Merge pull request #909 from Security-Onion-Solutions/fix/1.4.1

Update to 1.4.1
2025-12-06 17:22:49 +01:00 · 2020-06-30 09:55:10 -04:00 · 2020-06-30 09:47:20 -04:00 · 2020-06-30 09:14:20 -04:00 · 2020-06-30 09:08:55 -04:00 · 2020-06-16 14:47:08 -04:00
271 changed files with 22825 additions and 7768 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,59 @@
 # Created by https://www.gitignore.io/api/macos,windows
 # Edit at https://www.gitignore.io/?templates=macos,windows
 ### macOS ###
 # General
 .DS_Store
-.idea
+.AppleDouble
 .LSOverride
 # Icon must end with two \r
 Icon
 # Thumbnails
 ._*
 # Files that might appear in the root of a volume
 .DocumentRevisions-V100
 .fseventsd
 .Spotlight-V100
 .TemporaryItems
 .Trashes
 .VolumeIcon.icns
 .com.apple.timemachine.donotpresent
 # Directories potentially created on remote AFP share
 .AppleDB
 .AppleDesktop
 Network Trash Folder
 Temporary Items
 .apdisk
 ### Windows ###
 # Windows thumbnail cache files
 Thumbs.db
 Thumbs.db:encryptable
 ehthumbs.db
 ehthumbs_vista.db
 # Dump file
 *.stackdump
 # Folder config file
 [Dd]esktop.ini
 # Recycle Bin used on file shares
 $RECYCLE.BIN/
 # Windows Installer files
 *.cab
 *.msi
 *.msix
 *.msm
 *.msp
 # Windows shortcuts
 *.lnk
 # End of https://www.gitignore.io/api/macos,windows
--- a/README.md
+++ b/README.md
@@ -1,44 +1,76 @@
-## Hybrid Hunter Beta 1.2.1 - Beta 1
+## Hybrid Hunter Beta 1.4.1 - Beta 3
-### Changes:
+- Fix install script to handle hostnames properly.
 - Full support for Ubuntu 18.04. 16.04 is no longer supported for Hybrid Hunter.
 - Introduction of the Security Onion Console. Once logged in you are directly taken to the SOC.
 - New authentication using Kratos.
 - During install you must specify how you would like to access the SOC ui. This is for strict cookie security.
 - Ability to list and delete web users from the SOC ui.
 - The soremote account is now used to add nodes to the grid vs using socore. 
 - Community ID support for Zeek, osquery, and Suricata. You can now tie host events to connection logs!
 - Elastic 7.6.1 with ECS support.
 - New set of Kibana dashboards that align with ECS.
 - Eval mode no longer uses Logstash for parsing (Filebeat -> ES Ingest)
 - Ingest node parsing for osquery-shipped logs (osquery, WEL, Sysmon).
 - Fleet standalone mode with improved Web UI & API access control.
 - Improved Fleet integration support.
 - Playbook now has full Windows Sigma community ruleset builtin.
 - Automatic Sigma community rule updates.
 - Playbook stability enhancements.
 - Zeek health check. Zeek will now auto restart if a worker crashes.
 - zeekctl is now managed by salt.
 - Grafana dashboard improvements and cleanup.
 - Moved logstash configs to pillars.
 - Salt logs moved to /opt/so/log/salt.
 - Strelka integrated for file-oriented detection/analysis at scale
-### Known issues:
+## Hybrid Hunter Beta 1.4.0 - Beta 3
- Updating users via the SOC ui is known to fail. To change a user, delete the user and re-add them. 
+- Complete overhaul of the way we handle custom and default settings and data. You will now see a default and local directory under the saltstack directory. All customizations are stored in local.
 - The way firewall rules are handled has been completely revamped. This will allow the user to customize firewall rules much easier. 
 - Users can now change their own password in SOC.
 - Hunt now allows users to enable auto-hunt. This is a toggle which, when enabled, automatically submits a new hunt when filtering, grouping, etc.
 - Title bar now reflects current Hunt query. This will assist users in locating a previous query from their browser history.
 - Zeek 3.0.7
 - Elastic 7.7.1
 - Suricata can now be used for meta data generation.
 - Suricata eve.json has been moved to `/nsm` to align with storage of other data.
 - Suricata will now properly rotate its logs.
 - Grafana dashboards now work properly in standalone mode.
 - Kibana Dashboard updates including osquery, community_id.  
 - New Elasticsearch Ingest processor to generate community_id from any log that includes the required fields.  
 - Community_id generated for additional logs: Zeek HTTP/SMTP/ , Sysmon shipped with Osquery or Winlogbeat.  
 - Major streamlining of Fleet setup & configuration - no need to run a secondary setup script anymore. 
 - Fleet Standalone node now includes the ability to set a FQDN to point osquery endpoints to. 
 - Distributed installs now support ingesting Windows Eventlogs via Winlogbeat - includes full parsing support for Sysmon.
 - SOC Downloads section now includes a link to the supported version of Winlogbeat.     
 - Basic syslog ingestion capability now included.
 - Elasticsearch index name transition fixes for various components.
 - Updated URLs for pivot fields in Kibana.
 - Instances of `hive` renamed to `thehive`. 
 ### Known Issues:
 - The Hunt feature is currently considered "Preview" and although very useful in its current state, not everything works. We wanted to get this out as soon as possible to get the feedback from you! Let us know what you want to see! Let us know what you think we should call it!
 - You cannot pivot to PCAP from Suricata alerts in Kibana or Hunt.
 - Navigator is currently not working when using hostname to access SOC. IP mode works correctly.
 - Due to the move to ECS, the current Playbook plays may not alert correctly at this time.
 - The osquery MacOS package does not install correctly.
-## Version 1.2.1 Beta 1 ISO Download
+## Hybrid Hunter Beta 1.3.0 - Beta 2
-[HH1.2.1-6.ISO](https://download.securityonion.net/file/Hybrid-Hunter/HH-1.2.1-6.iso)  
+### Changes:
-MD5: D7E66CA8AAC37E70E2A2F7BB12EB3C23  
+- New Feature: Codename: "Onion Hunt". Select Hunt from the menu and start hunting down your adversaries! 
-SHA1: D91D921896F9ADA600EBA0ADAA548D8630B5341F  
+- Improved ECS support.
-SHA256: D69E327597AB429DCE13C1177BCE6C1FAD934E78A09F73D14778C2CAE616557B  
+- Complete refactor of the setup to make it easier to follow.
 - Improved setup script logging to better assist on any issues.
 - Setup now checks for minimal requirements during install.
 - Updated Cyberchef to version 9.20.3.
 - Updated Elastalert to version 0.2.4 and switched to alpine to reduce container size.
 - Updated Redis to 5.0.9 and switched to alpine to reduce container size.
 - Updated Salt to 2019.2.5
 - Updated Grafana to 6.7.3.
 - Zeek 3.0.6
 - Suricata 4.1.8
 - Fixes so-status to now display correct containers and status.
 - local.zeek is now controlled by a pillar instead of modifying the file directly.
 - Renamed so-core to so-nginx and switched to alpine to reduce container size.
 - Playbook now uses MySQL instead of SQLite.
 - Sigma rules have all been updated.
 - Kibana dashboard improvements for ECS.
 - Fixed an issue where geoip was not properly parsed.
 - ATT&CK Navigator is now it's own state.
 - Standlone mode is now supported.
 - Mastersearch previously used the same Grafana dashboard as a Search node. It now has its own dashboard that incorporates panels from the Master node and Search node dashboards.
 ### Known Issues:
 - The Hunt feature is currently considered "Preview" and although very useful in its current state, not everything works. We wanted to get this out as soon as possible to get the feedback from you! Let us know what you want to see! Let us know what you think we should call it!
 - You cannot pivot to PCAP from Suricata alerts in Kibana or Hunt.
 - Updating users via the SOC ui is known to fail. To change a user, delete the user and re-add them. 
 - Due to the move to ECS, the current Playbook plays may not alert correctly at this time.
 - The osquery MacOS package does not install correctly.
 ### Warnings and Disclaimers
@@ -55,33 +87,36 @@ SHA256: D69E327597AB429DCE13C1177BCE6C1FAD934E78A09F73D14778C2CAE616557B
 Evaluation Mode:
- ISO or a Single VM running Ubuntu 16.04 or CentOS 7
+- ISO or a Single VM running Ubuntu 18.04 or CentOS 7
 - Minimum 12GB of RAM
 - Minimum 4 CPU cores
 - Minimum 2 NICs
 Distributed:
- 3 VMs running the ISO or Ubuntu 16.04 or CentOS 7 (You can mix and match)
+- 3 VMs running the ISO or Ubuntu 18.04 or CentOS 7 (You can mix and match)
 - Minimum 8GB of RAM per VM
 - Minimum 4 CPU cores per VM
 - Minimum 2 NICs for forward nodes
-### Prerequisites for Network Based Install
+### Installation
-Install git if using a Centos 7 Minimal install:
+For most users, we recommend installing using [our ISO image](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/ISO).
 If instead you would like to try a manual installation (not using our ISO), you can build from CentOS 7 or Ubuntu 18.04.
 If using CentOS 7 Minimal, you will need to install git:
 ```sudo yum -y install git```
-### Installation
+Once you have git, then do the following:
 Once you resolve those requirements or are using Ubuntu 16.04 do the following:
 ```
 git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack
 cd securityonion-saltstack
 sudo bash so-setup-network
 ```
 Follow the prompts and reboot if asked to do so.
 Then proceed to the [Hybrid Hunter Quick Start Guide](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Hybrid-Hunter-Quick-Start-Guide).
--- a/2
+++ b/2
@@ -1 +1 @@
-1.2.1
+1.4.1
--- a/files/firewall/assigned_hostgroups.local.map.yaml
+++ b/files/firewall/assigned_hostgroups.local.map.yaml
@@ -0,0 +1,20 @@
 {% import_yaml 'firewall/portgroups.yaml' as default_portgroups %}
 {% set default_portgroups = default_portgroups.firewall.aliases.ports %}
 {% import_yaml 'firewall/portgroups.local.yaml' as local_portgroups %}
 {% if local_portgroups.firewall.aliases.ports %}
  {% set local_portgroups = local_portgroups.firewall.aliases.ports %}
 {% else %}
  {% set local_portgroups = {} %}
 {% endif %}
 {% set portgroups = salt['defaults.merge'](default_portgroups, local_portgroups, in_place=False) %}
 role:
  eval:
  fleet:
  heavynode:
  helixsensor:
  master:
  mastersearch:
  standalone:
  searchnode:
  sensor:
--- a/files/firewall/hostgroups.local.yaml
+++ b/files/firewall/hostgroups.local.yaml
@@ -0,0 +1,62 @@
 firewall:
  hostgroups:
    analyst:
      ips:
        delete:
        insert:
    beats_endpoint:
      ips:
        delete:
        insert:
    beats_endpoint_ssl:
      ips:
        delete:
        insert:
    fleet:
      ips:
        delete:
        insert:
    heavy_node:
      ips:
        delete:
        insert:
    master:
      ips:
        delete:
        insert:
    minion:
      ips:
        delete:
        insert:
    node:
      ips:
        delete:
        insert:
    osquery_endpoint:
      ips:
        delete:
        insert:
    search_node:
      ips:
        delete:
        insert:
    sensor:
      ips:
        delete:
        insert:
    syslog:
      ips:
        delete:
        insert:
    wazuh_agent:
      ips:
        delete:
        insert:
    wazuh_api:
      ips:
        delete:
        insert:
    wazuh_authd:
      ips:
        delete:
        insert:
--- a/files/firewall/portgroups.local.yaml
+++ b/files/firewall/portgroups.local.yaml
@@ -0,0 +1,3 @@
 firewall:
  aliases:
    ports:
--- a/files/master
+++ b/files/master
@@ -37,7 +37,9 @@ log_file: /opt/so/log/salt/master
 #
 file_roots:
  base:
-    - /opt/so/saltstack/salt
+    - /opt/so/saltstack/local/salt
    - /opt/so/saltstack/default/salt
 # The master_roots setting configures a master-only copy of the file_roots dictionary,
 # used by the state compiler.
@@ -53,7 +55,8 @@ file_roots:
 pillar_roots:
  base:
-    - /opt/so/saltstack/pillar
+    - /opt/so/saltstack/local/pillar
    - /opt/so/saltstack/default/pillar
 peer:
  .*:
--- a/pillar/data/addtotab.sh
+++ b/pillar/data/addtotab.sh
@@ -1,7 +1,8 @@
 #!/usr/bin/env bash
 # This script adds sensors/nodes/etc to the nodes tab
-
+default_salt_dir=/opt/so/saltstack/default
 local_salt_dir=/opt/so/saltstack/local
 TYPE=$1
 NAME=$2
 IPADDRESS=$3
@@ -15,7 +16,7 @@ MONINT=$9
 #HOTNAME=$11
 echo "Seeing if this host is already in here. If so delete it"
-if grep -q $NAME "/opt/so/saltstack/pillar/data/$TYPE.sls"; then
+if grep -q $NAME "$local_salt_dir/pillar/data/$TYPE.sls"; then
  echo "Node Already Present - Let's re-add it"
  awk -v blah="  $NAME:" 'BEGIN{ print_flag=1 }
 {
@@ -31,27 +32,29 @@ if grep -q $NAME "/opt/so/saltstack/pillar/data/$TYPE.sls"; then
    if ( print_flag == 1 )
        print $0
-} ' /opt/so/saltstack/pillar/data/$TYPE.sls > /opt/so/saltstack/pillar/data/tmp.$TYPE.sls
+} ' $local_salt_dir/pillar/data/$TYPE.sls > $local_salt_dir/pillar/data/tmp.$TYPE.sls
-mv /opt/so/saltstack/pillar/data/tmp.$TYPE.sls /opt/so/saltstack/pillar/data/$TYPE.sls
+mv $local_salt_dir/pillar/data/tmp.$TYPE.sls $local_salt_dir/pillar/data/$TYPE.sls
 echo "Deleted $NAME from the tab. Now adding it in again with updated info"
 fi
-echo "  $NAME:" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+echo "  $NAME:" >> $local_salt_dir/pillar/data/$TYPE.sls
-echo "    ip: $IPADDRESS" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+echo "    ip: $IPADDRESS" >> $local_salt_dir/pillar/data/$TYPE.sls
-echo "    manint: $MANINT" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+echo "    manint: $MANINT" >> $local_salt_dir/pillar/data/$TYPE.sls
-echo "    totalcpus: $CPUS" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+echo "    totalcpus: $CPUS" >> $local_salt_dir/pillar/data/$TYPE.sls
-echo "    guid: $GUID" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+echo "    guid: $GUID" >> $local_salt_dir/pillar/data/$TYPE.sls
-echo "    rootfs: $ROOTFS" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+echo "    rootfs: $ROOTFS" >> $local_salt_dir/pillar/data/$TYPE.sls
-echo "    nsmfs: $NSM" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+echo "    nsmfs: $NSM" >> $local_salt_dir/pillar/data/$TYPE.sls
 if [ $TYPE == 'sensorstab' ]; then
-  echo "    monint: $MONINT" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+  echo "    monint: $MONINT" >> $local_salt_dir/pillar/data/$TYPE.sls
-  salt-call state.apply common queue=True
+  salt-call state.apply grafana queue=True
 fi
-if [ $TYPE == 'evaltab' ]; then
+if [ $TYPE == 'evaltab' ] || [ $TYPE == 'standalonetab' ]; then
-  echo "    monint: $MONINT" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+  echo "    monint: $MONINT" >> $local_salt_dir/pillar/data/$TYPE.sls
-  salt-call state.apply common queue=True
+  if [ ! $10 ]; then
-  salt-call state.apply utility queue=True
+    salt-call state.apply grafana queue=True
    salt-call state.apply utility queue=True
  fi
 fi
 #if [ $TYPE == 'nodestab' ]; then
-#  echo "    nodetype: $NODETYPE" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+#  echo "    nodetype: $NODETYPE" >> $local_salt_dir/pillar/data/$TYPE.sls
-#  echo "    hotname: $HOTNAME" >> /opt/so/saltstack/pillar/data/$TYPE.sls
+#  echo "    hotname: $HOTNAME" >> $local_salt_dir/pillar/data/$TYPE.sls
 #fi
--- a/pillar/data/evaltab.sls
+++ b/pillar/data/evaltab.sls
@@ -1 +0,0 @@
 evaltab:
--- a/pillar/data/mastertab.sls
+++ b/pillar/data/mastertab.sls
@@ -1 +0,0 @@
 mastertab:
--- a/pillar/data/nodestab.sls
+++ b/pillar/data/nodestab.sls
@@ -1 +0,0 @@
 nodestab:
--- a/pillar/data/sensorstab.sls
+++ b/pillar/data/sensorstab.sls
@@ -1 +0,0 @@
 sensorstab:
--- a/pillar/docker/config.sls
+++ b/pillar/docker/config.sls
@@ -10,7 +10,7 @@
 eval:
  containers:
-    - so-core
+    - so-nginx
    - so-telegraf
    {% if  GRAFANA == '1' %}
    - so-influxdb
@@ -54,7 +54,7 @@ eval:
    {% endif %}
 heavy_node:
  containers:
-    - so-core
+    - so-nginx
    - so-telegraf
    - so-redis
    - so-logstash
@@ -69,7 +69,7 @@ heavy_node:
    {% endif %}
 helix:
  containers:
-    - so-core
+    - so-nginx
    - so-telegraf
    - so-idstools
    - so-steno
@@ -79,14 +79,14 @@ helix:
    - so-filebeat
 hot_node:
  containers:
-    - so-core
+    - so-nginx
    - so-telegraf
    - so-logstash
    - so-elasticsearch
    - so-curator
 master_search:
  containers:
-    - so-core
+    - so-nginx
    - so-telegraf
    - so-soc
    - so-kratos
@@ -127,7 +127,7 @@ master_search:
 master:
  containers:
    - so-dockerregistry
-    - so-core
+    - so-nginx
    - so-telegraf
    {% if  GRAFANA == '1' %}
    - so-influxdb
@@ -169,12 +169,12 @@ master:
    {% endif %}
 parser_node:
  containers:
-    - so-core
+    - so-nginx
    - so-telegraf
    - so-logstash
 search_node:
  containers:
-    - so-core
+    - so-nginx
    - so-telegraf
    - so-logstash
    - so-elasticsearch
@@ -185,7 +185,7 @@ search_node:
    {% endif %}
 sensor:
  containers:
-    - so-core
+    - so-nginx
    - so-telegraf
    - so-steno
    - so-suricata
@@ -196,7 +196,7 @@ sensor:
    - so-filebeat
 warm_node:
  containers:
-    - so-core
+    - so-nginx
    - so-telegraf
    - so-elasticsearch
 fleet:
@@ -206,6 +206,6 @@ fleet:
    - so-fleet
    - so-redis
    - so-filebeat
-    - so-core
+    - so-nginx
    - so-telegraf
    {% endif %}
--- a/pillar/firewall/addfirewall.sh
+++ b/pillar/firewall/addfirewall.sh
@@ -1,13 +1,13 @@
 #!/usr/bin/env bash
 # This script adds ip addresses to specific rule sets defined by the user
-
+local_salt_dir=/opt/so/saltstack/local
 POLICY=$1
 IPADDRESS=$2
-if grep -q $2 "/opt/so/saltstack/pillar/firewall/$1.sls"; then
+if grep -q $2 "$local_salt_dir/pillar/firewall/$1.sls"; then
  echo "Firewall Rule Already There"
 else
-  echo "  - $2" >> /opt/so/saltstack/pillar/firewall/$1.sls
+  echo "  - $2" >> $local_salt_dir/pillar/firewall/$1.sls
  salt-call state.apply firewall queue=True
-fi
+fi
--- a/pillar/firewall/analyst.sls
+++ b/pillar/firewall/analyst.sls
@@ -1,3 +0,0 @@
 analyst:
  - 127.0.0.1
--- a/pillar/firewall/beats_endpoint.sls
+++ b/pillar/firewall/beats_endpoint.sls
@@ -1,3 +0,0 @@
 beats_endpoint:
  - 127.0.0.1
--- a/pillar/firewall/forward_nodes.sls
+++ b/pillar/firewall/forward_nodes.sls
@@ -1,3 +0,0 @@
 forward_nodes:
  - 127.0.0.1
--- a/pillar/firewall/masterfw.sls
+++ b/pillar/firewall/masterfw.sls
@@ -1,2 +0,0 @@
 masterfw:
  - 127.0.0.1
--- a/pillar/firewall/minions.sls
+++ b/pillar/firewall/minions.sls
@@ -1,3 +0,0 @@
 minions:
  - 127.0.0.1
--- a/pillar/firewall/osquery_endpoint.sls
+++ b/pillar/firewall/osquery_endpoint.sls
@@ -1,3 +0,0 @@
 osquery_endpoint:
  - 127.0.0.1
--- a/pillar/firewall/ports.sls
+++ b/pillar/firewall/ports.sls
@@ -0,0 +1,62 @@
 firewall:
  analyst:
    ports:
      tcp:
        - 80
        - 443
      udp:
  beats_endpoint:
    ports:
      tcp:
        - 5044
  forward_nodes:
    ports:
      tcp:
        - 443
        - 5044
        - 5644
        - 9822
      udp:
  master:
    ports:
      tcp:
        - 1514
        - 3200
        - 3306
        - 4200
        - 5601
        - 6379
        - 8086
        - 8090
        - 9001
        - 9200
        - 9300
        - 9400  
        - 9500
      udp:
        - 1514
  minions:
    ports:
      tcp:
        - 3142
        - 4505
        - 4506
        - 5000
        - 8080
        - 8086
        - 55000      
  osquery_endpoint:
    ports:
      tcp:
        - 8090
  search_nodes:
    ports:
      tcp:
        - 6379
        - 9300
  wazuh_endpoint:
    ports:
      tcp:
        - 1514
      udp: 
        -1514
--- a/pillar/firewall/search_nodes.sls
+++ b/pillar/firewall/search_nodes.sls
@@ -1,2 +0,0 @@
 search_nodes:
  - 127.0.0.1
--- a/pillar/firewall/wazuh_endpoint.sls
+++ b/pillar/firewall/wazuh_endpoint.sls
@@ -1,2 +0,0 @@
 wazuh_endpoint:
  - 127.0.0.1
--- a/pillar/healthcheck/standalone.sls
+++ b/pillar/healthcheck/standalone.sls
@@ -0,0 +1,5 @@
 healthcheck:
  enabled: False
  schedule: 300
  checks:
    - zeek
--- a/pillar/logstash/master.sls
+++ b/pillar/logstash/master.sls
@@ -2,5 +2,6 @@ logstash:
  pipelines:
    master:
      config:
        - so/0009_input_beats.conf      
        - so/0010_input_hhbeats.conf
        - so/9999_output_redis.conf.jinja
--- a/pillar/logstash/search.sls
+++ b/pillar/logstash/search.sls
@@ -5,12 +5,12 @@ logstash:
        - so/0900_input_redis.conf.jinja
        - so/9000_output_zeek.conf.jinja
        - so/9002_output_import.conf.jinja
        - so/9034_output_syslog.conf.jinja
        - so/9100_output_osquery.conf.jinja
        - so/9400_output_suricata.conf.jinja
        - so/9500_output_beats.conf.jinja
        - so/9600_output_ossec.conf.jinja
        - so/9700_output_strelka.conf.jinja
  templates:
    - so/so-beats-template.json
    - so/so-common-template.json
    - so/so-zeek-template.json
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -1,7 +1,10 @@
 base:
  '*':
    - patch.needs_restarting
-    - docker.config
+
  '*_eval or *_helix or *_heavynode or *_sensor or *_standalone':
    - match: compound
    - zeek
  '*_mastersearch or *_heavynode':
    - match: compound
@@ -11,7 +14,6 @@ base:
  '*_sensor':
    - static
    - firewall.*
    - brologs
    - healthcheck.sensor
    - minions.{{ grains.id }}
@@ -19,7 +21,6 @@ base:
  '*_master or *_mastersearch':
    - match: compound
    - static
    - firewall.*
    - data.*
    - secrets
    - minions.{{ grains.id }}
@@ -30,27 +31,34 @@ base:
  '*_eval':
    - static
    - firewall.*
    - data.*
    - brologs
    - secrets
    - healthcheck.eval
    - minions.{{ grains.id }}
  '*_standalone':
    - logstash
    - logstash.master
    - logstash.search
    - data.*
    - brologs
    - secrets
    - healthcheck.standalone
    - static
    - minions.{{ grains.id }}
  '*_node':
    - static
    - firewall.*
    - minions.{{ grains.id }}
  '*_heavynode':
    - static
    - firewall.*
    - brologs
    - minions.{{ grains.id }}
  '*_helix':
    - static
    - firewall.*
    - fireeye
    - brologs
    - logstash
@@ -59,14 +67,12 @@ base:
  '*_fleet':
    - static
    - firewall.*
    - data.*
    - secrets
    - minions.{{ grains.id }}
  '*_searchnode':
    - static
    - firewall.*
    - logstash
    - logstash.search
    - minions.{{ grains.id }}
--- a/pillar/zeek/init.sls
+++ b/pillar/zeek/init.sls
@@ -0,0 +1,55 @@
 zeek:
  zeekctl:
    MailTo: root@localhost
    MailConnectionSummary: 1
    MinDiskSpace: 5
    MailHostUpDown: 1
    LogRotationInterval: 3600
    LogExpireInterval: 0
    StatsLogEnable: 1
    StatsLogExpireInterval: 0
    StatusCmdShowAll: 0
    CrashExpireInterval: 0
    SitePolicyScripts: local.zeek
    LogDir: /nsm/zeek/logs
    SpoolDir: /nsm/zeek/spool
    CfgDir: /opt/zeek/etc
    CompressLogs: 1
  local:
    '@load':
      - misc/loaded-scripts
      - tuning/defaults
      - misc/capture-loss
      - misc/stats
      - frameworks/software/vulnerable
      - frameworks/software/version-changes
      - protocols/ftp/software
      - protocols/smtp/software
      - protocols/ssh/software
      - protocols/http/software
      - protocols/dns/detect-external-names
      - protocols/ftp/detect
      - protocols/conn/known-hosts
      - protocols/conn/known-services
      - protocols/ssl/known-certs
      - protocols/ssl/validate-certs
      - protocols/ssl/log-hostcerts-only
      - protocols/ssh/geo-data
      - protocols/ssh/detect-bruteforcing
      - protocols/ssh/interesting-hostnames
      - protocols/http/detect-sqli
      - frameworks/files/hash-all-files
      - frameworks/files/detect-MHR
      - policy/frameworks/notice/extend-email/hostnames
      - ja3
      - hassh
      - intel
      - cve-2020-0601
      - securityonion/bpfconf
      - securityonion/communityid
      - securityonion/file-extraction
    '@load-sigs':
      - frameworks/signatures/detect-windows-shells
    redef:
      - LogAscii::use_json = T;
      - LogAscii::json_timestamps = JSON::TS_ISO8601;
--- a/salt/ca/init.sls
+++ b/salt/ca/init.sls
@@ -44,5 +44,3 @@ send_x509_pem_entries_to_mine:
    - mine.send:
      - func: x509.get_pem_entries
      - glob_path: /etc/pki/ca.crt
    - onchanges:
      - x509: /etc/pki/ca.crt
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -1,8 +1,3 @@
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
 {% set MASTER = salt['grains.get']('master') %}
 {% set GRAFANA = salt['pillar.get']('master:grafana', '0') %}
 {% set FLEETMASTER = salt['pillar.get']('static:fleet_master', False) %}
 {% set FLEETNODE = salt['pillar.get']('static:fleet_node', False) %}
 # Add socore Group
 socoregroup:
  group.present:
@@ -19,7 +14,6 @@ socore:
    - shell: /bin/bash
 # Create a state directory
 statedir:
  file.directory:
    - name: /opt/so/state
@@ -34,24 +28,85 @@ salttmp:
    - group: 939
    - makedirs: True
-# Install packages needed for the sensor
+# Install epel
-
+{% if grains['os'] == 'CentOS' %}
-sensorpkgs:
+epel:
  pkg.installed:
-    - skip_suggestions: False
+    - skip_suggestions: True
    - pkgs:
      - epel-release
 {% endif %}
 # Install common packages
 {% if grains['os'] != 'CentOS' %}     
 commonpkgs:
  pkg.installed:
    - skip_suggestions: True
    - pkgs:
      - docker-ce
      - wget
      - jq
      {% if grains['os'] != 'CentOS' %}
      - python-docker
      - python-m2crypto
      - apache2-utils
-      {% else %}
+      - wget
-      - net-tools
+      - ntpdate
      - jq
      - python3-docker
      - docker-ce
      - curl
      - ca-certificates
      - software-properties-common
      - apt-transport-https
      - openssl
      - netcat
      - python3-mysqldb
      - sqlite3
      - argon2
      - libssl-dev
      - python3-dateutil
      - python3-m2crypto
      - python3-mysqldb
      - git
 heldpackages:
  pkg.installed:
    - pkgs:
      - containerd.io: 1.2.13-2
      - docker-ce: 5:19.03.9~3-0~ubuntu-bionic
    - hold: True
    - update_holds: True
 {% else %}
 commonpkgs:
  pkg.installed:
    - skip_suggestions: True
    - pkgs:
      - wget
      - ntpdate
      - bind-utils
      - jq
      - tcpdump
      - httpd-tools
-      {% endif %}
+      - net-tools
      - curl
      - sqlite
      - argon2
      - mariadb-devel
      - nmap-ncat
      - python3
      - python36-docker
      - python36-dateutil
      - python36-m2crypto
      - python36-mysql
      - yum-utils
      - device-mapper-persistent-data
      - lvm2
      - openssl
      - git
 heldpackages:
  pkg.installed:
    - pkgs:
      - containerd.io: 1.2.13-3.2.el7
      - docker-ce: 3:19.03.11-3.el7
    - hold: True
    - update_holds: True
 {% endif %}
 # Always keep these packages up to date
@@ -64,7 +119,6 @@ alwaysupdated:
    - skip_suggestions: True
 # Set time to UTC
 Etc/UTC:
  timezone.system
@@ -77,339 +131,3 @@ utilsyncscripts:
    - file_mode: 755
    - template: jinja
    - source: salt://common/tools/sbin
 # Make sure Docker is running!
 docker:
  service.running:
    - enable: True
 # Drop the correct nginx config based on role
 nginxconfdir:
  file.directory:
    - name: /opt/so/conf/nginx
    - user: 939
    - group: 939
    - makedirs: True
 nginxconf:
  file.managed:
    - name: /opt/so/conf/nginx/nginx.conf
    - user: 939
    - group: 939
    - template: jinja
    - source: salt://common/nginx/nginx.conf.{{ grains.role }}
 nginxlogdir:
  file.directory:
    - name: /opt/so/log/nginx/
    - user: 939
    - group: 939
    - makedirs: True
 nginxtmp:
  file.directory:
    - name: /opt/so/tmp/nginx/tmp
    - user: 939
    - group: 939
    - makedirs: True
 so-core:
  docker_container.running:
    - image: {{ MASTER }}:5000/soshybridhunter/so-core:{{ VERSION }}
    - hostname: so-core
    - user: socore
    - binds:
      - /opt/so:/opt/so:rw
      - /opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - /opt/so/log/nginx/:/var/log/nginx:rw
      - /opt/so/tmp/nginx/:/var/lib/nginx:rw
      - /opt/so/tmp/nginx/:/run:rw
      - /etc/pki/masterssl.crt:/etc/pki/nginx/server.crt:ro
      - /etc/pki/masterssl.key:/etc/pki/nginx/server.key:ro
      - /opt/so/conf/fleet/packages:/opt/socore/html/packages
    - cap_add: NET_BIND_SERVICE
    - port_bindings:
      - 80:80
      - 443:443
    {%- if FLEETMASTER or FLEETNODE %}
      - 8090:8090
    {%- endif %}
    - watch:
      - file: /opt/so/conf/nginx/nginx.conf
 # Add Telegraf to monitor all the things.
 tgraflogdir:
  file.directory:
    - name: /opt/so/log/telegraf
    - makedirs: True
 tgrafetcdir:
  file.directory:
    - name: /opt/so/conf/telegraf/etc
    - makedirs: True
 tgrafetsdir:
  file.directory:
    - name: /opt/so/conf/telegraf/scripts
    - makedirs: True
 tgrafsyncscripts:
  file.recurse:
    - name: /opt/so/conf/telegraf/scripts
    - user: 939
    - group: 939
    - file_mode: 755
    - template: jinja
    - source: salt://common/telegraf/scripts
 tgrafconf:
  file.managed:
    - name: /opt/so/conf/telegraf/etc/telegraf.conf
    - user: 939
    - group: 939
    - template: jinja
    - source: salt://common/telegraf/etc/telegraf.conf
 so-telegraf:
  docker_container.running:
    - image: {{ MASTER }}:5000/soshybridhunter/so-telegraf:{{ VERSION }}
    - environment:
      - HOST_PROC=/host/proc
      - HOST_ETC=/host/etc
      - HOST_SYS=/host/sys
      - HOST_MOUNT_PREFIX=/host
    - network_mode: host
    - port_bindings:
      - 127.0.0.1:8094:8094
    - binds:
      - /opt/so/log/telegraf:/var/log/telegraf:rw
      - /opt/so/conf/telegraf/etc/telegraf.conf:/etc/telegraf/telegraf.conf:ro
      - /var/run/utmp:/var/run/utmp:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /:/host/root:ro
      - /sys:/host/sys:ro
      - /proc:/host/proc:ro
      - /nsm:/host/nsm:ro
      - /etc:/host/etc:ro
      {% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' or grains['role'] == 'so-mastersearch' %}
      - /etc/pki/ca.crt:/etc/telegraf/ca.crt:ro
      {% else %}
      - /etc/ssl/certs/intca.crt:/etc/telegraf/ca.crt:ro
      {% endif %}
      - /etc/pki/influxdb.crt:/etc/telegraf/telegraf.crt:ro
      - /etc/pki/influxdb.key:/etc/telegraf/telegraf.key:ro
      - /opt/so/conf/telegraf/scripts:/scripts:ro
      - /opt/so/log/stenographer:/var/log/stenographer:ro
      - /opt/so/log/suricata:/var/log/suricata:ro
    - watch:
      - /opt/so/conf/telegraf/etc/telegraf.conf
      - /opt/so/conf/telegraf/scripts
 # If its a master or eval lets install the back end for now
 {% if grains['role'] in ['so-master', 'so-mastersearch', 'so-eval'] and GRAFANA == 1 %}
 # Influx DB
 influxconfdir:
  file.directory:
    - name: /opt/so/conf/influxdb/etc
    - makedirs: True
 influxdbdir:
  file.directory:
    - name: /nsm/influxdb
    - makedirs: True
 influxdbconf:
  file.managed:
    - name: /opt/so/conf/influxdb/etc/influxdb.conf
    - user: 939
    - group: 939
    - template: jinja
    - source: salt://common/influxdb/etc/influxdb.conf
 so-influxdb:
  docker_container.running:
    - image: {{ MASTER }}:5000/soshybridhunter/so-influxdb:{{ VERSION }}
    - hostname: influxdb
    - environment:
      - INFLUXDB_HTTP_LOG_ENABLED=false
    - binds:
      - /opt/so/conf/influxdb/etc/influxdb.conf:/etc/influxdb/influxdb.conf:ro
      - /nsm/influxdb:/var/lib/influxdb:rw
      - /etc/pki/influxdb.crt:/etc/ssl/influxdb.crt:ro
      - /etc/pki/influxdb.key:/etc/ssl/influxdb.key:ro
    - port_bindings:
      - 0.0.0.0:8086:8086
    - watch:
      - file: /opt/so/conf/influxdb/etc/influxdb.conf
 # Grafana all the things
 grafanadir:
  file.directory:
    - name: /nsm/grafana
    - user: 939
    - group: 939
    - makedirs: True
 grafanaconfdir:
  file.directory:
    - name: /opt/so/conf/grafana/etc
    - user: 939
    - group: 939
    - makedirs: True
 grafanadashdir:
  file.directory:
    - name: /opt/so/conf/grafana/grafana_dashboards
    - user: 939
    - group: 939
    - makedirs: True
 grafanadashmdir:
  file.directory:
    - name: /opt/so/conf/grafana/grafana_dashboards/master
    - user: 939
    - group: 939
    - makedirs: True
 grafanadashevaldir:
  file.directory:
    - name: /opt/so/conf/grafana/grafana_dashboards/eval
    - user: 939
    - group: 939
    - makedirs: True
 grafanadashfndir:
  file.directory:
    - name: /opt/so/conf/grafana/grafana_dashboards/sensor_nodes
    - user: 939
    - group: 939
    - makedirs: True
 grafanadashsndir:
  file.directory:
    - name: /opt/so/conf/grafana/grafana_dashboards/search_nodes
    - user: 939
    - group: 939
    - makedirs: True
 grafanaconf:
  file.recurse:
    - name: /opt/so/conf/grafana/etc
    - user: 939
    - group: 939
    - template: jinja
    - source: salt://common/grafana/etc
 {% if salt['pillar.get']('mastertab', False) %}
 {% for SN, SNDATA in salt['pillar.get']('mastertab', {}).items() %}
 {% set NODETYPE = SN.split('_')|last %}
 {% set SN = SN | regex_replace('_' ~ NODETYPE, '') %}
 dashboard-master:
  file.managed:
    - name: /opt/so/conf/grafana/grafana_dashboards/master/{{ SN }}-Master.json
    - user: 939
    - group: 939
    - template: jinja
    - source: salt://common/grafana/grafana_dashboards/master/master.json
    - defaults:
      SERVERNAME: {{ SN }}
      MANINT: {{ SNDATA.manint }}
      MONINT: {{ SNDATA.manint }}
      CPUS: {{ SNDATA.totalcpus }}
      UID: {{ SNDATA.guid }}
      ROOTFS: {{ SNDATA.rootfs }}
      NSMFS: {{ SNDATA.nsmfs }}
 {% endfor %}
 {% endif %}
 {% if salt['pillar.get']('sensorstab', False) %}
 {% for SN, SNDATA in salt['pillar.get']('sensorstab', {}).items() %}
 {% set NODETYPE = SN.split('_')|last %}
 {% set SN = SN | regex_replace('_' ~ NODETYPE, '') %}
 dashboard-{{ SN }}:
  file.managed:
    - name: /opt/so/conf/grafana/grafana_dashboards/sensor_nodes/{{ SN }}-Sensor.json
    - user: 939
    - group: 939
    - template: jinja
    - source: salt://common/grafana/grafana_dashboards/sensor_nodes/sensor.json
    - defaults:
      SERVERNAME: {{ SN }}
      MONINT: {{ SNDATA.monint }}
      MANINT: {{ SNDATA.manint }}
      CPUS: {{ SNDATA.totalcpus }}
      UID: {{ SNDATA.guid }}
      ROOTFS: {{ SNDATA.rootfs }}
      NSMFS: {{ SNDATA.nsmfs }}
 {% endfor %}
 {% endif %}
 {% if salt['pillar.get']('nodestab', False) %}
 {% for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
 {% set NODETYPE = SN.split('_')|last %}
 {% set SN = SN | regex_replace('_' ~ NODETYPE, '') %}
 dashboardsearch-{{ SN }}:
  file.managed:
    - name: /opt/so/conf/grafana/grafana_dashboards/search_nodes/{{ SN }}-Node.json
    - user: 939
    - group: 939
    - template: jinja
    - source: salt://common/grafana/grafana_dashboards/search_nodes/searchnode.json
    - defaults:
      SERVERNAME: {{ SN }}
      MANINT: {{ SNDATA.manint }}
      MONINT: {{ SNDATA.manint }}
      CPUS: {{ SNDATA.totalcpus }}
      UID: {{ SNDATA.guid }}
      ROOTFS: {{ SNDATA.rootfs }}
      NSMFS: {{ SNDATA.nsmfs }}
 {% endfor %}
 {% endif %}
 {% if salt['pillar.get']('evaltab', False) %}
 {% for SN, SNDATA in salt['pillar.get']('evaltab', {}).items() %}
 {% set NODETYPE = SN.split('_')|last %}
 {% set SN = SN | regex_replace('_' ~ NODETYPE, '') %}
 dashboard-{{ SN }}:
  file.managed:
    - name: /opt/so/conf/grafana/grafana_dashboards/eval/{{ SN }}-Node.json
    - user: 939
    - group: 939
    - template: jinja
    - source: salt://common/grafana/grafana_dashboards/eval/eval.json
    - defaults:
      SERVERNAME: {{ SN }}
      MANINT: {{ SNDATA.manint }}
      MONINT: {{ SNDATA.monint }}
      CPUS: {{ SNDATA.totalcpus }}
      UID: {{ SNDATA.guid }}
      ROOTFS: {{ SNDATA.rootfs }}
      NSMFS: {{ SNDATA.nsmfs }}
 {% endfor %}
 {% endif %}
 so-grafana:
  docker_container.running:
    - image: {{ MASTER }}:5000/soshybridhunter/so-grafana:{{ VERSION }}
    - hostname: grafana
    - user: socore
    - binds:
      - /nsm/grafana:/var/lib/grafana:rw
      - /opt/so/conf/grafana/etc/grafana.ini:/etc/grafana/grafana.ini:ro
      - /opt/so/conf/grafana/etc/datasources:/etc/grafana/provisioning/datasources:rw
      - /opt/so/conf/grafana/etc/dashboards:/etc/grafana/provisioning/dashboards:rw
      - /opt/so/conf/grafana/grafana_dashboards:/etc/grafana/grafana_dashboards:rw
    - environment:
      - GF_SECURITY_ADMIN_PASSWORD=augusta
    - port_bindings:
      - 0.0.0.0:3000:3000
    - watch:
      - file: /opt/so/conf/grafana/*
 {% endif %}
--- a/salt/common/maps/broversion.map.jinja
+++ b/salt/common/maps/broversion.map.jinja
@@ -0,0 +1,5 @@
 {% set docker = {
  'containers': [
    'so-zeek'
  ]
 } %}
--- a/salt/common/maps/domainstats.map.jinja
+++ b/salt/common/maps/domainstats.map.jinja
@@ -0,0 +1,5 @@
 {% set docker = {
  'containers': [
    'so-domainstats'
  ]
 } %}
--- a/salt/common/maps/eval.map.jinja
+++ b/salt/common/maps/eval.map.jinja
@@ -0,0 +1,19 @@
 {% set docker = {
  'containers': [
    'so-filebeat',
    'so-nginx',
    'so-telegraf',
    'so-dockerregistry',
    'so-soc',
    'so-kratos',
    'so-idstools',
    'so-elasticsearch',
    'so-kibana',
    'so-steno',
    'so-suricata',
    'so-zeek',
    'so-curator',
    'so-elastalert',
    'so-soctopus'
  ]
 } %}
--- a/salt/common/maps/fleet.map.jinja
+++ b/salt/common/maps/fleet.map.jinja
@@ -0,0 +1,10 @@
 {% set docker = {
  'containers': [
    'so-mysql',
    'so-fleet',
    'so-redis',
    'so-filebeat',
    'so-nginx',
    'so-telegraf'
  ]
 } %}
--- a/salt/common/maps/fleet_master.map.jinja
+++ b/salt/common/maps/fleet_master.map.jinja
@@ -0,0 +1,7 @@
 {% set docker = {
  'containers': [
    'so-mysql',
    'so-fleet',
    'so-redis'
  ]
 } %}
--- a/salt/common/maps/freq.map.jinja
+++ b/salt/common/maps/freq.map.jinja
@@ -0,0 +1,5 @@
 {% set docker = {
  'containers': [
    'so-freqserver'
  ]
 } %}
--- a/salt/common/maps/grafana.map.jinja
+++ b/salt/common/maps/grafana.map.jinja
@@ -0,0 +1,6 @@
 {% set docker = {
  'containers': [
    'so-influxdb',
    'so-grafana'
  ]
 } %}
--- a/salt/common/maps/heavynode.map.jinja
+++ b/salt/common/maps/heavynode.map.jinja
@@ -0,0 +1,14 @@
 {% set docker = {
  'containers': [
    'so-nginx',
    'so-telegraf',
    'so-redis',
    'so-logstash',
    'so-elasticsearch',
    'so-curator',
    'so-steno',
    'so-suricata',
    'so-wazuh',
    'so-filebeat
  ]
 } %}
--- a/salt/common/maps/helixsensor.map.jinja
+++ b/salt/common/maps/helixsensor.map.jinja
@@ -0,0 +1,12 @@
 {% set docker = {
  'containers': [
    'so-nginx',
    'so-telegraf',
    'so-idstools',
    'so-steno',
    'so-zeek',
    'so-redis',
    'so-logstash',
    'so-filebeat
  ]
 } %}
--- a/salt/common/maps/hotnode.map.jinja
+++ b/salt/common/maps/hotnode.map.jinja
@@ -0,0 +1,9 @@
 {% set docker = {
  'containers': [
    'so-nginx',
    'so-telegraf',
     'so-logstash',
    'so-elasticsearch',
    'so-curator',
   ]
 } %}
--- a/salt/common/maps/master.map.jinja
+++ b/salt/common/maps/master.map.jinja
@@ -0,0 +1,18 @@
 {% set docker = {
  'containers': [
    'so-dockerregistry',
    'so-nginx',
    'so-telegraf',
    'so-soc',
    'so-kratos',
    'so-aptcacherng',
    'so-idstools',
    'so-redis',
    'so-elasticsearch',
    'so-logstash',
    'so-kibana',
    'so-elastalert',
    'so-filebeat',
    'so-soctopus'
  ]
 } %}
--- a/salt/common/maps/mastersearch.map.jinja
+++ b/salt/common/maps/mastersearch.map.jinja
@@ -0,0 +1,18 @@
 {% set docker = {
  'containers': [
    'so-nginx',
    'so-telegraf',
    'so-soc',
    'so-kratos',
    'so-aptcacherng',
    'so-idstools',
    'so-redis',
    'so-logstash',
    'so-elasticsearch',
    'so-curator',
    'so-kibana',
    'so-elastalert',
    'so-filebeat',
    'so-soctopus'
  ]
 } %}
--- a/salt/common/maps/playbook.map.jinja
+++ b/salt/common/maps/playbook.map.jinja
@@ -0,0 +1,6 @@
 {% set docker = {
  'containers': [
    'so-playbook',
    'so-navigator'
  ]
 } %}
--- a/salt/common/maps/searchnode.map.jinja
+++ b/salt/common/maps/searchnode.map.jinja
@@ -0,0 +1,10 @@
 {% set docker = {
  'containers': [
    'so-nginx',
    'so-telegraf',
    'so-logstash',
    'so-elasticsearch',
    'so-curator',
    'so-filebeat'
  ]
 } %}
--- a/salt/common/maps/sensor.map.jinja
+++ b/salt/common/maps/sensor.map.jinja
@@ -0,0 +1,8 @@
 {% set docker = {
  'containers': [
    'so-telegraf',
    'so-steno',
    'so-suricata',
    'so-filebeat'
  ]
 } %}
--- a/salt/common/maps/so-status.map.jinja
+++ b/salt/common/maps/so-status.map.jinja
@@ -0,0 +1,45 @@
 {% set role = grains.id.split('_') | last %}
 {% from 'common/maps/'~ role ~'.map.jinja' import docker with context %}
 # Check if the service is enabled and append it's required containers
 # to the list predefined by the role / minion id affix
 {% macro append_containers(pillar_name, k, compare )%}
  {% if salt['pillar.get'](pillar_name~':'~k, {}) != compare %}
    {% from 'common/maps/'~k~'.map.jinja' import docker as d with context %}
    {% for li in d['containers'] %}
      {{ docker['containers'].append(li) }}
    {% endfor %}
  {% endif %}
 {% endmacro %}
 {% set docker = salt['grains.filter_by']({
  '*_'~role: {
    'containers': docker['containers']
  } 
 },grain='id', merge=salt['pillar.get']('docker')) %}
 {% if role in ['eval', 'mastersearch', 'master', 'standalone'] %}
  {{ append_containers('master', 'grafana', 0) }}
  {{ append_containers('static', 'fleet_master', 0) }}
  {{ append_containers('master', 'wazuh', 0) }}
  {{ append_containers('master', 'thehive', 0) }}
  {{ append_containers('master', 'playbook', 0) }}
  {{ append_containers('master', 'freq', 0) }}
  {{ append_containers('master', 'domainstats', 0) }}
 {% endif %}
 {% if role in ['eval', 'heavynode', 'sensor', 'standalone'] %}
  {{ append_containers('static', 'strelka', 0) }}
 {% endif %}
 {% if role in ['heavynode', 'standalone'] %}
  {{ append_containers('static', 'broversion', 'SURICATA') }}
 {% endif %}
 {% if role == 'searchnode' %}
  {{ append_containers('master', 'wazuh', 0) }}
 {% endif %}
 {% if role == 'sensor' %}
  {{ append_containers('static', 'broversion', 'SURICATA') }}
 {% endif %}
--- a/salt/common/maps/standalone.map.jinja
+++ b/salt/common/maps/standalone.map.jinja
@@ -0,0 +1,21 @@
 {% set docker = {
  'containers': [
    'so-nginx',
    'so-telegraf',
    'so-soc',
    'so-kratos',
    'so-aptcacherng',
    'so-idstools',
    'so-redis',
    'so-logstash',
    'so-elasticsearch',
    'so-curator',
    'so-kibana',
    'so-elastalert',
    'so-filebeat',
    'so-suricata',
    'so-steno',
    'so-dockerregistry',
    'so-soctopus'
  ]
 } %}
--- a/salt/common/maps/strelka.map.jinja
+++ b/salt/common/maps/strelka.map.jinja
@@ -0,0 +1,9 @@
 {% set docker = {
  'containers': [
    'so-strelka-coordinator',
    'so-strelka-gatekeeper',
    'so-strelka-manager',
    'so-strelka-frontend',
    'so-strelka-filestream'
  ]
 } %}
--- a/salt/common/maps/thehive.map.jinja
+++ b/salt/common/maps/thehive.map.jinja
@@ -0,0 +1,7 @@
 {% set docker = {
  'containers': [
    'so-thehive',
    'so-thehive-es',
    'so-cortex'
  ]
 } %}
--- a/salt/common/maps/warmnode.map.jinja
+++ b/salt/common/maps/warmnode.map.jinja
@@ -0,0 +1,7 @@
 {% set docker = {
  'containers': [
    'so-nginx',
    'so-telegraf',
    'so-elasticsearch'
  ]
 } %}
--- a/salt/common/maps/wazuh.map.jinja
+++ b/salt/common/maps/wazuh.map.jinja
@@ -0,0 +1,5 @@
 {% set docker = {
  'containers': [
    'so-wazuh'
  ]
 } %}
--- a/salt/common/tools/sbin/so-allow
+++ b/salt/common/tools/sbin/so-allow
@@ -17,6 +17,9 @@
 . /usr/sbin/so-common
 default_salt_dir=/opt/so/saltstack/default
 local_salt_dir=/opt/so/saltstack/local
 SKIP=0
 while getopts "abowi:" OPTION
@@ -42,9 +45,22 @@ do
            SKIP=1
            ;;
        w)
-            FULLROLE="wazuh_endpoint"
+            FULLROLE="wazuh_agent"
            SKIP=1
            ;;
        s)
            FULLROLE="syslog"
            SKIP=1
            ;;
        p)
            FULLROLE="wazuh_api"
            SKIP=1
            ;;
        r)
            FULLROLE="wazuh_authd"
            SKIP=1
            ;;
    esac
 done
@@ -57,8 +73,10 @@ if [ "$SKIP" -eq 0 ]; then
    echo "[a] - Analyst - ports 80/tcp and 443/tcp"
    echo "[b] - Logstash Beat - port 5044/tcp"
    echo "[o] - Osquery endpoint - port 8090/tcp"
-    echo "[w] - Wazuh endpoint - port 1514"
+    echo "[s] - Syslog device - 514/tcp/udp"
-    echo ""
+    echo "[w] - Wazuh agent - port 1514/tcp/udp"
    echo "[p] - Wazuh API - port 55000/tcp"
    echo "[r] - Wazuh registration service - 1515/tcp"
    echo "Please enter your selection (a - analyst, b - beats, o - osquery, w - wazuh):"
    read ROLE
    echo "Enter a single ip address or range to allow (example: 10.10.10.10 or 10.10.0.0/16):"
@@ -71,7 +89,13 @@ if [ "$SKIP" -eq 0 ]; then
    elif [ "$ROLE" == "o" ]; then
        FULLROLE=osquery_endpoint
    elif [ "$ROLE" == "w" ]; then
-        FULLROLE=wazuh_endpoint
+        FULLROLE=wazuh_agent
    elif [ "$ROLE" == "s" ]; then
        FULLROLE=syslog
    elif [ "$ROLE" == "p" ]; then
        FULLROLE=wazuh_api
    elif [ "$ROLE" == "r" ]; then
        FULLROLE=wazuh_authd
    else
        echo "I don't recognize that role"
        exit 1
@@ -80,10 +104,11 @@ if [ "$SKIP" -eq 0 ]; then
 fi
 echo "Adding $IP to the $FULLROLE role. This can take a few seconds"
-/opt/so/saltstack/pillar/firewall/addfirewall.sh $FULLROLE $IP
+/usr/sbin/so-firewall includehost $FULLROLE $IP
 salt-call state.apply firewall queue=True
 # Check if Wazuh enabled
-if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then
+if grep -q -R "wazuh: 1" $local_salt_dir/pillar/*; then
    # If analyst, add to Wazuh AR whitelist
    if [ "$FULLROLE" == "analyst" ]; then
          WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"
--- a/salt/common/tools/sbin/so-bro-logs
+++ b/salt/common/tools/sbin/so-bro-logs
@@ -1,11 +1,12 @@
 #!/bin/bash
 local_salt_dir=/opt/so/saltstack/local
 bro_logs_enabled() {
-  echo "brologs:" > /opt/so/saltstack/pillar/brologs.sls
+  echo "brologs:" > $local_salt_dir/pillar/brologs.sls
-  echo "  enabled:" >> /opt/so/saltstack/pillar/brologs.sls
+  echo "  enabled:" >> $local_salt_dir/pillar/brologs.sls
  for BLOG in ${BLOGS[@]}; do
-    echo "    - $BLOG" | tr -d '"' >> /opt/so/saltstack/pillar/brologs.sls
+    echo "    - $BLOG" | tr -d '"' >> $local_salt_dir/pillar/brologs.sls
  done
 }
--- a/salt/common/tools/sbin/so-cortex-restart
+++ b/salt/common/tools/sbin/so-cortex-restart
@@ -1,5 +1,5 @@
 #!/bin/bash
-
+#
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
@@ -17,4 +17,5 @@
 . /usr/sbin/so-common
-/usr/sbin/so-restart cortex $1
+/usr/sbin/so-stop cortex $1
 /usr/sbin/so-start thehive $1
--- a/salt/common/tools/sbin/so-cortex-start
+++ b/salt/common/tools/sbin/so-cortex-start
@@ -17,4 +17,4 @@
 . /usr/sbin/so-common
-/usr/sbin/so-start cortex $1
+/usr/sbin/so-start thehive $1
--- a/salt/common/tools/sbin/so-cortex-stop
+++ b/salt/common/tools/sbin/so-cortex-stop
@@ -1,5 +1,5 @@
 #!/bin/bash
-
+#
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
--- a/salt/common/tools/sbin/so-docker-refresh
+++ b/salt/common/tools/sbin/so-docker-refresh
@@ -0,0 +1,112 @@
 #!/bin/bash
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 got_root(){
    if [ "$(id -u)" -ne 0 ]; then
        echo "This script must be run using sudo!"
        exit 1
    fi
 }
 master_check() {
  # Check to see if this is a master
  MASTERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}')
  if [ $MASTERCHECK == 'so-eval' ] || [ $MASTERCHECK == 'so-master' ] || [ $MASTERCHECK == 'so-mastersearch' ] || [ $MASTERCHECK == 'so-standalone' ] || [ $MASTERCHECK == 'so-helix' ]; then
    echo "This is a master. We can proceed"
  else
    echo "Please run soup on the master. The master controls all updates."
    exit 1
  fi
 }
 update_docker_containers() {
  # Download the containers from the interwebs
  for i in "${TRUSTED_CONTAINERS[@]}"
  do
    # Pull down the trusted docker image
    echo "Downloading $i"
    docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
    # Tag it with the new registry destination
    docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i
    docker push $HOSTNAME:5000/soshybridhunter/$i
  done
 }
 version_check() {
  if [ -f /etc/soversion ]; then
    VERSION=$(cat /etc/soversion)
  else
    echo "Unable to detect version. I will now terminate."
    exit 1
  fi
 }
 got_root
 master_check
 version_check
 # Use the hostname
 HOSTNAME=$(hostname)
 BUILD=HH
 # List all the containers
 if [ $MASTERCHECK != 'so-helix' ]; then
    TRUSTED_CONTAINERS=( \
    "so-acng:$BUILD$VERSION" \
    "so-thehive-cortex:$BUILD$VERSION" \
    "so-curator:$BUILD$VERSION" \
    "so-domainstats:$BUILD$VERSION" \
    "so-elastalert:$BUILD$VERSION" \
    "so-elasticsearch:$BUILD$VERSION" \
    "so-filebeat:$BUILD$VERSION" \
    "so-fleet:$BUILD$VERSION" \
    "so-fleet-launcher:$BUILD$VERSION" \
    "so-freqserver:$BUILD$VERSION" \
    "so-grafana:$BUILD$VERSION" \
    "so-idstools:$BUILD$VERSION" \
    "so-influxdb:$BUILD$VERSION" \
    "so-kibana:$BUILD$VERSION" \
    "so-kratos:$BUILD$VERSION" \
    "so-logstash:$BUILD$VERSION" \
    "so-mysql:$BUILD$VERSION" \
    "so-navigator:$BUILD$VERSION" \
    "so-nginx:$BUILD$VERSION" \
    "so-playbook:$BUILD$VERSION" \
    "so-redis:$BUILD$VERSION" \
    "so-soc:$BUILD$VERSION" \
    "so-soctopus:$BUILD$VERSION" \
    "so-steno:$BUILD$VERSION" \
    "so-strelka:$BUILD$VERSION" \
    "so-suricata:$BUILD$VERSION" \
    "so-telegraf:$BUILD$VERSION" \
    "so-thehive:$BUILD$VERSION" \
    "so-thehive-es:$BUILD$VERSION" \
    "so-wazuh:$BUILD$VERSION" \
    "so-zeek:$BUILD$VERSION" )
  else
    TRUSTED_CONTAINERS=( \
    "so-filebeat:$BUILD$VERSION" \
    "so-idstools:$BUILD$VERSION" \
    "so-logstash:$BUILD$VERSION" \
    "so-nginx:$BUILD$VERSION" \
    "so-redis:$BUILD$VERSION" \
    "so-steno:$BUILD$VERSION" \
    "so-suricata:$BUILD$VERSION" \
    "so-telegraf:$BUILD$VERSION" \
    "so-zeek:$BUILD$VERSION" )
  fi
 update_docker_containers
--- a/salt/common/tools/sbin/so-elastalert-create
+++ b/salt/common/tools/sbin/so-elastalert-create
@@ -166,8 +166,7 @@ cat << EOF
 What elasticsearch index do you want to use?
 Below are the default Index Patterns used in Security Onion:
-*:logstash-*
+*:so-ids-*
 *:logstash-beats-*
 *:elastalert_status*
 EOF
--- a/salt/common/tools/sbin/so-elastic-download
+++ b/salt/common/tools/sbin/so-elastic-download
@@ -2,7 +2,7 @@
 MASTER=MASTER
 VERSION="HH1.1.4"
 TRUSTED_CONTAINERS=( \
-"so-core:$VERSION" \
+"so-nginx:$VERSION" \
 "so-thehive-cortex:$VERSION" \
 "so-curator:$VERSION" \
 "so-domainstats:$VERSION" \
--- a/salt/common/tools/sbin/so-elasticsearch-templates
+++ b/salt/common/tools/sbin/so-elasticsearch-templates
@@ -15,12 +15,13 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 default_salt_dir=/opt/so/saltstack/default
 ELASTICSEARCH_HOST="{{ MASTERIP}}"
 ELASTICSEARCH_PORT=9200
 #ELASTICSEARCH_AUTH=""
 # Define a default directory to load pipelines from
-ELASTICSEARCH_TEMPLATES="/opt/so/saltstack/salt/logstash/pipelines/templates/so/"
+ELASTICSEARCH_TEMPLATES="$default_salt_dir/salt/logstash/pipelines/templates/so/"
 # Wait for ElasticSearch to initialize
 echo -n "Waiting for ElasticSearch..."
--- a/salt/common/tools/sbin/so-features-enable
+++ b/salt/common/tools/sbin/so-features-enable
@@ -15,10 +15,11 @@
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 . /usr/sbin/so-common
 local_salt_dir=/opt/so/saltstack/local
-VERSION=$(grep soversion /opt/so/saltstack/pillar/static.sls | cut -d':' -f2|sed 's/ //g')
+VERSION=$(grep soversion $local_salt_dir/pillar/static.sls | cut -d':' -f2|sed 's/ //g')
 # Modify static.sls to enable Features
-sed -i 's/features: False/features: True/' /opt/so/saltstack/pillar/static.sls
+sed -i 's/features: False/features: True/' $local_salt_dir/pillar/static.sls
 SUFFIX="-features"
 TRUSTED_CONTAINERS=( \
  "so-elasticsearch:$VERSION$SUFFIX" \
--- a/salt/common/tools/sbin/so-firewall
+++ b/salt/common/tools/sbin/so-firewall
@@ -0,0 +1,305 @@
 #!/usr/bin/env python3
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import subprocess
 import sys
 import yaml
 hostgroupsFilename = "/opt/so/saltstack/local/salt/firewall/hostgroups.local.yaml"
 portgroupsFilename = "/opt/so/saltstack/local/salt/firewall/portgroups.local.yaml"
 supportedProtocols = ['tcp', 'udp']
 def showUsage(args):
  print('Usage: {} [OPTIONS] <COMMAND> [ARGS...]'.format(sys.argv[0]))
  print('  Options:')
  print('   --apply       - After updating the firewall configuration files, apply the new firewall state')
  print('')
  print('  Available commands:')
  print('   help          - Prints this usage information.')
  print('   includedhosts - Lists the IPs included in the given group. Args: <GROUP_NAME>')
  print('   excludedhosts - Lists the IPs excluded from the given group. Args: <GROUP_NAME>')
  print('   includehost   - Includes the given IP in the given group. Args: <GROUP_NAME> <IP>')
  print('   excludehost   - Excludes the given IP from the given group. Args: <GROUP_NAME> <IP>')
  print('   removehost    - Removes an excluded IP from the given group. Args: <GROUP_NAME> <IP>')
  print('   addhostgroup  - Adds a new, custom host group. Args: <GROUP_NAME>')
  print('   listports     - Lists ports in the given group and protocol. Args: <GROUP_NAME> <PORT_PROTOCOL>')
  print('   addport       - Adds a PORT to the given group. Args: <GROUP_NAME> <PORT_PROTOCOL> <PORT>')
  print('   removeport    - Removes a PORT from the given group. Args: <GROUP_NAME> <PORT_PROTOCOL> <PORT>')
  print('   addportgroup  - Adds a new, custom port group. Args: <GROUP_NAME>')
  print('')
  print('  Where:')
  print('   GROUP_NAME    - The name of an alias group (Ex: analyst)')
  print('   IP            - Either a single IP address (Ex: 8.8.8.8) or a CIDR block (Ex: 10.23.0.0/16).')
  print('   PORT_PROTOCOL - Must be one of the following: ' + str(supportedProtocols))
  print('   PORT          - Either a single numeric port (Ex: 443), or a port range (Ex: 8000:8002).')
  sys.exit(1)
 def loadYaml(filename):
  file = open(filename, "r")
  return yaml.load(file.read())
 def writeYaml(filename, content):
  file = open(filename, "w")
  return yaml.dump(content, file)
 def listIps(name, mode):
  content = loadYaml(hostgroupsFilename)
  if name not in content['firewall']['hostgroups']:
    print('Host group does not exist', file=sys.stderr)
    return 4
  hostgroup = content['firewall']['hostgroups'][name]
  ips = hostgroup['ips'][mode]
  if ips is not None:
    for ip in ips:
      print(ip)
  return 0
 def addIp(name, ip, mode):
  content = loadYaml(hostgroupsFilename)
  if name not in content['firewall']['hostgroups']:
    print('Host group does not exist', file=sys.stderr)
    return 4
  hostgroup = content['firewall']['hostgroups'][name]
  ips = hostgroup['ips'][mode]
  if ips is None:
    ips = []
    hostgroup['ips'][mode] = ips
  if ip not in ips:
    ips.append(ip)
  else:
    print('Already exists', file=sys.stderr)
    return 3
  writeYaml(hostgroupsFilename, content)
  return 0
 def removeIp(name, ip, mode, silence = False):
  content = loadYaml(hostgroupsFilename)
  if name not in content['firewall']['hostgroups']:
    print('Host group does not exist', file=sys.stderr)
    return 4
  hostgroup = content['firewall']['hostgroups'][name]
  ips = hostgroup['ips'][mode]
  if ips is None:
    ips = []
    hostgroup['ips'][mode] = ips
  if ip in ips:
    ips.remove(ip)
  else:
    if not silence:
      print('IP does not exist', file=sys.stderr)
      return 3
  writeYaml(hostgroupsFilename, content)
  return 0
 def createProtocolMap():
  map = {}
  for protocol in supportedProtocols:
    map[protocol] = []
  return map
 def addhostgroup(args):
  if len(args) != 1:
    print('Missing host group name argument', file=sys.stderr)
    showUsage(args)
  name = args[1]
  content = loadYaml(hostgroupsFilename)
  if name in content['firewall']['hostgroups']:
    print('Already exists', file=sys.stderr)
    return 3
  content['firewall']['hostgroups'][name] = { 'ips': { 'insert': [], 'delete': [] }}
  writeYaml(hostgroupsFilename, content)
  return 0
 def addportgroup(args):
  if len(args) != 1:
    print('Missing port group name argument', file=sys.stderr)
    showUsage(args)
  name = args[0]
  content = loadYaml(portgroupsFilename)
  ports = content['firewall']['aliases']['ports']
  if ports is None:
    ports = {}
    content['firewall']['aliases']['ports'] = ports
  if name in ports:
    print('Already exists', file=sys.stderr)
    return 3
  ports[name] = createProtocolMap()
  writeYaml(portgroupsFilename, content)
  return 0
 def listports(args):
  if len(args) != 2:
    print('Missing port group name or port protocol', file=sys.stderr)
    showUsage(args)
  name = args[0]
  protocol = args[1]
  if protocol not in supportedProtocols:
    print('Port protocol is not supported', file=sys.stderr)
    return 5
  content = loadYaml(portgroupsFilename)
  ports = content['firewall']['aliases']['ports']
  if ports is None:
    ports = {}
    content['firewall']['aliases']['ports'] = ports
  if name not in ports:
    print('Port group does not exist', file=sys.stderr)
    return 3
  ports = ports[name][protocol]
  if ports is not None:
    for port in ports:
      print(port)
  return 0
 def addport(args):
  if len(args) != 3:
    print('Missing port group name or port protocol, or port argument', file=sys.stderr)
    showUsage(args)
  name = args[0]
  protocol = args[1]
  port = args[2]
  if protocol not in supportedProtocols:
    print('Port protocol is not supported', file=sys.stderr)
    return 5
  content = loadYaml(portgroupsFilename)
  ports = content['firewall']['aliases']['ports']
  if ports is None:
    ports = {}
    content['firewall']['aliases']['ports'] = ports
  if name not in ports:
    print('Port group does not exist', file=sys.stderr)
    return 3
  ports = ports[name][protocol]
  if ports is None:
    ports = []
    content['firewall']['aliases']['ports'][name][protocol] = ports
  if port in ports:
    print('Already exists', file=sys.stderr)
    return 3
  ports.append(port)
  writeYaml(portgroupsFilename, content)
  return 0
 def removeport(args):
  if len(args) != 3:
    print('Missing port group name or port protocol, or port argument', file=sys.stderr)
    showUsage(args)
  name = args[0]
  protocol = args[1]
  port = args[2]
  if protocol not in supportedProtocols:
    print('Port protocol is not supported', file=sys.stderr)
    return 5
  content = loadYaml(portgroupsFilename)
  ports = content['firewall']['aliases']['ports']
  if ports is None:
    ports = {}
    content['firewall']['aliases']['ports'] = ports
  if name not in ports:
    print('Port group does not exist', file=sys.stderr)
    return 3
  ports = ports[name][protocol]
  if ports is None or port not in ports:
    print('Port does not exist', file=sys.stderr)
    return 3
  ports.remove(port)
  writeYaml(portgroupsFilename, content)
  return 0
 def includedhosts(args):
  if len(args) != 1:
    print('Missing host group name argument', file=sys.stderr)
    showUsage(args)
  return listIps(args[0], 'insert')
 def excludedhosts(args):
  if len(args) != 1:
    print('Missing host group name argument', file=sys.stderr)
    showUsage(args)
  return listIps(args[0], 'delete')
 def includehost(args):
  if len(args) != 2:
    print('Missing host group name or ip argument', file=sys.stderr)
    showUsage(args)
  result = addIp(args[0], args[1], 'insert')
  if result == 0:
    removeIp(args[0], args[1], 'delete', True)
  return result
 def excludehost(args):
  if len(args) != 2:
    print('Missing host group name or ip argument', file=sys.stderr)
    showUsage(args)
  result = addIp(args[0], args[1], 'delete')
  if result == 0:
    removeIp(args[0], args[1], 'insert', True)
  return result
 def removehost(args):
  if len(args) != 2:
    print('Missing host group name or ip argument', file=sys.stderr)
    showUsage(args)
  return removeIp(args[0], args[1], 'delete')
 def apply():
  proc = subprocess.run(['salt-call', 'state.apply', 'firewall', 'queue=True'])
  return proc.returncode
 def main():
  options = []
  args = sys.argv[1:]
  for option in args:
    if option.startswith("--"):
      options.append(option)
      args.remove(option)
  if len(args) == 0:
    showUsage(None)
  commands = {
    "help": showUsage,
    "includedhosts": includedhosts,
    "excludedhosts": excludedhosts,
    "includehost": includehost,
    "excludehost": excludehost,
    "removehost": removehost,
    "listports": listports,
    "addport": addport,
    "removeport": removeport,
    "addhostgroup": addhostgroup,
    "addportgroup": addportgroup
  }
  cmd = commands.get(args[0], showUsage)
  code = cmd(args[1:])
  if code == 0 and "--apply" in options:
    code = apply()
  sys.exit(code)
 if __name__ == "__main__":
  main()
--- a/salt/common/tools/sbin/so-fleet-setup
+++ b/salt/common/tools/sbin/so-fleet-setup
@@ -0,0 +1,44 @@
 #!/bin/bash
 #so-fleet-setup $FleetEmail $FleetPassword 
 if [[ $# -ne 2 ]] ; then
      echo "Username or Password was not set - exiting now."
      exit 1
 fi
 # Checking to see if required containers are started...
 if [ ! "$(docker ps -q -f name=so-fleet)" ]; then
        echo "Starting Docker Containers..."
        salt-call state.apply mysql queue=True >> /root/fleet-setup.log
        salt-call state.apply fleet queue=True >> /root/fleet-setup.log
        salt-call state.apply redis queue=True >> /root/fleet-setup.log
 fi
 docker exec so-fleet fleetctl config set --address https://localhost:8080 --tls-skip-verify --url-prefix /fleet
 docker exec so-fleet fleetctl setup --email $1 --password $2
 docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
 docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
 docker exec so-fleet fleetctl apply -f /packs/so/so-default.yml
 docker exec so-fleet /bin/sh -c 'for pack in /packs/palantir/Fleet/Endpoints/packs/*.yaml; do fleetctl apply -f "$pack"; done'
 docker exec so-fleet fleetctl apply -f /packs/osquery-config.conf
 # Enable Fleet
 echo "Enabling Fleet..."
 salt-call state.apply fleet.event_enable-fleet queue=True >> /root/fleet-setup.log
 salt-call state.apply nginx queue=True >> /root/fleet-setup.log
 # Generate osquery install packages
 echo "Generating osquery install packages - this will take some time..."
 salt-call state.apply fleet.event_gen-packages queue=True >> /root/fleet-setup.log
 sleep 120
 echo "Installing launcher via salt..."
 salt-call state.apply fleet.install_package queue=True >> /root/fleet-setup.log
 salt-call state.apply filebeat queue=True >> /root/fleet-setup.log
 docker stop so-nginx
 salt-call state.apply nginx queue=True >> /root/fleet-setup.log
 echo "Fleet Setup Complete - Login with the username and password you ran the script with."
--- a/salt/common/tools/sbin/so-helix-apikey
+++ b/salt/common/tools/sbin/so-helix-apikey
@@ -1,4 +1,7 @@
 #!/bin/bash
 local_salt_dir=/opt/so/saltstack/local
 got_root() {
  # Make sure you are root
@@ -10,13 +13,13 @@ got_root() {
 }
 got_root
-if [ ! -f /opt/so/saltstack/pillar/fireeye/init.sls ]; then
+if [ ! -f $local_salt_dir/pillar/fireeye/init.sls ]; then
  echo "This is nto configured for Helix Mode. Please re-install."
  exit
 else
  echo "Enter your Helix API Key: "
  read APIKEY
-  sed -i "s/^    api_key.*/    api_key: $APIKEY/g" /opt/so/saltstack/pillar/fireeye/init.sls
+  sed -i "s/^    api_key.*/    api_key: $APIKEY/g" $local_salt_dir/pillar/fireeye/init.sls
  docker stop so-logstash
  docker rm so-logstash
  echo "Restarting Logstash for updated key"
--- a/salt/common/tools/sbin/so-kibana-config-export
+++ b/salt/common/tools/sbin/so-kibana-config-export
@@ -1,6 +1,35 @@
 #!/bin/bash
-KIBANA_HOST=10.66.166.141
+#
 # {%- set FLEET_MASTER = salt['pillar.get']('static:fleet_master', False) -%}
 # {%- set FLEET_NODE = salt['pillar.get']('static:fleet_node', False) -%}
 # {%- set FLEET_IP = salt['pillar.get']('static:fleet_ip', '') %}
 # {%- set MASTER = salt['pillar.get']('master:url_base', '') %}
 #
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 KIBANA_HOST={{ MASTER }}
 KSO_PORT=5601
-OUTFILE="saved_objects.json"
+OUTFILE="saved_objects.ndjson"
-curl -s -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -XPOST $KIBANA_HOST:$KSO_PORT/api/saved_objects/_export -d '{ "type": "index-pattern", "type": "config", "type": "dashboard", "type": "query", "type": "search", "type": "url", "type": "visualization" }' -o $OUTFILE
+curl -s -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -XPOST $KIBANA_HOST:$KSO_PORT/api/saved_objects/_export -d '{ "type": [ "index-pattern", "config", "visualization", "dashboard", "search" ], "excludeExportDetails": false }' > $OUTFILE
 # Clean up using PLACEHOLDER
 sed -i "s/$KIBANA_HOST/PLACEHOLDER/g" $OUTFILE
 # Clean up for Fleet, if applicable
 # {% if FLEET_NODE or FLEET_MASTER %}
 # Fleet IP
 sed -i "s/{{ MASTER }}/FLEETPLACEHOLDER/g" $OUTFILE
 # {% endif %}
--- a/salt/common/tools/sbin/so-saltstack-update
+++ b/salt/common/tools/sbin/so-saltstack-update
@@ -0,0 +1,57 @@
 #!/bin/bash
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 default_salt_dir=/opt/so/saltstack/default
 clone_to_tmp() {
  # TODO Need to add a air gap option
  # Make a temp location for the files
  mkdir /tmp/sogh
  cd /tmp/sogh
  #git clone -b dev https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
  git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
  cd /tmp
 }
 copy_new_files() {
  # Copy new files over to the salt dir
  cd /tmp/sogh/securityonion-saltstack
  git checkout $BRANCH
  rsync -a --exclude-from 'exclude-list.txt' salt $default_salt_dir/
  rsync -a --exclude-from 'exclude-list.txt' pillar $default_salt_dir/
  chown -R socore:socore $default_salt_dir/salt
  chown -R socore:socore $default_salt_dir/pillar
  chmod 755 $default_salt_dir/pillar/firewall/addfirewall.sh
  rm -rf /tmp/sogh
 }
 got_root(){
    if [ "$(id -u)" -ne 0 ]; then
        echo "This script must be run using sudo!"
        exit 1
    fi
 }
 got_root
 if [ $# -ne 1 ] ; then
  BRANCH=master
 else
  BRANCH=$1
 fi
 clone_to_tmp
 copy_new_files
--- a/salt/common/tools/sbin/so-start
+++ b/salt/common/tools/sbin/so-start
@@ -32,5 +32,5 @@ fi
 case $1 in
   "all") salt-call state.highstate queue=True;;
   "steno") if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply pcap queue=True; fi ;; 
-   *) if docker ps | grep -q so-$1; then printf "\n$1 is already running\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi ;; 
+   *) if docker ps | grep -E -q '^so-$1$'; then printf "\n$1 is already running\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi ;; 
 esac
--- a/salt/common/tools/sbin/so-status
+++ b/salt/common/tools/sbin/so-status
@@ -14,35 +14,8 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
+{%- from 'common/maps/so-status.map.jinja' import docker with context %}
-{%- set pillar_suffix = ':containers' -%}
+{%- set container_list = docker['containers'] | sort %}
 {%- if (salt['grains.get']('role') == 'so-mastersearch') -%}
    {%- set pillar_val = 'master_search' -%}
 {%- elif (salt['grains.get']('role') == 'so-master') -%}
    {%- set pillar_val = 'master' -%}
 {%- elif (salt['grains.get']('role') == 'so-heavynode') -%}
    {%- set pillar_val = 'heavy_node' -%}
 {%- elif (salt['grains.get']('role') == 'so-sensor') -%}
    {%- set pillar_val = 'sensor' -%}
 {%- elif (salt['grains.get']('role') == 'so-eval') -%}
    {%- set pillar_val = 'eval' -%}
 {%- elif (salt['grains.get']('role') == 'so-fleet') -%}
    {%- set pillar_val = 'fleet' -%}
 {%- elif (salt['grains.get']('role') == 'so-helix') -%}
    {%- set pillar_val = 'helix' -%}
 {%- elif (salt['grains.get']('role') == 'so-node') -%}
    {%- if (salt['pillar.get']('node:node_type') == 'parser') -%}
        {%- set pillar_val = 'parser_node' -%}
    {%- elif (salt['pillar.get']('node:node_type') == 'hot') -%}
        {%- set pillar_val = 'hot_node' -%}
    {%- elif (salt['pillar.get']('node:node_type') == 'warm') -%}
        {%- set pillar_val = 'warm_node' -%}
    {%- elif (salt['pillar.get']('node:node_type') == 'search') -%}
        {%- set pillar_val = 'search_node' -%}
    {%- endif -%}
 {%- endif -%}
 {%- set pillar_name = pillar_val ~ pillar_suffix -%}
 {%- set container_list = salt['pillar.get'](pillar_name) %}
 if ! [ "$(id -u)" = 0 ]; then
   echo "This command must be run as root"
--- a/salt/common/tools/sbin/so-thehive-es-restart
+++ b/salt/common/tools/sbin/so-thehive-es-restart
@@ -0,0 +1,21 @@
 #!/bin/bash
 #
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 . /usr/sbin/so-common
 /usr/sbin/so-stop thehive-es $1
 /usr/sbin/so-start thehive $1
--- a/salt/common/tools/sbin/so-thehive-es-start
+++ b/salt/common/tools/sbin/so-thehive-es-start
@@ -0,0 +1,20 @@
 #!/bin/bash
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 . /usr/sbin/so-common
 /usr/sbin/so-start thehive $1
--- a/salt/common/tools/sbin/so-thehive-es-stop
+++ b/salt/common/tools/sbin/so-thehive-es-stop
@@ -0,0 +1,20 @@
 #!/bin/bash
 #
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 . /usr/sbin/so-common
 /usr/sbin/so-stop thehive-es $1
--- a/salt/common/tools/sbin/so-thehive-restart
+++ b/salt/common/tools/sbin/so-thehive-restart
@@ -1,5 +1,5 @@
 #!/bin/bash
-
+#
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
--- a/salt/common/tools/sbin/so-thehive-stop
+++ b/salt/common/tools/sbin/so-thehive-stop
@@ -1,5 +1,5 @@
 #!/bin/bash
-
+#
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
--- a/salt/common/tools/sbin/so-zeek-stats
+++ b/salt/common/tools/sbin/so-zeek-stats
@@ -0,0 +1,39 @@
 #!/bin/bash
 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 # Show Zeek stats (capstats, netstats)
 show_stats() {
  echo '##############'
  echo '# Zeek Stats #'
  echo '##############'
  echo
  echo "Average throughput:"
  echo
  docker exec -it so-zeek /opt/zeek/bin/zeekctl capstats
  echo
  echo "Average packet loss:"
  echo
  docker exec -it so-zeek /opt/zeek/bin/zeekctl netstats
  echo
 }
 if docker ps | grep -q zeek; then
  show_stats
 else
  echo "Zeek is not running! Try starting it with 'so-zeek-start'." && exit 1;
 fi
--- a/salt/curator/files/action/close.yml
+++ b/salt/curator/files/action/close.yml
@@ -1,12 +1,8 @@
-{% if grains['role'] == 'so-node' %}
+{%- if grains['role'] in ['so-node', 'so-searchnode', 'so-heavynode'] %}
-
+  {%- set cur_close_days = salt['pillar.get']('node:cur_close_days', '') -%}
-{%- set cur_close_days = salt['pillar.get']('node:cur_close_days', '') -%}
+{%- elif grains['role'] in ['so-eval', 'so-mastersearch', 'so-standalone'] %}
-
+  {%- set cur_close_days = salt['pillar.get']('master:cur_close_days', '') -%}
-{% elif grains['role'] == 'so-eval' %}
+{%- endif -%}
 {%- set cur_close_days = salt['pillar.get']('master:cur_close_days', '') -%}
 {%- endif %}
 ---
 # Remember, leave a key empty if there is no value.  None will be a string,
@@ -28,9 +24,8 @@ actions:
      disable_action: False
    filters:
    - filtertype: pattern
-      kind: prefix
+      kind: regex 
-      value: logstash-
+      value: '^(logstash-.*|so-.*)$'
      exclude:
    - filtertype: age
      source: name
      direction: older
--- a/salt/curator/files/action/delete.yml
+++ b/salt/curator/files/action/delete.yml
@@ -1,11 +1,7 @@
-{% if grains['role'] == 'so-node' %}
+{%- if grains['role'] in ['so-node', 'so-searchnode', 'so-heavynode'] %}
-
+  {%- set log_size_limit = salt['pillar.get']('node:log_size_limit', '') -%}
-{%- set log_size_limit = salt['pillar.get']('node:log_size_limit', '') -%}
+{%- elif grains['role'] in ['so-eval', 'so-mastersearch', 'so-standalone'] %}
-
+  {%- set log_size_limit = salt['pillar.get']('master:log_size_limit', '') -%}
 {% elif grains['role'] == 'so-eval' %}
 {%- set log_size_limit = salt['pillar.get']('master:log_size_limit', '') -%}
 {%- endif %}
 ---
 # Remember, leave a key empty if there is no value.  None will be a string,
@@ -24,8 +20,8 @@ actions:
      disable_action: False
    filters:
    - filtertype: pattern
-      kind: prefix
+      kind: regex
-      value: logstash-
+      value: '^(logstash-.*|so-.*)$'
    - filtertype: space
      source: creation_date
      use_age: True
--- a/salt/curator/files/bin/so-curator-closed-delete-delete
+++ b/salt/curator/files/bin/so-curator-closed-delete-delete
@@ -1,17 +1,13 @@
-{% if grains['role'] == 'so-node' %}
+{%- if grains['role'] in ['so-node', 'so-searchnode', 'so-heavynode'] %}
-
+  {%- set ELASTICSEARCH_HOST = salt['pillar.get']('node:mainip', '') -%}  
-{%- set ELASTICSEARCH_HOST = salt['pillar.get']('node:mainip', '') -%}
+  {%- set ELASTICSEARCH_PORT = salt['pillar.get']('node:es_port', '') -%}
-{%- set ELASTICSEARCH_PORT = salt['pillar.get']('node:es_port', '') -%}
+  {%- set LOG_SIZE_LIMIT = salt['pillar.get']('node:log_size_limit', '') -%}
-{%- set LOG_SIZE_LIMIT = salt['pillar.get']('node:log_size_limit', '') -%}
+{%- elif grains['role'] in ['so-eval', 'so-mastersearch', 'so-standalone'] %}
-
+  {%- set ELASTICSEARCH_HOST = salt['pillar.get']('master:mainip', '') -%}
-{% elif grains['role'] == 'so-eval' %}
+  {%- set ELASTICSEARCH_PORT = salt['pillar.get']('master:es_port', '') -%}
-
+  {%- set LOG_SIZE_LIMIT = salt['pillar.get']('master:log_size_limit', '') -%}
-{%- set ELASTICSEARCH_HOST = salt['pillar.get']('master:mainip', '') -%}
+{%- endif -%}
 {%- set ELASTICSEARCH_PORT = salt['pillar.get']('master:es_port', '') -%}
 {%- set LOG_SIZE_LIMIT = salt['pillar.get']('master:log_size_limit', '') -%}
 {%- endif %}
 #!/bin/bash
 #
@@ -37,17 +33,17 @@ LOG="/opt/so/log/curator/so-curator-closed-delete.log"
 # Check for 2 conditions:
 # 1. Are Elasticsearch indices using more disk space than LOG_SIZE_LIMIT?
-# 2. Are there any closed logstash- indices that we can delete?
+# 2. Are there any closed logstash-, or so- indices that we can delete?
 # If both conditions are true, keep on looping until one of the conditions is false.
 while [[ $(du -hs --block-size=1GB /nsm/elasticsearch/nodes | awk '{print $1}' ) -gt "{{LOG_SIZE_LIMIT}}" ]] &&
-curl -s {{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices | grep "^      close logstash-" > /dev/null; do
+curl -s {{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices | grep -E "^      close (logstash-|so-)" > /dev/null; do
 	# We need to determine OLDEST_INDEX.
-	# First, get the list of closed indices that are prefixed with "logstash-".
+	# First, get the list of closed indices that are prefixed with "logstash-" or "so-".
 	# For example: logstash-ids-YYYY.MM.DD
 	# Then, sort by date by telling sort to use hyphen as delimiter and then sort on the third field.
 	# Finally, select the first entry in that sorted list.
-	OLDEST_INDEX=$(curl -s {{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices | grep "^      close logstash-" | awk '{print $2}' | sort -t- -k3 | head -1)
+	OLDEST_INDEX=$(curl -s {{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices | grep -E "^      close (logstash-|so-)" | awk '{print $2}' | sort -t- -k3 | head -1)
 	# Now that we've determined OLDEST_INDEX, ask Elasticsearch to delete it.
 	curl -XDELETE {{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/${OLDEST_INDEX}
--- a/salt/curator/files/curator.yml
+++ b/salt/curator/files/curator.yml
@@ -1,11 +1,7 @@
-{% if grains['role'] == 'so-node' %}
+{% if grains['role'] in ['so-node', 'so-heavynode'] %}
-
+  {%- set elasticsearch = salt['pillar.get']('node:mainip', '') -%}
-{%- set elasticsearch = salt['pillar.get']('node:mainip', '') -%}
+{% elif grains['role'] in ['so-eval', 'so-mastersearch', 'so-standalone'] %}
-
+  {%- set elasticsearch = salt['pillar.get']('master:mainip', '') -%}
 {% elif grains['role'] == 'so-eval' %}
 {%- set elasticsearch = salt['pillar.get']('master:mainip', '') -%}
 {%- endif %}
 ---
--- a/salt/curator/init.sls
+++ b/salt/curator/init.sls
@@ -1,6 +1,6 @@
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
 {% set MASTER = salt['grains.get']('master') %}
-{% if grains['role'] == 'so-node' or grains['role'] == 'so-eval' %}
+{% if grains['role'] in ['so-eval', 'so-node', 'so-mastersearch', 'so-heavynode', 'so-standalone'] %}
 # Curator
 # Create the group
 curatorgroup:
@@ -89,7 +89,7 @@ curdel:
 so-curatorcloseddeletecron:
 cron.present:
-   - name: /usr/sbin/so-curator-closed-delete
+   - name: /usr/sbin/so-curator-closed-delete > /opt/so/log/curator/cron-closed-delete.log 2>&1
   - user: root
   - minute: '*'
   - hour: '*'
@@ -99,7 +99,7 @@ so-curatorcloseddeletecron:
 so-curatorclosecron:
 cron.present:
-   - name: /usr/sbin/so-curator-close
+   - name: /usr/sbin/so-curator-close > /opt/so/log/curator/cron-close.log 2>&1
   - user: root
   - minute: '*'
   - hour: '*'
@@ -109,7 +109,7 @@ so-curatorclosecron:
 so-curatordeletecron:
 cron.present:
-   - name: /usr/sbin/so-curator-delete
+   - name: /usr/sbin/so-curator-delete > /opt/so/log/curator/cron-delete.log 2>&1
   - user: root
   - minute: '*'
   - hour: '*'
--- a/salt/docker/init.sls
+++ b/salt/docker/init.sls
@@ -0,0 +1,8 @@
 installdocker:
  pkg.installed:
    - name: docker-ce
 # Make sure Docker is running!
 docker:
  service.running:
    - enable: True
--- a/salt/elastalert/files/elastalert_config.yaml
+++ b/salt/elastalert/files/elastalert_config.yaml
@@ -2,7 +2,7 @@
 {% set esport = salt['pillar.get']('master:es_port', '') %}
 # This is the folder that contains the rule yaml files
 # Any .yaml file will be loaded as a rule
-rules_folder: /etc/elastalert/rules/
+rules_folder: /opt/elastalert/rules/
 # Sets whether or not ElastAlert should recursively descend
 # the rules directory - true or false
--- a/salt/elastalert/files/modules/so/thehive.py
+++ b/salt/elastalert/files/modules/so/thehive.py
@@ -1,107 +0,0 @@
 # -*- coding: utf-8 -*-
 # HiveAlerter modified from original at: https://raw.githubusercontent.com/Nclose-ZA/elastalert_hive_alerter/master/elastalert_hive_alerter/hive_alerter.py
 import uuid
 from elastalert.alerts import Alerter
 from thehive4py.api import TheHiveApi
 from thehive4py.models import Alert, AlertArtifact, CustomFieldHelper
 class TheHiveAlerter(Alerter):
    """
    Use matched data to create alerts containing observables in an instance of TheHive
    """
    required_options = set(['hive_connection', 'hive_alert_config'])
    def get_aggregation_summary_text(self, matches):
        text = super(TheHiveAlerter, self).get_aggregation_summary_text(matches)
        if text:
            text = '```\n{0}```\n'.format(text)
        return text
    def create_artifacts(self, match):
        artifacts = []
        context = {'rule': self.rule, 'match': match}
        for mapping in self.rule.get('hive_observable_data_mapping', []):
            for observable_type, match_data_key in mapping.items():
                try:
                    artifacts.append(AlertArtifact(dataType=observable_type, data=match_data_key.format(**context)))
                except KeyError as e:
                    print(('format string {} fail cause no key {} in {}'.format(e, match_data_key, context)))
        return artifacts
    def create_alert_config(self, match):
        context = {'rule': self.rule, 'match': match}
        alert_config = {
            'artifacts': self.create_artifacts(match),
            'sourceRef': str(uuid.uuid4())[0:6],
            'title': '{rule[name]}'.format(**context)
        }
        alert_config.update(self.rule.get('hive_alert_config', {}))
        for alert_config_field, alert_config_value in alert_config.items():
            if alert_config_field == 'customFields':
                custom_fields = CustomFieldHelper()
                for cf_key, cf_value in alert_config_value.items():
                    try:
                        func = getattr(custom_fields, 'add_{}'.format(cf_value['type']))
                    except AttributeError:
                        raise Exception('unsupported custom field type {}'.format(cf_value['type']))
                    value = cf_value['value'].format(**context)
                    func(cf_key, value)
                alert_config[alert_config_field] = custom_fields.build()
            elif isinstance(alert_config_value, str):
                alert_config[alert_config_field] = alert_config_value.format(**context)
            elif isinstance(alert_config_value, (list, tuple)):
                formatted_list = []
                for element in alert_config_value:
                    try:
                        formatted_list.append(element.format(**context))
                    except (AttributeError, KeyError, IndexError):
                        formatted_list.append(element)
                alert_config[alert_config_field] = formatted_list
        return alert_config
    def send_to_thehive(self, alert_config):
        connection_details = self.rule['hive_connection']
        api = TheHiveApi(
            connection_details.get('hive_host', ''),
            connection_details.get('hive_apikey', ''),
            proxies=connection_details.get('hive_proxies', {'http': '', 'https': ''}),
            cert=connection_details.get('hive_verify', False))
        alert = Alert(**alert_config)
        response = api.create_alert(alert)
        if response.status_code != 201:
            raise Exception('alert not successfully created in TheHive\n{}'.format(response.text))
    def alert(self, matches):
        if self.rule.get('hive_alert_config_type', 'custom') != 'classic':
            for match in matches:
                alert_config = self.create_alert_config(match)
                self.send_to_thehive(alert_config)
        else:
            alert_config = self.create_alert_config(matches[0])
            artifacts = []
            for match in matches:
                artifacts += self.create_artifacts(match)
                if 'related_events' in match:
                    for related_event in match['related_events']:
                        artifacts += self.create_artifacts(related_event)
            alert_config['artifacts'] = artifacts
            alert_config['title'] = self.create_title(matches)
            alert_config['description'] = self.create_alert_body(matches)
            self.send_to_thehive(alert_config)
    def get_info(self):
        return {
            'type': 'hivealerter',
            'hive_host': self.rule.get('hive_connection', {}).get('hive_host', '')
        }
--- a/salt/elastalert/files/rules/so/nids2hive.yaml
+++ b/salt/elastalert/files/rules/so/nids2hive.yaml
@@ -1,6 +1,8 @@
 {% set es = salt['pillar.get']('static:masterip', '') %}
 {% set hivehost = salt['pillar.get']('static:masterip', '') %}
 {% set hivekey = salt['pillar.get']('static:hivekey', '') %}
 {% set MASTER = salt['pillar.get']('master:url_base', '') %}
 # hive.yaml
 # Elastalert rule to forward IDS alerts from Security Onion to a specified TheHive instance.
 #
@@ -15,7 +17,7 @@ timeframe:
 buffer_time:
    minutes: 10
 allow_buffer_time_overlap: true
-query_key: ["rule.signature_id"]
+query_key: ["rule.uuid"]
 realert:
    days: 1
 filter:
@@ -23,12 +25,13 @@ filter:
   query_string:
      query: "event.module: suricata"
-alert: modules.so.thehive.TheHiveAlerter
+alert: hivealerter
 hive_connection:
-  hive_host: https://{{hivehost}}/thehive/
+  hive_host: http://{{hivehost}}
  hive_port: 9000/thehive
  hive_apikey: {{hivekey}}
-
+  
 hive_proxies:
  http: ''
  https: ''
@@ -37,9 +40,9 @@ hive_alert_config:
  title: '{match[rule][name]}'
  type: 'NIDS'
  source: 'SecurityOnion'
-  description: "`NIDS Dashboard:` \n\n <https://{{es}}/kibana/app/kibana#/dashboard/ed6f7e20-e060-11e9-8f0c-2ddbf5ed9290?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'sid:')),sort:!('@timestamp',desc))> \n\n `IPs: `{match[source][ip]}:{match[source][port]} --> {match[destination][ip]}:{match[destination][port]} \n\n `Signature:`{match[rule][rule]}"
+  description: "`Hunting Pivot:` \n\n <https://{{MASTER}}/#/hunt?q=event.module%3A%20suricata%20AND%20rule.uuid%3A{match[rule][uuid]}%20%7C%20groupby%20source.ip%20destination.ip%20rule.name>  \n\n `Kibana Dashboard - Signature Drilldown:` \n\n <https://{{MASTER}}/kibana/app/kibana#/dashboard/ed6f7e20-e060-11e9-8f0c-2ddbf5ed9290?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'sid:')),sort:!('@timestamp',desc))> \n\n `Kibana Dashboard - Community_ID:` \n\n <https://{{MASTER}}/kibana/app/kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'*:so-*',key:network.community_id,negate:!f,params:(query:'{match[network][community_id]}'),type:phrase),query:(match_phrase:(network.community_id:'{match[network][community_id]}')))),refreshInterval:(pause:!t,value:0),time:(from:now-7d,to:now))>  \n\n `IPs: `{match[source][ip]}:{match[source][port]} --> {match[destination][ip]}:{match[destination][port]} \n\n `Signature:`{match[rule][rule]}"
  severity: 2
-  tags: ['{match[rule][signature_id]}','{match[source][ip]}','{match[destination][ip]}']
+  tags: ['{match[rule][uuid]}','{match[source][ip]}','{match[destination][ip]}']
  tlp: 3
  status: 'New'
  follow: True
--- a/salt/elastalert/init.sls
+++ b/salt/elastalert/init.sls
@@ -12,26 +12,15 @@
 #
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.1') %}
+{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
 {% set MASTER = salt['grains.get']('master') %}
 {% if grains['role'] == 'so-master' %}
 {% set esalert = salt['pillar.get']('master:elastalert', '1') %}
 {% set esip = salt['pillar.get']('master:mainip', '') %}
 {% set esport = salt['pillar.get']('master:es_port', '') %}
 {% elif grains['role'] in ['so-eval','so-mastersearch'] %}
 {% set esalert = salt['pillar.get']('master:elastalert', '1') %}
 {% set esip = salt['pillar.get']('master:mainip', '') %}
 {% set esport = salt['pillar.get']('master:es_port', '') %}
 {% if grains['role'] in ['so-eval','so-mastersearch', 'so-master', 'so-standalone'] %}
  {% set esalert = salt['pillar.get']('master:elastalert', '1') %}
  {% set esip = salt['pillar.get']('master:mainip', '') %}
  {% set esport = salt['pillar.get']('master:es_port', '') %}
 {% elif grains['role'] == 'so-node' %}
-
+  {% set esalert = salt['pillar.get']('node:elastalert', '0') %}
 {% set esalert = salt['pillar.get']('node:elastalert', '0') %}
 {% endif %}
 # Elastalert
@@ -55,35 +44,35 @@ elastalogdir:
  file.directory:
    - name: /opt/so/log/elastalert
    - user: 933
-    - group: 939
+    - group: 933
    - makedirs: True
 elastarules:
  file.directory:
    - name: /opt/so/rules/elastalert
    - user: 933
-    - group: 939
+    - group: 933
    - makedirs: True
 elastaconfdir:
  file.directory:
    - name: /opt/so/conf/elastalert
    - user: 933
-    - group: 939
+    - group: 933
    - makedirs: True
 elastasomodulesdir:
  file.directory:
    - name: /opt/so/conf/elastalert/modules/so
    - user: 933
-    - group: 939
+    - group: 933
    - makedirs: True
 elastacustmodulesdir:
  file.directory:
    - name: /opt/so/conf/elastalert/modules/custom
    - user: 933
-    - group: 939
+    - group: 933
    - makedirs: True
 elastasomodulesync:
@@ -91,7 +80,7 @@ elastasomodulesync:
    - name: /opt/so/conf/elastalert/modules/so
    - source: salt://elastalert/files/modules/so
    - user: 933
-    - group: 939
+    - group: 933
    - makedirs: True
 elastarulesync:
@@ -99,7 +88,7 @@ elastarulesync:
    - name: /opt/so/rules/elastalert
    - source: salt://elastalert/files/rules/so
    - user: 933
-    - group: 939
+    - group: 933
    - template: jinja
 elastaconf:
@@ -107,7 +96,7 @@ elastaconf:
    - name: /opt/so/conf/elastalert/elastalert_config.yaml
    - source: salt://elastalert/files/elastalert_config.yaml
    - user: 933
-    - group: 939
+    - group: 933
    - template: jinja
 so-elastalert:
@@ -118,16 +107,9 @@ so-elastalert:
    - user: elastalert
    - detach: True
    - binds:
-      - /opt/so/rules/elastalert:/etc/elastalert/rules/:ro
+      - /opt/so/rules/elastalert:/opt/elastalert/rules/:ro
      - /opt/so/log/elastalert:/var/log/elastalert:rw
      - /opt/so/conf/elastalert/modules/:/opt/elastalert/modules/:ro
-      - /opt/so/conf/elastalert/elastalert_config.yaml:/etc/elastalert/conf/elastalert_config.yaml:ro
+      - /opt/so/conf/elastalert/elastalert_config.yaml:/opt/config/elastalert_config.yaml:ro
    - environment:
      - ELASTICSEARCH_HOST: {{ esip }}
      - ELASTICSEARCH_PORT: {{ esport }}
      - ELASTALERT_CONFIG: /etc/elastalert/conf/elastalert_config.yaml
      - ELASTALERT_SUPERVISOR_CONF: /etc/elastalert/conf/elastalert_supervisord.conf
      - RULES_DIRECTORY: /etc/elastalert/rules/
      - LOG_DIR: /var/log/elastalert
 {% endif %}
--- a/salt/elasticsearch/files/elasticsearch.yml
+++ b/salt/elasticsearch/files/elasticsearch.yml
@@ -22,3 +22,7 @@ transport.bind_host: 0.0.0.0
 transport.publish_host: {{ nodeip }}
 transport.publish_port: 9300
 {%- endif %}
 cluster.routing.allocation.disk.threshold_enabled: true
 cluster.routing.allocation.disk.watermark.low: 95%
 cluster.routing.allocation.disk.watermark.high: 98%
 cluster.routing.allocation.disk.watermark.flood_stage: 98%
--- a/salt/elasticsearch/files/ingest/beats.common
+++ b/salt/elasticsearch/files/ingest/beats.common
@@ -0,0 +1,35 @@
 {
  "description" : "beats.common",
  "processors" : [
    {"community_id":   {"if": "ctx.winlog.event_data?.Protocol != null", "field":["winlog.event_data.SourceIp","winlog.event_data.SourcePort","winlog.event_data.DestinationIp","winlog.event_data.DestinationPort","winlog.event_data.Protocol"],"target_field":"network.community_id"}},    
    { "set":           { "if": "ctx.winlog?.channel != null",   "field": "dataset", "value": "wel-{{winlog.channel}}", "override": true }  },
    { "set":           { "if": "ctx.agent?.type != null",   "field": "module", "value": "{{agent.type}}", "override": true }  },   
    { "set":           { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 3",   "field": "event.category", "value": "host,process,network", "override": true }  },
    { "set":           { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 1",   "field": "event.category", "value": "host,process", "override": true }  },
    { "rename": 	   { "field": "agent.hostname", 			            "target_field": "agent.name",		"ignore_missing": true 	} },
    { "rename": 	   { "field": "winlog.event_data.SubjectUserName", 			  "target_field": "user.name",		"ignore_missing": true 	} },
    { "rename": 	   { "field": "winlog.event_data.DestinationHostname", 	  "target_field": "destination.hostname",	"ignore_missing": true 	} },
    { "rename": 	   { "field": "winlog.event_data.DestinationIp", 		      "target_field": "destination.ip",	"ignore_missing": true 	} },
    { "rename": 	   { "field": "winlog.event_data.DestinationPort", 	      "target_field": "destination.port",	"ignore_missing": true 	} },
    { "rename": 	   { "field": "winlog.event_data.Image", 			            "target_field": "process.executable",		"ignore_missing": true 	} },
    { "rename": 	   { "field": "winlog.event_data.ProcessID", 			        "target_field": "process.pid",		"ignore_missing": true 	} },
    { "rename": 	   { "field": "winlog.event_data.ProcessGuid", 			      "target_field": "process.entity_id",		"ignore_missing": true 	} },
    { "rename": 	   { "field": "winlog.event_data.CommandLine", 			      "target_field": "process.command_line",		"ignore_missing": true 	} },
    { "rename": 	   { "field": "winlog.event_data.CurrentDirectory", 			"target_field": "process.working_directory",		"ignore_missing": true 	} },
    { "rename": 	   { "field": "winlog.event_data.Description", 			      "target_field": "process.pe.description",		"ignore_missing": true 	} },
    { "rename": 	   { "field": "winlog.event_data.Product", 			          "target_field": "process.pe.product",		"ignore_missing": true 	} },
    { "rename": 	   { "field": "winlog.event_data.OriginalFileName", 			"target_field": "process.pe.original_file_name",		"ignore_missing": true 	} },
    { "rename": 	   { "field": "winlog.event_data.FileVersion", 			      "target_field": "process.pe.file_version",		"ignore_missing": true 	} },
    { "rename": 	   { "field": "winlog.event_data.ParentCommandLine", 			"target_field": "process.parent.command_line",		"ignore_missing": true 	} },
    { "rename": 	   { "field": "winlog.event_data.ParentImage", 			      "target_field": "process.parent.executable",		"ignore_missing": true 	} },
    { "rename": 	   { "field": "winlog.event_data.ParentProcessGuid", 			"target_field": "process.parent.entity_id",		"ignore_missing": true 	} },
    { "rename": 	   { "field": "winlog.event_data.ParentProcessId", 			  "target_field": "process.ppid",		"ignore_missing": true 	} },
    { "rename": 	   { "field": "winlog.event_data.Protocol", 	              "target_field": "network.transport",	"ignore_missing": true 	} },
    { "rename": 	   { "field": "winlog.event_data.User", 			            "target_field": "user.name",		"ignore_missing": true 	} },
    { "rename": 	   { "field": "winlog.event_data.SourceHostname", 	      "target_field": "source.hostname",	"ignore_missing": true 	} },
    { "rename": 	   { "field": "winlog.event_data.SourceIp", 		          "target_field": "source.ip",		"ignore_missing": true 	} },
    { "rename": 	   { "field": "winlog.event_data.SourcePort", 		        "target_field": "source.port",		"ignore_missing": true 	} },   
    { "rename": 	   { "field": "winlog.event_data.targetFilename",		      "target_field": "file.target",	"ignore_missing": true 	} },
    { "pipeline":    { "name": "common" } }
  ]
 }
--- a/salt/elasticsearch/files/ingest/common
+++ b/salt/elasticsearch/files/ingest/common
@@ -4,7 +4,7 @@
    { 	
 	"geoip":  { 
 		"field": "destination.ip",
-		"target_field": "geo",
+		"target_field": "destination.geo",
 		"database_file": "GeoLite2-City.mmdb",
 		"ignore_missing": true, 
 		"properties": ["ip", "country_iso_code", "country_name", "continent_name", "region_iso_code", "region_name", "city_name", "timezone", "location"]
@@ -13,7 +13,7 @@
    { 
 	"geoip":  {
 		"field": "source.ip",
-		"target_field": "geo",
+		"target_field": "source.geo",
 		"database_file": "GeoLite2-City.mmdb",
 		"ignore_missing": true,
 		"properties": ["ip", "country_iso_code", "country_name", "continent_name", "region_iso_code", "region_name", "city_name", "timezone", "location"]
@@ -38,12 +38,15 @@
    { "rename":         { "field": "module",              "target_field": "event.module",                  "ignore_missing": true  } },
    { "rename":         { "field": "dataset",              "target_field": "event.dataset",                  "ignore_missing": true  } },
    { "rename":         { "field": "category",              "target_field": "event.category",                  "ignore_missing": true  } },
-    { "rename":         { "field": "message2.community_id",              "target_field": "network.community_id",                  "ignore_missing": true  } },
+    { "rename":         { "field": "message2.community_id", "target_field": "network.community_id",  "ignore_failure": true,  "ignore_missing": true  } },
    { "convert":         { "field": "destination.port", "type": "integer",  "ignore_failure": true,  "ignore_missing": true  } },
    { "convert":         { "field": "source.port", "type": "integer",  "ignore_failure": true,  "ignore_missing": true  } },
    { "convert":         { "field": "log.id.uid", "type": "string",  "ignore_failure": true,  "ignore_missing": true  } },
    { 
-	"remove": {
+        "remove": {
-		"field": [ "index_name_prefix", "message2"],
+                "field": [ "index_name_prefix", "message2", "type" ],
-		"ignore_failure": false
+                "ignore_failure": true
-	}
+        }
    }
  ]
 }
--- a/salt/elasticsearch/files/ingest/osquery.query_result
+++ b/salt/elasticsearch/files/ingest/osquery.query_result
@@ -24,8 +24,14 @@
    { "rename":      { "field": "message3.columns.pid",                                     "target_field": "process.pid",              "ignore_missing": true  } },
    { "rename":      { "field": "message3.columns.parent",                                  "target_field": "process.ppid",              "ignore_missing": true  } },
    { "rename":      { "field": "message3.columns.cwd",                                     "target_field": "process.working_directory",              "ignore_missing": true  } },
    { "rename":      { "field": "message3.columns.community_id",                            "target_field": "network.community_id",   "ignore_missing": true  } },
    { "rename":      { "field": "message3.columns.local_address",                           "target_field": "local.ip",              "ignore_missing": true  } },
    { "rename":      { "field": "message3.columns.local_port",                              "target_field": "local.port",              "ignore_missing": true  } },
    { "rename":      { "field": "message3.columns.remote_address",                          "target_field": "remote.ip",              "ignore_missing": true  } },
    { "rename":      { "field": "message3.columns.remote_port",                             "target_field": "remote.port",              "ignore_missing": true  } },
    { "rename":      { "field": "message3.columns.process_name",                            "target_field": "process.name",              "ignore_missing": true  } },
    { "rename": 	   { "field": "message3.columns.eventid", 			                          "target_field": "event.code",		"ignore_missing": true 	} },
-    { "set":         { "if": "ctx.message3.columns.data != null",   "field": "dataset", "value": "wel-{{message3.columns.source}}", "override": true }  },
+    { "set":         { "if": "ctx.message3.columns?.data != null",   "field": "dataset", "value": "wel-{{message3.columns.source}}", "override": true }  },
    { "rename": 	   { "field": "message3.columns.winlog.EventData.SubjectUserName", 			  "target_field": "user.name",		"ignore_missing": true 	} },
    { "rename": 	   { "field": "message3.columns.winlog.EventData.destinationHostname", 	  "target_field": "destination.hostname",	"ignore_missing": true 	} },
    { "rename": 	   { "field": "message3.columns.winlog.EventData.destinationIp", 		      "target_field": "destination.ip",	"ignore_missing": true 	} },
--- a/salt/elasticsearch/files/ingest/suricata.alert
+++ b/salt/elasticsearch/files/ingest/suricata.alert
@@ -1,11 +1,12 @@
 {
  "description" : "suricata.alert",
  "processors" : [
    { "json":           { "field": "message",                   "target_field": "message2",             "ignore_failure": true  } },
    { "rename":{ "field": "message2.comunity_id",       "target_field": "network.comunity_id",  "ignore_failure": true  } },
    { "rename":{ "field": "message2.alert",	"target_field": "rule",	"ignore_failure": true 	} },
    { "rename":{ "field": "rule.signature",     "target_field": "rule.name", "ignore_failure": true  } },
    { "rename":{ "field": "rule.ref",     "target_field": "rule.version", "ignore_failure": true  } },
-    { "pipeline": { "name": "suricata.common" } }
+    { "rename":{ "field": "rule.signature_id",     "target_field": "rule.uuid", "ignore_failure": true  } },
    { "rename":{ "field": "rule.signature_id",     "target_field": "rule.signature", "ignore_failure": true  } },
    { "rename":{ "field": "message2.payload_printable",     "target_field": "network.data.decoded", "ignore_failure": true  } },
    { "pipeline": { "name": "common" } }
  ]
 }
--- a/salt/elasticsearch/files/ingest/suricata.common
+++ b/salt/elasticsearch/files/ingest/suricata.common
@@ -1,15 +1,18 @@
 {
  "description" : "suricata.common",
  "processors" : [
    { "json":           { "field": "message",                   "target_field": "message2",             "ignore_failure": true  } },
    { "rename":{ "field": "message2.proto",		"target_field": "network.transport",		"ignore_failure": true 	} },
-    { "rename":{ "field": "message2.flow_id",		"target_field": "event.id",		"ignore_failure": true 	} },
+    { "rename":{ "field": "message2.flow_id",		"target_field": "log.id.uid",		"ignore_failure": true 	} },
    { "rename":{ "field": "message2.src_ip",       "target_field": "source.ip",  "ignore_failure": true  } },
    { "rename":{ "field": "message2.src_port",       "target_field": "source.port",  "ignore_failure": true  } },
    { "rename":{ "field": "message2.dest_ip",       "target_field": "destination.ip",  "ignore_failure": true  } },
    { "rename":{ "field": "message2.dest_port",       "target_field": "destination.port",  "ignore_failure": true  } },
    { "rename":         { "field": "message2.community_id",        "target_field": "network.community_id",     "ignore_missing": true  } },
    { "remove":{ "field": "dataset", 						"ignore_failure": true	} },
    { "rename":{ "field": "message2.event_type",		"target_field": "dataset",		"ignore_failure": true 	} },
    { "set":         { "field": "observer.name",        "value": "{{agent.name}}"  } },
-    { "remove":         { "field": ["agent"],     "ignore_failure": true                                                                  } },
+    { "remove":{ "field": "agent", 						"ignore_failure": true	} },
-    { "pipeline": { "name": "common" } }
+    { "pipeline": { "name": "suricata.{{dataset}}" } }
  ]
 }
--- a/salt/elasticsearch/files/ingest/suricata.dhcp
+++ b/salt/elasticsearch/files/ingest/suricata.dhcp
@@ -0,0 +1,14 @@
 {
  "description" : "suricata.dhcp",
  "processors" : [
    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.dhcp.assigned_ip", 		"target_field": "dhcp.assigned_ip",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.dhcp.client_mac", 		"target_field": "host.mac",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.dhcp.dhcp_type", 		"target_field": "dhcp.message_types",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.dhcp.assigned_ip", 		"target_field": "dhcp.assigned_ip",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.dhcp.type", 		"target_field": "dhcp.type",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.dhcp.id", 		"target_field": "dhcp.id",		"ignore_missing": true 	} },
    { "pipeline": { "name": "common" } }
  ]
 }
--- a/salt/elasticsearch/files/ingest/suricata.dnp3
+++ b/salt/elasticsearch/files/ingest/suricata.dnp3
@@ -0,0 +1,8 @@
 {
  "description" : "suricata.dnp3",
  "processors" : [
    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
    { "pipeline": { "name": "common" } }
  ]
 }
--- a/salt/elasticsearch/files/ingest/suricata.dns
+++ b/salt/elasticsearch/files/ingest/suricata.dns
@@ -0,0 +1,14 @@
 {
  "description" : "suricata.dns",
  "processors" : [
    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.dns.type", 		"target_field": "dns.type",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.dns.tx_id",		"target_field": "dns.id",	"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.dns.version", 		"target_field": "dns.version",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.dns.rrname", 		"target_field": "dns.query.name",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.grouped.A", 		"target_field": "dns.answers",			"ignore_missing": true 	} },
    { "pipeline": { "name": "common" } }
  ]
 }
--- a/salt/elasticsearch/files/ingest/suricata.fileinfo
+++ b/salt/elasticsearch/files/ingest/suricata.fileinfo
@@ -0,0 +1,8 @@
 {
  "description" : "suricata.fileinfo",
  "processors" : [
    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
    { "pipeline": { "name": "common" } }
  ]
 }
--- a/salt/elasticsearch/files/ingest/suricata.flow
+++ b/salt/elasticsearch/files/ingest/suricata.flow
@@ -0,0 +1,14 @@
 {
  "description" : "suricata.flow",
  "processors" : [
    { "set":      { "field": "dataset",        "value": "conn"  } },
    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.flow.state", 		"target_field": "connection.state",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.flow.bytes_toclient", 		"target_field": "server.ip_bytes",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.flow.bytes_toserver", 		"target_field": "client.ip_bytes",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.flow.start", 		"target_field": "connection.start",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.flow.end", 		"target_field": "connection.end",		"ignore_missing": true 	} },
    { "pipeline": { "name": "common" } }
  ]
 }
--- a/salt/elasticsearch/files/ingest/suricata.ftp
+++ b/salt/elasticsearch/files/ingest/suricata.ftp
@@ -0,0 +1,14 @@
 {
  "description" : "suricata.ftp",
  "processors" : [
    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.ftp.reply", 		"target_field": "server.reply_message",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.ftp.completion_code", 		"target_field": "server.reply_code",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.ftp.reply_received", 		"target_field": "server.reply_received",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.ftp.command", 		"target_field": "ftp.command",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.ftp.command_data", 		"target_field": "ftp.command_data",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.ftp.dynamic_port", 		"target_field": "ftp.data_channel_destination.port",		"ignore_missing": true 	} },
    { "pipeline": { "name": "common" } }
  ]
 }
--- a/salt/elasticsearch/files/ingest/suricata.http
+++ b/salt/elasticsearch/files/ingest/suricata.http
@@ -0,0 +1,17 @@
 {
  "description" : "suricata.http",
  "processors" : [
    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.http.hostname", 		"target_field": "http.virtual_host",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.http.http_user_agent", 		"target_field": "http.useragent",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.http.url", 		"target_field": "http.uri",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.http.http_content_type", 		"target_field": "file.resp_mime_types",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.http.http_refer", 		"target_field": "http.referrer",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.http.http_method", 		"target_field": "http.method",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.http.protocol", 		"target_field": "http.version",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.http.status", 		"target_field": "http.status_code",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.http.length", 		"target_field": "http.request.body.length",		"ignore_missing": true 	} },
    { "pipeline": { "name": "common" } }
  ]
 }
--- a/salt/elasticsearch/files/ingest/suricata.ikev2
+++ b/salt/elasticsearch/files/ingest/suricata.ikev2
@@ -0,0 +1,8 @@
 {
  "description" : "suricata.ikev2",
  "processors" : [
    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
    { "pipeline": { "name": "common" } }
  ]
 }
--- a/salt/elasticsearch/files/ingest/suricata.krb5
+++ b/salt/elasticsearch/files/ingest/suricata.krb5
@@ -0,0 +1,8 @@
 {
  "description" : "suricata.krb5",
  "processors" : [
    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
    { "pipeline": { "name": "common" } }
  ]
 }
--- a/salt/elasticsearch/files/ingest/suricata.nfs
+++ b/salt/elasticsearch/files/ingest/suricata.nfs
@@ -0,0 +1,8 @@
 {
  "description" : "suricata.nfs",
  "processors" : [
    { "rename": 	{ "field": "message2.proto", 		"target_field": "network.transport",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.app_proto", 		"target_field": "network.protocol",		"ignore_missing": true 	} },
    { "pipeline": { "name": "common" } }
  ]
 }
--- a/Show More
+++ b/Show More
`@@ -17,4 +17,4 @@`

	`. /usr/sbin/so-common`	`. /usr/sbin/so-common`

	`/usr/sbin/so-start cortex $1`	`/usr/sbin/so-start thehive $1`