From a53619f10f88dcb177dede28e1ace1f5891fb23d Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Mon, 5 Jan 2026 12:22:01 -0600
Subject: [PATCH 1/5] update kratos index template

---
 salt/elasticsearch/defaults.yaml | 42 --------------------------------
 salt/manager/tools/sbin/soup | 16 ++++++++++++
 2 files changed, 16 insertions(+), 42 deletions(-)

diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index c9f77aa7d..38559e68c 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -857,53 +857,11 @@ elasticsearch:
 composed_of:
 - agent-mappings
 - dtc-agent-mappings
- - base-mappings
- - dtc-base-mappings
- - client-mappings
- - dtc-client-mappings
- - container-mappings
- - destination-mappings
- - dtc-destination-mappings
- - pb-override-destination-mappings
- - dll-mappings
- - dns-mappings
- - dtc-dns-mappings
- - ecs-mappings
- - dtc-ecs-mappings
- - error-mappings
- - event-mappings
- - dtc-event-mappings
- - file-mappings
- - dtc-file-mappings
- - group-mappings
 - host-mappings
 - dtc-host-mappings
 - http-mappings
 - dtc-http-mappings
- - log-mappings
 - metadata-mappings
- - network-mappings
- - dtc-network-mappings
- - observer-mappings
- - dtc-observer-mappings
- - organization-mappings
- - package-mappings
- - process-mappings
- - dtc-process-mappings
- - related-mappings
- - rule-mappings
- - dtc-rule-mappings
- - server-mappings
- - service-mappings
- - dtc-service-mappings
- - source-mappings
- - dtc-source-mappings
- - pb-override-source-mappings
- - threat-mappings
- - tls-mappings
- - url-mappings
- - user_agent-mappings
- - dtc-user_agent-mappings
 - common-settings
 - common-dynamic-mappings
 data_stream:
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 06fdbd70f..c8627ab46 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
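Review bot: The trimmed composed_of list drops event-mappings, dtc-event-mappings, ecs-mappings and user_agent-mappings, yet the kratos ingest pipeline still writes event.dataset and event.action and the SOC login dashboards still group by user.name, so after the rollover those fields are typed by common-dynamic-mappings alone. If that dynamic template does not map them as keyword, `groupby user.name` and the `event.dataset:kratos.audit` filter will stop working on the new backing index; please confirm, or keep `- event-mappings` and `- dtc-event-mappings` in the list. A short comment above the block, such as `# kratos events only carry agent/host/http/metadata fields; anything else is dynamically mapped`, would record why the list was cut.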
@@ -427,6 +427,7 @@ preupgrade_changes() {
 [[ "$INSTALLEDVERSION" == 2.4.170 ]] && up_to_2.4.180
 [[ "$INSTALLEDVERSION" == 2.4.180 ]] && up_to_2.4.190
 [[ "$INSTALLEDVERSION" == 2.4.190 ]] && up_to_2.4.200
+ [[ "$INSTALLEDVERSION" == 2.4.200 ]] && up_to_2.4.210
 true
 }

@@ -459,6 +460,7 @@ postupgrade_changes() {
 [[ "$POSTVERSION" == 2.4.170 ]] && post_to_2.4.180
 [[ "$POSTVERSION" == 2.4.180 ]] && post_to_2.4.190
 [[ "$POSTVERSION" == 2.4.190 ]] && post_to_2.4.200
+ [[ "$POSTVERSION" == 2.4.200 ]] && post_to_2.4.210
 true
 }

@@ -645,6 +647,14 @@ post_to_2.4.200() {
 POSTVERSION=2.4.200
 }

+post_to_2.4.210() {
+ echo "Rolling over Kratos index to apply new index template"
+
+ rollover_index "logs-kratos-so"
+
+ POSTVERSION=2.4.210
+}
+
 repo_sync() {
 echo "Sync the local repo."
 su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync."
@@ -921,6 +931,12 @@ up_to_2.4.200() {
 INSTALLEDVERSION=2.4.200
 }

+up_to_2.4.210() {
+ echo "Nothing to do for 2.4.210"
+
+ INSTALLEDVERSION=2.4.210
+}
+
 add_hydra_pillars() {
 mkdir -p /opt/so/saltstack/local/pillar/hydra
 touch /opt/so/saltstack/local/pillar/hydra/soc_hydra.sls
From 3a410eed1ac8e16d9f6ac9d7b05e7d5ba7c741dd Mon Sep 17 00:00:00 2001
From: Matthew Wright
Date: Mon, 5 Jan 2026 14:45:02 -0500
Subject: [PATCH 2/5] assistant session reports

---
 .../standard/assistant_session_report.md | 91 +++++++++++++++++++
 salt/sensoroni/soc_sensoroni.yaml | 9 +-
 2 files changed, 99 insertions(+), 1 deletion(-)
 create mode 100644 salt/sensoroni/files/templates/reports/standard/assistant_session_report.md

diff --git a/salt/sensoroni/files/templates/reports/standard/assistant_session_report.md b/salt/sensoroni/files/templates/reports/standard/assistant_session_report.md
new file mode 100644
index 000000000..7879a7db0
--- /dev/null
+++ b/salt/sensoroni/files/templates/reports/standard/assistant_session_report.md
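Review bot: post_to_2.4.210 sets POSTVERSION=2.4.210 whether or not `rollover_index "logs-kratos-so"` succeeded, so a rollover that fails (for example because Elasticsearch is not reachable yet when the post-upgrade step runs) is never retried on a later soup run, and Kratos audit events would keep landing in a backing index built from the old template. Unless rollover_index already aborts on failure (its definition is outside this hunk), guard the call the way repo_sync does: `rollover_index "logs-kratos-so" || fail "Unable to roll over logs-kratos-so."`. The up_to_2.4.210 placeholder in the last hunk is fine as written.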
@@ -0,0 +1,91 @@
+Onion AI Session Report
+==========================
+
+## Session Details
+
+**Session ID:** {{.Session.SessionId}}
+
+**Title:** {{.Session.Title}}
+
+**Created:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .Session.CreateTime}}
+
+**Updated:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .Session.UpdateTime}}
+
+{{ if .Session.DeleteTime }}
+**Deleted:** {{ formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .Session.DeleteTime}}
+{{ end }}
+
+**User ID:** {{getUserDetail "email" .Session.UserId}}
+
+## Session Usage
+
+**Total Input Tokens** {{.Session.Usage.TotalInputTokens}}
+
+**Total Output Tokens** {{.Session.Usage.TotalOutputTokens}}
+
+**Total Credits:** {{.Session.Usage.TotalCredits}}
+
+**Total Messages:** {{.Session.Usage.TotalMessages}}
+
+## Messages
+
+{{ range $index, $msg := sortAssistantMessages "CreateTime" "asc" .History }}
+#### Message {{ add $index 1 }}
+
+**Created:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" $msg.CreateTime}}
+
+**User ID:** {{getUserDetail "email" $msg.UserId}}
+
+**Role:** {{$msg.Message.Role}}
+
+{{ range $i, $block := $msg.Message.ContentBlocks }}
+
+---
+
+{{ if eq $block.Type "text" }}
+**Text:** {{ stripEmoji $block.Text }}
+{{ else if eq $block.Type "tool_use" }}
+**Tool:** {{ $block.Name }}
+{{ if $block.Input }}
+**Parameters:**
+{{ range $key, $value := parseJSON $block.Input }}
+{{ if eq $key "limit" }}- {{ $key }}: {{ $value }}
+{{ else }}- {{ $key }}: "{{ $value }}"
+{{ end }}{{ end }}{{ end }}
+{{ else if $block.ToolResult }}
+**Tool Result:**
+{{ if $block.ToolResult.Content }}
+{{ range $j, $contentBlock := $block.ToolResult.Content }}
+{{ if gt $j 0 }}
+
+---
+
+{{ end }}
+{{ if $contentBlock.Text }}
+{{ if $block.ToolResult.IsError }}
+**Error:** {{ $contentBlock.Text }}
+{{ else }}
+{{ $contentBlock.Text }}
+{{ end }}
+{{ else if $contentBlock.Json }}
+```json
+{{ toJSON $contentBlock.Json }}
+```
+{{ end }}{{ end }}
+{{ end }}{{ end }}{{ end }}
+
+{{ if eq $msg.Message.Role "assistant" }}{{ if $msg.Message.Usage }}
+
+---
+
+**Message Usage:**
+
+- Input Tokens: {{$msg.Message.Usage.InputTokens}}
+- Output Tokens: {{$msg.Message.Usage.OutputTokens}}
+- Credits: {{$msg.Message.Usage.Credits}}
+
+{{end}}{{end}}
+
+---
+
+{{end}}
\ No newline at end of file
diff --git a/salt/sensoroni/soc_sensoroni.yaml b/salt/sensoroni/soc_sensoroni.yaml
index cf69ec52a..aca6c8e3f 100644
--- a/salt/sensoroni/soc_sensoroni.yaml
+++ b/salt/sensoroni/soc_sensoroni.yaml
@@ -357,7 +357,7 @@ sensoroni:
 reports:
 standard:
 case_report__md:
- title: Case report Template
+ title: Case Report Template
 description: The template used when generating a case report. Supports markdown format.
 file: True
 global: True
@@ -370,6 +370,13 @@ sensoroni:
 global: True
 syntax: md
 helpLink: reports.html
+ assistant_session_report__md:
+ title: Assistant Session Report Template
+ description: The template used when generating an assistant session report. Supports markdown format.
+ file: True
+ global: True
+ syntax: md
+ helplink: reports.html
 custom:
 generic_report1__md:
 title: Custom Report 1
From f2b7ffe0ebdeba70654bcf133e3bee8a3776368f Mon Sep 17 00:00:00 2001
From: reyesj2 <94730068+reyesj2@users.noreply.github.com>
Date: Mon, 5 Jan 2026 14:48:10 -0600
Subject: [PATCH 3/5] align with ECS fieldnames

---
 salt/elasticsearch/files/ingest/kratos | 95 ++++++++++++++++++++++++--
 salt/soc/defaults.yaml | 14 ++--
 2 files changed, 95 insertions(+), 14 deletions(-)

diff --git a/salt/elasticsearch/files/ingest/kratos b/salt/elasticsearch/files/ingest/kratos
index 9551dad24..d59f45587 100644
--- a/salt/elasticsearch/files/ingest/kratos
+++ b/salt/elasticsearch/files/ingest/kratos
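Review bot: Text that originates from tool results and assistant messages is written into the report unescaped at `{{ $contentBlock.Text }}`, `**Text:** {{ stripEmoji $block.Text }}` and the `"{{ $value }}"` parameter lines, so markdown or HTML carried in the log and alert data a tool returned will be interpreted by whatever renders this file downstream, and a parameter value containing a double quote breaks the quoted line. Unless the template engine already escapes these values (not visible here), pass them through an escaping helper or fence the raw text in a code block the way the JSON branch already does. The `{{ else if $block.ToolResult }}` branch also selects on field presence rather than on the block type like its siblings; `{{ else if eq $block.Type "tool_result" }}` would keep the three branches consistent. A one-line comment at the top naming the inputs the template expects (`.Session`, `.History`) would help the next editor.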
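Review bot: The new assistant_session_report__md entry spells the key `helplink: reports.html` while the two entries above it use `helpLink: reports.html`; YAML keys are case-sensitive, so the consumer of this config will presumably not pick up the help link for the new template. Change it to `helpLink: reports.html`.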
@@ -1,9 +1,90 @@
 {
- "description" : "kratos",
- "processors" : [
- {"set":{"field":"audience","value":"access","override":false,"ignore_failure":true}},
- {"set":{"field":"event.dataset","ignore_empty_value":true,"ignore_failure":true,"value":"kratos.{{{audience}}}","media_type":"text/plain"}},
- {"set":{"field":"event.action","ignore_failure":true,"copy_from":"msg" }},
- { "pipeline": { "name": "common" } }
- ]
+ "description": "kratos",
+ "processors": [
+ {
+ "set": {
+ "field": "audience",
+ "value": "access",
+ "override": false,
+ "ignore_failure": true
+ }
+ },
+ {
+ "set": {
+ "field": "event.dataset",
+ "ignore_empty_value": true,
+ "ignore_failure": true,
+ "value": "kratos.{{{audience}}}",
+ "media_type": "text/plain"
+ }
+ },
+ {
+ "set": {
+ "field": "event.action",
+ "ignore_failure": true,
+ "copy_from": "msg"
+ }
+ },
+ {
+ "rename": {
+ "field": "http_request",
+ "target_field": "http.request",
+ "ignore_failure": true,
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "http_response",
+ "target_field": "http.response",
+ "ignore_failure": true,
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "http.request.path",
+ "target_field": "http.uri",
+ "ignore_failure": true,
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "http.request.method",
+ "target_field": "http.method",
+ "ignore_failure": true,
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "http.request.method",
+ "target_field": "http.method",
+ "ignore_failure": true,
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "http.request.query",
+ "target_field": "http.query",
+ "ignore_failure": true,
+ "ignore_missing": true
+ }
+ },
+ {
+ "rename": {
+ "field": "http.request.headers.user-agent",
+ "target_field": "http.useragent",
+ "ignore_failure": true,
+ "ignore_missing": true
+ }
+ },
+ {
+ "pipeline": {
+ "name": "common"
+ }
+ }
+ ]
 }
\ No newline at end of file
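Review bot: The rename of `http.request.method` to `http.method` is listed twice; the second copy is a no-op because of ignore_missing but reads as if a different rename were intended, so drop it. Every rename also carries `"ignore_failure": true`, which means a document whose target field already exists (say a future Kratos release that logs both `http_request` and `http`) would silently keep the old name and disappear from the x-real-ip and useragent dashboards without any pipeline error; consider dropping ignore_failure from the rename processors so such a conflict surfaces, or add a comment in the Salt state that deploys this pipeline explaining why it is wanted. Note too that the wholesale `http_request` -> `http.request` rename keeps every request header Kratos emits under `http.request.headers.*`; if that set can include anything sensitive, a remove processor for those keys belongs in this pipeline.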
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 28db2ef5f..6f9fc0226 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -115,16 +115,16 @@ soc:
 ':kratos:':
 - soc_timestamp
 - event.dataset
- - http_request.headers.x-real-ip
+ - http.request.headers.x-real-ip
 - user.name
- - http_request.headers.user-agent
+ - http.useragent
 - msg
 ':hydra:':
 - soc_timestamp
 - event.dataset
- - http_request.headers.x-real-ip
+ - http.request.headers.x-real-ip
 - user.name
- - http_request.headers.user-agent
+ - http.useragent
 - msg
 '::conn':
 - soc_timestamp
@@ -1747,7 +1747,7 @@ soc:
 showSubtitle: true
 - name: SOC - Auth
 description: Users authenticated to SOC grouped by IP address and identity
- query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http_request.headers.x-real-ip user.name'
+ query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http.request.headers.x-real-ip user.name'
 showSubtitle: true
 - name: SOC - App
 description: Logs generated by the Security Onion Console (SOC) server and modules
@@ -2027,10 +2027,10 @@ soc:
 query: '* | groupby event.category | groupby -sankey event.category event.module | groupby event.module | groupby -sankey event.module event.dataset | groupby event.dataset | groupby observer.name | groupby host.name | groupby source.ip | groupby destination.ip | groupby destination.port'
 - name: SOC Logins
 description: SOC (Security Onion Console) logins
- query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http_request.headers.x-real-ip | groupby -sankey http_request.headers.x-real-ip user.name | groupby user.name | groupby http_request.headers.user-agent'
+ query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http.request.headers.x-real-ip | groupby -sankey http.request.headers.x-real-ip user.name | groupby user.name | groupby http.useragent'
 - name: SOC Login Failures
 description: SOC (Security Onion Console) login failures
- query: 'event.dataset:kratos.audit AND msg:*Encountered*self-service*login*error* | groupby user.name | groupby http_request.headers.x-real-ip | groupby -sankey http_request.headers.x-real-ip http_request.headers.user-agent | groupby http_request.headers.user-agent'
+ query: 'event.dataset:kratos.audit AND msg:*Encountered*self-service*login*error* | groupby user.name | groupby http.request.headers.x-real-ip | groupby -sankey http.request.headers.x-real-ip http.useragent | groupby http.useragent'
 - name: Alerts
 description: Overview of all alerts
 query: 'tags:alert | groupby event.module* | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby rule.name | groupby event.severity | groupby destination.as.organization.name'
From 2d705e7caa7fee11968964f9d2493b6e8beea03c Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Tue, 6 Jan 2026 09:47:35 -0500
Subject: [PATCH 4/5] exempt kratos online check

---
 salt/common/tools/sbin/so-log-check | 1 +
 1 file changed, 1 insertion(+)
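Review bot: The SOC Logins and SOC Login Failures queries now reference only `http.request.headers.x-real-ip` and `http.useragent`, but the rename happens in the ingest pipeline and the soup step in this series only rolls the index over, so Kratos audit documents indexed before the upgrade still carry `http_request.headers.*` and will drop out of these login dashboards until those indices age out. For a login-audit view that gap is worth closing: unless a reindex exists elsewhere, either reindex logs-kratos-so through the new pipeline in post_to_2.4.210 or query both spellings for one release, e.g. `groupby http.request.headers.x-real-ip | groupby http_request.headers.x-real-ip`. The same caveat applies to the SOC - Auth dashboard changed in the previous hunk.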
diff --git a/salt/common/tools/sbin/so-log-check b/salt/common/tools/sbin/so-log-check
index 5960a7946..decb52abb 100755
--- a/salt/common/tools/sbin/so-log-check
+++ b/salt/common/tools/sbin/so-log-check
@@ -129,6 +129,7 @@ if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then
 EXCLUDED_ERRORS="$EXCLUDED_ERRORS|responded with status-code 503" # telegraf getting 503 from ES during startup
 EXCLUDED_ERRORS="$EXCLUDED_ERRORS|process_cluster_event_timeout_exception" # logstash waiting for elasticsearch to start
 EXCLUDED_ERRORS="$EXCLUDED_ERRORS|not configured for GeoIP" # SO does not bundle the maxminddb with Zeek
+ EXCLUDED_ERRORS="$EXCLUDED_ERRORS|HTTP 404: Not Found" # Salt loops until Kratos returns 200, during startup Kratos may not be ready
 fi

 if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then
From 5028729e4cadd9749746cbcb77c19ec45f0403e5 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Tue, 6 Jan 2026 12:50:18 -0500
Subject: [PATCH 5/5] suppress config diffs to avoid false positive errors

---
 salt/kratos/config.sls | 1 +
 1 file changed, 1 insertion(+)

diff --git a/salt/kratos/config.sls b/salt/kratos/config.sls
index b9f5142f1..622522e0b 100644
--- a/salt/kratos/config.sls
+++ b/salt/kratos/config.sls
@@ -75,6 +75,7 @@ kratosconfig:
 - group: 928
 - mode: 600
 - template: jinja
+ - show_changes: False
 - defaults:
 KRATOSMERGED: {{ KRATOSMERGED }}
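Review bot: The new exclusion `HTTP 404: Not Found` is not scoped to the Kratos readiness loop it is meant to cover, so under EXCLUDE_STARTUP_ERRORS='Y' a 404 logged by any component for any reason vanishes from so-log-check, a broader blind spot than the neighbouring entries, each of which names a specific message. If the Salt log line that polls Kratos carries a distinguishing substring (module name or URL), anchor the pattern on it instead, e.g. `EXCLUDED_ERRORS="$EXCLUDED_ERRORS|<kratos-poll-fragment>.*HTTP 404: Not Found"`, assuming EXCLUDED_ERRORS is consumed as an extended regex as the `|` separators suggest. If no such substring exists, say so in the trailing comment so a later reader knows the broad match was deliberate rather than an oversight.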