weslambert and GitHub
2170d498c5
Merge pull request #9195 from Security-Onion-Solutions/fix/missing_ics_pipelines
...
Add COTP and TDS ingest pipelines
2022-11-22 08:44:02 -05:00
Wes
95a6f9aa7d
Add COTP and TDS ingest pipelines
2022-11-22 13:35:19 +00:00
weslambert and GitHub
ba65b351a2
Merge pull request #9193 from Security-Onion-Solutions/fix/ics_tag_syntax_error
...
Fix syntax error for 'ics' tag logic
2022-11-22 07:32:40 -05:00
weslambert and GitHub
4c09c8856b
Fix syntax error for 'ics' tag logic
2022-11-22 07:23:56 -05:00
weslambert and GitHub
3afa8bd9da
Merge pull request #9188 from Security-Onion-Solutions/feature/filebeat_config_ics_event_tag
...
Add 'ics' tag to events generated from ICS protocol logs
2022-11-21 17:06:25 -05:00
weslambert and GitHub
72eccd2649
Fix indentation
2022-11-21 17:01:16 -05:00
weslambert and GitHub
310ea633b6
Add 'ics' tag to events generated from ICS protocol logs
2022-11-21 16:43:43 -05:00
weslambert and GitHub
089b403a3b
Merge pull request #9166 from Security-Onion-Solutions/foxtrot
...
Merge final protocol analyzers into dev
2022-11-18 08:41:43 -05:00
weslambert and GitHub
78bc2a95e5
Add icsnpp-bsap to enabled plugins
2022-11-17 11:20:24 -05:00
weslambert and GitHub
5bb0e6e8c0
Merge pull request #9160 from Security-Onion-Solutions/feature/additional_ics_scada_ingest_node_pipelines
...
Add additional ICS/SCADA ingest node pipelines
2022-11-17 11:18:15 -05:00
Wes
a278194037
Add additional ICS/SCADA ingest node pipelines
2022-11-17 16:16:33 +00:00
weslambert and GitHub
7319cb07e2
Merge pull request #9153 from Security-Onion-Solutions/fix/ics_scada_ingest_pipeline_updates_2_3
...
Update ingest node pipelines for ICS/SCADA protocols
2022-11-16 16:17:08 -05:00
Wes
35e131b888
Update ingest node pipelines for ICS/SCADA protocols
2022-11-16 21:09:30 +00:00
weslambert and GitHub
8e4d0db738
Merge pull request #9002 from Security-Onion-Solutions/fix/remove_ja3er_references
...
Remove JA3er references
2022-10-26 10:21:54 -04:00
weslambert and GitHub
a170c194c8
Remove JA3er references
2022-10-26 10:18:10 -04:00
weslambert and GitHub
0d71006f40
Merge pull request #8997 from Security-Onion-Solutions/fix/sensoroni_analyzers_pyyaml_wheel_name
...
Fix PyYAML .whl file name and remove JA3er analyzer
2022-10-25 14:57:35 -04:00
Wes
a91e3b601c
Remove JA3er since it is no longer a valid service
2022-10-25 18:48:37 +00:00
Wes
4940421297
Add PyYAML .whl files back since they were 'deleted' in the previous commit
2022-10-25 18:47:51 +00:00
Wes
58b4a8fbab
Change PyYAML .whl file name to comply with Joliet's 240-character limit
2022-10-25 18:47:02 +00:00
weslambert and GitHub
292f66138b
Merge pull request #8983 from Security-Onion-Solutions/revert-8982-fix/sensoroni_analyzers_pyyaml_wheel_name
...
Revert "Change PyYAML .whl file name to comply with Joliet's 240-character limit/threshold"
2022-10-24 16:49:19 -04:00
weslambert and GitHub
0087768946
Revert "Change PyYAML .whl file name to comply with Joliet's 240-character limit/threshold"
2022-10-24 16:47:30 -04:00
weslambert and GitHub
712340a027
Merge pull request #8982 from Security-Onion-Solutions/fix/sensoroni_analyzers_pyyaml_wheel_name
...
Change PyYAML .whl file name to comply with Joliet's 240-character limit/threshold
2022-10-24 14:14:45 -04:00
Wes
1caac3f0b0
Add PyYAML .whl files back since they were 'deleted' in the previous commit.
2022-10-24 18:06:19 +00:00
Wes
54a5dd6cbd
Change name of PyYAML .whl file to remain under Joliet's 240-character limit/threshold
2022-10-24 18:05:15 +00:00
weslambert and GitHub
930620fce6
Merge pull request #8971 from lock-wire/patch-2
...
Add Ingest pipeline for Modbus and DNP3 extensions
2022-10-21 16:28:52 -04:00
weslambert and GitHub
a54fc4cead
Merge pull request #8942 from Security-Onion-Solutions/master
...
Update Foxtrot to .180
2022-10-18 16:39:21 -04:00
weslambert and GitHub
5c9c95ba1f
Merge pull request #8622 from Security-Onion-Solutions/fix/strelka_yara_gen_webshells_ignore
...
Ignore gen_webshells.yar
2022-08-29 09:40:51 -04:00
weslambert and GitHub
8a0e92cc6f
Add 'gen_webshells.yar' and re-arrange to put ignored rules in alphabetical order
2022-08-29 09:37:29 -04:00
weslambert and GitHub
616bc40412
Merge pull request #8558 from Security-Onion-Solutions/fix/soup_local_mods_check_skip_prompt
...
Allow local modification acceptance prompt to be skipped when passing 'skip-prompt' as a parameter value to check_local_mods() function
2022-08-19 16:11:23 -04:00
weslambert and GitHub
f00d9074ff
Allow local modification acceptance prompt to be skipped when passing 'skip-prompt' as a parameter value to check_local_mods() function
2022-08-19 16:07:14 -04:00
weslambert and GitHub
c17f0081ef
Merge pull request #8550 from Security-Onion-Solutions/fix/soup_elastalert_indices_check_delete_if_less_than_es_8
...
SOUP: Ensure Elastalert indices are not deleted for major Elasticsearch version 8 or greater
2022-08-18 09:45:00 -04:00
weslambert and GitHub
fbf0803906
Update verbiage around major Elasticsearch version and not requiring Elastalert index maintenance
2022-08-18 09:16:22 -04:00
weslambert and GitHub
5deda45b66
Update elastalert_indices_check() function to only delete Elastalert indices if major Elasticsearch version is less than 8
...
Update elastalert_indices_check() function to only delete Elastalert indices if major Elasticsearch version is less than 8. Also clean up the output to only emit one notification regarding index deletion, and additional verbiage around function operation.
2022-08-18 09:11:38 -04:00
weslambert and GitHub
e950d865d8
Merge pull request #8485 from Security-Onion-Solutions/foxtrot
...
Improve local file modification check in SOUP
2022-08-08 10:06:13 -04:00
weslambert and GitHub
fd7a118664
Invoke check_local_mods() function earlier so we don't have to wait for Docker image downloads or OS updates before checking and potentially exiting SOUP
2022-08-08 08:58:19 -04:00
weslambert and GitHub
d7906945df
Add extra set of brackets for comparison of integers
2022-08-08 08:24:38 -04:00
weslambert and GitHub
cb384ae024
Ensure check_local_mods() runs at the beginning of SOUP, in addition to the end, and also that it prompts (forces) the user to accept/review local modifications.
2022-08-05 11:25:33 -04:00
weslambert and GitHub
7caead2387
Merge pull request #8476 from Security-Onion-Solutions/dev
...
Merge dev into foxtrot
2022-08-05 11:11:51 -04:00
weslambert and GitHub
ee654f767a
Merge pull request #8453 from Security-Onion-Solutions/fix/elasticsearch_geoip_local
...
Configure Elasticsearch to use local GeoLite2 databases by default
2022-08-03 09:40:23 -04:00
weslambert and GitHub
8c694a7ca3
Disable ingest.geoip.downloader by default
2022-08-03 09:21:40 -04:00
weslambert and GitHub
9ac640fa67
Remove airgap-specific logic for ingest.geoip.downloader
2022-08-03 09:21:03 -04:00
weslambert and GitHub
811063268f
Merge pull request #8447 from Security-Onion-Solutions/feature/kibana_version_8_3_3
...
Update Kibana version to 8.3.3
2022-08-02 15:27:22 -04:00
weslambert and GitHub
f2b10a5a86
Update Kibana version to 8.3.3
2022-08-02 11:32:01 -04:00
weslambert and GitHub
c69cac0e5f
Update Kibana version to 8.3.3
2022-08-02 11:31:35 -04:00
weslambert and GitHub
fed4433088
Merge pull request #8446 from Security-Onion-Solutions/fix/airgap_elasticsearch_geoip
...
Update Elasticsearch defaults file and config.map.jinja to allow for local GeoIP database use when airgap is enabled
2022-08-02 11:20:35 -04:00
Wes Lambert
839cfcaefa
Update Elasticsearch defaults file and config.map.jinja to allow for local GeoIP database use when airgap is enabled
2022-08-02 14:32:17 +00:00
weslambert and GitHub
3123407ef0
Update Elastic version to 8.3.3
2022-08-01 10:41:39 -04:00
weslambert and GitHub
d24125c9e6
Update Elastic version to 8.3.3
2022-08-01 10:40:57 -04:00
weslambert and GitHub
64dc278c95
Merge pull request #8432 from Security-Onion-Solutions/dev
...
Merge dev into foxtrot
2022-08-01 10:12:35 -04:00
weslambert and GitHub
c795a70e9c
Merge pull request #8329 from Security-Onion-Solutions/fix/elastalert_stop_check_enabled
...
Check to ensure Elastalert is enabled and suppress missing container error output
2022-07-19 13:27:35 -04:00
weslambert and GitHub
340dbe8547
Check to see if Elastalert is enabled before trying to run 'so-elastalert-stop'. Also suppress error output for when so-elastalert container is not present.
2022-07-19 13:25:09 -04:00
Wes Lambert
5ceff52796
Move Elastalert indices check to function and call from beginning of soup and during pre-upgrade to 2.3.140
2022-07-19 14:54:39 +00:00
Wes Lambert
f3a0ab0b2d
Perform Elastalert index check twice
2022-07-19 14:48:19 +00:00
Wes Lambert
4a7c994b66
Revise Elastalert index check deletion logic
2022-07-19 14:31:45 +00:00
weslambert and GitHub
8099b1688b
Merge pull request #8319 from Security-Onion-Solutions/fix/elasticsearch_query_missing_query_path
...
Fix missing query path for so-elasticsearch-query
2022-07-18 09:47:16 -04:00
weslambert and GitHub
2914007393
Add forward slash to fix issue with missing query path
2022-07-18 09:07:34 -04:00
weslambert and GitHub
f5e10430ed
Add forward slash to fix issue with missing query path
2022-07-18 09:07:13 -04:00
weslambert and GitHub
52ebbf8ff3
Merge pull request #8304 from Security-Onion-Solutions/fix/kibana_space_defaults_web_response_url
...
Change web_response to evaluate the response from the Spaces API and the default space query
2022-07-14 12:08:02 -04:00
weslambert and GitHub
2443e8b97e
Change web_response to evaluate the response from the Spaces API and the default space query
2022-07-14 12:04:56 -04:00
weslambert and GitHub
4241eb4b29
Merge pull request #8298 from Security-Onion-Solutions/fix/kibana_space_defaults_shebang
...
Add shebang so that so-kibana-space-defaults will work correctly on Ubuntu
2022-07-13 16:50:21 -04:00
weslambert and GitHub
0fd4f34b5b
Add shebang so that so-kibana-space-defaults will work correctly on Ubuntu
2022-07-13 16:48:39 -04:00
weslambert and GitHub
4a5664db7b
Merge pull request #8289 from Security-Onion-Solutions/fix/soup_unsupported_indices_check
...
Add missing 'fi' to if/then for unsupported indices check
2022-07-13 09:15:22 -04:00
weslambert and GitHub
513c7ae56c
Add missing 'fi' to if/then for unsupported indices check
2022-07-13 09:13:28 -04:00
weslambert and GitHub
fa894cf83b
Merge pull request #8288 from Security-Onion-Solutions/fix/soup_elastalert_indices_deletion_check
...
Ensure Elastalert indices are deleted before continuing with SOUP
2022-07-13 08:44:04 -04:00
weslambert and GitHub
8e92060c29
Ensure Elastalert indices are deleted before continuing with SOUP -- if they are not, generate a failure condition
2022-07-13 08:38:55 -04:00
weslambert and GitHub
d7eb8b9bcb
Merge pull request #8281 from Security-Onion-Solutions/fix/soup_elasticsearch8_index_compatibility
...
SOUP - Check for indices created by Elasticsearch 6
2022-07-12 16:20:47 -04:00
weslambert and GitHub
d0a0ca8458
Update exit code for ES checks
2022-07-12 16:15:44 -04:00
weslambert and GitHub
4502182b53
Typo - Ensure Elasticsearch version 6 indices are checked
2022-07-12 15:35:46 -04:00
weslambert and GitHub
0fc6f7b022
Add check for Elasticsearch 6 indices
2022-07-12 15:34:24 -04:00
weslambert and GitHub
e9a22d0aff
Merge pull request #8275 from Security-Onion-Solutions/fix/filebeat_es_output_additions
...
Specify outputs for Elasticsearch and Kibana for Eval and Import Mode
2022-07-11 19:03:07 -04:00
weslambert and GitHub
11d3ed36b7
Specify outputs for Elasticsearch and Kibana for Eval and Import Mode
...
Add outputs for Elasticsearch and Kibana for Eval/Import Mode, since Logstash is not used in Eval Mode or Import Mode. Otherwise, logs from these inputs end up in a filebeat-prefixed index.
2022-07-11 17:22:09 -04:00
weslambert and GitHub
d828bbfe47
Merge pull request #8273 from Security-Onion-Solutions/fix/kibana_space_defaults_cases
...
Add securitySolutionCases feature to ensure Cases are disabled by default
2022-07-11 16:39:30 -04:00
weslambert and GitHub
bd32394560
Add securitySolutionCases feature to ensure Cases are disabled by default
2022-07-11 16:38:05 -04:00
weslambert and GitHub
6f4f050a96
Merge pull request #8272 from Security-Onion-Solutions/fix/soup_kibana_space_defaults
...
Run so-kibana-space-defaults when upgrading to 2.3.140
2022-07-11 14:47:11 -04:00
weslambert and GitHub
f77edaa5c9
Run so-kibana-space-defaults to re-establish the default enabled features since Fleet feature name changed
2022-07-11 14:41:23 -04:00
weslambert and GitHub
dd1d5b1a83
Merge pull request #8270 from Security-Onion-Solutions/fix/curator_actions_delete_kratos
...
Add delete and warm action for Kratos indices in applicable Curator delete/warm scripts
2022-07-11 11:39:43 -04:00
weslambert and GitHub
e82b6fcdec
Typo - Change 'delete' to 'warm'
2022-07-11 11:34:53 -04:00
weslambert and GitHub
8c8ac41b36
Add action for Kratos indices
2022-07-11 11:32:03 -04:00
weslambert and GitHub
b611dda143
Add delete action for Kratos indices
2022-07-11 11:31:22 -04:00
weslambert and GitHub
3f5b98d14d
Merge pull request #8269 from Security-Onion-Solutions/fix/curator_actions_kratos
...
Add Curator actions and adjust Curator close scripts to account for so-kibana and so-kratos indices
2022-07-11 11:21:20 -04:00
Wes Lambert
0b6219d95f
Adjust Curator close scripts to include Kibana and Kratos indices
2022-07-11 14:51:33 +00:00
Wes Lambert
2f729e24d9
Add Curator action files for Kratos indices
2022-07-11 14:34:10 +00:00
weslambert and GitHub
992b6e14de
Merge pull request #8268 from Security-Onion-Solutions/fix/kibana_disable_fleetv2
...
Disable fleetv2 because it is now used to control Fleet visibility and 'fleet' is now used for 'Integrations'
2022-07-11 10:09:12 -04:00
weslambert and GitHub
09a1d8c549
Disable fleetv2 because it is now used to control Fleet visibility and 'fleet' is now used for 'Integrations'
2022-07-11 10:06:24 -04:00
weslambert and GitHub
2903bdbc7e
Merge pull request #8260 from Security-Onion-Solutions/fix/kratos_dedicated_index_and_filestream_id_additions
...
Add dedicated index for Kratos and IDs for all filestream inputs
2022-07-08 12:04:40 -04:00
Wes Lambert
5c90fce3a1
Add Kratos Logstash output to search pipeline for Logstash
2022-07-08 15:58:00 +00:00
Wes Lambert
26698cfd07
Add Logstash output for dedicated Kratos index
2022-07-08 15:55:55 +00:00
Wes Lambert
764e8688b1
Modify Kratos input to use dedicated index and add filestream ID for all applicable inputs
2022-07-08 15:53:55 +00:00
Wes Lambert
b06c16f750
Add ingest node pipeline for Kratos
2022-07-08 15:53:00 +00:00
weslambert and GitHub
42cfab4544
Merge pull request #8256 from Security-Onion-Solutions/fix/kibana_restart_after_role_sync
...
Restart Kibana in case it times out before being able to read role update
2022-07-07 17:44:47 -04:00
weslambert and GitHub
4bbc901860
Restart Kibana in case it times out before being able to read in new role configuration
2022-07-07 17:19:02 -04:00
weslambert and GitHub
a343f8ced0
Merge pull request #8255 from Security-Onion-Solutions/fix/so_kibana_user_role
...
Force so-user to sync roles to ensure so_kibana role change
2022-07-07 16:19:30 -04:00
weslambert and GitHub
85be2f4f99
Force so-user to sync roles to ensure so_kibana role change from superuser to kibana_system
2022-07-07 15:55:44 -04:00
weslambert and GitHub
8b3fa0c4c6
Merge pull request #8252 from Security-Onion-Solutions/feature/elastic_8_3_2
...
Update to Elastic 8.3.2
2022-07-07 11:14:14 -04:00
weslambert and GitHub
ede845ce00
Update to Kibana 8.3.2
2022-07-07 11:05:44 -04:00
weslambert and GitHub
42c96553c5
Update to Kibana 8.3.2
2022-07-07 11:04:43 -04:00
weslambert and GitHub
2b73cd1156
Merge pull request #8236 from Security-Onion-Solutions/fix/localfile_analyzer
...
Strip quotes and ensure file_path is typed as a list (localfile analyzer)
2022-07-05 16:28:56 -04:00
weslambert and GitHub
77ee30f31a
Merge pull request #8237 from Security-Onion-Solutions/feature/elastic_8_3_1
...
Bump Elastic to 8.3.1
2022-07-05 14:50:24 -04:00
weslambert and GitHub
2938464501
Update to Kibana 8.3.1
2022-07-05 14:46:02 -04:00
weslambert and GitHub
79e88c9ca3
Update to Kibana 8.3.1
2022-07-05 14:45:30 -04:00