diff --git a/salt/common/tools/sbin/so-elastic-fleet-setup b/salt/common/tools/sbin/so-elastic-fleet-setup index 85ca755fa..c98b7db22 100644 --- a/salt/common/tools/sbin/so-elastic-fleet-setup +++ b/salt/common/tools/sbin/so-elastic-fleet-setup @@ -20,7 +20,7 @@ curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fle printf "\n\n" # Create Logstash Output payload -mkdir /opt/so/conf/elastic-fleet/certs +mkdir -p /opt/so/conf/elastic-fleet/certs cp /etc/ssl/certs/intca.crt /opt/so/conf/elastic-fleet/certs cp /etc/pki/elasticfleet* /opt/so/conf/elastic-fleet/certs LOGSTASHCRT=$(openssl x509 -in /opt/so/conf/elastic-fleet/certs/elasticfleet.crt) @@ -85,4 +85,4 @@ wget -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https: #docker build -t so-elastic-agent-builder . so-elastic-agent-gen-installers -salt-call state.apply elastic-fleet.install_agent_grid \ No newline at end of file +salt-call state.apply elastic-fleet.install_agent_grid diff --git a/salt/common/tools/sbin/so-import-evtx b/salt/common/tools/sbin/so-import-evtx index 522816df7..bd9421897 100755 --- a/salt/common/tools/sbin/so-import-evtx +++ b/salt/common/tools/sbin/so-import-evtx @@ -158,11 +158,11 @@ cat << EOF Import complete! You can use the following hyperlink to view data in the time range of your import. You can triple-click to quickly highlight the entire hyperlink and you can then copy it into your browser: -https://{{ URLBASE }}/#/hunt?q=import.id:${RUNID}%20%7C%20groupby%20event.module%20event.dataset&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20AM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20AM&z=UTC +https://{{ URLBASE }}/#/dashboards?q=import.id:${RUNID}%20%7C%20groupby%20event.module%20event.dataset&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20AM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20AM&z=UTC or you can manually set your Time Range to be (in UTC): From: $START_OLDEST_FORMATTED To: $END_NEWEST -Please note that it may take 30 seconds or more for events to appear in Hunt. +Please note that it may take 30 seconds or more for events to appear in Security Onion Console. EOF fi diff --git a/salt/common/tools/sbin/so-import-pcap b/salt/common/tools/sbin/so-import-pcap index 4dad845f0..dd1bb2774 100755 --- a/salt/common/tools/sbin/so-import-pcap +++ b/salt/common/tools/sbin/so-import-pcap @@ -206,11 +206,11 @@ cat << EOF Import complete! You can use the following hyperlink to view data in the time range of your import. You can triple-click to quickly highlight the entire hyperlink and you can then copy it into your browser: -https://{{ URLBASE }}/#/hunt?q=import.id:${HASH}%20%7C%20groupby%20event.module%20event.dataset&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20AM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20AM&z=UTC +https://{{ URLBASE }}/#/dashboards?q=import.id:${HASH}%20%7C%20groupby%20event.module%20event.dataset&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20AM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20AM&z=UTC or you can manually set your Time Range to be (in UTC): From: $START_OLDEST To: $END_NEWEST -Please note that it may take 30 seconds or more for events to appear in Hunt. +Please note that it may take 30 seconds or more for events to appear in Security Onion Console. EOF fi diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index fd5c65e78..298795039 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -212,6 +212,24 @@ soc: - destination.port - dnp3.fc_reply - log.id.uid + '::dnp3_control': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - dnp3.function_code + - dnp3.block_type + - log.id.uid + '::dnp3_objects': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - dnp3.function_code + - dnp3.object_type + - log.id.uid '::dns': - soc_timestamp - source.ip @@ -1119,22 +1137,6 @@ soc: description: Show all Osquery Live Query results query: 'event.dataset: osquery_manager.result | groupby action_data.id action_data.query | groupby host.hostname' showSubtitle: true - - name: Wazuh/OSSEC Alerts - description: Show all Wazuh alerts at Level 5 or higher grouped by category - query: 'event.module:ossec AND event.dataset:alert AND rule.level:>4 | groupby rule.category rule.name' - showSubtitle: true - - name: Wazuh/OSSEC Alerts - description: Show all Wazuh alerts at Level 4 or lower grouped by category - query: 'event.module:ossec AND event.dataset:alert AND rule.level:<5 | groupby rule.category rule.name' - showSubtitle: true - - name: Wazuh/OSSEC Users and Commands - description: Show all Wazuh alerts grouped by username and command line - query: 'event.module:ossec AND event.dataset:alert | groupby user.escalated.keyword process.command_line' - showSubtitle: true - - name: Wazuh/OSSEC Processes - description: Show all Wazuh alerts grouped by process name - query: 'event.module:ossec AND event.dataset:alert | groupby process.name' - showSubtitle: true - name: Sysmon Events description: Show all Sysmon logs grouped by event type query: 'event.module:sysmon | groupby event.dataset' @@ -1415,6 +1417,24 @@ soc: - destination.port - dnp3.fc_reply - log.id.uid + '::dnp3_control': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - dnp3.function_code + - dnp3.block_type + - log.id.uid + '::dnp3_objects': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - dnp3.function_code + - dnp3.object_type + - log.id.uid '::dns': - soc_timestamp - source.ip @@ -2298,20 +2318,17 @@ soc: description: Overview of all events query: '* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module | groupby event.dataset | groupby event.module | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port' - name: SOC Auth - description: Show all SOC authentication logs + description: SOC (Security Onion Console) authentication logs query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent' - name: Elastalerts description: Elastalert logs query: '_index: "*:elastalert*" | groupby rule_name | groupby alert_info.type' - name: Alerts - description: Show all alerts + description: Overview of all alerts query: 'event.dataset: alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port' - name: NIDS Alerts - description: NIDS alerts + description: NIDS (Network Intrusion Detection System) alerts query: 'event.category: network AND event.dataset: alert | groupby rule.category | groupby rule.gid | groupby rule.uuid | groupby rule.name | groupby source.ip | groupby destination.ip | groupby destination.port' - - name: Wazuh/OSSEC - description: Wazuh/OSSEC HIDS alerts and logs - query: 'event.module:ossec | groupby rule.category | groupby rule.uuid | groupby rule.name | groupby agent.id | groupby agent.name | groupby log.full' - name: Sysmon Overview description: Overview of all Sysmon data types query: 'event.module:sysmon | groupby -sankey event.dataset winlog.computer_name | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby event.dataset | groupby user.name | groupby dns.query.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.target | groupby source.ip | groupby destination.ip | groupby destination.port' @@ -2331,116 +2348,104 @@ soc: description: Network activity captured by Sysmon query: 'event.dataset:network_connection | groupby -sankey winlog.computer_name destination.ip destination.port | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: Strelka - description: Strelka logs + description: Strelka file analysis query: 'event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source' - name: Zeek Notice - description: Zeek Notice logs + description: Zeek notice logs query: 'event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port' - name: Connections - description: Connection logs + description: Network connection metadata query: 'event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes' - name: DCE_RPC - description: DCE_RPC logs + description: DCE_RPC (Distributed Computing Environment / Remote Procedure Calls) network metadata query: 'event.dataset:dce_rpc | groupby dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port' - name: DHCP - description: Dynamic Host Configuration Protocol leases + description: DHCP (Dynamic Host Configuration Protocol) leases query: 'event.dataset:dhcp | groupby host.hostname | groupby host.domain | groupby dhcp.message_types | groupby client.address | groupby server.address' - - name: DNP3 - description: DNP3 logs - query: 'event.dataset:dnp3 | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby dnp3.iin | groupby source.ip | groupby destination.ip | groupby destination.port' - name: DNS - description: Domain Name System queries + description: DNS (Domain Name System) queries query: 'event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port' - name: DPD - description: Dynamic Protocol Detection errors + description: DPD (Dynamic Protocol Detection) errors query: 'event.dataset:dpd | groupby error.reason | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol' - name: Files description: Files seen in network traffic query: 'event.dataset:file | groupby file.mime_type | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip' - name: FTP - description: File Transfer Protocol logs + description: FTP (File Transfer Protocol) network metadata query: 'event.dataset:ftp | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port' - name: HTTP - description: Hyper Text Transport Protocol logs + description: HTTP (Hyper Text Transport Protocol) network metadata query: 'event.dataset:http | groupby http.method | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port' - name: Intel description: Zeek Intel framework hits query: 'event.dataset:intel | groupby intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port' - name: IRC - description: Internet Relay Chat logs + description: IRC (Internet Relay Chat) network metadata query: 'event.dataset:irc | groupby irc.command.type | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port' - name: Kerberos - description: Kerberos logs + description: Kerberos network metadata query: 'event.dataset:kerberos | groupby kerberos.service | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port' - - name: MODBUS - description: MODBUS logs - query: 'event.dataset:modbus | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port' - - name: MYSQL - description: MYSQL logs + - name: MySQL + description: MySQL network metadata query: 'event.dataset:mysql | groupby mysql.command | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port' - - name: NOTICE - description: Zeek notice logs - query: 'event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port' - name: NTLM - description: NTLM logs + description: NTLM (New Technology LAN Manager) network metadata query: 'event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port' - name: PE - description: PE files list + description: PE (Portable Executable) files transferred via network traffic query: 'event.dataset:pe | groupby file.machine | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit' - name: RADIUS - description: RADIUS logs + description: RADIUS (Remote Authentication Dial-In User Service) network metadata query: 'event.dataset:radius | groupby user.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port' - name: RDP - description: RDP logs + description: RDP (Remote Desktop Protocol) network metadata query: 'event.dataset:rdp | groupby client.name | groupby source.ip | groupby destination.ip | groupby destination.port' - name: RFB - description: RFB logs + description: RFB (Remote Frame Buffer) network metadata query: 'event.dataset:rfb | groupby rfb.desktop.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port' - name: Signatures description: Zeek signatures query: 'event.dataset:signatures | groupby signature_id' - name: SIP - description: SIP logs + description: SIP (Session Initiation Protocol) network metadata query: 'event.dataset:sip | groupby client.user_agent | groupby sip.method | groupby sip.uri | groupby source.ip | groupby destination.ip | groupby destination.port' - name: SMB_Files - description: SMB files + description: Files transferred via SMB (Server Message Block) query: 'event.dataset:smb_files | groupby file.action | groupby file.path | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port' - name: SMB_Mapping - description: SMB mapping logs + description: SMB (Server Message Block) mapping network metadata query: 'event.dataset:smb_mapping | groupby smb.share_type | groupby smb.path | groupby smb.service | groupby source.ip | groupby destination.ip | groupby destination.port' - name: SMTP - description: SMTP logs + description: SMTP (Simple Mail Transfer Protocol) network metadata query: 'event.dataset:smtp | groupby smtp.from | groupby smtp.recipient_to | groupby smtp.subject | groupby source.ip | groupby destination.ip | groupby destination.port' - name: SNMP - description: SNMP logs + description: SNMP (Simple Network Management Protocol) network metadat query: 'event.dataset:snmp | groupby snmp.community | groupby snmp.version | groupby source.ip | groupby destination.ip | groupby destination.port' - name: Software - description: List of software seen on the network by Zeek + description: Software seen by Zeek via network traffic query: 'event.dataset:software | groupby software.type | groupby software.name | groupby source.ip' - name: SSH - description: SSH connections seen by Zeek + description: SSH (Secure Shell) connections seen by Zeek query: 'event.dataset:ssh | groupby ssh.client | groupby ssh.server | groupby ssh.direction | groupby ssh.version | groupby ssh.hassh_version | groupby source.ip | groupby destination.ip | groupby destination.port' - name: SSL - description: SSL logs + description: SSL/TLS network metadata query: 'event.dataset:ssl | groupby ssl.version | groupby ssl.validation_status | groupby ssl.server_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject | groupby source.ip | groupby destination.ip | groupby destination.port' - name: STUN description: STUN (Session Traversal Utilities for NAT) network metadata query: 'event.dataset:stun* | groupby -sankey source.ip destination.ip | groupby destination.geo.country_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby event.dataset' - - name: SYSLOG - description: SYSLOG logs + - name: Syslog + description: Syslog logs query: 'event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby network.protocol | groupby source.ip | groupby destination.ip | groupby destination.port' - name: TDS description: TDS (Tabular Data Stream) network metadata - query: 'event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupbytds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby tds.query' + query: 'event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupby tds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby tds.query' - name: Tunnel description: Tunnels seen by Zeek query: 'event.dataset:tunnel | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port' - name: Weird description: Weird network traffic seen by Zeek query: 'event.dataset:weird | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port ' - - name: TDS - description: TDS (Tabular Data Stream) network metadata - query: 'event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupbytds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby tds.query' - name: WireGuard description: WireGuard VPN network metadata query: 'event.dataset:wireguard | groupby -sankey source.ip destination.ip | groupby destination.geo.country_name | groupby source.ip | groupby destination.ip | groupby destination.port' diff --git a/setup/so-whiptail b/setup/so-whiptail index 0df694f17..7b9cf8505 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -14,9 +14,9 @@ whiptail_airgap() { [[ $is_manager || $is_import ]] && node_str='manager' INTERWEBS=$(whiptail --title "$whiptail_title" --menu \ - "How should this $node_str be installed?" 10 60 2 \ - "Standard " "This $node_str has internet accesss" \ - "Airgap " "This $node_str does not have internet access" 3>&1 1>&2 2>&3 ) + "How should this $node_str be installed?" 10 70 2 \ + "Standard " "This $node_str has access to the Internet" \ + "Airgap " "This $node_str does not have access to the Internet" 3>&1 1>&2 2>&3 ) local exitstatus=$? whiptail_check_exitstatus $exitstatus