From c6df805556ca56e3d6ca252f01ea5dc6cb274e40 Mon Sep 17 00:00:00 2001
From: Wes
Date: Mon, 18 Mar 2024 14:53:36 +0000
Subject: [PATCH 01/12] Add SOC template

---
salt/elasticsearch/defaults.yaml | 107 +++++++++++++++++++++++++++++++
1 file changed, 107 insertions(+)

diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 2274018b1..c70b0419a 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -227,6 +227,113 @@ elasticsearch: sort: field: '@timestamp' order: desc + so-logs-soc: + close: 30 + delete: 365 + index_sorting: false + index_template: + composed_of: + - agent-mappings + - dtc-agent-mappings + - base-mappings + - dtc-base-mappings + - client-mappings + - dtc-client-mappings + - container-mappings + - destination-mappings + - dtc-destination-mappings + - pb-override-destination-mappings + - dll-mappings + - dns-mappings + - dtc-dns-mappings + - ecs-mappings + - dtc-ecs-mappings + - error-mappings + - event-mappings + - dtc-event-mappings + - file-mappings + - dtc-file-mappings + - group-mappings + - host-mappings + - dtc-host-mappings + - http-mappings + - dtc-http-mappings + - log-mappings + - network-mappings + - dtc-network-mappings + - observer-mappings + - dtc-observer-mappings + - organization-mappings + - package-mappings + - process-mappings + - dtc-process-mappings + - related-mappings + - rule-mappings + - dtc-rule-mappings + - server-mappings + - service-mappings + - dtc-service-mappings + - source-mappings + - dtc-source-mappings + - pb-override-source-mappings + - threat-mappings + - tls-mappings + - url-mappings + - user_agent-mappings + - dtc-user_agent-mappings + - common-settings + - common-dynamic-mappings + data_stream: {} + index_patterns: + - logs-soc-so* + priority: 500 + template: + mappings: + date_detection: false + dynamic_templates: + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: string + settings: + index: + lifecycle: + name: so-soc-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + number_of_shards: 1 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + 
set_priority: + priority: 50 + min_age: 30d + warm: 7 so-common: close: 30 delete: 365 From 778997bed46fc77b876328a6b98ebb477fe97082 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Wed, 20 Mar 2024 17:07:37 -0400 Subject: [PATCH 02/12] FEATURE: Add Events column layout for event.module system #12628 --- salt/soc/defaults.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index de372a98f..30149fdfd 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1064,6 +1064,15 @@ soc: - event.action - event.outcome - event.dataset + ':system:': + - soc_timestamp + - process.name + - process.pid + - user.effective.name + - user.name + - system.auth.sudo.command + - event.dataset + - message server: bindAddress: 0.0.0.0:9822 baseUrl: / From f889a089bfd23208ed725d54af39be38cfc9b6b7 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 22 Mar 2024 09:48:27 -0400 Subject: [PATCH 03/12] disregard benign telegraf error --- salt/common/tools/sbin/so-log-check | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/common/tools/sbin/so-log-check b/salt/common/tools/sbin/so-log-check index b8c68ffa1..3bf2bc778 100755 --- a/salt/common/tools/sbin/so-log-check +++ b/salt/common/tools/sbin/so-log-check @@ -122,6 +122,7 @@ if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error while communicating" # Elasticsearch MS -> HN "sensor" temporarily unavailable EXCLUDED_ERRORS="$EXCLUDED_ERRORS|tls handshake error" # Docker registry container when new node comes onlines EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Unable to get license information" # Logstash trying to contact ES before it's ready + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|process already finished" # Telegraf script finished just as the auto kill timeout kicked in fi if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then From 4e1543b6a889bbaf3ba4cac998337c05b2416435 Mon Sep 17 00:00:00 2001 
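Review bot: In the embedded ILM policy the warm and cold phases both carry `min_age: 30d`, so an index that rolls over becomes eligible for cold at the same moment it becomes eligible for warm and the warm phase's `priority: 50` is effectively never observed; the trailing top-level `warm: 7` suggests warm was meant to begin at 7 days, so `min_age: 7d` on the warm phase would make the two agree, if the `close`/`delete`/`warm` counters and the `policy` block are meant to describe the same schedule — the hunk does not show which of them the loader reads. The template also sets `number_of_replicas: 0` for `logs-soc-so*`; if these indices hold SOC's own audit and authentication records, losing a single data node removes that history, so a comment such as `# replicas: 0 — SOC audit history is lost with the node; raise on multi-node grids` beside it would record that the trade-off was deliberate.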
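Review bot: The new exclusion `process already finished` is applied to every container's log output, not only telegraf's, so an unrelated service that logs that phrase in a genuine error is hidden from so-log-check whenever `EXCLUDE_STARTUP_ERRORS` is `Y`; the sibling patterns share this breadth, but this phrase is generic enough to collide. If the grep that consumes `EXCLUDED_ERRORS` keeps the container name on the matched line, anchoring the pattern to it (for example `telegraf.*process already finished`) limits the suppression to the case the inline comment describes; the loop that applies `EXCLUDED_ERRORS` is outside the hunk, so how the match is performed is inferred.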
From: weslambert
Date: Fri, 22 Mar 2024 09:56:21 -0400
Subject: [PATCH 04/12] Get only code

---
salt/elasticsearch/files/ingest-dynamic/common | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/salt/elasticsearch/files/ingest-dynamic/common b/salt/elasticsearch/files/ingest-dynamic/common
index b2c13f983..836b8d4af 100644
--- a/salt/elasticsearch/files/ingest-dynamic/common
+++ b/salt/elasticsearch/files/ingest-dynamic/common
@@ -57,10 +57,11 @@ { "convert": { "field": "log.id.uid", "type": "string", "ignore_failure": true, "ignore_missing": true } }, { "convert": { "field": "agent.id", "type": "string", "ignore_failure": true, "ignore_missing": true } }, { "convert": { "field": "event.severity", "type": "integer", "ignore_failure": true, "ignore_missing": true } }, - { "set": { "field": "event.dataset", "ignore_empty_value":true, "copy_from": "event.dataset_temp" }}, + { "set": { "field": "event.dataset", "ignore_empty_value":true, "copy_from": "event.dataset_temp" } }, { "set": { "if": "ctx.event?.dataset != null && !ctx.event.dataset.contains('.')", "field": "event.dataset", "value": "{{event.module}}.{{event.dataset}}" } }, - { "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "dataset_tag_temp" } }, - { "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}" }}, + { "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "dataset_tag_temp" } }, + { "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}" } }, + { "grok": { "if": "ctx.http?.response?.status_code != null", "field": "http.response.status_code", "patterns": ["%{NUMBER:http.response.status_code:long} %{GREEDYDATA}"]} }, { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "dataset_tag_temp", "event.dataset_temp" ], "ignore_missing": true, "ignore_failure": true } } {%- endraw %} {%- if HIGHLANDER %} From 5ca9ec4b17f0f1f7bdde1fe336d24299b711b192 Mon Sep 17 00:00:00 2001 From: DefensiveDepth Date: Fri, 22 Mar 2024 10:12:26 -0400 Subject: [PATCH 05/12] Enable Detections --- salt/soc/defaults.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
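Review bot: The new `grok` processor carries no `ignore_failure`, unlike every `convert` and `set` processor around it, and its only pattern `%{NUMBER:http.response.status_code:long} %{GREEDYDATA}` requires a literal space after the number, so a status code that arrives as a bare `200` (or already typed as a number rather than a string) fails the pattern and, unless an `on_failure` handler exists elsewhere in the pipeline, fails ingest of the whole document. Adding the flag matches the siblings and keeps a malformed status code from dropping the event: `{ "grok": { "if": "ctx.http?.response?.status_code != null", "field": "http.response.status_code", "patterns": ["%{NUMBER:http.response.status_code:long} %{GREEDYDATA}"], "ignore_failure": true } }`. If the bare-number case should also be normalised, a second pattern `%{NUMBER:http.response.status_code:long}` in the `patterns` array covers it; whether the pipeline defines `on_failure` is outside the hunk.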
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 8b78f2e91..7d8d8dd25 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1157,7 +1157,7 @@ soc: tipTimeoutMs: 6000 cacheExpirationMs: 300000 casesEnabled: true - detectionsEnabled: false + detectionsEnabled: true inactiveTools: ['toolUnused'] tools: - name: toolKibana @@ -1881,8 +1881,9 @@ soc: default: - so_detection.title - so_detection.isEnabled - - so_detection.language - so_detection.severity + - so_detection.language + - so_detection.ruleset queries: - name: "All Detections" query: "_id:*" From a78a304d4f90ac00be74b3a019458aba4286a9fc Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 22 Mar 2024 13:19:31 -0400 Subject: [PATCH 06/12] FEATURE: Add event.dataset to all Events column layouts #12641 --- salt/soc/defaults.yaml | 97 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 95 insertions(+), 2 deletions(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 5905434ed..bab229aeb 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -92,6 +92,7 @@ soc: - http_request.headers.x-real-ip - identity_id - http_request.headers.user-agent + - event.dataset '::conn': - soc_timestamp - source.ip @@ -102,6 +103,7 @@ soc: - network.protocol - log.id.uid - network.community_id + - event.dataset '::dce_rpc': - soc_timestamp - source.ip @@ -112,6 +114,7 @@ soc: - dce_rpc.named_pipe - dce_rpc.operation - log.id.uid + - event.dataset '::dhcp': - soc_timestamp - client.address @@ -120,6 +123,7 @@ soc: - host.hostname - dhcp.message_types - log.id.uid + - event.dataset '::dnp3': - soc_timestamp - source.ip @@ -128,6 +132,7 @@ soc: - destination.port - dnp3.fc_reply - log.id.uid + - event.dataset '::dnp3_control': - soc_timestamp - source.ip @@ -137,6 +142,7 @@ soc: - dnp3.function_code - dnp3.block_type - log.id.uid + - event.dataset '::dnp3_objects': - soc_timestamp - source.ip 
@@ -146,6 +152,7 @@ soc: - dnp3.function_code - dnp3.object_type - log.id.uid + - event.dataset '::dns': - soc_timestamp - source.ip @@ -158,6 +165,7 @@ soc: - dns.response.code_name - log.id.uid - network.community_id + - event.dataset '::dpd': - soc_timestamp - source.ip @@ -168,6 +176,7 @@ soc: - observer.analyser - error.reason - log.id.uid + - event.dataset '::file': - soc_timestamp - source.ip @@ -178,6 +187,7 @@ soc: - file.bytes.total - log.id.fuid - log.id.uid + - event.dataset '::ftp': - soc_timestamp - source.ip @@ -190,6 +200,7 @@ soc: - ftp.reply_code - file.size - log.id.uid + - event.dataset '::http': - soc_timestamp - source.ip @@ -204,6 +215,7 @@ soc: - http.response.body.length - log.id.uid - network.community_id + - event.dataset '::intel': - soc_timestamp - source.ip @@ -214,6 +226,7 @@ soc: - intel.indicator_type - intel.seen_where - log.id.uid + - event.dataset '::irc': - soc_timestamp - source.ip @@ -226,6 +239,7 @@ soc: - irc.command.value - irc.command.info - log.id.uid + - event.dataset '::kerberos': - soc_timestamp - source.ip @@ -236,6 +250,7 @@ soc: - kerberos.service - kerberos.request_type - log.id.uid + - event.dataset '::modbus': - soc_timestamp - source.ip @@ -244,6 +259,7 @@ soc: - destination.port - modbus.function - log.id.uid + - event.dataset '::mysql': - soc_timestamp - source.ip @@ -255,6 +271,7 @@ soc: - mysql.success - mysql.response - log.id.uid + - event.dataset '::notice': - soc_timestamp - source.ip @@ -266,6 +283,7 @@ soc: - log.id.fuid - log.id.uid - network.community_id + - event.dataset '::ntlm': - soc_timestamp - source.ip @@ -278,6 +296,7 @@ soc: - ntlm.server.nb.name - ntlm.server.tree.name - log.id.uid + - event.dataset '::pe': - soc_timestamp - file.is_64bit @@ -286,6 +305,7 @@ soc: - file.os - file.subsystem - log.id.fuid + - event.dataset '::radius': - soc_timestamp - source.ip 
@@ -297,6 +317,7 @@ soc: - radius.framed_address - radius.reply_message - radius.result + - event.dataset '::rdp': - soc_timestamp - source.ip @@ -312,6 +333,7 @@ soc: - rdp.result - rdp.security_protocol - log.id.uid + - event.dataset '::rfb': - soc_timestamp - source.ip @@ -323,6 +345,7 @@ soc: - rfb.share_flag - rfb.desktop.name - log.id.uid + - event.dataset '::signatures': - soc_timestamp - source.ip @@ -336,6 +359,7 @@ soc: - signature_count - host.count - log.id.uid + - event.dataset '::sip': - soc_timestamp - source.ip @@ -353,6 +377,7 @@ soc: - sip.user_agent - sip.status_code - log.id.uid + - event.dataset '::smb_files': - soc_timestamp - source.ip @@ -366,6 +391,7 @@ soc: - file.size - file.prev_name - log.id.uid + - event.dataset '::smb_mapping': - soc_timestamp - source.ip @@ -376,6 +402,7 @@ soc: - smb.service - smb.share_type - log.id.uid + - event.dataset '::smtp': - soc_timestamp - source.ip @@ -388,6 +415,7 @@ soc: - smtp.useragent - log.id.uid - network.community_id + - event.dataset '::snmp': - soc_timestamp - source.ip @@ -397,6 +425,7 @@ soc: - snmp.community - snmp.version - log.id.uid + - event.dataset '::socks': - soc_timestamp - source.ip @@ -408,11 +437,13 @@ soc: - socks.request.port - socks.status - log.id.uid + - event.dataset '::software': - soc_timestamp - source.ip - software.name - software.type + - event.dataset '::ssh': - soc_timestamp - source.ip @@ -425,6 +456,7 @@ soc: - ssh.client - ssh.server - log.id.uid + - event.dataset '::ssl': - soc_timestamp - source.ip @@ -436,6 +468,7 @@ soc: - ssl.validation_status - ssl.version - log.id.uid + - event.dataset ':zeek:syslog': - soc_timestamp - source.ip @@ -446,6 +479,7 @@ soc: - network.protocol - syslog.severity - log.id.uid + - event.dataset '::tunnels': - soc_timestamp - source.ip @@ -455,6 +489,7 @@ soc: - tunnel_type - action - log.id.uid + - event.dataset '::weird': - soc_timestamp - source.ip 
@@ -463,6 +498,7 @@ soc: - destination.port - weird.name - log.id.uid + - event.dataset '::x509': - soc_timestamp - x509.certificate.subject @@ -470,6 +506,7 @@ soc: - x509.certificate.key.length - x509.certificate.issuer - log.id.fuid + - event.dataset '::firewall': - soc_timestamp - source.ip @@ -481,6 +518,7 @@ soc: - observer.ingress.interface.name - event.action - network.community_id + - event.dataset ':pfsense:': - soc_timestamp - source.ip @@ -492,6 +530,7 @@ soc: - observer.ingress.interface.name - event.action - network.community_id + - event.dataset ':osquery:': - soc_timestamp - source.ip @@ -499,9 +538,9 @@ soc: - destination.ip - destination.port - source.hostname - - event.dataset - process.executable - user.name + - event.dataset ':strelka:file': - soc_timestamp - file.name @@ -510,6 +549,7 @@ soc: - file.source - file.mime_type - log.id.fuid + - event.dataset ':suricata:': - soc_timestamp - source.ip @@ -521,9 +561,11 @@ soc: - event.severity_label - log.id.uid - network.community_id + - event.dataset ':windows_eventlog:': - soc_timestamp - user.name + - event.dataset ':elasticsearch:': - soc_timestamp - agent.name @@ -545,6 +587,7 @@ soc: - real_message - syslog.priority - syslog.application + - event.dataset ':aws:': - soc_timestamp - aws.cloudtrail.event_category @@ -556,6 +599,7 @@ soc: - user.name - source.ip - source.geo.region_iso_code + - event.dataset ':squid:': - soc_timestamp - url.original @@ -563,6 +607,7 @@ soc: - destination.geo.country_iso_code - user.name - source.ip + - event.dataset '::sysmon_operational': - soc_timestamp - event.action @@ -570,6 +615,7 @@ soc: - user.name - process.executable - process.pid + - event.dataset '::network_connection': - soc_timestamp - source.ip 
@@ -577,44 +623,50 @@ soc: - destination.ip - destination.port - source.hostname - - event.dataset - process.executable - user.name + - event.dataset '::process_terminated': - soc_timestamp - process.executable - process.pid - winlog.computer_name + - event.dataset '::file_create': - soc_timestamp - file.target - process.executable - process.pid - winlog.computer_name + - event.dataset '::registry_value_set': - soc_timestamp - winlog.event_data.TargetObject - process.executable - process.pid - winlog.computer_name + - event.dataset '::process_creation': - soc_timestamp - process.command_line - process.pid - process.parent.executable - process.working_directory + - event.dataset '::registry_create_delete': - soc_timestamp - winlog.event_data.TargetObject - process.executable - process.pid - winlog.computer_name + - event.dataset '::dns_query': - soc_timestamp - dns.query.name - dns.answers.name - process.executable - winlog.computer_name + - event.dataset '::file_create_stream_hash': - soc_timestamp - file.target @@ -623,6 +675,7 @@ soc: - process.executable - process.pid - winlog.computer_name + - event.dataset '::bacnet': - soc_timestamp - source.ip @@ -632,6 +685,7 @@ soc: - bacnet.bclv.function - bacnet.result.code - log.id.uid + - event.dataset '::bacnet_discovery': - soc_timestamp - source.ip @@ -641,6 +695,7 @@ soc: - bacnet.vendor - bacnet.pdu.service - log.id.uid + - event.dataset '::bacnet_property': - soc_timestamp - source.ip @@ -650,6 +705,7 @@ soc: - bacnet.property - bacnet.pdu.service - log.id.uid + - event.dataset '::bsap_ip_header': - soc_timestamp - source.ip @@ -659,12 +715,14 @@ soc: - bsap.message.type - bsap.number.messages - log.id.uid + - event.dataset '::bsap_ip_rdb': - soc_timestamp - bsap.application.function - bsap.application.sub.function - bsap.vector.variables - log.id.uid + - event.dataset '::bsap_serial_header': - soc_timestamp - source.ip 
@@ -675,11 +733,13 @@ soc: - bsap.destination.function - bsap.message.type - log.id.uid + - event.dataset '::bsap_serial_rdb': - soc_timestamp - bsap.rdb.function - bsap.vector.variables - log.id.uid + - event.dataset '::cip': - soc_timestamp - source.ip @@ -699,6 +759,7 @@ soc: - cip.device.type.name - cip.vendor.name - log.id.uid + - event.dataset '::cip_io': - soc_timestamp - source.ip @@ -708,6 +769,7 @@ soc: - cip.connection.id - cip.io.data - log.id.uid + - event.dataset '::cotp': - soc_timestamp - source.ip @@ -716,6 +778,7 @@ soc: - destination.port - cotp.pdu.name - log.id.uid + - event.dataset '::ecat_arp_info': - soc_timestamp - source.ip @@ -723,6 +786,7 @@ soc: - source.mac - destination.mac - ecat.arp.type + - event.dataset '::ecat_aoe_info': - soc_timestamp - source.mac @@ -730,6 +794,7 @@ soc: - destination.mac - destination.port - ecat.command + - event.dataset '::ecat_coe_info': - soc_timestamp - ecat.message.number @@ -737,6 +802,7 @@ soc: - ecat.request.response.type - ecat.index - ecat.sub.index + - event.dataset '::ecat_dev_info': - soc_timestamp - ecat.device.type @@ -744,17 +810,20 @@ soc: - ecat.ram.size - ecat.revision - ecat.slave.address + - event.dataset '::ecat_log_address': - soc_timestamp - source.mac - destination.mac - ecat.command + - event.dataset '::ecat_registers': - soc_timestamp - source.mac - destination.mac - ecat.command - ecat.register.type + - event.dataset '::enip': - soc_timestamp - source.ip @@ -773,6 +842,7 @@ soc: - destination.port - modbus.function - log.id.uid + - event.dataset '::opcua_binary': - soc_timestamp - source.ip @@ -782,6 +852,7 @@ soc: - opcua.identifier_string - opcua.message_type - log.id.uid + - event.dataset '::opcua_binary_activate_session': - soc_timestamp - source.ip @@ -792,6 +863,7 @@ soc: - opcua.identifier_string - opcua.user_name - log.id.uid + - event.dataset '::opcua_binary_activate_session_diagnostic_info': - soc_timestamp - source.ip 
@@ -801,6 +873,7 @@ soc: - opcua.activate_session_diag_info_link_id - opcua.diag_info_link_id - log.id.uid + - event.dataset '::opcua_binary_activate_session_locale_id': - soc_timestamp - source.ip @@ -810,6 +883,7 @@ soc: - opcua.local_id - opcua.locale_link_id - log.id.uid + - event.dataset '::opcua_binary_browse': - soc_timestamp - source.ip @@ -819,6 +893,7 @@ soc: - opcua.link_id - opcua.service_type - log.id.uid + - event.dataset '::opcua_binary_browse_description': - soc_timestamp - source.ip @@ -826,6 +901,7 @@ soc: - destination.ip - destination.port - log.id.uid + - event.dataset '::opcua_binary_browse_response_references': - soc_timestamp - source.ip @@ -835,6 +911,7 @@ soc: - opcua.node_class - opcua.display_name_text - log.id.uid + - event.dataset '::opcua_binary_browse_result': - soc_timestamp - source.ip @@ -843,6 +920,7 @@ soc: - destination.port - opcua.response_link_id - log.id.uid + - event.dataset '::opcua_binary_create_session': - soc_timestamp - source.ip @@ -851,6 +929,7 @@ soc: - destination.port - opcua.link_id - log.id.uid + - event.dataset '::opcua_binary_create_session_endpoints': - soc_timestamp - source.ip @@ -860,6 +939,7 @@ soc: - opcua.endpoint_link_id - opcua.endpoint_url - log.id.uid + - event.dataset '::opcua_binary_create_session_user_token': - soc_timestamp - source.ip @@ -868,6 +948,7 @@ soc: - destination.port - opcua.user_token_link_id - log.id.uid + - event.dataset '::opcua_binary_create_subscription': - soc_timestamp - source.ip @@ -876,6 +957,7 @@ soc: - destination.port - opcua.link_id - log.id.uid + - event.dataset '::opcua_binary_get_endpoints': - soc_timestamp - source.ip @@ -885,6 +967,7 @@ soc: - opcua.endpoint_url - opcua.link_id - log.id.uid + - event.dataset '::opcua_binary_get_endpoints_description': - soc_timestamp - source.ip @@ -894,6 +977,7 @@ soc: - opcua.endpoint_description_link_id - opcua.endpoint_uri - log.id.uid + - event.dataset '::opcua_binary_get_endpoints_user_token': - soc_timestamp - source.ip 
@@ -903,6 +987,7 @@ soc: - opcua.user_token_link_id - opcua.user_token_type - log.id.uid + - event.dataset '::opcua_binary_read': - soc_timestamp - source.ip @@ -912,6 +997,7 @@ soc: - opcua.link_id - opcua.read_results_link_id - log.id.uid + - event.dataset '::opcua_binary_status_code_detail': - soc_timestamp - source.ip @@ -921,6 +1007,7 @@ soc: - opcua.info_type_string - opcua.source_string - log.id.uid + - event.dataset '::profinet': - soc_timestamp - source.ip @@ -930,6 +1017,7 @@ soc: - profinet.index - profinet.operation_type - log.id.uid + - event.dataset '::profinet_dce_rpc': - soc_timestamp - source.ip @@ -938,6 +1026,7 @@ soc: - destination.port - profinet.operation - log.id.uid + - event.dataset '::s7comm': - soc_timestamp - source.ip @@ -947,6 +1036,7 @@ soc: - s7.ros.control.name - s7.function.name - log.id.uid + - event.dataset '::s7comm_plus': - soc_timestamp - source.ip @@ -956,6 +1046,7 @@ soc: - s7.opcode.name - s7.version - log.id.uid + - event.dataset '::s7comm_read_szl': - soc_timestamp - source.ip @@ -965,6 +1056,7 @@ soc: - s7.szl_id_name - s7.return_code_name - log.id.uid + - event.dataset '::s7comm_upload_download': - soc_timestamp - source.ip @@ -974,6 +1066,7 @@ soc: - s7.ros.control.name - s7.function_code - log.id.uid + - event.dataset '::tds': - soc_timestamp - source.ip From 9c6f3f480814f50bea09507a0b3de32645e29820 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 22 Mar 2024 13:41:44 -0400 Subject: [PATCH 07/12] FIX: Specify that static IP address is recommended #12643 --- setup/so-whiptail | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index ff8c9fe8d..904654c9b 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
@@ -288,9 +288,9 @@ whiptail_dhcp_or_static() { [ -n "$TESTING" ] && return address_type=$(whiptail --title "$whiptail_title" --menu \ - "Choose how to set up your management interface:" 20 78 4 \ - "STATIC" "Set a static IPv4 address" \ - "DHCP" "Use DHCP to configure the Management Interface" 3>&1 1>&2 2>&3 ) + "Choose how to set up your management interface. We recommend using a static IP address." 20 78 4 \ + "STATIC" "Set a static IPv4 address (recommended)" \ + "DHCP" "Use DHCP to configure the management interface" 3>&1 1>&2 2>&3 ) local exitstatus=$? whiptail_check_exitstatus $exitstatus From bb0da2a5c5b21e23fe54f18dc78d23bb77f9e963 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 22 Mar 2024 14:34:14 -0400 Subject: [PATCH 08/12] add additional suricata af-packet config items --- salt/suricata/defaults.yaml | 7 +++++++ salt/suricata/map.jinja | 7 +++++++ salt/suricata/soc_suricata.yaml | 35 +++++++++++++++++++++++++++++++++ 3 files changed, 49 insertions(+) diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml index 0252d3a81..8680fbda2 100644 --- a/salt/suricata/defaults.yaml +++ b/salt/suricata/defaults.yaml @@ -33,6 +33,13 @@ suricata: threads: 1 tpacket-v3: "yes" ring-size: 5000 + mmap-locked: "yes" + block-size: 32768 + block-timeout: 10 + use-emergency-flush: "yes" + buffer-size: 32768 + disable-promisc: "no" + checksum-checks: kernel vars: address-groups: HOME_NET: diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja index 7f7b04aef..9d5581030 100644 --- a/salt/suricata/map.jinja +++ b/salt/suricata/map.jinja 
@@ -37,6 +37,13 @@ threads: {{ SURICATAMERGED.config['af-packet'].threads }} tpacket-v3: {{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }} ring-size: {{ SURICATAMERGED.config['af-packet']['ring-size'] }} + mmap-locked: {{ SURICATAMERGED.config['af-packet']['mmap-locked'] }} + block-size: {{ SURICATAMERGED.config['af-packet']['block-size'] }} + block-timeout: {{ SURICATAMERGED.config['af-packet']['block-timeout'] }} + use-emergency-flush: {{ SURICATAMERGED.config['af-packet']['use-emergency-flush'] }} + buffer-size: {{ SURICATAMERGED.config['af-packet']['buffer-size'] }} + disable-promisc: {{ SURICATAMERGED.config['af-packet']['disable-promisc'] }} + checksum-checks: {{ SURICATAMERGED.config['af-packet']['checksum-checks'] }} {% endload %} {% do SURICATAMERGED.config.pop('af-packet') %} {% do SURICATAMERGED.config.update({'af-packet': afpacket}) %} diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml index 13a709c4a..9843d8c97 100644 --- a/salt/suricata/soc_suricata.yaml +++ b/salt/suricata/soc_suricata.yaml 
@@ -94,6 +94,41 @@ suricata: description: Buffer size for packets per thread. forcedType: int helpLink: suricata.html + mmap-locked: + description: Prevent swapping by locking the memory map. + advanced: True + regex: ^(yes|no)$ + helpLink: suricata.html + block-size: + description: This must be configured to a sufficiently high value to accommodate a significant number of packets, considering byte size and MTU constraints. Ensure it aligns with a power of 2 and is a multiple of the page size. + advanced: True + forcedType: int + helpLink: suricata.html + block-timeout: + description: If a block remains unfilled after the specified block-timeout milliseconds, it is passed to userspace. + advanced: True + forcedType: int + helpLink: suricata.html + use-emergency-flush: + description: In high-traffic environments, enabling this option to 'yes' aids in recovering from packet drop occurrences. However, it may lead to some packets, possibly at max ring flush, not being inspected. + advanced: True + regex: ^(yes|no)$ + helpLink: suricata.html + buffer-size: + description: Increasing the value of the receive buffer may improve performance. + advanced: True + forcedType: int + helpLink: suricata.html + disable-promisc: + description: Promiscuous mode can be disabled by setting this to "yes". + advanced: True + regex: ^(yes|no)$ + helpLink: suricata.html + checksum-checks: + description: "Opt for the checksum verification mode suitable for the interface. During capture, it's possible that some packets may exhibit invalid checksums due to the network card handling the checksum computation. You have several options: 'kernel': Relies on indications sent by the kernel for each packet (default). 'yes': Enforces checksum validation. 'no': Disables checksum validation. 'auto': Suricata employs a statistical approach to detect checksum offloading." 
+ advanced: True + regex: ^(kernel|yes|no|auto)$ + helpLink: suricata.html threading: set-cpu-affinity: description: Bind(yes) or unbind(no) management and worker threads to a core or range of cores. From 3d04d3703036cf883d6a8839e8a91e98316a5c41 Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Fri, 22 Mar 2024 10:31:09 -0600 Subject: [PATCH 09/12] Update ElastAlert Config with Default Repos --- salt/soc/defaults.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index bab229aeb..a7ee65f57 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1186,6 +1186,9 @@ soc: denyRegex: '' elastAlertRulesFolder: /opt/sensoroni/elastalert rulesFingerprintFile: /opt/sensoroni/fingerprints/sigma.fingerprint + rulesRepos: + - repo: https://github.com/Security-Onion-Solutions/securityonion-resources + license: DRL sigmaRulePackages: - core - emerging_threats_addon From 237946e916ee6bfc9f9967f9244ea0651c8dd755 Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Fri, 22 Mar 2024 13:51:59 -0600 Subject: [PATCH 10/12] Specify Folder in Rule Repo --- salt/soc/defaults.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index a7ee65f57..4b3d23afe 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1189,6 +1189,7 @@ soc: rulesRepos: - repo: https://github.com/Security-Onion-Solutions/securityonion-resources license: DRL + folder: sigma/stable sigmaRulePackages: - core - emerging_threats_addon From 81f3d69eb9b759bd4b98048d85184d9b3c31ddfb Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 22 Mar 2024 15:55:59 -0400 Subject: [PATCH 11/12] remove mmap-locked. --- salt/suricata/defaults.yaml | 1 - salt/suricata/map.jinja | 11 +++++------ salt/suricata/soc_suricata.yaml | 5 ----- 3 files changed, 5 insertions(+), 12 deletions(-) diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml index 8680fbda2..914c045b1 100644 
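Review bot: The `disable-promisc` description says how to turn promiscuous mode off but not what that does to a sensor: with promiscuous mode disabled the NIC only delivers frames addressed to its own MAC (plus broadcast/multicast), so a tap or SPAN feed becomes largely invisible to Suricata and the resulting detection gap is silent. Suggest `description: Setting this to "yes" disables promiscuous mode on the capture interface. A monitoring interface fed by a tap or SPAN port must keep promiscuous mode enabled, otherwise Suricata only sees traffic addressed to the sensor itself.` Separately, `block-size` and `buffer-size` are declared `forcedType: int` but the constraints the description states for `block-size` (power of 2, multiple of the page size) are not enforced by the schema and `buffer-size` gives no unit, so an invalid value would surface only when Suricata fails to start, if it validates it at all.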
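Review bot: `rulesRepos` points detection-rule ingestion at a remote git repository with no visible pin to a tag or commit, so the rules that land on every grid are whatever that branch holds at fetch time; the `rulesFingerprintFile` a few lines above tracks change, not provenance. Patch 10 narrows the source to `folder: sigma/stable` but still not to a revision. If the repo loader accepts a ref, pinning one and bumping it deliberately makes rule updates reviewable like any other dependency; if it does not, a comment such as `# rules are fetched from the branch head on each sync; updates are not pinned` above `rulesRepos` at least records the trust decision.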
--- a/salt/suricata/defaults.yaml +++ b/salt/suricata/defaults.yaml @@ -33,7 +33,6 @@ suricata: threads: 1 tpacket-v3: "yes" ring-size: 5000 - mmap-locked: "yes" block-size: 32768 block-timeout: 10 use-emergency-flush: "yes" diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja index 9d5581030..55c9aab4c 100644 --- a/salt/suricata/map.jinja +++ b/salt/suricata/map.jinja @@ -32,17 +32,16 @@ - interface: {{ GLOBALS.sensor.interface }} cluster-id: {{ SURICATAMERGED.config['af-packet']['cluster-id'] }} cluster-type: {{ SURICATAMERGED.config['af-packet']['cluster-type'] }} - defrag: {{ SURICATAMERGED.config['af-packet'].defrag }} - use-mmap: {{ SURICATAMERGED.config['af-packet']['use-mmap'] }} + defrag: "{{ SURICATAMERGED.config['af-packet'].defrag }}" + use-mmap: "{{ SURICATAMERGED.config['af-packet']['use-mmap'] }}" threads: {{ SURICATAMERGED.config['af-packet'].threads }} - tpacket-v3: {{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }} + tpacket-v3: "{{ SURICATAMERGED.config['af-packet']['tpacket-v3'] }}" ring-size: {{ SURICATAMERGED.config['af-packet']['ring-size'] }} - mmap-locked: {{ SURICATAMERGED.config['af-packet']['mmap-locked'] }} block-size: {{ SURICATAMERGED.config['af-packet']['block-size'] }} block-timeout: {{ SURICATAMERGED.config['af-packet']['block-timeout'] }} - use-emergency-flush: {{ SURICATAMERGED.config['af-packet']['use-emergency-flush'] }} + use-emergency-flush: "{{ SURICATAMERGED.config['af-packet']['use-emergency-flush'] }}" buffer-size: {{ SURICATAMERGED.config['af-packet']['buffer-size'] }} - disable-promisc: {{ SURICATAMERGED.config['af-packet']['disable-promisc'] }} + disable-promisc: "{{ SURICATAMERGED.config['af-packet']['disable-promisc'] }}" checksum-checks: {{ SURICATAMERGED.config['af-packet']['checksum-checks'] }} {% endload %} {% do SURICATAMERGED.config.pop('af-packet') %} diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml index 9843d8c97..c9ba80f01 100644 
--- a/salt/suricata/soc_suricata.yaml +++ b/salt/suricata/soc_suricata.yaml @@ -94,11 +94,6 @@ suricata: description: Buffer size for packets per thread. forcedType: int helpLink: suricata.html - mmap-locked: - description: Prevent swapping by locking the memory map. - advanced: True - regex: ^(yes|no)$ - helpLink: suricata.html block-size: description: This must be configured to a sufficiently high value to accommodate a significant number of packets, considering byte size and MTU constraints. Ensure it aligns with a power of 2 and is a multiple of the page size. advanced: True From 029d8a0e8fd50c3ffa75a04572d15e6c10c60202 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 25 Mar 2024 09:30:41 -0400 Subject: [PATCH 12/12] handle yes/no on checksum-checks --- salt/suricata/map.jinja | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/salt/suricata/map.jinja b/salt/suricata/map.jinja index 55c9aab4c..2a3adf5f1 100644 --- a/salt/suricata/map.jinja +++ b/salt/suricata/map.jinja @@ -42,7 +42,11 @@ use-emergency-flush: "{{ SURICATAMERGED.config['af-packet']['use-emergency-flush'] }}" buffer-size: {{ SURICATAMERGED.config['af-packet']['buffer-size'] }} disable-promisc: "{{ SURICATAMERGED.config['af-packet']['disable-promisc'] }}" +{% if SURICATAMERGED.config['af-packet']['checksum-checks'] in ['yes', 'no'] %} + checksum-checks: "{{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}" +{% else %} checksum-checks: {{ SURICATAMERGED.config['af-packet']['checksum-checks'] }} +{% endif %} {% endload %} {% do SURICATAMERGED.config.pop('af-packet') %} {% do SURICATAMERGED.config.update({'af-packet': afpacket}) %}
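Review bot: The new `{% if ... in ['yes', 'no'] %}` branch can be replaced by quoting the value unconditionally, as the five keys above it already are: `checksum-checks: "{{ SURICATAMERGED.config['af-packet']['checksum-checks'] }}"`. As far as I know Suricata reads `checksum-checks` as a string and compares it against `kernel`, `auto` and the yes/no forms, so a quoted `"kernel"` is equivalent to the bare one and the four-line conditional only adds a second place to keep in sync. The membership test also matches the string forms only: if the value ever reaches this template as a YAML boolean (an unquoted `yes`/`no` in a pillar parsed with YAML 1.1 semantics), it falls into the else branch and renders as `True`/`False`, which always quoting sidesteps as well.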