Corey Ogburn
85c269e697
Added TemplateDetections To Detection ClientParams
...
The UI can now insert templates when you select a Detection language. These are those templates, annotated.
2024-05-30 15:59:03 -06:00
m0duspwnens
6e70268ab9
Merge remote-tracking branch 'origin/2.4/dev' into sotcprp
2024-05-30 16:34:37 -04:00
Josh Patterson
fb8929ea37
Merge pull request #13103 from Security-Onion-Solutions/salt3006.8
...
Salt3006.8
2024-05-30 16:32:05 -04:00
m0duspwnens
debf093c54
Merge remote-tracking branch 'origin/2.4/dev' into salt3006.8
2024-05-30 15:58:10 -04:00
reyesj2
dbb99d0367
Remove bad config
...
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
2024-05-30 15:10:15 -04:00
m0duspwnens
7702f05756
upgrade salt 3006.8. soup for 2.4.80
2024-05-30 15:00:32 -04:00
Wes
2c635bce62
Set index for Suricata alerts
2024-05-30 17:02:31 +00:00
Wes
e831354401
Add Suricata alerts setting for configuration
2024-05-30 17:00:11 +00:00
Wes
55c5ea5c4c
Add template for Suricata alerts
2024-05-30 16:58:56 +00:00
reyesj2
1fd5165079
Merge remote-tracking branch 'origin/2.4/dev' into reyesj2/kafka
...
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
2024-05-29 23:37:40 -04:00
reyesj2
949cea95f4
Update pillarWatch config for global.pipeline
...
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
2024-05-29 23:19:44 -04:00
reyesj2
386be4e746
WIP: Manage Kafka nodes pillar role value
...
This way, when kafka_controllers is updated, the pillar value gets updated and any non-controllers get updated to revert to the 'broker'-only role.
Needs more testing: when a new controller joins in this manner, Kafka errors due to cluster metadata being out of sync. One solution is to remove /nsm/kafka/data/__cluster_metadata-0/quorum-state and restart the cluster. An alternative is working with the Kafka CLI tools to inform the cluster of the new voter; likely the best option, but it requires a wrapper script of some sort to be created for updating the cluster in place.
The easiest option is to have all receivers join the grid and then configure Kafka with specific controllers via the SOC UI prior to enabling Kafka. This way the Kafka cluster comes up in the desired configuration with no need for immediately modifying the cluster.
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
2024-05-29 16:48:39 -04:00
reyesj2
d9ec556061
Update some annotations and defaults
...
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
2024-05-29 16:41:02 -04:00
reyesj2
876d860488
Elastic Agent should be able to communicate over 9092 for sending logs to Kafka brokers
...
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
2024-05-29 16:40:15 -04:00
DefensiveDepth
0d034e7adc
fix rsync
2024-05-29 10:55:56 -04:00
reyesj2
59097070ef
Revert "Remove unneeded jolokia aggregate metrics to reduce data ingested to influx"
...
This reverts commit 1c1a1a1d3f.
2024-05-28 12:17:43 -04:00
reyesj2
77b5aa4369
Correct dashboard name
...
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
2024-05-28 11:34:35 -04:00
reyesj2
0d7c331ff0
Only show specific fields when hovering over Kafka InfluxDB panels
...
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
2024-05-28 11:29:38 -04:00
reyesj2
1c1a1a1d3f
Remove unneeded Jolokia aggregate metrics to reduce data ingested to InfluxDB
...
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
2024-05-28 11:14:19 -04:00
reyesj2
47efcfd6e2
Add basic Kafka metrics to 'Security Onion Performance' InfluxDB dashboard
...
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
2024-05-28 10:55:11 -04:00
reyesj2
15a0b959aa
Add Jolokia metrics for InfluxDB dashboard
...
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
2024-05-28 10:51:39 -04:00
DefensiveDepth
ee4ca0d7a2
Check to see if local exists
2024-05-28 10:24:09 -04:00
DefensiveDepth
f68ac23f0e
Fix fi
...
Signed-off-by: DefensiveDepth <Josh@defensivedepth.com>
2024-05-28 10:03:31 -04:00
DefensiveDepth
2a2b86ebe6
Don't overwrite
2024-05-28 09:43:45 -04:00
DefensiveDepth
74dfc25376
Backup local rules
2024-05-28 09:29:10 -04:00
DefensiveDepth
81ee60e658
Backup .yml files too
2024-05-28 06:42:18 -04:00
reyesj2
fcb6a47e8c
Remove redis.sh Telegraf script when Kafka is the global pipeline
...
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
2024-05-26 21:10:41 -04:00
DefensiveDepth
58b565558d
Don't bail - just wait for Enter
2024-05-24 16:21:59 -04:00
Josh Brower
185fb38b2d
Merge pull request #13079 from Security-Onion-Solutions/2.4/sigmapipelineupdates
...
Add IDH mappings
2024-05-24 14:48:22 -04:00
DefensiveDepth
550b3ee92d
Add IDH mappings
2024-05-24 14:46:24 -04:00
DefensiveDepth
f90d40b471
Fix typo
2024-05-24 12:56:17 -04:00
DefensiveDepth
4344988abe
Add instructions for Sigma and YARA repos
2024-05-24 12:54:36 -04:00
Josh Brower
979147a111
Merge pull request #13062 from Security-Onion-Solutions/2.4/backupscript
...
Detections backup script
2024-05-24 10:06:56 -04:00
DefensiveDepth
66725b11b3
Added unit tests
2024-05-24 09:55:10 -04:00
Jason Ertel
bd11d59c15
Add event.dataset since there are other datasets in SOC logs
2024-05-24 08:38:12 -04:00
Jason Ertel
15155613c3
Provide default columns when viewing SOC logs
2024-05-24 08:23:45 -04:00
m0duspwnens
b5f656ae58
Don't render pillar each time so-tcpreplay runs
2024-05-23 13:22:22 -04:00
Mike Reeves
1e6161f89c
Update defaults.yaml
2024-05-23 08:19:43 -04:00
Josh Brower
a8c287c491
Merge pull request #13067 from Security-Onion-Solutions/2.4/fixpipeline
...
Fix Strelka rule.uuid
2024-05-23 07:53:14 -04:00
DefensiveDepth
8e7c487cb0
Fix Strelka rule.uuid
2024-05-23 05:59:31 -04:00
Doug Burks
3d4f3a04a3
Update defaults.yaml to fix order of groupby tables and eliminate a duplicate
2024-05-23 05:56:18 -04:00
DefensiveDepth
a072e34cfe
Fix casing issue
2024-05-22 17:12:41 -04:00
DefensiveDepth
d19c1a514b
Detections backup script
2024-05-22 15:12:23 -04:00
reyesj2
382cd24a57
Small changes needed for using the new Kafka Docker image + added Kafka logging output to /opt/so/log/kafka/
...
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
2024-05-22 13:39:21 -04:00
reyesj2
b1beb617b3
Logstash should be disabled when Kafka is enabled, except when a minion override exists OR the node is a standalone
...
- Standalone subscribes to Kafka topics via Logstash for ingest
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
2024-05-22 13:38:09 -04:00
reyesj2
91f8b1fef7
Set default replication factor back to the Kafka default
...
If the replication factor is > 1, Kafka will fail to start until another broker is added
- For internal automated testing purposes, a Standalone will be utilized
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
2024-05-22 13:35:09 -04:00
Jason Ertel
ca6e2b8e22
Merge pull request #13054 from Security-Onion-Solutions/jertel/eaconfig
...
Fix ElastAlert settings
2024-05-21 18:38:03 -04:00
Jason Ertel
8af3158ea7
Fix ElastAlert settings
2024-05-21 18:28:21 -04:00
DefensiveDepth
f9e9b825cf
Removed unneeded groupby
2024-05-21 17:53:20 -04:00
DefensiveDepth
3992ef1082
Add rule.uuid to default groupbys
2024-05-21 17:45:56 -04:00