CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-27 03:13:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
16,981 Commits 19 Branches 120 Tags
348f9dcaec75bcdbbdfa47dd7d2a86f4d73316df
Commit Graph

282 Commits

Author SHA1 Message Date
Corey Ogburn
2181cddf49 Move EnableReverseLookup 
Move EnableReverseLookup and it's annotation from ClientParams to ServerConfig.
 2025-09-02 14:09:55 -06:00
Jason Ertel
9cb42911dc Merge branch '2.4/dev' into jertel/wip 2025-08-18 09:54:58 -04:00
Jason Ertel
a3cc6f025e reports 2025-08-18 09:54:40 -04:00
reyesj2
84b38daf62 name destination_geo & source_geo to destination.as and source.as better aligning with ECS and linking other log sources already using .as for ASN geo data. 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2025-07-25 16:17:22 -05:00
Doug Burks
6bb6c24641 Simplify UniFi dashboards #14838 2025-07-16 07:20:39 -04:00
Doug Burks
4f8bd16910 FEATURE: Add SOC Dashboards for CEF, iptables, and UniFi logs #14838 2025-07-14 15:37:10 -04:00
Doug Burks
ab9d03bc2e FEATURE: Add SOC Dashboards for UniFi logs #14838 2025-07-14 12:21:08 -04:00
Doug Burks
10bf3e8fab FEATURE: Add SOC default fields for CEF logs #14837 2025-07-14 12:07:02 -04:00
Doug Burks
f8108e93d5 FEATURE: Add SOC default fields for iptables logs #14836 2025-07-14 12:04:46 -04:00
Josh Brower
42552810fb Add user.name to kratos query 2025-07-08 09:50:08 -04:00
Corey Ogburn
33c23c30d3 Refactors playbook repo configuration 
Replaces individual playbook repo fields with an array of repos to support multiple playbook sources. Refactor Jinja.
 2025-06-30 11:43:02 -06:00
Josh Brower
a3b5db5945 Add support for Airgap for Playbooks 2025-06-06 16:17:14 -04:00
Corey Ogburn
fc9107f129 Updated Playbook Repo Config 
The repo and folder have changed. We're splitting out playbooks into their own repo: github.com/security-onion-solutions/securityonion-resources-playbooks.
 2025-06-03 13:33:30 -06:00
Josh Brower
0277891392 Use Stable branch 2025-06-02 13:10:13 -04:00
Corey Ogburn
11fb33fdeb Add RulesetName to Rule Repos 
Fill in `rulesetName` in the rules repos of the ElastAlert and Strelka engines. These will act as an example to anybody adding their repos to these lists. The field is not required, but helps avoid collisions when managing repos as the value is used for the folder name. When not present, the final folder of the repo url is used as the rulesetName and as the folder name on disk.

Note that rulesetNames including a `/` will create extra folders in the path but the rulesetName will contain the slash, i.e. `rulesetName="joesecurity/sigma-rules"` will create the nested structure of `reposFolder/joesecurity/sigma-rules" containing the contents of the repo. All rules imported from this repo will have the ruleset of `joesecurity/sigma-rules`.
 2025-05-19 14:19:56 -06:00
Corey Ogburn
78b7068638 Playbook Settings 
Map a folder from the manager's soc config folder to soc's sensoroni folder for storing the playbook repo.

Added playbook module section with default values.
 2025-05-14 13:19:49 -06:00
Doug Burks
a8cb18bb2e Update defaults.yaml to replace remaining instances of identity_id with user.name 2025-05-08 09:09:26 -04:00
Josh Brower
d47a798645 Show user.name instead of id 2025-05-07 11:17:00 -04:00
Jason Ertel
1ecf2b29fc update default actions for subgrid support 2025-05-06 13:56:16 -04:00
Corey Ogburn
21a64b6c1d Add Client Parameter 
Add groupItemsPerPage so detections groupby tables have proper default value for page size.
 2025-03-05 09:43:21 -07:00
Doug Burks
c6c67f4d06 FEATURE: Add sankey chart to Elastic Agent API dashboard to show relationship between process.name and process.Ext.api.name #14339 2025-03-05 06:31:16 -05:00
Doug Burks
44535cba8c FIX: Elastic Agent Security Events dashboard should reference user.effective.name #14325 2025-03-04 06:46:56 -05:00
Doug Burks
e53f4fd1f1 Update defaults.yaml to quote the process.entity_id value 2025-03-02 05:54:30 -05:00
Corey Ogburn
d0fa6eaf83 New Limit on Bulk Creating Related Events 
Used by the UI and API to hint at a user that not every event will be attached to a case. Supports values up to 10,000 (the default limit on the number of documents returned by a single ES search).
 2025-02-03 14:20:33 -07:00
Jorge Reyes
107ca38268 fix http query for "includes" function 2025-01-14 08:24:07 -06:00
Jorge Reyes
35547b476f update http query 2025-01-14 08:13:27 -06:00
Jorge Reyes
ad765200c3 Merge pull request #14105 from Security-Onion-Solutions/reyesj2/moarzeekparse 
Additional Zeek parsing & cloudflare_logpush integration
 2025-01-13 11:37:21 -06:00
reyesj2
14c920a258 fix hidden ldap menu subtitle 2025-01-13 09:23:32 -06:00
reyesj2
e60a1e4357 zeek ldap & ldap_search parsing 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2025-01-09 16:06:10 -06:00
Joshua Brower
6fa11a38ef Update defaults 2025-01-07 13:14:50 -05:00
Doug Burks
927b618ec9 Update Zeek QUIC dashboard, add Hunt query, add quic.server.name as column in Events table 2025-01-02 06:57:56 -05:00
reyesj2
9f83853922 Zeek QUIC support 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-12-31 13:44:20 -06:00
reyesj2
754d28e95d add openvpn & ipsec support to Zeek 2024-12-05 09:52:55 -06:00
Josh Brower
04ffdf9b15 Merge pull request #13958 from Security-Onion-Solutions/2.4/autoenablesigma 
More flexibility for AutoEnable Sigma rules
 2024-11-21 09:47:49 -05:00
defensivedepth
8958da83b3 Deprecate instead 2024-11-20 18:00:26 -05:00
defensivedepth
3fcf197bc1 Tweak structure 2024-11-19 11:54:15 -05:00
defensivedepth
56d6857cd6 Addl customization for autoenable sigma 2024-11-18 09:03:17 -05:00
reyesj2
1113c3924f zeek http2 
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
 2024-11-14 09:09:23 -06:00
Jason Ertel
57a9992a3d Merge branch '2.4/dev' into jertel/wip 2024-11-11 10:06:44 -05:00
defensivedepth
28d468dd41 Merge remote-tracking branch 'origin/2.4/dev' into 2.4/templaterepos 2024-11-07 07:25:01 -05:00
Corey Ogburn
5e48ccafce Update Default Value 2024-11-05 11:11:34 -07:00
Corey Ogburn
69dd35c30a Add Option for Ignoring Ranges of SIDs in Suricata Integrity Check 2024-11-04 14:31:53 -07:00
defensivedepth
5406a263d5 Add local custom template 2024-10-29 19:42:06 -04:00
Corey Ogburn
6ce52bf9ab Specify Defaults for detectionEngineStatusQueries 
Specify the defaults as an example to the user.
 2024-10-24 13:11:49 -06:00
Corey Ogburn
f67fcecc6e Clean up StatusQueries String 2024-10-24 11:18:48 -06:00
Corey Ogburn
b7c392a244 Corrected a misspelling 2024-10-24 11:18:48 -06:00
Corey Ogburn
ad0b0a5e95 Refactor to String 
To accomodate the config screen, the annotation now specifies it as a multiline string with a yaml syntax. The user can edit the yaml to add or remove queries. The UI will parse the YAML before use.

Also updated the IntegrityFailure queries to specify table columns more relevant to a sync failure than the default ones.
 2024-10-24 11:18:47 -06:00
Corey Ogburn
c77b0afd8e Move to Client/Detections 
Added a basic annotation.
 2024-10-24 11:18:47 -06:00
Corey Ogburn
04ebe4efea Array to Dictionary 2024-10-24 11:18:46 -06:00
Corey Ogburn
cbb4d6846f Detection Engine Status Queries 
A few for testing
 2024-10-24 11:18:45 -06:00