From d28a9ecec240dfd5cd2434b2e3755bcdd172ec11 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 19 Sep 2022 13:32:04 -0400 Subject: [PATCH 01/17] Set Dashboard UUID --- salt/grafana/dashboards/common_template.json.jinja | 2 ++ salt/grafana/init.sls | 1 + 2 files changed, 3 insertions(+) diff --git a/salt/grafana/dashboards/common_template.json.jinja b/salt/grafana/dashboards/common_template.json.jinja index 23060a2fb..4c6745c3c 100644 --- a/salt/grafana/dashboards/common_template.json.jinja +++ b/salt/grafana/dashboards/common_template.json.jinja @@ -57,6 +57,8 @@ "title": "{{ TITLE }}", {% if TITLE | lower == 'security onion grid overview' %} "uid": "so_overview", + {% else %} + "uid": "{{ UID }}", {% endif %} "version": 1 } diff --git a/salt/grafana/init.sls b/salt/grafana/init.sls index f71bc3acb..584219906 100644 --- a/salt/grafana/init.sls +++ b/salt/grafana/init.sls @@ -117,6 +117,7 @@ so-grafana-dashboard-folder-delete: TEMPLATES: {{GRAFANA_SETTINGS.dashboards[dashboard].templating.list}} TITLE: {{ GRAFANA_SETTINGS.dashboards[dashboard].get('title', dashboard| capitalize) }} ID: {{ loop.index }} + UID: {{ dashboard }} {% endfor %} so-grafana: From f7e614f35859edc8809c81d3867351b856dcdc2b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 19 Sep 2022 14:06:30 -0400 Subject: [PATCH 02/17] Add NTP --- salt/ntp/chrony.conf | 11 +++++++++++ salt/ntp/config.map.jinja | 3 +++ salt/ntp/defaults.yaml | 4 ++++ salt/ntp/init.sls | 19 +++++++++++++++++++ salt/ntp/soc_ntp.yaml | 4 ++++ 5 files changed, 41 insertions(+) create mode 100644 salt/ntp/chrony.conf create mode 100644 salt/ntp/config.map.jinja create mode 100644 salt/ntp/defaults.yaml create mode 100644 salt/ntp/init.sls create mode 100644 salt/ntp/soc_ntp.yaml diff --git a/salt/ntp/chrony.conf b/salt/ntp/chrony.conf new file mode 100644 index 000000000..3f9a06d46 --- /dev/null +++ b/salt/ntp/chrony.conf 
@@ -0,0 +1,11 @@ + +# NTP server list +{% for SERVER in NTPCONFIG.ntp.servers %} +server {{ SERVER }} iburst +{% endfor %} + +# Config options +driftfile /var/lib/chrony/drift +makestep 1.0 3 +rtcsync +logdir /var/log/chrony diff --git a/salt/ntp/config.map.jinja b/salt/ntp/config.map.jinja new file mode 100644 index 000000000..11d7a0ae7 --- /dev/null +++ b/salt/ntp/config.map.jinja @@ -0,0 +1,3 @@ +{% import_yaml 'ntp/defaults.yaml' as NTP with context %} + +{% set NTPCONFIG = salt['pillar.get']('ntp', default=NTP, merge=True) %} diff --git a/salt/ntp/defaults.yaml b/salt/ntp/defaults.yaml new file mode 100644 index 000000000..2886f4c69 --- /dev/null +++ b/salt/ntp/defaults.yaml @@ -0,0 +1,4 @@ +ntp: + servers: + - 0.pool.ntp.org + - 1.pool.ntp.org \ No newline at end of file diff --git a/salt/ntp/init.sls b/salt/ntp/init.sls new file mode 100644 index 000000000..0939b52dd --- /dev/null +++ b/salt/ntp/init.sls @@ -0,0 +1,19 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. +{% from 'ntp/config.map.jinja' import NTPCONFIG %} + +chronyconf: + file.managed: + - name: /etc/chrony.conf + - source: salt://ntp/chrony.conf + - template: jinja + - defaults: + - NTPCONFIG: {{ NTPCONFIG.ntp }} + +chronyd: + service.running: + - enable: True + - watch: + - file: chronyconf \ No newline at end of file diff --git a/salt/ntp/soc_ntp.yaml b/salt/ntp/soc_ntp.yaml new file mode 100644 index 000000000..70ea8d7ae --- /dev/null +++ b/salt/ntp/soc_ntp.yaml @@ -0,0 +1,4 @@ +ntp: + servers: + description: NTP Server List + title: NTP Servers From 03ea714dc14b59f722158f9c4691c2e0f232ba0f Mon Sep 17 00:00:00 2001 
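Review bot: Every `server` line is rendered with `iburst` only, so an operator has no way to declare an authenticated source (`key N` plus a `keyfile` directive, or `nts` on chrony 4+), and the default list points at the unauthenticated public pool; for a platform whose evidence timestamps depend on this clock, the template should accept a pillar-controlled options string appended to each `server` line and emit `keyfile` when keys are supplied, rather than forcing a full file override. Two smaller points on the same lines: chrony's `pool` directive is the one designed for `*.pool.ntp.org` names (a `server` line keeps a single resolved address, `pool` keeps several), and pool.ntp.org asks projects that ship defaults to use their own vendor zone instead of `0.pool.ntp.org`/`1.pool.ntp.org`. Nothing guards an empty `servers` list, which would render a config with no sources and a chronyd that never synchronises; failing the render with `{% if not NTPCONFIG.servers %}{{ raise('ntp.servers is empty') }}{% endif %}` is cheap.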
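Review bot: The state hard-codes `/etc/chrony.conf` and a `chronyd` service with no package requirement, which is the RHEL-family layout only; on Debian/Ubuntu chrony reads `/etc/chrony/chrony.conf` and the unit is `chrony`, so if the top file applies this to every minion (the `'*'` target added later in this series suggests it does) Ubuntu nodes would get an unused file and a failing `service.running`. Branch on `grains['os_family']` for the path and the service name, and add a `pkg.installed` state (or an explicit `require`) so the managed file is not written before chrony exists. The `file.managed` should also pin `- user: root`, `- group: root`, `- mode: 644` so a config that decides the system clock is not left to umask.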
From: Mike Reeves Date: Mon, 19 Sep 2022 14:06:46 -0400 Subject: [PATCH 03/17] Add NTP --- setup/so-variables | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-variables b/setup/so-variables index 5acbc01bc..f29d9ae55 100644 --- a/setup/so-variables +++ b/setup/so-variables @@ -81,7 +81,7 @@ export whiptail_title mkdir -p $local_salt_dir/pillar/minions -for THEDIR in bpf pcap elasticsearch firewall redis backup strelka sensoroni curator soc soctopus docker zeek suricata nginx filebeat logstash soc manager kratos idstools idh elastalert +for THEDIR in bpf pcap elasticsearch ntp firewall redis backup strelka sensoroni curator soc soctopus docker zeek suricata nginx filebeat logstash soc manager kratos idstools idh elastalert do mkdir -p $local_salt_dir/pillar/$THEDIR touch $local_salt_dir/pillar/$THEDIR/adv_$THEDIR.sls From 44be7b49693c1e21ad60ec95f110cd8dc57d82bc Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 19 Sep 2022 14:26:16 -0400 Subject: [PATCH 04/17] Add NTP --- salt/ntp/chrony.conf | 4 ++-- salt/ntp/init.sls | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/ntp/chrony.conf b/salt/ntp/chrony.conf index 3f9a06d46..46432915f 100644 --- a/salt/ntp/chrony.conf +++ b/salt/ntp/chrony.conf @@ -1,8 +1,8 @@ # NTP server list -{% for SERVER in NTPCONFIG.ntp.servers %} +{%- for SERVER in NTPCONFIG.servers %} server {{ SERVER }} iburst -{% endfor %} +{%- endfor %} # Config options driftfile /var/lib/chrony/drift diff --git a/salt/ntp/init.sls b/salt/ntp/init.sls index 0939b52dd..5f66ac4a7 100644 --- a/salt/ntp/init.sls +++ b/salt/ntp/init.sls @@ -10,7 +10,7 @@ chronyconf: - source: salt://ntp/chrony.conf - template: jinja - defaults: - - NTPCONFIG: {{ NTPCONFIG.ntp }} + NTPCONFIG: {{ NTPCONFIG.ntp }} chronyd: service.running: From 74ccf333e0788fdb6414a7f48efb68c01c95e3c7 Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Mon, 19 Sep 2022 14:30:23 -0400 Subject: [PATCH 05/17] Add NTP --- pillar/top.sls | 1 + salt/top.sls | 1 + 2 files changed, 2 insertions(+) diff --git a/pillar/top.sls b/pillar/top.sls index e8bcabca3..0cead8851 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -1,6 +1,7 @@ base: '*': - patch.needs_restarting + - ntp - logrotate - docker.soc_docker - docker.adv_docker diff --git a/salt/top.sls b/salt/top.sls index e12a3a22e..481a741b0 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -22,6 +22,7 @@ base: '*': - cron.running - repo.client + - ntp 'not G@saltversion:{{saltversion}}': - match: compound From 17cbe38c259bb4f718fe0500bd86288468c90423 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 19 Sep 2022 14:32:29 -0400 Subject: [PATCH 06/17] Add NTP --- pillar/top.sls | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pillar/top.sls b/pillar/top.sls index 0cead8851..63bcbbaaf 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -1,7 +1,8 @@ base: '*': - patch.needs_restarting - - ntp + - ntp.soc_ntp + - ntp.adv_ntp - logrotate - docker.soc_docker - docker.adv_docker From 2abfcdc0427b9e00f47bc97d05c1531b8b116f39 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 19 Sep 2022 14:48:40 -0400 Subject: [PATCH 07/17] Add NTP --- salt/ntp/config.map.jinja | 2 +- salt/ntp/defaults.yaml | 7 ++++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/salt/ntp/config.map.jinja b/salt/ntp/config.map.jinja index 11d7a0ae7..62714abfc 100644 --- a/salt/ntp/config.map.jinja +++ b/salt/ntp/config.map.jinja @@ -1,3 +1,3 @@ {% import_yaml 'ntp/defaults.yaml' as NTP with context %} -{% set NTPCONFIG = salt['pillar.get']('ntp', default=NTP, merge=True) %} +{% set NTPCONFIG = salt['pillar.get']('ntp:config', default=NTP.ntp.config, merge=True) %} diff --git a/salt/ntp/defaults.yaml b/salt/ntp/defaults.yaml index 2886f4c69..9b58ad380 100644 --- a/salt/ntp/defaults.yaml +++ b/salt/ntp/defaults.yaml 
@@ -1,4 +1,5 @@ ntp: - servers: - - 0.pool.ntp.org - - 1.pool.ntp.org \ No newline at end of file + config: + servers: + - 0.pool.ntp.org + - 1.pool.ntp.org \ No newline at end of file From 22e8c7ef3e7c20508dd1c11761d0895c6ae2e8c8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 19 Sep 2022 15:10:11 -0400 Subject: [PATCH 08/17] Add NTP --- salt/ntp/init.sls | 2 +- salt/ntp/soc_ntp.yaml | 7 ++++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/salt/ntp/init.sls b/salt/ntp/init.sls index 5f66ac4a7..42840d6ec 100644 --- a/salt/ntp/init.sls +++ b/salt/ntp/init.sls @@ -10,7 +10,7 @@ chronyconf: - source: salt://ntp/chrony.conf - template: jinja - defaults: - NTPCONFIG: {{ NTPCONFIG.ntp }} + NTPCONFIG: {{ NTPCONFIG }} chronyd: service.running: diff --git a/salt/ntp/soc_ntp.yaml b/salt/ntp/soc_ntp.yaml index 70ea8d7ae..01484d714 100644 --- a/salt/ntp/soc_ntp.yaml +++ b/salt/ntp/soc_ntp.yaml @@ -1,4 +1,5 @@ ntp: - servers: - description: NTP Server List - title: NTP Servers + config: + servers: + description: NTP Server List + title: NTP Servers From ea7979cfdde0c20f433361d832eebdd1eed42d1c Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 19 Sep 2022 15:33:15 -0400 Subject: [PATCH 09/17] Add Elastic Agent datastreams to SOC index --- salt/soc/defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 7c0f78f96..10ef4cb8d 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -64,7 +64,7 @@ soc: remoteHostUrls: [] username: password: - index: '*:so-*,*:endgame-*' + index: '*:so-*,*:endgame-*,.ds-logs*' cacheMs: 300000 verifyCert: false casesEnabled: true From 30afc88322fb2148214ea496a4e294764b0185e1 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 19 Sep 2022 15:51:29 -0400 Subject: [PATCH 10/17] fix some soc defaults --- salt/soc/defaults.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
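Review bot: `NTPCONFIG: {{ NTPCONFIG }}` interpolates the Python repr of a dict into YAML, which only parses because the default values happen to be plain hostnames; a pillar value containing a quote, colon or `#` would break the state at render time. Serialise it explicitly with `NTPCONFIG: {{ NTPCONFIG | json }}` so the defaults block is always valid YAML regardless of what the operator enters in the SOC setting.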
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 31a35a618..e25a25b5f 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -649,7 +649,7 @@ soc: queryBaseFilter: queryToggleFilters: - name: caseExcludeToggle - filter: NOT _index:\"*:so-case*\" + filter: 'NOT _index:"*:so-case*"' enabled: true queries: - name: Default Query @@ -1365,7 +1365,7 @@ soc: - source.ip queryBaseFilter: queryToggleFilters: - - name: caseExcludeToggle, + - name: caseExcludeToggle filter: 'NOT _index:"*:so-case*"' enabled: true queries: @@ -1591,7 +1591,7 @@ soc: - so_case.severity - so_case.assigneeId - so_case.createTime - queryBaseFilter: '_index:\"*:so-case\" AND so_kind:case' + queryBaseFilter: '_index:"*:so-case" AND so_kind:case' queryToggleFilters: [] queries: - name: Open Cases From 80919827c6bb45425005b07b052369f484fb49d0 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 19 Sep 2022 15:55:23 -0400 Subject: [PATCH 11/17] Fixup index patterns --- salt/soc/defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 10ef4cb8d..401d7fc21 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -64,7 +64,7 @@ soc: remoteHostUrls: [] username: password: - index: '*:so-*,*:endgame-*,.ds-logs*' + index: '*:so-*,*:endgame-*,*:logs-*' cacheMs: 300000 verifyCert: false casesEnabled: true From cb2e46f275b913726a4f32c82fc08e8fd944dee5 Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Mon, 19 Sep 2022 16:11:49 -0400 Subject: [PATCH 12/17] NGINX fun --- salt/nginx/config/ssl.crt | 1 + salt/nginx/config/ssl.key | 1 + salt/nginx/defaults.yaml | 3 +++ salt/nginx/etc/nginx.conf | 34 ++++++++++++++-------------------- salt/nginx/init.sls | 11 ++--------- salt/nginx/soc_nginx.yaml | 16 ++++++++++++++++ 6 files changed, 37 insertions(+), 29 deletions(-) create mode 100644 salt/nginx/config/ssl.crt create mode 100644 salt/nginx/config/ssl.key create mode 100644 salt/nginx/defaults.yaml create mode 100644 salt/nginx/soc_nginx.yaml diff --git a/salt/nginx/config/ssl.crt b/salt/nginx/config/ssl.crt new file mode 100644 index 000000000..16878f704 --- /dev/null +++ b/salt/nginx/config/ssl.crt @@ -0,0 +1 @@ +# Replace this text with the text from the .crt \ No newline at end of file diff --git a/salt/nginx/config/ssl.key b/salt/nginx/config/ssl.key new file mode 100644 index 000000000..16878f704 --- /dev/null +++ b/salt/nginx/config/ssl.key @@ -0,0 +1 @@ +# Replace this text with the text from the .crt \ No newline at end of file diff --git a/salt/nginx/defaults.yaml b/salt/nginx/defaults.yaml new file mode 100644 index 000000000..cf051274b --- /dev/null +++ b/salt/nginx/defaults.yaml @@ -0,0 +1,3 @@ +nginx: + config: + replace_cert: False \ No newline at end of file diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index 623dae701..d09325f0e 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -1,11 +1,5 @@ +{%- from 'vars/globals.map.jinja' import GLOBALS %} {%- set role = grains.id.split('_') | last %} - -{%- set manager_ip = salt['pillar.get']('global:managerip', '') %} -{%- set url_base = salt['pillar.get']('global:url_base') %} - -{%- set airgap = salt['pillar.get']('global:airgap', 'False') %} - - worker_processes auto; error_log /var/log/nginx/error.log; pid /run/nginx.pid; 
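Review bot: The placeholder in `ssl.key` says `Replace this text with the text from the .crt`, and the identical blob id (`16878f704`) on both new files confirms it was copied from `ssl.crt` unchanged; it should read `# Replace this text with the text from the .key`. More importantly, anything under `salt/` is served by the Salt fileserver to any authenticated minion, so a real private key must never be pasted into this file; the `ssl__key` pillar setting added in `soc_nginx.yaml` in the same commit is the intended home, and the placeholder should say so rather than invite an operator to take it literally. If these two files are only templates that something else overwrites, a comment naming that consumer would make the intent clear, as the diff does not show it.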
@@ -42,13 +36,13 @@ http { server { listen 80 default_server; server_name _; - return 307 https://{{ url_base }}$request_uri; + return 307 https://{{ GLOBALS.url_base }}$request_uri; } server { listen 443 ssl http2 default_server; server_name _; - return 307 https://{{ url_base }}$request_uri; + return 307 https://{{ GLOBALS.url_base }}$request_uri; ssl_certificate "/etc/pki/nginx/server.crt"; ssl_certificate_key "/etc/pki/nginx/server.key"; @@ -66,7 +60,7 @@ http { server { listen 7788; - server_name {{ url_base }}; + server_name {{ GLOBALS.url_base }}; root /opt/socore/html/repo; location /rules/ { allow all; @@ -81,7 +75,7 @@ http { server { listen 443 ssl http2; - server_name {{ url_base }}; + server_name {{ GLOBALS.url_base }}; root /opt/socore/html; index index.html; @@ -100,7 +94,7 @@ http { ssl_protocols TLSv1.2; location ~* (^/login/.*|^/js/.*|^/css/.*|^/images/.*) { - proxy_pass http://{{ manager_ip }}:9822; + proxy_pass http://{{ GLOBALS.manager_ip }}:9822; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header x-user-id ""; @@ -117,7 +111,7 @@ http { auth_request /auth/sessions/whoami; auth_request_set $userid $upstream_http_x_kratos_authenticated_identity_id; proxy_set_header x-user-id $userid; - proxy_pass http://{{ manager_ip }}:9822/; + proxy_pass http://{{ GLOBALS.manager_ip }}:9822/; proxy_read_timeout 300; proxy_connect_timeout 300; proxy_set_header Host $host; @@ -131,7 +125,7 @@ http { location ~ ^/auth/.*?(whoami|login|logout|settings) { rewrite /auth/(.*) /$1 break; - proxy_pass http://{{ manager_ip }}:4433; + proxy_pass http://{{ GLOBALS.manager_ip }}:4433; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -188,7 +182,7 @@ http { location /grafana/ { auth_request /auth/sessions/whoami; rewrite /grafana/(.*) /$1 break; - proxy_pass http://{{ manager_ip }}:3000/; + proxy_pass http://{{ GLOBALS.manager_ip }}:3000/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; 
@@ -201,7 +195,7 @@ http { location /kibana/ { auth_request /auth/sessions/whoami; rewrite /kibana/(.*) /$1 break; - proxy_pass http://{{ manager_ip }}:5601/; + proxy_pass http://{{ GLOBALS.manager_ip }}:5601/; proxy_read_timeout 300; proxy_connect_timeout 300; proxy_set_header Host $host; @@ -213,7 +207,7 @@ http { location /nodered/ { auth_request /auth/sessions/whoami; - proxy_pass http://{{ manager_ip }}:1880/; + proxy_pass http://{{ GLOBALS.manager_ip }}:1880/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -227,7 +221,7 @@ http { location /playbook/ { auth_request /auth/sessions/whoami; - proxy_pass http://{{ manager_ip }}:3200/playbook/; + proxy_pass http://{{ GLOBALS.manager_ip }}:3200/playbook/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -240,7 +234,7 @@ http { location /soctopus/ { auth_request /auth/sessions/whoami; - proxy_pass http://{{ manager_ip }}:7000/; + proxy_pass http://{{ GLOBALS.manager_ip }}:7000/; proxy_read_timeout 300; proxy_connect_timeout 300; proxy_set_header Host $host; @@ -262,7 +256,7 @@ http { if ($http_authorization = "") { return 403; } - proxy_pass http://{{ manager_ip }}:9822/; + proxy_pass http://{{ GLOBALS.manager_ip }}:9822/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header x-user-id ""; diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls index f5791fdd6..122093337 100644 --- a/salt/nginx/init.sls +++ b/salt/nginx/init.sls @@ -1,11 +1,7 @@ +{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} -{% set MANAGER = salt['grains.get']('master') %} -{% set VERSION = salt['pillar.get']('global:soversion') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set ISAIRGAP = salt['pillar.get']('global:airgap') %} - include: - ssl 
@@ -85,7 +81,7 @@ navigatorenterpriseattack: so-nginx: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-nginx:{{ VERSION }} + - image: {{ GLOBALS.manager }}:5000/{{ GLOBALS.image_repo }}/so-nginx:{{ GLOBALS.so_version }} - hostname: so-nginx - binds: - /opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro @@ -108,9 +104,6 @@ so-nginx: - port_bindings: - 80:80 - 443:443 - {% if ISAIRGAP is sameas true %} - - 7788:7788 - {% endif %} - watch: - file: nginxconf - file: nginxconfdir diff --git a/salt/nginx/soc_nginx.yaml b/salt/nginx/soc_nginx.yaml new file mode 100644 index 000000000..3fedc0208 --- /dev/null +++ b/salt/nginx/soc_nginx.yaml @@ -0,0 +1,16 @@ +nginx: + config: + replace_cert: + description: Replace the Security Onion Certigicate with your own? + global: True + advanced: True + ssl__key: + description: Paste your .key file here + file: True + title: SSL Key File + advanced: True + ssl__crt: + description: Paste your .crt file here + file: True + title: SSL Cert File + advanced: True \ No newline at end of file From fad0e0a1458be6e89061bd07cefe37e4a4ad1f08 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 19 Sep 2022 16:14:37 -0400 Subject: [PATCH 13/17] NGINX fun --- salt/nginx/soc_nginx.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/nginx/soc_nginx.yaml b/salt/nginx/soc_nginx.yaml index 3fedc0208..70b71de4a 100644 --- a/salt/nginx/soc_nginx.yaml +++ b/salt/nginx/soc_nginx.yaml @@ -1,9 +1,10 @@ nginx: config: replace_cert: - description: Replace the Security Onion Certigicate with your own? + description: Replace the Security Onion Certificate with your own? global: True advanced: True + title: Replace Default Cert ssl__key: description: Paste your .key file here file: True From e72eae2e8a55d2a6864b2a424aa761a1b06b1cac Mon Sep 17 00:00:00 2001 
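Review bot: The `7788:7788` port binding is removed unconditionally, while `nginx.conf` in this same commit still defines the `listen 7788` repo server block with `allow all` on `/rules/`; unless the airgap repo is now published some other way, airgap grids lose the rules/package endpoint with this change. If the intent was only to stop reading `global:airgap` directly, gate the binding on the new globals map instead, e.g. `{% if GLOBALS.airgap %}` / `- 7788:7788` / `{% endif %}` (assuming the map carries that key, as `globals.map.jinja` is not in this diff), and describe the behaviour change in the commit message, which currently says only `NGINX fun`.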
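Review bot: `ssl__key` lets an operator paste a private key into the SOC UI, but as far as this series shows nothing consumes `replace_cert`, `ssl__key` or `ssl__crt`: `nginx.conf` still points at `/etc/pki/nginx/server.crt` and `server.key`, and the visible `init.sls` hunks do not write those from pillar (the rest of `init.sls` is outside the diff), so the option silently does nothing until the consumer lands. When it does, the key needs to be treated as a secret in the UI, so whatever flag the annotation schema uses to mask password-type values belongs on `ssl__key`, and the `description` should state what is expected, e.g. `Paste the PEM-encoded private key that matches the certificate above`. A short `description` on `replace_cert` saying that the pasted material replaces the self-signed `/etc/pki/nginx` pair, and only takes effect after a highstate, would also save a support ticket.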
From: Mike Reeves Date: Mon, 19 Sep 2022 16:23:46 -0400 Subject: [PATCH 14/17] NGINX fun --- salt/nginx/soc_nginx.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/salt/nginx/soc_nginx.yaml b/salt/nginx/soc_nginx.yaml index 70b71de4a..d5811654e 100644 --- a/salt/nginx/soc_nginx.yaml +++ b/salt/nginx/soc_nginx.yaml @@ -10,8 +10,10 @@ nginx: file: True title: SSL Key File advanced: True + global: True ssl__crt: description: Paste your .crt file here file: True title: SSL Cert File - advanced: True \ No newline at end of file + advanced: True + global: True \ No newline at end of file From 509c32482f7f9ac69943b845252ebff11ab0f28d Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 19 Sep 2022 16:39:49 -0400 Subject: [PATCH 15/17] Update so-elasticsearch-templates-load to allow for proper loading of differently formatted Elastic Agent index templates --- salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load index cb727a5d3..aa9502396 100755 --- a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load +++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load @@ -58,7 +58,7 @@ echo cd ${ELASTICSEARCH_TEMPLATES}/index echo "Loading Security Onion index templates..." -for i in *; do TEMPLATE=$(echo $i | cut -d '-' -f2); echo "so-$TEMPLATE"; so-elasticsearch-query _index_template/so-$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done +for i in *; do TEMPLATE=${i::-14}; echo "$TEMPLATE"; so-elasticsearch-query _index_template/$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done echo cd - >/dev/null From 3eb4adc5c373274f1efe4ee3a6958441a29c8a9a Mon Sep 17 00:00:00 2001 
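Review bot: Marking `ssl__key` `global: True` puts a private key in the grid-wide setting scope; if, as the name suggests, global settings are rendered into a pillar that every minion receives, the key leaves the manager and lands on each sensor and search node. Only the node(s) running nginx need it, so scope the key to those (leaving `ssl__crt` global is harmless) unless the pillar targeting elsewhere already restricts `nginx:config` to the manager, which this diff does not show.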
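Review bot: `TEMPLATE=${i::-14}` silently strips the last 14 characters of every file name, so any file in the directory whose suffix is not exactly 14 characters (an editor backup, a stray `.json.bak`) is PUT under a mangled template name, and with `2>/dev/null` on the query the failure is invisible. If the convention is `*-template.json` (14 characters), say so with `TEMPLATE="${i%-template.json}"`, skip anything that did not match (`[ "$TEMPLATE" = "$i" ] && continue`), and quote `"$i"` and `"$TEMPLATE"` in the `so-elasticsearch-query` call. Note also that a negative length in `${var::-14}` needs bash 4.2 or later, which is fine if the script's shebang is bash but worth knowing. The loop is part of a script whose surrounding lines are outside this hunk.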
From: Josh Brower Date: Mon, 19 Sep 2022 20:12:47 -0400 Subject: [PATCH 16/17] Hunt Query - Elastic Agent Live Osquery Logs --- salt/soc/defaults.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 9da87a898..7ba352e34 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -680,6 +680,9 @@ soc: - name: NIDS Alerts description: Show all NIDS alerts grouped by alert query: 'event.category: network AND event.dataset: alert | groupby rule.category rule.gid rule.uuid rule.name' + - name: Osquery - Live Query + description: Show all Osquery Live Query results + query: 'event.dataset: osquery_manager.result | groupby action_data.id action_data.query | groupby host.hostname' - name: Wazuh/OSSEC Alerts description: Show all Wazuh alerts at Level 5 or higher grouped by category query: 'event.module:ossec AND event.dataset:alert AND rule.level:>4 | groupby rule.category rule.name' From 120fdef17353e9a549585c1e67523dd21a279016 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 20 Sep 2022 08:27:47 -0400 Subject: [PATCH 17/17] Hunt Query - Elastic Agent Live Osquery Logs --- salt/soc/defaults.yaml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 7ba352e34..44e75feca 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -797,9 +797,6 @@ soc: - name: NTLM description: NTLM grouped by computer name query: 'event.dataset:ntlm | groupby ntlm.server.dns.name' - - name: Osquery Live Queries - description: Osquery Live Query results grouped by computer name - query: 'event.dataset:live_query | groupby host.hostname' - name: PE description: PE files list query: 'event.dataset:pe | groupby file.machine file.os file.subsystem' 
@@ -1457,9 +1454,6 @@ soc: - name: NTLM description: NTLM logs query: 'event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port' - - name: Osquery Live Queries - description: Osquery Live Query results - query: 'event.dataset:live_query | groupby host.hostname' - name: PE description: PE files list query: 'event.dataset:pe | groupby file.machine | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit'