From f0db5cf6571797937006c3fac88336505f117783 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Sat, 4 Mar 2023 11:50:01 -0500
Subject: [PATCH] Fixup osquery SO Hunt link

---
 salt/kibana/files/live_query_fixup.sh | 6 +++---
 salt/kibana/init.sls | 6 ++++++
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/salt/kibana/files/live_query_fixup.sh b/salt/kibana/files/live_query_fixup.sh
index 5026e3a16..9a03683db 100644
--- a/salt/kibana/files/live_query_fixup.sh
+++ b/salt/kibana/files/live_query_fixup.sh
@@ -13,10 +13,10 @@ docker exec so-kibana grep -q "https://{{ GLOBALS.url_base }}" /usr/share/kibana
 if [ $? -eq 0 ]
 then
 #Do Nothing, pattern has been found
- echo "Pattern found, exiting..."
+ echo "SO Hunt link found, exiting without changes..."
 else
- echo "Pattern not found..."
- docker exec so-kibana sed -i 's|href:h|href:"https://{{ GLOBALS.url_base }}/#/hunt?q=action_id%3A%20"+e+"%20%7C%20groupby%20action_id%20action_data.query%20%7C%20groupby%20host.hostname%20%22metadata.input.beats.host.ip%22"|g' /usr/share/kibana/x-pack/plugins/osquery/target/public/osquery.chunk.0.js
+ echo "SO Hunt link not found, adding link and restarting Kibana container..."
+ docker exec so-kibana sed -i 's|href:g|href:"https://{{ GLOBALS.url_base }}/#/hunt?q=action_id%3A%20"+e+"%20%7C%20groupby%20action_id%20action_data.query%20%7C%20groupby%20host.hostname%20%22metadata.input.beats.host.ip%22"|g' /usr/share/kibana/x-pack/plugins/osquery/target/public/osquery.chunk.0.js
 docker exec so-kibana sed -i 's|View in Discover|View in SO - Hunt|g' /usr/share/kibana/x-pack/plugins/osquery/target/public/osquery.chunk.0.js
 docker exec so-kibana rm /usr/share/kibana/x-pack/plugins/osquery/target/public/osquery.chunk.0.js.br
 docker exec so-kibana gzip -kf /usr/share/kibana/x-pack/plugins/osquery/target/public/osquery.chunk.0.js
diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls
index a974dcf48..ba1413c74 100644
--- a/salt/kibana/init.sls
+++ b/salt/kibana/init.sls
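Review bot: The added `sed -i 's|href:g|…'` line patches a minified bundle by a single-letter identifier that this very commit had to change from `h` to `g`, and nothing checks that the substitution actually matched, so on any Kibana build where the name differs the script still prints the "adding link" message, deletes the `.br` file and re-gzips an unmodified chunk, and the grep guard above the hunk will repeat the same silent no-op on every run. Re-check after the sed and fail loudly, e.g. `docker exec so-kibana grep -q "https://{{ GLOBALS.url_base }}" /usr/share/kibana/x-pack/plugins/osquery/target/public/osquery.chunk.0.js || { echo "SO Hunt link pattern not found in osquery.chunk.0.js, bundle left unpatched" >&2; exit 1; }`. `{{ GLOBALS.url_base }}` is also interpolated unescaped into the sed replacement, where `&`, `|` or `\` would alter the expression or the JavaScript string written into the served bundle; if that value is not guaranteed to be a plain hostname, escape it before use. The `if`/`else` block continues past the hunk (no `fi` is visible), and the restart the new echo announces is not shown here.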
@@ -108,6 +108,12 @@ append_so-kibana_so-status.conf:
 - name: /opt/so/conf/so-status/so-status.conf
 - text: so-kibana
 
+osquery_hunt_link:
+ cmd.script:
+ - source: salt://kibana/files/live_query_fixup.sh
+ - cwd: /root
+ - template: jinja
+
 {% else %}
 
 {{sls}}_state_not_allowed:
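Review bot: The new `osquery_hunt_link` state declares no `require` on the state that runs the so-kibana container, so Salt may execute it before the container exists, at which point every `docker exec so-kibana` in live_query_fixup.sh fails and, because the script branches on `$?` of its grep rather than aborting, it proceeds into the "not found" branch against a missing container. Add `- require:` naming the `docker_container` state for so-kibana (that state's id is outside this hunk) so the fixup runs only once the container is up. `cmd.script` also reports a change on every highstate even when the script takes its no-op branch; if `GLOBALS` is in scope in this sls, an `- unless: docker exec so-kibana grep -q "https://{{ GLOBALS.url_base }}" /usr/share/kibana/x-pack/plugins/osquery/target/public/osquery.chunk.0.js` mirroring the script's own guard would keep state output clean and skip the exec when nothing needs patching.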