weslambert and GitHub
5c9c95ba1f
Merge pull request #8622 from Security-Onion-Solutions/fix/strelka_yara_gen_webshells_ignore
...
Ignore gen_webshells.yar
2022-08-29 09:40:51 -04:00
weslambert and GitHub
8a0e92cc6f
Add 'gen_webshells.yar' and re-arrange to put ignored rules in alphabetical order
2022-08-29 09:37:29 -04:00
weslambert and GitHub
616bc40412
Merge pull request #8558 from Security-Onion-Solutions/fix/soup_local_mods_check_skip_prompt
...
Allow local modification acceptance prompt to be skipped when passing 'skip-prompt' as a parameter value to check_local_mods() function
2022-08-19 16:11:23 -04:00
weslambert and GitHub
f00d9074ff
Allow local modification acceptance prompt to be skipped when passing 'skip-prompt' as a parameter value to check_local_mods() function
2022-08-19 16:07:14 -04:00
weslambert and GitHub
c17f0081ef
Merge pull request #8550 from Security-Onion-Solutions/fix/soup_elastalert_indices_check_delete_if_less_than_es_8
...
SOUP: Ensure Elastalert indices are not deleted for major Elasticsearch version 8 or greater
2022-08-18 09:45:00 -04:00
weslambert and GitHub
fbf0803906
Update verbiage around major Elasticsearch version and not requiring Elastalert index maintenance
2022-08-18 09:16:22 -04:00
weslambert and GitHub
5deda45b66
Update elastalert_indices_check() function to only delete Elastalert indices if major Elasticsearch version is less than 8
...
Update elastalert_indices_check() function to only delete Elastalert indices if major Elasticsearch version is less than 8. Also clean up the output to only emit one notification regarding index deletion, and additional verbiage around function operation.
2022-08-18 09:11:38 -04:00
weslambert and GitHub
e950d865d8
Merge pull request #8485 from Security-Onion-Solutions/foxtrot
...
Improve local file modification check in SOUP
2022-08-08 10:06:13 -04:00
weslambert and GitHub
fd7a118664
Invoke check_local_mods() function earlier so we don't have to wait for Docker image downloads or OS updates before checking and potentially exiting SOUP
2022-08-08 08:58:19 -04:00
weslambert and GitHub
d7906945df
Add extra set of brackets for comparison of integers
2022-08-08 08:24:38 -04:00
weslambert and GitHub
cb384ae024
Ensure check_local_mods() runs at the beginning of SOUP, in addition to the end, and also that it prompts (forces) the user to accept/review local modifications.
2022-08-05 11:25:33 -04:00
weslambert and GitHub
7caead2387
Merge pull request #8476 from Security-Onion-Solutions/dev
...
Merge dev into foxtrot
2022-08-05 11:11:51 -04:00
weslambert and GitHub
ee654f767a
Merge pull request #8453 from Security-Onion-Solutions/fix/elasticsearch_geoip_local
...
Configure Elasticsearch to use local GeoLite2 databases by default
2022-08-03 09:40:23 -04:00
weslambert and GitHub
8c694a7ca3
Disable ingest.geoip.downloader by default
2022-08-03 09:21:40 -04:00
weslambert and GitHub
9ac640fa67
Remove airgap-specific logic for ingest.geoip.downloader
2022-08-03 09:21:03 -04:00
weslambert and GitHub
811063268f
Merge pull request #8447 from Security-Onion-Solutions/feature/kibana_version_8_3_3
...
Update Kibana version to 8.3.3
2022-08-02 15:27:22 -04:00
weslambert and GitHub
f2b10a5a86
Update Kibana version to 8.3.3
2022-08-02 11:32:01 -04:00
weslambert and GitHub
c69cac0e5f
Update Kibana version to 8.3.3
2022-08-02 11:31:35 -04:00
weslambert and GitHub
fed4433088
Merge pull request #8446 from Security-Onion-Solutions/fix/airgap_elasticsearch_geoip
...
Update Elasticsearch defaults file and config.map.jinja to allow for local GeoIP database use when airgap is enabled
2022-08-02 11:20:35 -04:00
Wes Lambert
839cfcaefa
Update Elasticsearch defaults file and config.map.jinja to allow for local GeoIP database use when airgap is enabled
2022-08-02 14:32:17 +00:00
weslambert and GitHub
3123407ef0
Update Elastic version to 8.3.3
2022-08-01 10:41:39 -04:00
weslambert and GitHub
d24125c9e6
Update Elastic version to 8.3.3
2022-08-01 10:40:57 -04:00
weslambert and GitHub
64dc278c95
Merge pull request #8432 from Security-Onion-Solutions/dev
...
Merge dev into foxtrot
2022-08-01 10:12:35 -04:00
weslambert and GitHub
c795a70e9c
Merge pull request #8329 from Security-Onion-Solutions/fix/elastalert_stop_check_enabled
...
Check to ensure Elastalert is enabled and suppress missing container error output
2022-07-19 13:27:35 -04:00
weslambert and GitHub
340dbe8547
Check to see if Elastalert is enabled before trying to run 'so-elastalert-stop'. Also suppress error output for when so-elastalert container is not present.
2022-07-19 13:25:09 -04:00
Wes Lambert
5ceff52796
Move Elastalert indices check to function and call from beginning of soup and during pre-upgrade to 2.3.140
2022-07-19 14:54:39 +00:00
Wes Lambert
f3a0ab0b2d
Perform Elastalert index check twice
2022-07-19 14:48:19 +00:00
Wes Lambert
4a7c994b66
Revise Elastalert index check deletion logic
2022-07-19 14:31:45 +00:00
weslambert and GitHub
8099b1688b
Merge pull request #8319 from Security-Onion-Solutions/fix/elasticsearch_query_missing_query_path
...
Fix missing query path for so-elasticsearch-query
2022-07-18 09:47:16 -04:00
weslambert and GitHub
2914007393
Add forward slash to fix issue with missing query path
2022-07-18 09:07:34 -04:00
weslambert and GitHub
f5e10430ed
Add forward slash to fix issue with missing query path
2022-07-18 09:07:13 -04:00
weslambert and GitHub
52ebbf8ff3
Merge pull request #8304 from Security-Onion-Solutions/fix/kibana_space_defaults_web_response_url
...
Change web_response to evaluate the response from the Spaces API and the default space query
2022-07-14 12:08:02 -04:00
weslambert and GitHub
2443e8b97e
Change web_response to evaluate the response from the Spaces API and the default space query
2022-07-14 12:04:56 -04:00
weslambert and GitHub
4241eb4b29
Merge pull request #8298 from Security-Onion-Solutions/fix/kibana_space_defaults_shebang
...
Add shebang so that so-kibana-space-defaults will work correctly on Ubuntu
2022-07-13 16:50:21 -04:00
weslambert and GitHub
0fd4f34b5b
Add shebang so that so-kibana-space-defaults will work correctly on Ubuntu
2022-07-13 16:48:39 -04:00
weslambert and GitHub
4a5664db7b
Merge pull request #8289 from Security-Onion-Solutions/fix/soup_unsupported_indices_check
...
Add missing 'fi' to if/then for unsupported indices check
2022-07-13 09:15:22 -04:00
weslambert and GitHub
513c7ae56c
Add missing 'fi' to if/then for unsupported indices check
2022-07-13 09:13:28 -04:00
weslambert and GitHub
fa894cf83b
Merge pull request #8288 from Security-Onion-Solutions/fix/soup_elastalert_indices_deletion_check
...
Ensure Elastalert indices are deleted before continuing with SOUP
2022-07-13 08:44:04 -04:00
weslambert and GitHub
8e92060c29
Ensure Elastalert indices are deleted before continuing with SOUP -- if they are not, generate a failure condition
2022-07-13 08:38:55 -04:00
weslambert and GitHub
d7eb8b9bcb
Merge pull request #8281 from Security-Onion-Solutions/fix/soup_elasticsearch8_index_compatibility
...
SOUP - Check for indices created by Elasticsearch 6
2022-07-12 16:20:47 -04:00
weslambert and GitHub
d0a0ca8458
Update exit code for ES checks
2022-07-12 16:15:44 -04:00
weslambert and GitHub
4502182b53
Typo - Ensure Elasticsearch version 6 indices are checked
2022-07-12 15:35:46 -04:00
weslambert and GitHub
0fc6f7b022
Add check for Elasticsearch 6 indices
2022-07-12 15:34:24 -04:00
weslambert and GitHub
e9a22d0aff
Merge pull request #8275 from Security-Onion-Solutions/fix/filebeat_es_output_additions
...
Specify outputs for Elasticsearch and Kibana for Eval and Import Mode
2022-07-11 19:03:07 -04:00
weslambert and GitHub
11d3ed36b7
Specify outputs for Elasticsearch and Kibana for Eval and Import Mode
...
Add outputs for Elasticsearch and Kibana for Eval/Import Mode, since Logstash is not used in Eval Mode or Import Mode. Otherwise, logs from these inputs end up in a filebeat-prefixed index.
2022-07-11 17:22:09 -04:00
weslambert and GitHub
d828bbfe47
Merge pull request #8273 from Security-Onion-Solutions/fix/kibana_space_defaults_cases
...
Add securitySolutionCases feature to ensure Cases are disabled by default
2022-07-11 16:39:30 -04:00
weslambert and GitHub
bd32394560
Add securitySolutionCases feature to ensure Cases are disabled by default
2022-07-11 16:38:05 -04:00
weslambert and GitHub
6f4f050a96
Merge pull request #8272 from Security-Onion-Solutions/fix/soup_kibana_space_defaults
...
Run so-kibana-space-defaults when upgrading to 2.3.140
2022-07-11 14:47:11 -04:00
weslambert and GitHub
f77edaa5c9
Run so-kibana-space-defaults to re-establish the default enabled features since Fleet feature name changed
2022-07-11 14:41:23 -04:00
weslambert and GitHub
dd1d5b1a83
Merge pull request #8270 from Security-Onion-Solutions/fix/curator_actions_delete_kratos
...
Add delete and warm action for Kratos indices in applicable Curator delete/warm scripts
2022-07-11 11:39:43 -04:00
weslambert and GitHub
e82b6fcdec
Typo - Change 'delete' to 'warm'
2022-07-11 11:34:53 -04:00
weslambert and GitHub
8c8ac41b36
Add action for Kratos indices
2022-07-11 11:32:03 -04:00
weslambert and GitHub
b611dda143
Add delete action for Kratos indices
2022-07-11 11:31:22 -04:00
weslambert and GitHub
3f5b98d14d
Merge pull request #8269 from Security-Onion-Solutions/fix/curator_actions_kratos
...
Add Curator actions and adjust Curator close scripts to account for so-kibana and so-kratos indices
2022-07-11 11:21:20 -04:00
Wes Lambert
0b6219d95f
Adjust Curator close scripts to include Kibana and Kratos indices
2022-07-11 14:51:33 +00:00
Wes Lambert
2f729e24d9
Add Curator action files for Kratos indices
2022-07-11 14:34:10 +00:00
weslambert and GitHub
992b6e14de
Merge pull request #8268 from Security-Onion-Solutions/fix/kibana_disable_fleetv2
...
Disable fleetv2 because it is now used to control Fleet visibility and 'fleet' is now used for 'Integrations'
2022-07-11 10:09:12 -04:00
weslambert and GitHub
09a1d8c549
Disable fleetv2 because it is now used to control Fleet visibility and 'fleet' is now used for 'Integrations'
2022-07-11 10:06:24 -04:00
weslambert and GitHub
2903bdbc7e
Merge pull request #8260 from Security-Onion-Solutions/fix/kratos_dedicated_index_and_filestream_id_additions
...
Add dedicated index for Kratos and IDs for all filestream inputs
2022-07-08 12:04:40 -04:00
Wes Lambert
5c90fce3a1
Add Kratos Logstash output to search pipeline for Logstash
2022-07-08 15:58:00 +00:00
Wes Lambert
26698cfd07
Add Logstash output for dedicated Kratos index
2022-07-08 15:55:55 +00:00
Wes Lambert
764e8688b1
Modify Kratos input to use dedicated index and add filestream ID for all applicable inputs
2022-07-08 15:53:55 +00:00
Wes Lambert
b06c16f750
Add ingest node pipeline for Kratos
2022-07-08 15:53:00 +00:00
weslambert and GitHub
42cfab4544
Merge pull request #8256 from Security-Onion-Solutions/fix/kibana_restart_after_role_sync
...
Restart Kibana in case it times out before being able to read role update
2022-07-07 17:44:47 -04:00
weslambert and GitHub
4bbc901860
Restart Kibana in case it times out before being able to read in new role configuration
2022-07-07 17:19:02 -04:00
weslambert and GitHub
a343f8ced0
Merge pull request #8255 from Security-Onion-Solutions/fix/so_kibana_user_role
...
Force so-user to sync roles to ensure so_kibana role change
2022-07-07 16:19:30 -04:00
weslambert and GitHub
85be2f4f99
Force so-user to sync roles to ensure so_kibana role change from superuser to kibana_system
2022-07-07 15:55:44 -04:00
weslambert and GitHub
8b3fa0c4c6
Merge pull request #8252 from Security-Onion-Solutions/feature/elastic_8_3_2
...
Update to Elastic 8.3.2
2022-07-07 11:14:14 -04:00
weslambert and GitHub
ede845ce00
Update to Kibana 8.3.2
2022-07-07 11:05:44 -04:00
weslambert and GitHub
42c96553c5
Update to Kibana 8.3.2
2022-07-07 11:04:43 -04:00
weslambert and GitHub
2b73cd1156
Merge pull request #8236 from Security-Onion-Solutions/fix/localfile_analyzer
...
Strip quotes and ensure file_path is typed as a list (localfile analyzer)
2022-07-05 16:28:56 -04:00
weslambert and GitHub
77ee30f31a
Merge pull request #8237 from Security-Onion-Solutions/feature/elastic_8_3_1
...
Bump Elastic to 8.3.1
2022-07-05 14:50:24 -04:00
weslambert and GitHub
2938464501
Update to Kibana 8.3.1
2022-07-05 14:46:02 -04:00
weslambert and GitHub
79e88c9ca3
Update to Kibana 8.3.1
2022-07-05 14:45:30 -04:00
Wes Lambert
e96206d065
Strip quotes and ensure file_path is typed as a list
2022-07-05 14:25:54 +00:00
weslambert and GitHub
3552dfac03
Merge pull request #8199 from Security-Onion-Solutions/fix/filebeat_filestream_elastic8
...
Change type from 'log' to 'filestream' to ensure compatibility with E…
2022-06-27 14:58:54 -04:00
weslambert and GitHub
85f790b28a
Change type from 'log' to 'filestream' to ensure compatibility with Elastic 8
2022-06-27 10:39:58 -04:00
weslambert and GitHub
d0818e83c9
Merge pull request #8197 from Security-Onion-Solutions/fix/localfile_analyzer_csv_path
...
Ensure file_path uses jinja to derive the value(s) from the pillar
2022-06-27 10:36:59 -04:00
weslambert and GitHub
568b43d0af
Ensure file_path uses jinja to derive the value(s) from the pillar
2022-06-27 10:10:13 -04:00
weslambert and GitHub
10bcc43e85
Merge pull request #8167 from Security-Onion-Solutions/feature/update_es_8_2_3
...
Update to Elastic 8.2.3
2022-06-21 16:11:39 -04:00
weslambert and GitHub
af687fb2b5
Update config_saved_objects.ndjson
2022-06-21 16:06:28 -04:00
weslambert and GitHub
776cc30a8e
Update to ES 8.2.3
2022-06-21 16:06:01 -04:00
weslambert and GitHub
44595cb333
Merge pull request #8123 from Security-Onion-Solutions/foxtrot
...
Merge foxtrot into dev
2022-06-14 15:44:13 -04:00
weslambert and GitHub
959cec1845
Delete Elastalert indices before upgrading to Elastic 8
2022-06-14 11:40:11 -04:00
weslambert and GitHub
151a42734c
Update Elastic version to 8.2.2
2022-06-08 15:07:45 -04:00
weslambert and GitHub
11e3576e0d
Update Elastic version to 8.2.2
2022-06-08 15:07:07 -04:00
weslambert and GitHub
adeccd0e7f
Merge pull request #8097 from Security-Onion-Solutions/dev
...
Merge latest dev into foxtrot
2022-06-08 15:01:09 -04:00
weslambert and GitHub
aadf391e5a
Temporarily downgrade version for merge
2022-06-08 14:59:01 -04:00
weslambert and GitHub
47f74fa5c6
Temporarily downgrade version for merge
2022-06-08 14:58:05 -04:00
weslambert and GitHub
494ce0756d
Merge pull request #8045 from Security-Onion-Solutions/fix/mhr_naming
...
Fix naming for Malware Hash Registry analyzer
2022-05-31 07:52:48 -04:00
Wes Lambert
7f30a364ee
Make sure everything is added back after renaming mhr to malwarehashregistry
2022-05-31 11:44:35 +00:00
Wes Lambert
c82aa89497
Fix Malware Hash Registry naming so it's more descriptive in SOC
2022-05-31 11:41:48 +00:00
weslambert and GitHub
a59ada695b
Merge pull request #8031 from Security-Onion-Solutions/fix/screenshots
...
Fix/screenshots
2022-05-27 17:05:51 -04:00
weslambert and GitHub
1a0ac4d253
Merge pull request #8007 from Security-Onion-Solutions/fix/filestream-id
...
Add filestream input ID for RITA logs
2022-05-25 10:11:36 -04:00
weslambert and GitHub
44622350ea
Add ID for RITA filestream inputs
2022-05-25 10:09:01 -04:00
weslambert and GitHub
99864f4787
Merge pull request #8001 from Security-Onion-Solutions/feature/analyzer_readme
...
Add configuration requirements for various analyzers
2022-05-25 09:33:07 -04:00
Wes Lambert
b93512eb01
Adjust verbiage around pillar configuration
2022-05-24 12:36:32 +00:00
Wes Lambert
92dee14ee8
Add configuration requirements for various analyzers
2022-05-24 12:29:14 +00:00
weslambert and GitHub
3e6dfcfaca
Merge pull request #7996 from Security-Onion-Solutions/weslambert-patch-2
...
Create Virustotal README
2022-05-23 11:43:43 -04:00
weslambert and GitHub
a6f1bf3aef
Create Virustotal README
2022-05-23 11:39:44 -04:00