICS (Industrial Control Systems) network metadata query: 'tags:ics | groupby event.dataset | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby source.mac | groupby destination.mac' - name: ICS BACnet description: BACnet (Building Automation and Control Networks) network metadata - query: 'event.dataset:bacnet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:bacnet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby 
source.ip | groupby destination.ip | groupby destination.port' - name: ICS BSAP description: BSAP (Bristol Standard Asynchronous Protocol) network metadata - query: 'event.dataset:bsap* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:bsap* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port' - name: ICS CIP description: CIP (Common Industrial Protocol) network metadata - query: 'event.dataset:cip* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:cip* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port' - name: ICS COTP description: COTP (Connection Oriented Transport Protocol) network metadata - query: 'event.dataset:cotp* | groupby -sankey source.ip destination.ip | groupby cotp.pdu.name | groupby cotp.pdu.code | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:cotp* | groupby -sankey source.ip destination.ip | groupby cotp.pdu.name | groupby cotp.pdu.code | groupby source.ip | groupby destination.ip | groupby destination.port' - name: ICS DNP3 description: DNP3 (Distributed Network Protocol) network metadata - query: 'event.dataset:dnp3* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby dnp3.function_code | groupby dnp3.object_type | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:dnp3* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby dnp3.function_code | groupby dnp3.object_type | groupby dnp3.fc_request | groupby 
dnp3.fc_reply | groupby source.ip | groupby destination.ip | groupby destination.port' - name: ICS ECAT description: ECAT (Ethernet for Control Automation Technology) network metadata - query: 'event.dataset:ecat* | groupby -sankey event.dataset source.mac destination.mac | groupby event.dataset | groupby source.mac | groupby destination.mac | groupby ecat.command | groupby ecat.register.type' + query: 'tags:ecat* | groupby -sankey event.dataset source.mac destination.mac | groupby event.dataset | groupby source.mac | groupby destination.mac | groupby ecat.command | groupby ecat.register.type' - name: ICS ENIP description: ENIP (Ethernet Industrial Protocol) network metadata - query: 'event.dataset:enip* | groupby -sankey source.ip destination.ip | groupby enip.command | groupby enip.status_code | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:enip* | groupby -sankey source.ip destination.ip | groupby enip.command | groupby enip.status_code | groupby source.ip | groupby destination.ip | groupby destination.port' - name: ICS Modbus description: Modbus network metadata - query: 'event.dataset:modbus* | groupby -sankey event.dataset modbus.function | groupby event.dataset | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:modbus* | groupby -sankey event.dataset modbus.function | groupby event.dataset | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port' - name: ICS OPC UA description: OPC UA (Unified Architecture) network metadata - query: 'event.dataset:opcua* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:opcua* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port' - name: ICS Profinet description: 
Profinet (Process Field Network) network metadata - query: 'event.dataset:profinet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:profinet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port' - name: ICS S7 description: S7 (Siemens) network metadata - query: 'event.dataset:s7* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:s7* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port' - name: Firewall description: Firewall logs - query: 'event.dataset:firewall | groupby -sankey rule.action interface.name | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'tags:firewall | groupby -sankey rule.action interface.name | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port' - name: VLAN description: VLAN (Virtual Local Area Network) tagged logs query: '* AND _exists_:network.vlan.id | groupby network.vlan.id | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby event.dataset | groupby event.module | groupby observer.name | groupby source.geo.country_name | groupby destination.geo.country_name' @@ -1621,7 +1621,7 @@ soc: - user.escalated - location - process.name - queryBaseFilter: event.dataset:alert + queryBaseFilter: tags:alert queryToggleFilters: - name: acknowledged filter: event.acknowledged:true 
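Review bot: Three entries in this hunk (Zeek Notice, Signatures, Weird) are rewritten to `event.dataset:zeek.notice`, `event.dataset:zeek.signatures` and `event.dataset:zeek.weird`, while every surrounding entry switches to the tag form (`tags:conn`, `tags:dns`, ...), and nothing in the hunk records why the two forms are mixed. If the reason is that a bare `notice`, `signatures` or `weird` tag would also match non-Zeek logs, a comment on each of those three entries, e.g. `# dataset match on purpose: the 'notice' tag is not unique to Zeek`, would stop a later cleanup from "fixing" them to the tag form. The wildcard entries (`tags:stun*`, `tags:tds*`, `tags:bacnet*` and the other ICS dashboards) presumably assume the tag carries the protocol name as its prefix; that holds only if the pipeline's dataset split yields that token for every dataset in those families, which is worth confirming against the actual dataset names.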
diff --git a/salt/soctopus/files/templates/generic.template b/salt/soctopus/files/templates/generic.template index df120fd81..505d4ec41 100644 --- a/salt/soctopus/files/templates/generic.template +++ b/salt/soctopus/files/templates/generic.template @@ -5,7 +5,7 @@ elasticsearch_host: "{{ GLOBALS.url_base }}:9200" play_title: "" play_id: "" event.module: "playbook" -event.dataset: "alert" +event.dataset: "playbook.alert" event.severity: rule.category: play_url: "https://{{ GLOBALS.url_base }}/playbook/issues/6000" From 58a63e076547ed67340c78023c6de65e2a55a825 Mon Sep 17 00:00:00 2001 From: Wes Date: Thu, 15 Jun 2023 14:22:37 +0000 Subject: [PATCH 05/26] Remove extra comma --- salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 b/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 index e9261e96e..080c7a8a9 100644 --- a/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 +++ b/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 @@ -74,7 +74,7 @@ { "set": { "if": "ctx.module_temp != null", "override": true, "field": "event.module", "value": "{{module_temp.0}}" } }, { "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "dataset_tag_temp" } }, { "set": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}" } }, - { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp" ], "ignore_missing": true, "ignore_failure": true } }, + { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp" ], "ignore_missing": true, "ignore_failure": true } } ], "on_failure": [ { From 3a34da354f7a372d1d309f4dbf9d2a51db15ebf9 Mon Sep 17 00:00:00 2001 
From: Wes Date: Thu, 15 Jun 2023 16:35:43 +0000 Subject: [PATCH 06/26] Use append instead of set --- salt/elasticsearch/files/ingest-dynamic/common | 2 +- salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/elasticsearch/files/ingest-dynamic/common b/salt/elasticsearch/files/ingest-dynamic/common index de4832101..b2c13f983 100644 --- a/salt/elasticsearch/files/ingest-dynamic/common +++ b/salt/elasticsearch/files/ingest-dynamic/common @@ -60,7 +60,7 @@ { "set": { "field": "event.dataset", "ignore_empty_value":true, "copy_from": "event.dataset_temp" }}, { "set": { "if": "ctx.event?.dataset != null && !ctx.event.dataset.contains('.')", "field": "event.dataset", "value": "{{event.module}}.{{event.dataset}}" } }, { "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "dataset_tag_temp" } }, - { "set": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}" }}, + { "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}" }}, { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "dataset_tag_temp", "event.dataset_temp" ], "ignore_missing": true, "ignore_failure": true } } {%- endraw %} {%- if HIGHLANDER %} diff --git a/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 b/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 index 080c7a8a9..d6f5b65aa 100644 --- a/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 +++ b/salt/elasticsearch/files/ingest/.fleet_final_pipeline-1 
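Review bot: Switching the `tags` processor from `set` to `append` means a document that runs through both this pipeline and `.fleet_final_pipeline-1` (the same change in the -73 hunk of that file), or through this pipeline twice on a reindex, collects the same dataset suffix repeatedly, because the `append` processor keeps duplicates unless told otherwise. Adding the option to both new lines, e.g. `{ "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}", "allow_duplicates": false }},`, keeps `tags` behaving as a set. The previous `set` clobbered any tags the shipper had already attached, which `append` now preserves; that is presumably the motivation and is worth stating in the commit message, since "Use append instead of set" does not say it.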
@@ -73,7 +73,7 @@ { "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "module_temp" } }, { "set": { "if": "ctx.module_temp != null", "override": true, "field": "event.module", "value": "{{module_temp.0}}" } }, { "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "dataset_tag_temp" } }, - { "set": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}" } }, + { "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}" } }, { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp" ], "ignore_missing": true, "ignore_failure": true } } ], "on_failure": [ From 2334d82d36f0dfd709d4fa20ed0d1e37321c02b4 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 16 Jun 2023 11:13:34 -0400 Subject: [PATCH 07/26] fix salt install for ubuntu --- setup/so-functions | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 1b15bb140..2a69f0d36 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -2046,8 +2046,8 @@ saltify() { #logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.securityonion.net/file/securityonion-repo/ubuntu/20.04/amd64/salt/SALTSTACK-GPG-KEY.pub" logCmd "wget -q --inet4-only -O /etc/apt/keyrings/docker.pub https://download.docker.com/linux/ubuntu/gpg" - logCmd "curl -fsSL -o /etc/apt/keyrings/salt-archive-keyring-2023.gpg https://repo.saltproject.io/salt_rc/salt/py3/ubuntu/20.04/amd64/minor/$SALTVERSION/SALT-PROJECT-GPG-PUBKEY-2023.gpg" - echo "deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.gpg] https://repo.saltproject.io/salt_rc/salt/py3/ubuntu/20.04/amd64/minor/$SALTVERSION/ focal main" | sudo tee /etc/apt/sources.list.d/salt.list + logCmd "curl -fsSL -o /etc/apt/keyrings/salt-archive-keyring-2023.gpg https://repo.saltproject.io/salt/py3/ubuntu/20.04/amd64/minor/$SALTVERSION/SALT-PROJECT-GPG-PUBKEY-2023.gpg" + echo "deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.gpg] https://repo.saltproject.io/salt/py3/ubuntu/20.04/amd64/minor/$SALTVERSION/ focal main" | sudo tee /etc/apt/sources.list.d/salt.list logCmd "apt-key add /etc/apt/keyrings/salt-archive-keyring-2023.gpg" #logCmd "apt-key add /opt/so/gpg/SALTSTACK-GPG-KEY.pub" @@ -2062,7 +2062,7 @@ saltify() { # Ain't nothing but a GPG retry 150 20 "apt-get update" "" "Err:" || fail_setup - retry 150 20 "apt-get -y install salt-common-$SALTVERSION salt-minion-$SALTVERSION" || fail_setup + retry 150 20 "apt-get -y install salt-common=$SALTVERSION salt-minion=$SALTVERSION" || fail_setup retry 150 20 "apt-mark hold salt-minion salt-common" || fail_setup #retry 150 20 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb python3-packaging python3-influxdb python3-lxml" || exit 1 From 6894fa4e4de480ea367c64a0901249326fe65fc9 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 16 Jun 2023 13:09:01 -0400 Subject: [PATCH 08/26] Update VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
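Review bot: The downloaded Salt signing key is trusted without any fingerprint check, and the retained `apt-key add` line then imports it into the global trusted keyring, which undoes the per-repository scoping that `signed-by=` on the new `deb` line provides. After the `curl` download, compare the key against a pinned fingerprint, e.g. `gpg --show-keys --with-fingerprint /etc/apt/keyrings/salt-archive-keyring-2023.gpg | grep -q "<EXPECTED_SALT_KEY_FINGERPRINT>" || fail_setup`, and drop the `apt-key add` call, which is deprecated and not needed once `signed-by=` is in place. The `sudo tee` also looks odd in a setup function that presumably already runs as root, though the caller's privilege is not visible here. saltify() starts and ends outside the hunk.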
diff --git a/VERSION b/VERSION index 7f2e97617..35cee72dc 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.0-kilo +2.4.3 From ed1e2c8908eb2c4d343e57df12658cb8c1725641 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 16 Jun 2023 13:58:45 -0400 Subject: [PATCH 09/26] ignore failure notification for Ubuntu Failed to restart snapd --- setup/so-verify | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/setup/so-verify b/setup/so-verify index 831b0049c..7e010722c 100755 --- a/setup/so-verify +++ b/setup/so-verify @@ -31,6 +31,10 @@ log_has_errors() { # Ignore Failed: 0 since that is the salt state output, and we detect state failures # via Result: False already. + + # This is ignored for Ubuntu + # Failed to restart snapd.mounts-pre.target: Operation refused, unit snapd.mounts-pre.target + # may be requested by dependency only (it is configured to refuse manual start/stop). grep -E "FAILED|Failed|failed|ERROR|Result: False" "$setup_log" | \ grep -vE "The Salt Master has cached the public key for this node" | \ @@ -46,6 +50,7 @@ log_has_errors() { grep -vE "code: 100" | \ grep -vE "/nsm/rules/sigma*" | \ grep -vE "/nsm/rules/yara*" | \ + grep -vE "Failed to restart snapd" | \ grep -vE "Running scope as unit" &> "$error_log" if [[ $? -eq 0 ]]; then From 7caa7cec6bd6907735d0d73807c19d11ef2fe60b Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 20 Jun 2023 07:13:33 -0400 Subject: [PATCH 10/26] Fix SOC Auth queries in Dashboards and Hunt Change `event.dataset:audit` to `event.dataset:kratos.audit`. --- salt/soc/defaults.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index adbadc57f..e2e15a5b1 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml 
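Review bot: The new exclusion `grep -vE "Failed to restart snapd"` is broader than the case the comment describes: it suppresses any line about a failed snapd restart, not only the `snapd.mounts-pre.target` refusal, so a genuine snapd failure during setup would also vanish from the error log. Narrow it to the unit named in the comment, `grep -vE "Failed to restart snapd.mounts-pre.target" | \`, and move the three explanatory comment lines from the first hunk down next to this filter, where the other exclusions are; the comment currently sits above a pipeline that it does not describe. log_has_errors() continues outside both hunks.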
@@ -1127,7 +1127,7 @@ soc: showSubtitle: true - name: SOC - Auth description: Users authenticated to SOC grouped by IP address and identity - query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip identity_id' + query: 'event.module:kratos AND event.dataset:kratos.audit AND msg:authenticated | groupby http_request.headers.x-real-ip identity_id' showSubtitle: true - name: SOC - App description: Logs generated by the Security Onion Console (SOC) server and modules @@ -1389,7 +1389,7 @@ soc: query: '* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module* | groupby event.dataset | groupby event.module* | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: SOC Auth description: SOC (Security Onion Console) authentication logs - query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby -sankey http_request.headers.x-real-ip identity_id | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent' + query: 'event.module:kratos AND event.dataset:kratos.audit AND msg:authenticated | groupby -sankey http_request.headers.x-real-ip identity_id | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent' - name: Elastalerts description: Elastalert logs query: '_index: "*:elastalert*" | groupby rule_name | groupby alert_info.type' From fc824359edfcfa11b0a44983e7bf63a2e62e0931 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 20 Jun 2023 07:30:56 -0400 Subject: [PATCH 11/26] Update default fields for kratos.audit --- salt/soc/defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index e2e15a5b1..9e4c25408 100644 --- a/salt/soc/defaults.yaml 
+++ b/salt/soc/defaults.yaml @@ -61,7 +61,7 @@ soc: - log.id.uid - network.community_id - event.dataset - ':kratos:audit': + ':kratos:kratos.audit': - soc_timestamp - http_request.headers.x-real-ip - identity_id From 0e09d73aa0559779b63facb894913f2ea38e0bf5 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 20 Jun 2023 07:40:10 -0400 Subject: [PATCH 12/26] Resolve conflicts with dataset PR --- salt/soc/defaults.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 9e4c25408..0e9e972eb 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1127,7 +1127,7 @@ soc: showSubtitle: true - name: SOC - Auth description: Users authenticated to SOC grouped by IP address and identity - query: 'event.module:kratos AND event.dataset:kratos.audit AND msg:authenticated | groupby http_request.headers.x-real-ip identity_id' + query: 'event.dataset:kratos.audit AND msg:authenticated | groupby http_request.headers.x-real-ip identity_id' showSubtitle: true - name: SOC - App description: Logs generated by the Security Onion Console (SOC) server and modules 
@@ -1389,7 +1389,7 @@ soc: query: '* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module* | groupby event.dataset | groupby event.module* | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: SOC Auth description: SOC (Security Onion Console) authentication logs - query: 'event.module:kratos AND event.dataset:kratos.audit AND msg:authenticated | groupby -sankey http_request.headers.x-real-ip identity_id | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent' + query: 'event.dataset:kratos.audit AND msg:authenticated | groupby -sankey http_request.headers.x-real-ip identity_id | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent' - name: Elastalerts description: Elastalert logs query: '_index: "*:elastalert*" | groupby rule_name | groupby alert_info.type' From a465039887bc299be2c8b2a3aab634ee3ae19c32 Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Fri, 26 May 2023 15:14:34 -0600 Subject: [PATCH 13/26] 2 new capabilities: send-file and import-file --- salt/soc/files/bin/salt-relay.sh | 76 +++++++++++++++++++++++++++++++- 1 file changed, 75 insertions(+), 1 deletion(-) diff --git a/salt/soc/files/bin/salt-relay.sh b/salt/soc/files/bin/salt-relay.sh index a98a587a6..bb0fa82a3 100755 --- a/salt/soc/files/bin/salt-relay.sh +++ b/salt/soc/files/bin/salt-relay.sh @@ -17,7 +17,7 @@ function log() { function make_pipe() { path=$1 - log "Creating pipe: $path" + log "Creating pipe: $path" rm -f "${path}" mkfifo "${path}" chmod 0660 "${path}" 
@@ -172,6 +172,74 @@ function manage_salt() { fi } +function send_file() { + request=$1 + from=$(echo "$request" | jq -r .from) + to=$(echo "$request" | jq -r .to) + node=$(echo "$request" | jq -r .node) + [ $(echo "$request" | jq -r .cleanup) != "true" ] ; cleanup=$? + + log "From: $from" + log "To: $to" + log "Node: $node" + log "Cleanup: $cleanup" + + response=$($CMD_PREFIX salt-cp -C "$node" "$from" "$to") + exit_code=$? + + log Response:$'\n'"$response" + log "Exit Code: $exit_code" + + if [[ exit_code -eq 0 ]]; then + if [[ $cleanup -eq 1 ]]; then + log "Cleaning up file $from" + rm -f "$from" + fi + $(echo "true" > "${SOC_PIPE}") + else + $(echo "false" > "${SOC_PIPE}") + fi +} + +function import_file() { + request=$1 + node=$(echo "$request" | jq -r .node) + file=$(echo "$request" | jq -r .file) + importer=$(echo "$request" | jq -r .importer) + + log "Node: $node" + log "File: $file" + log "Importer: $importer" + + case $importer in + pcap) + response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-pcap $file'") + exit_code=$? + ;; + evtx) + response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-evtx $file'") + exit_code=$? + ;; + *) + response="Unsupported importer: $importer" + exit_code=1 + ;; + esac + + rm "$file" + + log Response:$'\n'"$response" + log "Exit Code: $exit_code" + + if [[ exit_code -eq 0 ]]; then + log "true" + $(echo "true" > "${SOC_PIPE}") + else + log "false" + $(echo "false" > "${SOC_PIPE}") + fi +} + while true; do log "Listening for request" request=$(cat ${SOC_PIPE}) @@ -191,6 +259,12 @@ while true; do manage-salt) manage_salt "${request}" ;; + send-file) + send_file "${request}" + ;; + import-file) + import_file "${request}" + ;; *) log "Unsupported command: $command" $(echo "false" > "${SOC_PIPE}") From 49055e260f0d2e5535760934f04c9fdfc6f4d5c4 Mon Sep 17 00:00:00 2001 
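Review bot: In import_file the `node`, `file` and `importer` values come straight from the request JSON and are interpolated unquoted into the `cmd.run` command string, so anything able to write to the relay pipe can run arbitrary commands on the selected minion; send_file has the same shape with `from`, `to` and `node` handed to `salt-cp -C`, where an unvalidated compound target can fan the file out to every minion. Validate before building the command, e.g. `[[ "$node" =~ ^[A-Za-z0-9._-]+$ ]] || { log "Invalid node: $node"; echo "false" > "${SOC_PIPE}"; return; }`, and require `file` and `from` to be plain names under the expected upload directory, `[[ "$file" == "${UPLOAD_DIR}/"* && "$file" != *..* ]]` (constructed name; the directory is introduced as /nsm/soc/uploads later in this series). Smaller points: `rm "$file"` also runs for an unsupported importer, `[[ exit_code -eq 0 ]]` relies on arithmetic variable lookup where `$exit_code` is the usual form, and the `$(echo "true" > "${SOC_PIPE}")` command substitutions are unnecessary — a plain `echo "true" > "${SOC_PIPE}"` does the same. The `while` loop in the second hunk starts outside it.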
From: Corey Ogburn Date: Wed, 31 May 2023 09:47:52 -0600 Subject: [PATCH 14/26] salt-relay import-file reporting On successful import, return dashboard URL --- salt/soc/files/bin/salt-relay.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/soc/files/bin/salt-relay.sh b/salt/soc/files/bin/salt-relay.sh index bb0fa82a3..832633c77 100755 --- a/salt/soc/files/bin/salt-relay.sh +++ b/salt/soc/files/bin/salt-relay.sh @@ -232,8 +232,8 @@ function import_file() { log "Exit Code: $exit_code" if [[ exit_code -eq 0 ]]; then - log "true" - $(echo "true" > "${SOC_PIPE}") + url=$(echo "$response" | sed ':a;N;$!ba;s/\n//g' | grep -E -o "https://\S*&z=UTC") + $(echo "$url" > "${SOC_PIPE}") else log "false" $(echo "false" > "${SOC_PIPE}") From 89d789fe0f7cfd1707ee2bae7f230ce96b185919 Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Wed, 31 May 2023 12:47:44 -0600 Subject: [PATCH 15/26] New folder for salt to maintain This folder is where a manager will initially store uploaded PCAP/EVTX files before sending to sensors. Sensors will store uploads in this folder on their own system. --- salt/soc/config.sls | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/salt/soc/config.sls b/salt/soc/config.sls index 399ff72cd..42c24c9e0 100644 --- a/salt/soc/config.sls +++ b/salt/soc/config.sls @@ -1,5 +1,5 @@ # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. @@ -78,7 +78,7 @@ soc_sbin: # - name: /usr/sbin # - source: salt://soc/tools/sbin_jinja # - user: 939 -# - group: 939 +# - group: 939 # - file_mode: 755 # - template: jinja 
@@ -106,6 +106,13 @@ socusersroles: - require: - sls: manager.sync_es_users +socuploaddir: + file.directory: + - name: /nsm/soc/uploads + - user: 939 + - group: 939 + - makedirs: True + {% else %} {{sls}}_state_not_allowed: From 1b7095fa817fae2264139bd897465b69b6d80e3c Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Wed, 31 May 2023 16:31:40 -0600 Subject: [PATCH 16/26] Improved import-file url regex sed doesn't remove ALL whitespace, only newlines. It's better to stop at the first whitespace than to stop at a particular, maybe-not-last query string parameter. --- salt/soc/files/bin/salt-relay.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/files/bin/salt-relay.sh b/salt/soc/files/bin/salt-relay.sh index 832633c77..d15b3ee22 100755 --- a/salt/soc/files/bin/salt-relay.sh +++ b/salt/soc/files/bin/salt-relay.sh @@ -232,7 +232,7 @@ function import_file() { log "Exit Code: $exit_code" if [[ exit_code -eq 0 ]]; then - url=$(echo "$response" | sed ':a;N;$!ba;s/\n//g' | grep -E -o "https://\S*&z=UTC") + url=$(echo "$response" | sed ':a;N;$!ba;s/\n//g' | grep -E -o "https://\S*") $(echo "$url" > "${SOC_PIPE}") else log "false" From 451a4784a1d21b63cfe0e27466dc7a0f7acd5e4e Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Fri, 2 Jun 2023 13:12:37 -0600 Subject: [PATCH 17/26] send-file and import-file security Encrypt the file with a passphrase before sending and decrypt the file with the same passphrase before importing. --- salt/soc/files/bin/salt-relay.sh | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/salt/soc/files/bin/salt-relay.sh b/salt/soc/files/bin/salt-relay.sh index d15b3ee22..313a21141 100755 --- a/salt/soc/files/bin/salt-relay.sh +++ b/salt/soc/files/bin/salt-relay.sh 
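Review bot: The new `socuploaddir` state sets owner and group but no `dir_mode`, so the permissions of a directory that will hold user-uploaded PCAP/EVTX files depend on the minion's umask at first run. Make it explicit, e.g. add `- dir_mode: 750` below `- makedirs: True` (the exact mode the soc container user needs is not visible here), and add a short comment above the state tying it to the salt-relay flow, e.g. `# Staging area for SOC file uploads before salt-relay ships them to a sensor`.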
@@ -184,9 +184,17 @@ function send_file() { log "Node: $node" log "Cleanup: $cleanup" - response=$($CMD_PREFIX salt-cp -C "$node" "$from" "$to") + log "encrypting..." + gpg --passphrase "infected" --batch --symmetric --cipher-algo AES256 "$from" + + fromgpg="$from.gpg" + + log "sending..." + response=$($CMD_PREFIX salt-cp -C "$node" "$fromgpg" "$to") exit_code=$? + rm -f "$fromgpg" + log Response:$'\n'"$response" log "Exit Code: $exit_code" @@ -211,6 +219,12 @@ function import_file() { log "File: $file" log "Importer: $importer" + filegpg="$file.gpg" + + log "decrypting..." + gpg --passphrase "infected" --batch --decrypt "$filegpg" > "$file" + + log "importing..." case $importer in pcap) response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-pcap $file'") @@ -226,7 +240,7 @@ function import_file() { ;; esac - rm "$file" + rm "$file" "$filegpg" log Response:$'\n'"$response" log "Exit Code: $exit_code" From 41951659eced5b46b1f2a0b72f8103a87bc83d7c Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Tue, 13 Jun 2023 14:54:15 -0600 Subject: [PATCH 18/26] Use importer's new --json flag. Using the new --json flag is not only more reliable than using a regex, the way the import script was written even re-imports will provide a url. This means that in more cases we can provide the results to the users (even if nothing changed). --- salt/soc/files/bin/salt-relay.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/salt/soc/files/bin/salt-relay.sh b/salt/soc/files/bin/salt-relay.sh index 313a21141..e59fb41ab 100755 --- a/salt/soc/files/bin/salt-relay.sh +++ b/salt/soc/files/bin/salt-relay.sh 
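Review bot: The `gpg --passphrase "infected"` call uses a constant passphrase that is also in version control, so the encryption gives no confidentiality and the commit's "security" description is misleading; what it does provide is that a potentially malicious upload is not stored or shipped as a live file, which is the usual reason for the `infected` convention. State that in a comment above the call, e.g. `# Wrap the sample with the conventional "infected" passphrase so it is not handled as a live file in transit; this is not a confidentiality control`, and if confidentiality is actually intended a per-transfer secret would be needed instead. The gpg exit status is also not checked in send_file: if encryption fails, `$fromgpg` does not exist and the function still calls salt-cp; `gpg ... "$from" || { log "encrypt failed"; echo "false" > "${SOC_PIPE}"; return; }` would stop early. send_file and import_file both start outside these hunks.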
@@ -227,11 +227,11 @@ function import_file() { log "importing..." case $importer in pcap) - response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-pcap $file'") + response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-pcap $file --json'") exit_code=$? ;; evtx) - response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-evtx $file'") + response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-evtx $file --json'") exit_code=$? ;; *) @@ -246,7 +246,8 @@ function import_file() { log "Exit Code: $exit_code" if [[ exit_code -eq 0 ]]; then - url=$(echo "$response" | sed ':a;N;$!ba;s/\n//g' | grep -E -o "https://\S*") + # trim off the node header ("manager_standalone:\n") and parse out the URL + url=$(echo "$response" | tail -n +2 | jq -r .url) $(echo "$url" > "${SOC_PIPE}") else log "false" From ad28ea275ff60530c63d57beb83df1cdc12c89a8 Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Wed, 14 Jun 2023 12:10:34 -0600 Subject: [PATCH 19/26] Better state management When salt-cp runs it's course and finds it can't send a file, it outputs a report saying as much but the exit code will be zero. Now we remove the filename and node from the response and look for `True` to know if it succeeded. Also, respect the cleanup flag on success or failure. Check the status of the decryption process before importing. No longer decrypt locally, issue salt command for the remote client to do the decrypting. --- salt/soc/files/bin/salt-relay.sh | 54 +++++++++++++++++++------------- 1 file changed, 33 insertions(+), 21 deletions(-) diff --git a/salt/soc/files/bin/salt-relay.sh b/salt/soc/files/bin/salt-relay.sh index e59fb41ab..3e893e64c 100755 --- a/salt/soc/files/bin/salt-relay.sh +++ b/salt/soc/files/bin/salt-relay.sh 
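Review bot: `url=$(echo "$response" | tail -n +2 | jq -r .url)` assumes exactly one header line followed by a JSON body; when the importer prints anything else, jq fails or yields `null`, and that string is still written to the pipe as a success result because the pipeline's status is never checked. Use `jq -r '.url // empty'` and treat an empty `url` as failure, e.g. `[[ -n "$url" ]] || { log "no url in response"; echo "false" > "${SOC_PIPE}"; return; }`. The number of header lines salt prints is taken from the comment, not visible here. import_file starts and ends outside the hunks.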
@@ -188,9 +188,14 @@ function send_file() { gpg --passphrase "infected" --batch --symmetric --cipher-algo AES256 "$from" fromgpg="$from.gpg" + filename=$(basename "$fromgpg") log "sending..." response=$($CMD_PREFIX salt-cp -C "$node" "$fromgpg" "$to") + # salt-cp returns 0 even if the file transfer fails, so we need to check the response. + # Remove the node and filename from the response on the off-chance they contain + # the word "True" in them + echo $response | sed "s/$node//" | sed "s/$filename//" | grep True exit_code=$? rm -f "$fromgpg" @@ -198,11 +203,12 @@ function send_file() { log Response:$'\n'"$response" log "Exit Code: $exit_code" + if [[ $cleanup -eq 1 ]]; then + log "Cleaning up file $from" + rm -f "$from" + fi + if [[ exit_code -eq 0 ]]; then - if [[ $cleanup -eq 1 ]]; then - log "Cleaning up file $from" - rm -f "$from" - fi $(echo "true" > "${SOC_PIPE}") else $(echo "false" > "${SOC_PIPE}") 
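Review bot: `sed "s/$node//" | sed "s/$filename//"` uses the node id and filename as unescaped sed patterns, so a `/` in either breaks the expression and `.` or `*` in the filename (the `.gpg` suffix guarantees at least one) match loosely; a sed error would make the whole check report failure. Bash already has literal substitution, so replace the pipeline with `tmp="${response//"$node"/}"; tmp="${tmp//"$filename"/}"; grep -qw True <<< "$tmp"` (the `-q` also stops the match from leaking into stdout). Matching the literal word `True` in salt-cp's text output is fragile; if this salt version honours `--out=json` for salt-cp, parsing the result would be more robust — not verifiable here. The unquoted `echo $response` additionally collapses whitespace in the logged text. send_file starts outside the hunk.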
@@ -222,25 +228,31 @@ function import_file() { filegpg="$file.gpg" log "decrypting..." - gpg --passphrase "infected" --batch --decrypt "$filegpg" > "$file" + $CMD_PREFIX "salt '$node' cmd.run 'gpg --passphrase \"infected\" --batch --decrypt \"$filegpg\" > \"$file\"'" + decrypt_code=$? - log "importing..." - case $importer in - pcap) - response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-pcap $file --json'") - exit_code=$? - ;; - evtx) - response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-evtx $file --json'") - exit_code=$? - ;; - *) - response="Unsupported importer: $importer" - exit_code=1 - ;; - esac + if [[ $decrypt_code -eq 0 ]]; then + log "importing..." + case $importer in + pcap) + response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-pcap $file --json'") + exit_code=$? + ;; + evtx) + response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-evtx $file --json'") + exit_code=$? + ;; + *) + response="Unsupported importer: $importer" + exit_code=1 + ;; + esac + else + response="Failed to decrypt file: $file" + exit_code=$decrypt_code + fi - rm "$file" "$filegpg" + rm -f "$file" "$filegpg" log Response:$'\n'"$response" log "Exit Code: $exit_code" From 4497f6561fad1804aeabe580deba1ac90826c5f2 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 20 Jun 2023 17:27:02 -0400 Subject: [PATCH 20/26] Salt Defunct Workaround This can be removed once they patch salt --- salt/common/init.sls | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/salt/common/init.sls b/salt/common/init.sls index 8723cc3c5..c23e82543 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -10,6 +10,10 @@ include: - manager.elasticsearch # needed for elastic_curl_config state {% endif %} +net.core.wmem_default: + sysctl.present: + - value: 26214400 + # Remove variables.txt from /tmp - This is temp rmvariablesfile: file.absent: From 6ddf887342834f9871edc91f34cbbad418e9050d Mon Sep 17 00:00:00 2001 
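Review bot: `decrypt_code=$?` captures the exit status of the local `salt` client, not of the remote `gpg`, and by default the client exits 0 whenever the job ran regardless of the remote command's own return code, so the decrypt-failure branch below is unlikely to ever fire. Add `--retcode-passthrough` to the invocation so the minion's retcode is propagated, i.e. `$CMD_PREFIX "salt --retcode-passthrough '$node' cmd.run 'gpg ... > \"$file\"'"`; the `so-import-pcap`/`so-import-evtx` calls in the same hunk have the same problem. The remote command string still embeds `$file` and `$filegpg` from the request without validation, as raised at the hunk that introduced import_file. The function's tail is outside the hunk.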
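Review bot: The new `net.core.wmem_default` sysctl state carries no comment explaining that it is a workaround, so a later reader will not know it can be removed once salt is fixed, which is the only rationale given in the commit message. Add above the state: `# Workaround for defunct salt processes; remove once <UPSTREAM_SALT_ISSUE> is fixed`, with the upstream reference filled in. A 26214400-byte default socket send buffer is applied grid-wide by this `common` state; whether every role needs it is not visible here.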
From: Josh Brower Date: Wed, 21 Jun 2023 09:32:42 -0400 Subject: [PATCH 21/26] Refactor EVTX Import --- .../integrations/grid-nodes/import-evtx-logs.json | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/salt/elasticfleet/files/integrations/grid-nodes/import-evtx-logs.json b/salt/elasticfleet/files/integrations/grid-nodes/import-evtx-logs.json index d585c587b..5bebfd54d 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes/import-evtx-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes/import-evtx-logs.json @@ -7,6 +7,7 @@ "namespace": "so", "description": "Import Windows EVTX logs", "policy_id": "so-grid-nodes", + "vars": {}, "inputs": { "logs-logfile": { "enabled": true, 
@@ -15,12 +16,14 @@ "enabled": true, "vars": { "paths": [ - "/nsm/import/*/evtx/data.json" + "/nsm/import/*/evtx/*.json" ], "data_stream.dataset": "import", - "tags": [], - "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- add_fields:\n target: event\n fields:\n module: windows_eventlog\n imported: true", - "custom": "pipeline: import.wel" + "custom": "", + "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- drop_fields:\n fields: [\"host\"]\n ignore_missing: true\n- add_fields:\n target: data_stream\n fields:\n namespace: default\n type: logs\n dataset: system.security\n- add_fields:\n target: event\n fields:\n dataset: system.security\n module: system\n imported: true \n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.sysmon_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.sysmon_operational\n module: windows\n imported: true\n- if:\n equals:\n winlog.channel: 'Application'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.application\n - add_fields:\n target: event\n fields:\n dataset: system.application\n- if:\n equals:\n winlog.channel: 'System'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.system\n - add_fields:\n target: event\n fields:\n dataset: system.system\n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.powershell_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.powershell_operational\n module: windows", + "tags": [ + "import" + ] } } } 
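Review bot: In the rewritten `processors` string every event whose channel is not one of the four matched later is tagged `data_stream.dataset: system.security` and `event.dataset: system.security` by the unconditional `add_fields` blocks, so an imported Setup, ForwardedEvents or any other channel would be searched and alerted on as Security log data. Either gate the `system.security` blocks on `winlog.channel: 'Security'` like the other channels, or fall back to a neutral dataset for unknown channels. The embedded YAML also has trailing spaces in `imported: true \n` and the `then: \n` lines; harmless to the parser but they will churn in future diffs. Keeping this processor chain as a separate YAML fragment rendered into the JSON would make the next change reviewable.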
From 1675b787bfacb2b7301f0769287d6e1eecccc5d8 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 21 Jun 2023 13:27:34 -0400 Subject: [PATCH 22/26] exclude rocky-repos and remove files --- salt/repo/client/files/rocky/yum.conf.jinja | 5 +++-- salt/repo/client/map.jinja | 4 ++++ setup/so-functions | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/salt/repo/client/files/rocky/yum.conf.jinja b/salt/repo/client/files/rocky/yum.conf.jinja index bd31ac007..54ae35a41 100644 --- a/salt/repo/client/files/rocky/yum.conf.jinja +++ b/salt/repo/client/files/rocky/yum.conf.jinja @@ -12,6 +12,7 @@ installonly_limit={{ salt['pillar.get']('yum:config:installonly_limit', 2) }} bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum distroverpkg=centos-release clean_requirements_on_remove=1 -{% if proxy -%} +exclude=rocky-repos +{%- if proxy %} proxy={{ proxy }} -{% endif %} +{%- endif %} diff --git a/salt/repo/client/map.jinja b/salt/repo/client/map.jinja index 1e5d9351f..515ec515b 100644 --- a/salt/repo/client/map.jinja +++ b/salt/repo/client/map.jinja @@ -11,6 +11,10 @@ 'Rocky-Sources.repo', 'Rocky-Vault.repo', 'Rocky-x86_64-kernel.repo', + 'rocky-addons.repo', + 'rocky-devel.repo', + 'rocky-extras.repo', + 'rocky.repo', 'docker-ce.repo', 'epel.repo', 'epel-testing.repo', diff --git a/setup/so-functions b/setup/so-functions index 2a69f0d36..5ecba8408 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2402,7 +2402,7 @@ update_sudoers_for_testing() { update_packages() { if [[ $is_rocky ]]; then logCmd "dnf repolist" - logCmd "dnf -y update --allowerasing --exclude=salt*,wazuh*,docker*,containerd*" + logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*,rocky-repos" else info "Running apt-get update" retry 150 10 "apt-get -y update" "" "Err:" >> "$setup_log" 2>&1 || fail_setup From 7e37cd0f05e2be9092d9faf8e9a4b6ec792e4014 Mon Sep 17 00:00:00 2001 
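Review bot: The rewritten `dnf -y update` exclude list drops `wazuh*` while adding `rocky-repos`, a change the commit message does not mention, so packages the previous line deliberately held back would now be updated or erased under `--allowerasing`. If wazuh is no longer shipped in this branch that is fine, but say so in the message or on the line, e.g. `# wazuh* no longer excluded: removed from 2.4`; otherwise restore it. update_packages() continues outside the hunk.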
From: weslambert Date: Wed, 21 Jun 2023 14:29:54 -0400 Subject: [PATCH 23/26] Parse xff --- .../files/ingest/suricata.common | 27 ++++++++++--------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/salt/elasticsearch/files/ingest/suricata.common b/salt/elasticsearch/files/ingest/suricata.common index 4dea07b8b..e12fea0be 100644 --- a/salt/elasticsearch/files/ingest/suricata.common +++ b/salt/elasticsearch/files/ingest/suricata.common 
@@ -1,20 +1,21 @@ { "description" : "suricata.common", "processors" : [ - { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, - { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_failure": true } }, - { "rename": { "field": "message2.flow_id", "target_field": "log.id.uid", "ignore_failure": true } }, - { "rename": { "field": "message2.src_ip", "target_field": "source.ip", "ignore_failure": true } }, - { "rename": { "field": "message2.src_port", "target_field": "source.port", "ignore_failure": true } }, - { "rename": { "field": "message2.dest_ip", "target_field": "destination.ip", "ignore_failure": true } }, - { "rename": { "field": "message2.dest_port", "target_field": "destination.port", "ignore_failure": true } }, - { "rename": { "field": "message2.vlan", "target_field": "network.vlan.id", "ignore_failure": true } }, - { "rename": { "field": "message2.community_id", "target_field": "network.community_id", "ignore_missing": true } }, - { "set": { "field": "event.dataset", "value": "{{ message2.event_type }}" } }, - { "set": { "field": "observer.name", "value": "{{agent.name}}" } }, - { "set": { "field": "event.ingested", "value": "{{@timestamp}}" } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_failure": true } }, + { "rename": { "field": "message2.flow_id", "target_field": "log.id.uid", "ignore_failure": true } }, + { "rename": { "field": "message2.src_ip", "target_field": "source.ip", "ignore_failure": true } }, + { "rename": { "field": "message2.src_port", "target_field": "source.port", "ignore_failure": true } }, + { "rename": { "field": "message2.dest_ip", "target_field": "destination.ip", "ignore_failure": true } }, + { "rename": { "field": "message2.dest_port", "target_field": "destination.port", "ignore_failure": true } }, + { "rename": { "field": 
"message2.vlan", "target_field": "network.vlan.id", "ignore_failure": true } }, + { "rename": { "field": "message2.community_id", "target_field": "network.community_id", "ignore_missing": true } }, + { "rename": { "field": "message2.xff", "target_field": "xff.ip", "ignore_missing": true } }, + { "set": { "field": "event.dataset", "value": "{{ message2.event_type }}" } }, + { "set": { "field": "observer.name", "value": "{{agent.name}}" } }, + { "set": { "field": "event.ingested", "value": "{{@timestamp}}" } }, { "date": { "field": "message2.timestamp", "target_field": "@timestamp", "formats": ["ISO8601", "UNIX"], "timezone": "UTC", "ignore_failure": true } }, - { "remove":{ "field": "agent", "ignore_failure": true } }, + { "remove":{ "field": "agent", "ignore_failure": true } }, { "pipeline": { "if": "ctx?.event?.dataset != null", "name": "suricata.{{event.dataset}}" } } ] } From 4e849ecc908770660540720d3192a9e27255c361 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 21 Jun 2023 15:14:53 -0400 Subject: [PATCH 24/26] issues with exclude rocky-repos --- salt/repo/client/files/rocky/yum.conf.jinja | 1 - setup/so-functions | 7 ++++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/salt/repo/client/files/rocky/yum.conf.jinja b/salt/repo/client/files/rocky/yum.conf.jinja index 54ae35a41..118bffeef 100644 --- a/salt/repo/client/files/rocky/yum.conf.jinja +++ b/salt/repo/client/files/rocky/yum.conf.jinja @@ -12,7 +12,6 @@ installonly_limit={{ salt['pillar.get']('yum:config:installonly_limit', 2) }} bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum distroverpkg=centos-release clean_requirements_on_remove=1 -exclude=rocky-repos {%- if proxy %} proxy={{ proxy }} {%- endif %} diff --git a/setup/so-functions b/setup/so-functions index 5ecba8408..ef4e44eaa 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -2402,7 +2402,12 @@ update_sudoers_for_testing() { update_packages() { if [[ $is_rocky ]]; then logCmd "dnf repolist" - logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*,rocky-repos" + logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*" + RMREPOFILES=("rocky-addons.repo" "rocky-devel.repo" "rocky-extras.repo" "rocky.repo") + info "Removing repo files added by rocky-repos package update" + for FILE in ${RMREPOFILES[@]}; do + logCmd "rm -f /etc/yum.repos.d/$FILE" + done else info "Running apt-get update" retry 150 10 "apt-get -y update" "" "Err:" >> "$setup_log" 2>&1 || fail_setup From b5e5bd57ad9acb0a807d21da6b87d6b811aaa973 Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Wed, 21 Jun 2023 15:41:16 -0600 Subject: [PATCH 25/26] Fix for Upload Import Needed to mount /nsm/soc/uploads into soc container. Made the upload route configurable. Added gpg logging to salt-relay. --- salt/soc/defaults.yaml | 1 + salt/soc/enabled.sls | 3 ++- salt/soc/files/bin/salt-relay.sh | 3 ++- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index dfc5c3753..8eb222e01 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1006,6 +1006,7 @@ soc: baseUrl: / maxPacketCount: 5000 htmlDir: html + importUploadDir: /opt/sensoroni/uploads airgapEnabled: false modules: cases: soc diff --git a/salt/soc/enabled.sls b/salt/soc/enabled.sls index bc55f2d94..c5e116db2 100644 --- a/salt/soc/enabled.sls +++ b/salt/soc/enabled.sls @@ -1,5 +1,5 @@ # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. 
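Review bot: `for FILE in ${RMREPOFILES[@]}` expands the array unquoted; the names here contain no spaces, but the idiomatic form is `for FILE in "${RMREPOFILES[@]}"; do`. Deleting the repo files right after each update is a recurring fight with the `rocky-repos` package, which will presumably restore them on its next update; a one-line comment stating that this is deliberate, e.g. `# rocky-repos re-creates these on update; the grid is meant to use only the Security Onion mirror`, would stop the next reader from "fixing" it, assuming that is indeed the intent. update_packages() continues outside the hunk.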
@@ -23,6 +23,7 @@ so-soc: - ipv4_address: {{ DOCKER.containers['so-soc'].ip }} - binds: - /nsm/soc/jobs:/opt/sensoroni/jobs:rw + - /nsm/soc/uploads:/opt/sensoroni/uploads:rw - /opt/so/log/soc/:/opt/sensoroni/logs/:rw - /opt/so/conf/soc/soc.json:/opt/sensoroni/sensoroni.json:ro - /opt/so/conf/soc/motd.md:/opt/sensoroni/html/motd.md:ro diff --git a/salt/soc/files/bin/salt-relay.sh b/salt/soc/files/bin/salt-relay.sh index 3e893e64c..22be8d3e4 100755 --- a/salt/soc/files/bin/salt-relay.sh +++ b/salt/soc/files/bin/salt-relay.sh @@ -185,7 +185,8 @@ function send_file() { log "Cleanup: $cleanup" log "encrypting..." - gpg --passphrase "infected" --batch --symmetric --cipher-algo AES256 "$from" + response=$(gpg --passphrase "infected" --batch --symmetric --cipher-algo AES256 "$from") + log Response:$'\n'"$response" fromgpg="$from.gpg" filename=$(basename "$fromgpg") From 6769386c86e173678b39cb683ea561e5698340dc Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Thu, 22 Jun 2023 10:59:24 -0600 Subject: [PATCH 26/26] Change upload path --- salt/soc/defaults.yaml | 16 ++++++++-------- salt/soc/enabled.sls | 2 +- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 8eb222e01..156446b7f 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -580,18 +580,18 @@ soc: - event.dataset - process.executable - user.name - '::process_terminated': + '::process_terminated': - soc_timestamp - process.executable - process.pid - winlog.computer_name - '::file_create': + '::file_create': - soc_timestamp - file.target - process.executable - process.pid - winlog.computer_name - '::registry_value_set': + '::registry_value_set': - soc_timestamp - winlog.event_data.TargetObject - process.executable 
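Review bot: `response=$(gpg --passphrase ... "$from")` captures only stdout, but gpg writes its diagnostics to stderr and, when writing an output file, prints nothing on stdout, so the logged `Response` will be empty exactly when something went wrong. Capture both streams, `response=$(gpg --passphrase "infected" --batch --symmetric --cipher-algo AES256 "$from" 2>&1)`, and check `$?` on that line so a failed encryption does not proceed to salt-cp. send_file starts and ends outside the hunk.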
@@ -1000,13 +1000,13 @@ soc: - destination.port - tds.header_type - log.id.uid - - event.dataset + - event.dataset server: bindAddress: 0.0.0.0:9822 baseUrl: / maxPacketCount: 5000 htmlDir: html - importUploadDir: /opt/sensoroni/uploads + importUploadDir: /nsm/soc/uploads airgapEnabled: false modules: cases: soc @@ -1034,7 +1034,7 @@ soc: asyncThreshold: 10 influxdb: hostUrl: - token: + token: org: Security Onion bucket: telegraf/so_short_term verifyCert: false @@ -1409,7 +1409,7 @@ soc: - name: Host Registry Changes description: Windows Registry changes query: 'event.category: registry | groupby -sankey event.action host.name | groupby event.dataset event.action | groupby host.name | groupby process.executable | groupby registry.path | groupby process.executable registry.path' - - name: Host DNS & Process Mappings + - name: Host DNS & Process Mappings description: DNS queries mapped to originating processes query: 'event.category: network AND _exists_:process.executable AND (_exists_:dns.question.name OR _exists_:dns.answers.data) | groupby -sankey host.name dns.question.name | groupby event.dataset event.type | groupby host.name | groupby process.executable | groupby dns.question.name | groupby dns.answers.data' - name: Host Process Activity @@ -1686,7 +1686,7 @@ soc: - name: Templates query: 'so_case.category:template' case: - analyzerNodeId: + analyzerNodeId: mostRecentlyUsedLimit: 5 renderAbbreviatedCount: 30 presets: diff --git a/salt/soc/enabled.sls b/salt/soc/enabled.sls index c5e116db2..4169f90ca 100644 --- a/salt/soc/enabled.sls +++ b/salt/soc/enabled.sls @@ -23,7 +23,7 @@ so-soc: - ipv4_address: {{ DOCKER.containers['so-soc'].ip }} - binds: - /nsm/soc/jobs:/opt/sensoroni/jobs:rw - - /nsm/soc/uploads:/opt/sensoroni/uploads:rw + - /nsm/soc/uploads:/nsm/soc/uploads:rw - /opt/so/log/soc/:/opt/sensoroni/logs/:rw - /opt/so/conf/soc/soc.json:/opt/sensoroni/sensoroni.json:ro - /opt/so/conf/soc/motd.md:/opt/sensoroni/html/motd.md:ro
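Review bot: `importUploadDir: /nsm/soc/uploads` must stay identical to the container-side path of the new bind `/nsm/soc/uploads:/nsm/soc/uploads:rw` in enabled.sls and to the host path salt-relay reads, but nothing in either file records that coupling. Add `# Must match the so-soc uploads bind mount in soc/enabled.sls and the path salt-relay reads` above the key in defaults.yaml and a mirror comment on the bind line. The surrounding `server:` mapping and the `so-soc` state both extend beyond these hunks.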