Commit Graph
100 Commits
Author SHA1 Message Date
weslambertandGitHub 4ecf4ab253 Merge pull request #7020 from Security-Onion-Solutions/feature/dash_updates
EG and HL Dashboard Updates
2022-01-28 13:19:02 -05:00
weslambertandGitHub 5142e6ccc7 Update so-kibana-config-load 2022-01-28 13:01:33 -05:00
Wes Lambert 3b76c2421c Update to allow for passing HL saved objects 2022-01-28 17:59:34 +00:00
weslambertandGitHub 69689b470b Merge pull request #7005 from Security-Onion-Solutions/fix/revert_cases_field_limit
Revert field limit from testing
2022-01-27 11:33:31 -05:00
weslambertandGitHub fc0a5bce86 Revert field limit from testing 2022-01-27 11:18:35 -05:00
weslambertandGitHub 39257df396 Merge pull request #7004 from Security-Onion-Solutions/fix/revert_dtc
Revert changes to common template
2022-01-27 11:15:50 -05:00
weslambertandGitHub 60a0204975 Revert changes to common template 2022-01-27 11:02:47 -05:00
weslambertandGitHub e303fb12cf Merge pull request #7000 from Security-Onion-Solutions/fix/zeek_dns_answers_pipeline
Fix Zeek field name so it doesn't conflict with mapping of other dns.…
2022-01-26 15:04:12 -05:00
weslambertandGitHub 8f0a327cb5 Fix Zeek field name so it doesn't conflict with mapping of other dns.answers fields 2022-01-26 15:02:59 -05:00
weslambertandGitHub bdc5e89822 Merge pull request #6999 from Security-Onion-Solutions/fix/case_mapping_changes_temp
Mapping changes for case index
2022-01-26 14:59:45 -05:00
weslambertandGitHub 1b3e7f9d79 Temp changes while adjusting mapping 2022-01-26 14:57:16 -05:00
weslambertandGitHub e77648c475 Merge pull request #6994 from Security-Onion-Solutions/feature/dtc
Additional DTC changes
2022-01-26 12:22:48 -05:00
Wes Lambert e10749a495 Additional changes to template to accomodate default fields and keyword subfield 2022-01-26 17:16:29 +00:00
weslambertandGitHub ba52bd3835 Update template with syntax fixes 2022-01-25 08:56:03 -05:00
weslambertandGitHub f7a4cc20f2 Update so-common-template.json.jinja 2022-01-21 12:36:38 -05:00
weslambertandGitHub 1b860e11e7 Merge pull request #6936 from Security-Onion-Solutions/fix/field_conflicts
Remove dynamic keyword template to prevent field conflicts with mappi…
2022-01-20 12:48:15 -05:00
weslambertandGitHub d1efa71c57 Remove dynamic keyword template to prevent field conflicts with mappings defined in common template 2022-01-20 12:34:32 -05:00
weslambertandGitHub d0c8dd0626 Merge pull request #6931 from Security-Onion-Solutions/fix/cases_dynamic_disable
Disable dynamic mapping and increase order to reduce potential field …
2022-01-20 09:48:01 -05:00
weslambertandGitHub e137ad60c5 Disable dynamic mapping and increase order to reduce potential field conflicts 2022-01-20 09:44:41 -05:00
weslambertandGitHub c512351dd6 Add mapping for scan.exiftool and scan.pe.sections.entropy 2022-01-14 17:01:13 -05:00
weslambertandGitHub a90bc9dba9 Add mapping for scan.pe.sections.entropy 2022-01-14 16:58:53 -05:00
weslambertandGitHub 17509a9231 Merge pull request #6822 from Security-Onion-Solutions/fix/event_fields
Add event.acknowledged and event.escalated mappings
2022-01-10 16:14:45 -05:00
weslambertandGitHub 84f7c6b13b Add event.acknowledged and event.escalated mappings 2022-01-10 16:08:35 -05:00
weslambertandGitHub 1dc363138a Merge pull request #6814 from Security-Onion-Solutions/fix/template_typo
Fix typo -- replace period with comma
2022-01-10 13:30:13 -05:00
weslambertandGitHub 1c3eeb5a34 Fix typo -- replace period with comma 2022-01-10 13:29:06 -05:00
weslambertandGitHub 218f7f3a13 Merge pull request #6790 from Security-Onion-Solutions/fix/dtc_severity_label
Add event.severity_label
2022-01-07 11:44:30 -05:00
weslambertandGitHub 770e53d914 Add keyword subfield for event.severity_label 2022-01-07 11:21:57 -05:00
weslambertandGitHub c69e1353d9 Add event.severity_label 2022-01-07 11:19:54 -05:00
weslambertandGitHub a7e7566532 Merge pull request #6780 from Security-Onion-Solutions/feature/datatype_compliance
Initial commit for data type compliance
2022-01-06 16:38:17 -05:00
weslambertandGitHub 3f02003ea2 Merge pull request #6777 from Security-Onion-Solutions/fix/deprecation_ecs_compatibility_logstash
Add config option for ECS compatibility (default of disabled)
2022-01-06 11:31:51 -05:00
weslambertandGitHub 8e2f500b9c Add config option for ECS compatibility (default of disabled) 2022-01-06 11:24:04 -05:00
weslambertandGitHub 099e3e1ceb Merge pull request #6775 from Security-Onion-Solutions/fix/deprecation_warning_suppress
Add logger stanza to suppress ES deprecation warning messages
2022-01-06 10:45:37 -05:00
weslambertandGitHub 900d12b556 Add logger stanza to suppress deprecation warning messages for now due to current system index access warning messages flooding the ES log 2022-01-06 10:35:50 -05:00
weslambertandGitHub 2fb488f768 Merge pull request #6769 from Security-Onion-Solutions/fix/id_fielddata_deprecation
Fix issue with _id field fielddata/deprecation
2022-01-05 15:40:25 -05:00
Wes Lambert 1cafacfa51 Update saved objects to reflect removal of TheHive scripted field and replacement of PCAP pivot with Hunt pivot 2022-01-05 20:36:23 +00:00
weslambertandGitHub c1a88977cf Disable fielddata for _id field by default (since it is deprecated and can be memory-intensive) 2022-01-05 15:23:52 -05:00
Wes Lambert b60837e71a Initial commit for data type compliance 2022-01-05 16:38:56 +00:00
weslambertandGitHub 2f9672d3ea Merge pull request #6764 from Security-Onion-Solutions/feature/soup_branch
Denote which branch is being used in SOUP if BRANCH is specified
2022-01-05 10:54:29 -05:00
weslambertandGitHub db43e21378 Fix indentation 2022-01-05 10:46:41 -05:00
weslambertandGitHub 4d8b417fc9 Denote which branch is being used in SOUP if BRANCH is specified 2022-01-05 10:41:27 -05:00
weslambertandGitHub ff25d6f80b Merge pull request #6447 from Security-Onion-Solutions/eg_dashes
Add initial EG dashboards
2021-12-03 18:05:22 -05:00
Wes Lambert 0571612ea1 Add initial EG dashes 2021-12-03 22:38:30 +00:00
weslambertandGitHub 92131d4bb7 Merge pull request #6215 from Security-Onion-Solutions/fix/eg_spelling
Fix spelling
2021-11-12 21:13:28 -05:00
weslambertandGitHub 9ac1cb0e76 Fix spelling 2021-11-12 21:12:09 -05:00
weslambertandGitHub 8c46a2d1db Merge pull request #6210 from Security-Onion-Solutions/fix/soc_pillar_soup
Add SOC pillar entry
2021-11-12 13:35:46 -05:00
Wes Lambert 2fb9196604 Move logic above version declaration 2021-11-12 18:26:21 +00:00
Wes Lambert 48c71c8b12 Add soc pillar entry 2021-11-12 18:23:09 +00:00
weslambertandGitHub 8d185ced61 Merge pull request #6209 from Security-Onion-Solutions/fix/endgame_setup
Adjust manager pillar config for Endgame and defaults
2021-11-12 12:27:55 -05:00
weslambertandGitHub bc2e470da9 Fix indentation 2021-11-12 12:20:00 -05:00
weslambertandGitHub 0f817cd735 Merge pull request #6208 from Security-Onion-Solutions/fix/endgame_pivot
Make Endgame pivot independent
2021-11-12 12:17:24 -05:00
weslambertandGitHub df5901a65d Adjust how manager pillar is populated for ENDGAME and default SOC config 2021-11-12 12:16:26 -05:00
weslambertandGitHub 3cd1b5687e Make pivot condition independent for ENDGAMEHOST 2021-11-12 12:06:39 -05:00
weslambertandGitHub 6eb1a0b0ae Merge pull request #6169 from Security-Onion-Solutions/fix/ingest_dynamic_ref
Add dynamic conf to config change check
2021-11-09 16:11:38 -05:00
weslambertandGitHub 9301b8f5b9 Add dynamic conf to config change check 2021-11-09 15:56:52 -05:00
weslambertandGitHub 9597373e4a Merge pull request #6167 from Security-Onion-Solutions/ecs_pipeline_common
Add config for dynamically formatted ingest pipelines
2021-11-09 15:41:43 -05:00
Wes Lambert f80b70e008 Add config for dynamically formatted ingest pipelines 2021-11-09 20:07:53 +00:00
weslambertandGitHub 8bf88043ac Merge pull request #6149 from Security-Onion-Solutions/add_test_pipeline
Add ECS testing pipeline
2021-11-08 15:43:03 -05:00
Wes Lambert 46d3eb452d Add ECS testing pipeline 2021-11-08 20:08:56 +00:00
weslambertandGitHub 926551d398 Merge pull request #5998 from Security-Onion-Solutions/fix/hl_host_name
Rename HTTP client headers and host
2021-10-25 13:21:11 -04:00
weslambertandGitHub 3be0d05eea Update field removal based on HTTP input changes 2021-10-25 13:16:30 -04:00
weslambertandGitHub 7fa43a276a Rename default headers and host for HTTP input 2021-10-25 13:15:20 -04:00
weslambertandGitHub 40dd33affe Merge pull request #5971 from Security-Onion-Solutions/feature/es_templates
Add .keyword subfield for conflict fields
2021-10-21 15:07:00 -04:00
weslambertandGitHub 77ee1db44c Add .keyword subfield for conflict fields 2021-10-21 12:56:03 -04:00
weslambertandGitHub 6f3e441bf7 Merge pull request #5945 from Security-Onion-Solutions/fix/soc_index_pattern
Remove space to allow pattern(s) to be correctly interpreted
2021-10-19 13:05:40 -04:00
weslambertandGitHub 9453ed7fa1 Remove space to allow pattern(s) to be correctly interpreted 2021-10-19 13:01:40 -04:00
weslambertandGitHub 7590728a0b Merge pull request #5915 from Security-Onion-Solutions/feature/ti_module
Add TI module
2021-10-15 17:17:33 -04:00
weslambertandGitHub bb36fc1ed8 Add TI module defaults 2021-10-15 17:16:38 -04:00
weslambertandGitHub d0a6dafc8b Add TI module 2021-10-15 17:09:59 -04:00
weslambertandGitHub 59852841ff Add keyword subfield for event.module 2021-10-15 13:29:50 -04:00
weslambertandGitHub 6f1f7d2a63 Merge pull request #5905 from Security-Onion-Solutions/feature/soc_es_index_pattern
Allow setting ES index patterns for SOC in pillar
2021-10-15 13:28:04 -04:00
Wes Lambert 8feeff97b5 Add EG index pattern during setup (if enabled) 2021-10-15 16:19:19 +00:00
Wes Lambert 032373187c Allow setting ES index patterns for SOC in pillar 2021-10-15 16:02:53 +00:00
weslambertandGitHub 490f7eaf81 Merge pull request #5886 from Security-Onion-Solutions/feature/eg_pivot
Add EG pivot
2021-10-14 14:49:38 -04:00
Wes Lambert f1fafa015e Add EG to list of groups to include 127.0.0.1 2021-10-14 16:27:28 +00:00
Wes Lambert 6cdc214582 Add pillar in setup and change name of EG variable 2021-10-14 15:33:37 +00:00
Wes Lambert 15049f44b9 Add EG pivot 2021-10-14 15:15:23 +00:00
weslambertandGitHub 3b45e68ead Merge pull request #5885 from Security-Onion-Solutions/feature/jinjafy_soc_actions
Allow SOC actions to use Jinja
2021-10-14 10:03:12 -04:00
Wes Lambert 5ee0ea3fe7 Allow SOC actions to use Jinja 2021-10-14 13:59:55 +00:00
weslambertandGitHub 55c60f485c Merge pull request #5884 from Security-Onion-Solutions/feature/hl_eg
Add EG firewall allowance via setup
2021-10-14 09:55:07 -04:00
Wes Lambert 78e88e0765 Add EG firewall allowance via setup 2021-10-13 21:42:54 +00:00
Wes Lambert a9b250c0f4 Add EG firewall config 2021-10-13 21:37:59 +00:00
weslambertandGitHub f9001654bb Merge pull request #5871 from Security-Onion-Solutions/feature/hl_eg
Initial EG stuff
2021-10-13 15:07:03 -04:00
Wes Lambert 2a504a061b Add Curator action files for EG indices 2021-10-13 18:40:34 +00:00
Wes Lambert e1629d7ec4 Initial EG stuff 2021-10-13 17:13:07 +00:00
weslambertandGitHub 18d81352c6 Merge pull request #5537 from Security-Onion-Solutions/delta
Add improved ignore functionality for YARA rules used by Strelka and add default ignored rules that break compilation
2021-09-16 10:38:49 -04:00
weslambertandGitHub 2affaf07a2 Merge pull request #5521 from Security-Onion-Solutions/fix/strelka-yara
Fix/strelka yara
2021-09-15 11:33:44 -04:00
weslambertandGitHub 39e5ded58d Refactor ignore list and only ignore for signature-base for now 2021-09-15 11:32:29 -04:00
weslambertandGitHub 4d41d3aee1 Ignore these rules by default because they are causing issues with YARA compilation with Strelka 2021-09-15 10:29:11 -04:00
weslambertandGitHub 5c8067728e Remove unnecessary logic 2021-09-15 10:22:17 -04:00
weslambertandGitHub 03b45512fa Merge pull request #5436 from Security-Onion-Solutions/fix/kibana_server_url
Incude server.publicBaseUrl
2021-09-08 12:13:48 -04:00
weslambertandGitHub b8600be0f1 Incude server.publicBaseUrl 2021-09-08 12:12:09 -04:00
weslambertandGitHub 72542322ca Merge pull request #4857 from Security-Onion-Solutions/fix/beats_output_fb_modules
Check if Filebeat modules are being used for incoming (external) Beats
2021-07-19 13:11:06 -04:00
weslambertandGitHub fea4f3f973 Check if Filebeat modules are being used for incoming Beats 2021-07-19 12:57:42 -04:00
weslambertandGitHub bde86e0383 Use http_auth instead of username/password until Curator is upgraded to next version 2021-07-19 12:42:46 -04:00
weslambertandGitHub 7e1be8a3a4 Merge pull request #4798 from Security-Onion-Solutions/fix/strelka_filepath_mapping
Replace staging with processed in Strelka file path mapping
2021-07-14 11:16:15 -04:00
Wes Lambert 05aad07bfc Replace staging path with processed path for analyzed files 2021-07-14 15:04:46 +00:00
weslambertandGitHub 42ba9888d7 Merge pull request #4797 from Security-Onion-Solutions/fix/wazuh_data_port
Change field name and mapping for Wazuh's data.port
2021-07-14 10:14:53 -04:00
Wes Lambert 723172bc1f Add path_unmatch for data.port so it is not mapped as integer 2021-07-14 13:45:09 +00:00
Wes Lambert 323b5d6694 Add dynamic mapping for wazuh 2021-07-14 13:43:34 +00:00
Wes Lambert 441cd3fc59 Move Wazuh-specific data to wazuh.data 2021-07-14 13:42:51 +00:00