Merge pull request #10868 from Security-Onion-Solutions/2.4/dev

2.4.4
Merge pull request #10867 from Security-Onion-Solutions/2.4.4
2026-04-26 06:27:50 +02:00 · 2023-07-28 16:00:45 -04:00 · 2023-07-28 14:53:23 -04:00 · 2023-07-28 14:49:50 -04:00 · 2023-07-28 14:06:36 -04:00 · 2023-07-28 14:04:27 -04:00
503 changed files with 28021 additions and 38862 deletions
@@ -1,18 +1,18 @@
-### 2.4.2-20230531 ISO image built on 2023/05/31
+### 2.4.4-20230728 ISO image built on 2023/07/28
 ### Download and Verify
-2.4.2-20230531 ISO image:  
+2.4.4-20230728 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.4.2-20230531.iso
+https://download.securityonion.net/file/securityonion/securityonion-2.4.4-20230728.iso
-MD5: EB861EFB7F7DA6FB418075B4C452E4EB  
+MD5: F63E76245F3E745B5BDE9E6E647A7CB6  
-SHA1: 479A72DBB0633CB23608122F7200A24E2C3C3128  
+SHA1: 6CE4E4A3399CD282D4F8592FB19D510388AB3EEA  
-SHA256: B69C1AE4C576BBBC37F4B87C2A8379903421E65B2C4F24C90FABB0EAD6F0471B 
+SHA256: BF8FEB91B1D94B67C3D4A79D209B068F4A46FEC7C15EEF65B0FCE9851D7E6C9F 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.2-20230531.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.4-20230728.iso.sig
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS  
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.2-20230531.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.4-20230728.iso.sig
 ```
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.2-20230531.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.4-20230728.iso
 ```
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.4.2-20230531.iso.sig securityonion-2.4.2-20230531.iso
+gpg --verify securityonion-2.4.4-20230728.iso.sig securityonion-2.4.4-20230728.iso
 ```
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Wed 31 May 2023 05:01:41 PM EDT using RSA key ID FE507013
+gpg: Signature made Tue 11 Jul 2023 06:23:37 PM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.
@@ -49,4 +49,4 @@ Primary key fingerprint: C804 A93D 36BE 0C73 3EA1  9644 7C10 60B7 FE50 7013
 ```
 Once you've verified the ISO image, you're ready to proceed to our Installation guide:  
-https://docs.securityonion.net/en/2.4/installation.html
+https://docs.securityonion.net/en/2.4/installation.html
@@ -1,20 +1,26 @@
-## Security Onion 2.4 Beta 3
+## Security Onion 2.4 Release Candidate 1 (RC1)
-Security Onion 2.4 Beta 3 is here!
+Security Onion 2.4 Release Candidate 1 (RC1) is here!
 ## Screenshots
 Alerts
-![Alerts](./assets/images/screenshots/alerts.png)
+![Alerts](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/50_alerts.png)
 Dashboards
-![Dashboards](./assets/images/screenshots/dashboards.png)
+![Dashboards](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/51_dashboards.png)
 Hunt
-![Hunt](./assets/images/screenshots/hunt.png)
+![Hunt](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/52_hunt.png)
-Cases
+PCAP
-![Cases](./assets/images/screenshots/cases-comments.png)
+![PCAP](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/53_pcap.png)
 Grid
 ![Grid](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/57_grid.png)
 Config
 ![Config](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/61_config.png)
 ### Release Notes
@@ -1 +1 @@
-2.4.2
+2.4.4
@@ -1,13 +0,0 @@
 logrotate:
  conf: | 
    daily
    rotate 14
    missingok
    copytruncate
    compress
    create
    extension .log
    dateext
    dateyesterday
  group_conf: |
    su root socore
@@ -2,7 +2,7 @@
 {% set cached_grains = salt.saltutil.runner('cache.grains', tgt='*') %}
 {% for minionid, ip in salt.saltutil.runner(
    'mine.get',
-    tgt='G@role:so-manager or G@role:so-managersearch or G@role:so-standalone or G@role:so-searchnode or G@role:so-heavynode or G@role:so-receiver or G@role:so-helix ',
+    tgt='G@role:so-manager or G@role:so-managersearch or G@role:so-standalone or G@role:so-searchnode or G@role:so-heavynode or G@role:so-receiver or G@role:so-fleet ',
    fun='network.ip_addrs',
    tgt_type='compound') | dictsort()
 %}
@@ -0,0 +1,14 @@
 # Copyright Jason Ertel (github.com/jertel).
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with 
 # the Elastic License 2.0.
 # Note: Per the Elastic License 2.0, the second limitation states:
 #
 #   "You may not move, change, disable, or circumvent the license key functionality
 #    in the software, and you may not remove or obscure any functionality in the
 #    software that is protected by the license key."
 # This file is generated by Security Onion and contains a list of license-enabled features. 
 features: []
@@ -40,6 +40,7 @@ base:
    - logstash.adv_logstash
    - soc.soc_soc
    - soc.adv_soc
    - soc.license
    - soctopus.soc_soctopus
    - soctopus.adv_soctopus
    - kibana.soc_kibana
@@ -103,6 +104,7 @@ base:
    - idstools.adv_idstools
    - soc.soc_soc
    - soc.adv_soc
    - soc.license
    - soctopus.soc_soctopus
    - soctopus.adv_soctopus
    - kibana.soc_kibana
@@ -161,6 +163,7 @@ base:
    - manager.adv_manager
    - soc.soc_soc
    - soc.adv_soc
    - soc.license
    - soctopus.soc_soctopus
    - soctopus.adv_soctopus
    - kibana.soc_kibana
@@ -258,6 +261,7 @@ base:
    - manager.adv_manager
    - soc.soc_soc
    - soc.adv_soc
    - soc.license
    - soctopus.soc_soctopus
    - soctopus.adv_soctopus
    - kibana.soc_kibana
@@ -3,14 +3,14 @@ import subprocess
 def check():
-  os = __grains__['os']
+  osfam = __grains__['os_family']
  retval = 'False'
-  if os == 'Ubuntu':
+  if osfam == 'Debian':
    if path.exists('/var/run/reboot-required'):
      retval = 'True'
-  elif os == 'Rocky':
+  elif osfam == 'RedHat':
    cmd = 'needs-restarting -r > /dev/null 2>&1'
    try:
@@ -46,23 +46,7 @@
          'pcap',
          'suricata',
          'healthcheck',
-          'schedule',
+          'elasticagent',
          'tcpreplay',
          'docker_clean'
          ],
      'so-helixsensor': [
          'salt.master',
          'ca',
          'ssl',
          'registry',
          'telegraf',
          'firewall',
          'idstools',
          'suricata.manager',
          'zeek',
          'redis',
          'elasticsearch',
          'logstash',
          'schedule',
          'tcpreplay',
          'docker_clean'
@@ -203,7 +187,7 @@
          'schedule',
          'docker_clean'
          ],
-      'so-workstation': [
+      'so-desktop': [
          ],
  }, grain='role') %}
@@ -244,7 +228,7 @@
    {% do allowed_states.append('playbook') %}
  {% endif %}
-  {% if grains.role in ['so-helixsensor', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-receiver'] %}
+  {% if grains.role in ['so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-receiver'] %}
    {% do allowed_states.append('logstash') %}
  {% endif %}
@@ -20,7 +20,6 @@ pki_private_key:
    - name: /etc/pki/ca.key
    - keysize: 4096
    - passphrase:
    - cipher: aes_256_cbc
    - backup: True
    {% if salt['file.file_exists']('/etc/pki/ca.key') -%}
    - prereq:
@@ -1,2 +0,0 @@
 #!/bin/bash
 /usr/sbin/logrotate -f /opt/so/conf/log-rotate.conf > /dev/null 2>&1
@@ -1,2 +0,0 @@
 #!/bin/bash
 /usr/sbin/logrotate -f /opt/so/conf/sensor-rotate.conf > /dev/null 2>&1
@@ -1,79 +0,0 @@
 The following GUI tools are available on the analyst workstation:
 chromium
  url: https://www.chromium.org/Home
  To run chromium, click Applications > Internet > Chromium Web Browser
 Wireshark
  url: https://www.wireshark.org/
  To run Wireshark, click Applications > Internet > Wireshark Network Analyzer
 NetworkMiner
  url: https://www.netresec.com
  To run NetworkMiner, click Applications > Internet > NetworkMiner
 The following CLI tools are available on the analyst workstation:
 bit-twist
  url: http://bittwist.sourceforge.net
  To run bit-twist, open a terminal and type: bittwist -h
 chaosreader
  url: http://chaosreader.sourceforge.net
  To run chaosreader, open a terminal and type: chaosreader -h
 dnsiff
  url: https://www.monkey.org/~dugsong/dsniff/
  To run dsniff, open a terminal and type: dsniff -h
 foremost
  url: http://foremost.sourceforge.net
  To run foremost, open a terminal and type: foremost -h
 hping3
  url: http://www.hping.org/hping3.html
  To run hping3, open a terminal and type: hping3 -h
 netsed
  url: http://silicone.homelinux.org/projects/netsed/
  To run netsed, open a terminal and type: netsed -h
 ngrep
  url: https://github.com/jpr5/ngrep
  To run ngrep, open a terminal and type: ngrep -h
 scapy
  url: http://www.secdev.org/projects/scapy/
  To run scapy, open a terminal and type: scapy
 ssldump
  url: http://www.rtfm.com/ssldump/
  To run ssldump, open a terminal and type: ssldump -h
 sslsplit
  url: https://github.com/droe/sslsplit
  To run sslsplit, open a terminal and type: sslsplit -h
 tcpdump
  url: http://www.tcpdump.org
  To run tcpdump, open a terminal and type: tcpdump -h
 tcpflow
  url: https://github.com/simsong/tcpflow
  To run tcpflow, open a terminal and type: tcpflow -h
 tcpstat
  url: https://frenchfries.net/paul/tcpstat/
  To run tcpstat, open a terminal and type: tcpstat -h
 tcptrace
  url: http://www.tcptrace.org
  To run tcptrace, open a terminal and type: tcptrace -h
 tcpxtract
  url: http://tcpxtract.sourceforge.net/
  To run tcpxtract, open a terminal and type: tcpxtract -h
 whois
  url: http://www.linux.it/~md/software/
  To run whois, open a terminal and type: whois -h
@@ -1,13 +1,11 @@
 {%- set DOCKERRANGE = salt['pillar.get']('docker:range', '172.17.0.0/24') %}
 {%- set DOCKERBIND = salt['pillar.get']('docker:bip', '172.17.0.1/24') %}
 {
  "registry-mirrors": [
    "https://:5000"
  ],
-  "bip": "{{ DOCKERBIND }}",
+  "bip": "172.17.0.1/24",
  "default-address-pools": [
    {
-      "base": "{{ DOCKERRANGE }}",
+      "base": "172.17.0.0/24",
      "size": 24
    }
  ]
@@ -1,37 +0,0 @@
 {%- set logrotate_conf = salt['pillar.get']('logrotate:conf') %}
 {%- set group_conf = salt['pillar.get']('logrotate:group_conf') %}
 /opt/so/log/aptcacher-ng/*.log
 /opt/so/log/idstools/*.log
 /opt/so/log/nginx/*.log
 /opt/so/log/soc/*.log
 /opt/so/log/kratos/*.log
 /opt/so/log/kibana/*.log
 /opt/so/log/influxdb/*.log
 /opt/so/log/elastalert/*.log
 /opt/so/log/soctopus/*.log
 /opt/so/log/curator/*.log
 /opt/so/log/fleet/*.log
 /opt/so/log/suricata/*.log
 /opt/so/log/mysql/*.log
 /opt/so/log/telegraf/*.log
 /opt/so/log/redis/*.log
 /opt/so/log/sensoroni/*.log
 /opt/so/log/stenographer/*.log
 /opt/so/log/salt/so-salt-minion-check
 /opt/so/log/salt/minion
 /opt/so/log/salt/master
 /opt/so/log/logscan/*.log
 /nsm/idh/*.log
 {
    {{ logrotate_conf | indent(width=4) }}
 }
 # Playbook's log directory needs additional configuration
 # because Playbook requires a more permissive directory
 /opt/so/log/playbook/*.log
 {
    {{ logrotate_conf | indent(width=4) }}
    {{ group_conf | indent(width=4) }}
 }
@@ -1,22 +0,0 @@
 /opt/so/log/sensor_clean.log
 {
    daily
    rotate 2
    missingok
    nocompress
    create
    sharedscripts
 }
 /nsm/strelka/log/strelka.log
 {
    daily
    rotate 14
    missingok
    copytruncate
    compress
    create
    extension .log
    dateext
    dateyesterday
 }
@@ -10,6 +10,10 @@ include:
  - manager.elasticsearch # needed for elastic_curl_config state
 {% endif %}
 net.core.wmem_default:
  sysctl.present:
    - value: 26214400
 # Remove variables.txt from /tmp - This is temp
 rmvariablesfile:
  file.absent:
@@ -147,56 +151,8 @@ so-sensor-clean:
    - daymonth: '*'
    - month: '*'
    - dayweek: '*'
 sensorrotatescript:
  file.managed:
    - name: /usr/local/bin/sensor-rotate
    - source: salt://common/cron/sensor-rotate
    - mode: 755
 sensorrotateconf:
  file.managed:
    - name: /opt/so/conf/sensor-rotate.conf
    - source: salt://common/files/sensor-rotate.conf
    - mode: 644
 sensor-rotate:
  cron.present:
    - name: /usr/local/bin/sensor-rotate
    - identifier: sensor-rotate
    - user: root
    - minute: '1'
    - hour: '0'
    - daymonth: '*'
    - month: '*'
    - dayweek: '*'
 {% endif %}
 commonlogrotatescript:
  file.managed:
    - name: /usr/local/bin/common-rotate
    - source: salt://common/cron/common-rotate
    - mode: 755
 commonlogrotateconf:
  file.managed:
    - name: /opt/so/conf/log-rotate.conf
    - source: salt://common/files/log-rotate.conf
    - template: jinja
    - mode: 644
 common-rotate:
  cron.present:
    - name: /usr/local/bin/common-rotate
    - identifier: common-rotate
    - user: root
    - minute: '1'
    - hour: '0'
    - daymonth: '*'
    - month: '*'
    - dayweek: '*'
 # Create the status directory
 sostatusdir:
  file.directory:
@@ -239,7 +195,7 @@ soversionfile:
 {% endif %}
 {% if GLOBALS.so_model and GLOBALS.so_model not in ['SO2AMI01', 'SO2AZI01', 'SO2GCI01'] %}
-  {% if GLOBALS.os == 'Rocky' %}     
+  {% if GLOBALS.os == 'OEL' %}     
 # Install Raid tools
 raidpkgs:
  pkg.installed:
@@ -261,8 +217,7 @@ so-raid-status:
    - month: '*'
    - dayweek: '*'
-{% endif %}
+  {% endif %}
 {% else %}
 {{sls}}_state_not_allowed:
@@ -1,6 +1,6 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% if GLOBALS.os == 'Ubuntu' %}
+{% if GLOBALS.os_family == 'Debian' %}
 commonpkgs:
  pkg.installed:
    - skip_suggestions: True
@@ -14,16 +14,24 @@ commonpkgs:
      - software-properties-common
      - apt-transport-https
      - openssl
-      - netcat
+      - netcat-openbsd
      - sqlite3
      - libssl-dev
      - python3-dateutil
      - python3-docker
      - python3-packaging
      - python3-watchdog
      - python3-lxml
      - git
      - rsync
      - vim
      - tar
      - unzip
      {% if grains.oscodename != 'focal' %}
      - python3-rich
      {% endif %}
 {%     if grains.oscodename == 'focal' %}
 # since Ubuntu requires and internet connection we can use pip to install modules
 python3-pip:
  pkg.installed
@@ -34,34 +42,45 @@ python-rich:
    - target: /usr/local/lib/python3.8/dist-packages/
    - require:
      - pkg: python3-pip
-  
+{%     endif %}
 {% endif %}
-{% elif GLOBALS.os == 'Rocky' %}     
+{% if GLOBALS.os_family == 'RedHat' %}
 commonpkgs:
  pkg.installed:
    - skip_suggestions: True
    - pkgs:
      - wget
      - jq
      - tcpdump
      - httpd-tools
      - net-tools
      - curl
      - sqlite
      - mariadb-devel
      - python3-dnf-plugin-versionlock
      - nmap-ncat
      - yum-utils
      - device-mapper-persistent-data
-      - lvm2
+      - fuse
-      - openssl
+      - fuse-libs
      - fuse-overlayfs
      - fuse-common
      - fuse3
      - fuse3-libs
      - git
      - httpd-tools
      - jq
      - lvm2
      {% if GLOBALS.os == 'CentOS Stream' %}
      - MariaDB-devel
      {% else %}
      - mariadb-devel
      {% endif %}
      - net-tools
      - nmap-ncat
      - openssl
      - python3-dnf-plugin-versionlock
      - python3-docker
      - python3-m2crypto
      - rsync
      - python3-rich
      - python3-pyyaml
      - python3-watchdog
      - python3-packaging
      - python3-pyyaml
      - python3-rich
      - python3-watchdog
      - rsync
      - sqlite
      - tcpdump
      - unzip
      - wget
      - yum-utils
 {% endif %}
@@ -8,6 +8,15 @@ soup_scripts:
    - source: salt://common/tools/sbin
    - include_pat:
        - so-common
        - so-firewall
        - so-image-common
-        - soup
+
 soup_manager_scripts:
  file.recurse:
    - name: /usr/sbin
    - user: root
    - group: root
    - file_mode: 755
    - source: salt://manager/tools/sbin
    - include_pat:
        - so-firewall
        - soup
@@ -5,6 +5,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 ELASTIC_AGENT_TARBALL_VERSION="8.7.1"
 DEFAULT_SALT_DIR=/opt/so/saltstack/default
 DOC_BASE_URL="https://docs.securityonion.net/en/2.4"
@@ -198,19 +199,20 @@ get_random_value() {
 }
 gpg_rpm_import() {
-	if [[ "$OS" == "rocky" ]]; then
+	if [[ $is_oracle ]]; then
 	    if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then
-	        local RPMKEYSLOC="../salt/repo/client/files/rocky/keys"
+	        local RPMKEYSLOC="../salt/repo/client/files/$OS/keys"
 	    else
-	        local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/rocky/keys"
+	        local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
 	    fi
-	
+		RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub' 'MariaDB-Server-GPG-KEY')
-	    RPMKEYS=('RPM-GPG-KEY-rockyofficial' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
+		for RPMKEY in "${RPMKEYS[@]}"; do
 	    for RPMKEY in "${RPMKEYS[@]}"; do
    	        rpm --import $RPMKEYSLOC/$RPMKEY
 	        echo "Imported $RPMKEY"
 	    done
 	elif [[ $is_rpm ]]; then
 		info "Importing the security onion GPG key"
 		rpm --import ../salt/repo/client/files/oracle/keys/securityonion.pub
 	fi
 }
@@ -242,7 +244,7 @@ is_manager_node() {
 is_sensor_node() {
 	# Check to see if this is a sensor (forward) node
 	is_single_node_grid && return 0
-	grep "role: so-" /etc/salt/grains | grep -E "sensor|heavynode|helix" &> /dev/null
+	grep "role: so-" /etc/salt/grains | grep -E "sensor|heavynode" &> /dev/null
 }
 is_single_node_grid() {
@@ -300,6 +302,17 @@ lookup_role() {
 	echo ${pieces[1]}
 }
 is_feature_enabled() {
 	feature=$1
 	enabled=$(lookup_salt_value features)
 	for cur in $enabled; do
 		if [[ "$feature" == "$cur" ]]; then
 			return 0
 		fi
 	done
 	return 1
 }
 require_manager() {
 	if is_manager_node; then
 		echo "This is a manager, so we can proceed."
@@ -383,19 +396,22 @@ salt_minion_count() {
 }
 set_cron_service_name() {
 	if [[ "$OS" == "rocky" ]]; then
 		cron_service_name="crond"
 	else
 		cron_service_name="cron"
 	fi
 }
 set_os() {
 	if [ -f /etc/redhat-release ]; then
-		OS=rocky
+		if grep -q "Rocky Linux release 9" /etc/redhat-release; then
 			OS=rocky
 			OSVER=9
 			is_rocky=true
 		elif grep -q "CentOS Stream release 9" /etc/redhat-release; then
 			OS=centos
 			OSVER=9
 			is_centos=true
 		fi
 		cron_service_name="crond"
 	else
 		OS=ubuntu
 		is_ubuntu=true
 		cron_service_name="cron"
 	fi
 }
@@ -404,7 +420,7 @@ set_minionid() {
 }
 set_palette() {
-	if [ "$OS" == ubuntu ]; then
+	if [[ $is_deb ]]; then
 	    update-alternatives --set newt-palette /etc/newt/palette.original
    fi
 }
@@ -6,17 +6,17 @@
 # Elastic License 2.0.
-{# we only want the script to install the workstation if it is Rocky -#}
+{# we only want the script to install the desktop if it is Rocky -#}
 {% if grains.os == 'Rocky' -%}
 {#   if this is a manager -#}
 {%   if grains.master == grains.id.split('_')|first -%}
 source /usr/sbin/so-common
-doc_workstation_url="$DOC_BASE_URL/analyst-vm.html"
+doc_desktop_url="$DOC_BASE_URL/desktop.html"
 pillar_file="/opt/so/saltstack/local/pillar/minions/{{grains.id}}.sls"
 if [ -f "$pillar_file" ]; then
-  if ! grep -q "^workstation:$" "$pillar_file"; then
+  if ! grep -q "^desktop:$" "$pillar_file"; then
    FIRSTPASS=yes
    while [[ $INSTALL != "yes" ]] && [[ $INSTALL != "no" ]]; do
@@ -26,7 +26,7 @@ if [ -f "$pillar_file" ]; then
        echo "##    _______________________________    ##"
        echo "##                                       ##"
        echo "##    Installing the Security Onion      ##"
-        echo "##   analyst node on this device will    ##"
+        echo "##     Desktop on this device will       ##"
        echo "##       make permanent changes to       ##"
        echo "##              the system.              ##"
        echo "##    A system reboot will be required   ##"
@@ -42,40 +42,40 @@ if [ -f "$pillar_file" ]; then
    done
    if [[ $INSTALL == "no" ]]; then
-      echo "Exiting analyst node installation."
+      echo "Exiting desktop node installation."
      exit 0
    fi
-    # Add workstation pillar to the minion's pillar file
+    # Add desktop pillar to the minion's pillar file
    printf '%s\n'\
-      "workstation:"\
+      "desktop:"\
      "  gui:"\
      "    enabled: true"\
 		  "" >> "$pillar_file"
-    echo "Applying the workstation state. This could take some time since there are many packages that need to be installed."
+    echo "Applying the desktop state. This could take some time since there are many packages that need to be installed."
-    if salt-call state.apply workstation -linfo queue=True; then # make sure the state ran successfully
+    if salt-call state.apply desktop -linfo queue=True; then # make sure the state ran successfully
      echo ""
-      echo "Analyst workstation has been installed!"
+      echo "Security Onion Desktop has been installed!"
      echo "Press ENTER to reboot or Ctrl-C to cancel."
      read pause
      reboot;
    else
-      echo "There was an issue applying the workstation state. Please review the log above or at /opt/so/log/salt/minion."
+      echo "There was an issue applying the desktop state. Please review the log above or at /opt/so/log/salt/minion."
    fi
-  else # workstation is already added
+  else # desktop is already added
-    echo "The workstation pillar already exists in $pillar_file."
+    echo "The desktop pillar already exists in $pillar_file."
-    echo "To enable/disable the gui, set 'workstation:gui:enabled' to true or false in $pillar_file."
+    echo "To enable/disable the gui, set 'desktop:gui:enabled' to true or false in $pillar_file."
-    echo "Additional documentation can be found at $doc_workstation_url."
+    echo "Additional documentation can be found at $doc_desktop_url."
  fi
 else # if the pillar file doesn't exist
-  echo "Could not find $pillar_file and add the workstation pillar."
+  echo "Could not find $pillar_file and add the desktop pillar."
 fi
 {#-  if this is not a manager #}
 {%   else -%}
-echo "Since this is not a manager, the pillar values to enable analyst workstation must be set manually. Please view the documentation at $doc_workstation_url."
+echo "Since this is not a manager, the pillar values to enable Security Onion Desktop must be set manually. Please view the documentation at $doc_desktop_url."
 {#- endif if this is a manager #}
 {%   endif -%}
@@ -83,7 +83,7 @@ echo "Since this is not a manager, the pillar values to enable analyst workstati
 {#- if not Rocky #}
 {%- else %}
-echo "The Analyst Workstation can only be installed on Rocky. Please view the documentation at $doc_workstation_url."
+echo "The Security Onion Desktop can only be installed on Rocky Linux. Please view the documentation at $doc_desktop_url."
 {#- endif grains.os == Rocky #}
 {% endif -%}
@@ -14,19 +14,56 @@
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 INDEX_DATE=$(date +'%Y.%m.%d')
 RUNID=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 8 | head -n 1)
 LOG_FILE=/nsm/import/evtx-import.log
 . /usr/sbin/so-common
 function usage {
  cat << EOF
-Usage: $0 <evtx-file-1> [evtx-file-2] [evtx-file-*]
+Usage: $0 [options] <evtx-file-1> [evtx-file-2] [evtx-file-*]
 Imports one or more evtx files into Security Onion. The evtx files will be analyzed and made available for review in the Security Onion toolset.
 Options:
  --json      Outputs summary in JSON format. Implies --quiet.
  --quiet     Silences progress information to stdout.
 EOF
 }
 quiet=0
 json=0
 INPUT_FILES=
 while [[ $# -gt 0 ]]; do
  param=$1
  shift
  case "$param" in
    --json)
      json=1
      quiet=1
      ;;
    --quiet)
      quiet=1
      ;;
    -*) 
      echo "Encountered unexpected parameter: $param"
      usage
      exit 1
      ;;
    *) 
      if [[ "$INPUT_FILES" != "" ]]; then
        INPUT_FILES="$INPUT_FILES $param"
      else
        INPUT_FILES="$param"
      fi
      ;;
  esac
 done
 function status {
  msg=$1
  [[ $quiet -eq 1 ]] && return
  echo "$msg"
 }
 function evtx2es() {
  EVTX=$1
@@ -42,31 +79,30 @@ function evtx2es() {
 }
 # if no parameters supplied, display usage
-if [ $# -eq 0 ]; then
+if [ "$INPUT_FILES" == "" ]; then
  usage
  exit 1
 fi
 # ensure this is a Manager node
-require_manager
+require_manager @> /dev/null
 # verify that all parameters are files
-for i in "$@"; do
+for i in $INPUT_FILES; do
  if ! [ -f "$i" ]; then
    usage
    echo "\"$i\" is not a valid file!"
    exit 2
  fi
 done
 # track if we have any valid or invalid evtx
 INVALID_EVTXS="no"
 VALID_EVTXS="no"
 # track oldest start and newest end so that we can generate the Kibana search hyperlink at the end
 START_OLDEST="2050-12-31"
 END_NEWEST="1971-01-01"
 INVALID_EVTXS_COUNT=0
 VALID_EVTXS_COUNT=0
 SKIPPED_EVTXS_COUNT=0
 touch /nsm/import/evtx-start_oldest
 touch /nsm/import/evtx-end_newest
@@ -74,27 +110,39 @@ echo $START_OLDEST > /nsm/import/evtx-start_oldest
 echo $END_NEWEST > /nsm/import/evtx-end_newest
 # paths must be quoted in case they include spaces
-for EVTX in "$@"; do
+for EVTX in $INPUT_FILES; do
  EVTX=$(/usr/bin/realpath "$EVTX")
-  echo "Processing Import: ${EVTX}"
+  status "Processing Import: ${EVTX}"
  # generate a unique hash to assist with dedupe checks
  HASH=$(md5sum "${EVTX}" | awk '{ print $1 }')
  HASH_DIR=/nsm/import/${HASH}
-  echo "- assigning unique identifier to import: $HASH"
+  status "- assigning unique identifier to import: $HASH"
  if [[ "$HASH_FILTERS" == "" ]]; then
    HASH_FILTERS="import.id:${HASH}"
    HASHES="${HASH}"
  else
    HASH_FILTERS="$HASH_FILTERS%20OR%20import.id:${HASH}"
    HASHES="${HASHES} ${HASH}"
  fi
  if [ -d $HASH_DIR ]; then
-    echo "- this EVTX has already been imported; skipping"
+    status "- this EVTX has already been imported; skipping"
-    INVALID_EVTXS="yes"
+    SKIPPED_EVTXS_COUNT=$((SKIPPED_EVTXS_COUNT + 1))
  else
    VALID_EVTXS="yes"
    EVTX_DIR=$HASH_DIR/evtx
    mkdir -p $EVTX_DIR
    # import evtx and write them to import ingest pipeline
-    echo "- importing logs to Elasticsearch..."
+    status "- importing logs to Elasticsearch..."
    evtx2es "${EVTX}" $HASH
    if [[ $? -ne 0 ]]; then
      INVALID_EVTXS_COUNT=$((INVALID_EVTXS_COUNT + 1))
      status "- WARNING: This evtx file may not have fully imported successfully"
    else
      VALID_EVTXS_COUNT=$((VALID_EVTXS_COUNT + 1))
    fi
    # compare $START to $START_OLDEST
    START=$(cat /nsm/import/evtx-start_oldest)
@@ -118,38 +166,60 @@ for EVTX in "$@"; do
  fi # end of valid evtx
-  echo
+  status
 done # end of for-loop processing evtx files
 # remove temp files
 echo "Cleaning up:"
 for TEMP_EVTX in ${TEMP_EVTXS[@]}; do
  echo "- removing temporary evtx $TEMP_EVTX"
  rm -f $TEMP_EVTX
 done
 # output final messages
-if [ "$INVALID_EVTXS" = "yes" ]; then
+if [[ $INVALID_EVTXS_COUNT -gt 0 ]]; then
-  echo
+  status
-  echo "Please note!  One or more evtx was invalid!  You can scroll up to see which ones were invalid."
+  status "Please note!  One or more evtx was invalid!  You can scroll up to see which ones were invalid."
 fi
 START_OLDEST_FORMATTED=`date +%Y-%m-%d --date="$START_OLDEST"`
 START_OLDEST_SLASH=$(echo $START_OLDEST_FORMATTED | sed -e 's/-/%2F/g')
 END_NEWEST_SLASH=$(echo $END_NEWEST | sed -e 's/-/%2F/g')
-if [ "$VALID_EVTXS" = "yes" ]; then
+if [[ $VALID_EVTXS_COUNT -gt 0 ]] || [[ $SKIPPED_EVTXS_COUNT -gt 0 ]]; then
-cat << EOF
+  URL="https://{{ URLBASE }}/#/dashboards?q=$HASH_FILTERS%20%7C%20groupby%20-sankey%20event.dataset%20event.category%2a%20%7C%20groupby%20-pie%20event.category%20%7C%20groupby%20-bar%20event.module%20%7C%20groupby%20event.dataset%20%7C%20groupby%20event.module%20%7C%20groupby%20event.category%20%7C%20groupby%20observer.name%20%7C%20groupby%20source.ip%20%7C%20groupby%20destination.ip%20%7C%20groupby%20destination.port&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20AM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20AM&z=UTC"
-Import complete!
+  status "Import complete!"
-
+  status
-You can use the following hyperlink to view data in the time range of your import.  You can triple-click to quickly highlight the entire hyperlink and you can then copy it into your browser:
+  status "Use the following hyperlink to view the imported data. Triple-click to quickly highlight the entire hyperlink and then copy it into a browser:"
-https://{{ URLBASE }}/#/dashboards?q=import.id:${RUNID}%20%7C%20groupby%20-sankey%20event.dataset%20event.category%2a%20%7C%20groupby%20-pie%20event.category%20%7C%20groupby%20-bar%20event.module%20%7C%20groupby%20event.dataset%20%7C%20groupby%20event.module%20%7C%20groupby%20event.category%20%7C%20groupby%20observer.name%20%7C%20groupby%20source.ip%20%7C%20groupby%20destination.ip%20%7C%20groupby%20destination.port&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20AM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20AM&z=UTC
+  status
-
+  status "$URL"
-or you can manually set your Time Range to be (in UTC):
+  status
-From: $START_OLDEST_FORMATTED    To: $END_NEWEST
+  status "or, manually set the Time Range to be (in UTC):"
-
+  status
-Please note that it may take 30 seconds or more for events to appear in Security Onion Console.
+  status "From: $START_OLDEST_FORMATTED    To: $END_NEWEST"
-EOF
+  status
  status "Note: It can take 30 seconds or more for events to appear in Security Onion Console."
  RESULT=0
 else
  START_OLDEST=
  END_NEWEST=
  URL=
  RESULT=1
 fi
 if [[ $json -eq 1 ]]; then
  jq -n \
    --arg success_count "$VALID_EVTXS_COUNT" \
    --arg fail_count "$INVALID_EVTXS_COUNT" \
    --arg skipped_count "$SKIPPED_EVTXS_COUNT" \
    --arg begin_date "$START_OLDEST" \
    --arg end_date "$END_NEWEST" \
    --arg url "$URL" \
    --arg hashes "$HASHES" \
    '''{
      success_count: $success_count,
      fail_count: $fail_count,
      skipped_count: $skipped_count,
      begin_date: $begin_date,
      end_date: $end_date,
      url: $url,
      hash: ($hashes / " ")
    }'''
 fi
 exit $RESULT
@@ -15,12 +15,51 @@
 function usage {
  cat << EOF
-Usage: $0 <pcap-file-1> [pcap-file-2] [pcap-file-N]
+Usage: $0 [options] <pcap-file-1> [pcap-file-2] [pcap-file-N]
 Imports one or more PCAP files onto a sensor node. The PCAP traffic will be analyzed and made available for review in the Security Onion toolset.
 Options:
  --json      Outputs summary in JSON format. Implies --quiet.
  --quiet     Silences progress information to stdout.
 EOF
 }
 quiet=0
 json=0
 INPUT_FILES=
 while [[ $# -gt 0 ]]; do
  param=$1
  shift
  case "$param" in
    --json)
      json=1
      quiet=1
      ;;
    --quiet)
      quiet=1
      ;;
    -*) 
      echo "Encountered unexpected parameter: $param"
      usage
      exit 1
      ;;
    *) 
      if [[ "$INPUT_FILES" != "" ]]; then
        INPUT_FILES="$INPUT_FILES $param"
      else
        INPUT_FILES="$param"
      fi
      ;;
  esac
 done
 function status {
  msg=$1
  [[ $quiet -eq 1 ]] && return
  echo "$msg"
 }
 function pcapinfo() {
  PCAP=$1
  ARGS=$2
@@ -84,7 +123,7 @@ function zeek() {
 }
 # if no parameters supplied, display usage
-if [ $# -eq 0 ]; then
+if [ "$INPUT_FILES" == "" ]; then
  usage
  exit 1
 fi
@@ -96,31 +135,30 @@ if [ ! -d /opt/so/conf/suricata ]; then
 fi
 # verify that all parameters are files
-for i in "$@"; do
+for i in $INPUT_FILES; do
  if ! [ -f "$i" ]; then
    usage
    echo "\"$i\" is not a valid file!"
    exit 2
  fi
 done
 # track if we have any valid or invalid pcaps
 INVALID_PCAPS="no"
 VALID_PCAPS="no"
 # track oldest start and newest end so that we can generate the Kibana search hyperlink at the end
 START_OLDEST="2050-12-31"
 END_NEWEST="1971-01-01"
 INVALID_PCAPS_COUNT=0
 VALID_PCAPS_COUNT=0
 SKIPPED_PCAPS_COUNT=0
 # paths must be quoted in case they include spaces
-for PCAP in "$@"; do
+for PCAP in $INPUT_FILES; do
  PCAP=$(/usr/bin/realpath "$PCAP")
-  echo "Processing Import: ${PCAP}"
+  status "Processing Import: ${PCAP}"
-  echo "- verifying file"
+  status "- verifying file"
  if ! pcapinfo "${PCAP}" > /dev/null 2>&1; then
    # try to fix pcap and then process the fixed pcap directly
    PCAP_FIXED=`mktemp /tmp/so-import-pcap-XXXXXXXXXX.pcap`
-    echo "- attempting to recover corrupted PCAP file"
+    status "- attempting to recover corrupted PCAP file"
    pcapfix "${PCAP}" "${PCAP_FIXED}"
    # Make fixed file world readable since the Suricata docker container will runas a non-root user
    chmod a+r "${PCAP_FIXED}"
@@ -131,33 +169,44 @@ for PCAP in "$@"; do
  # generate a unique hash to assist with dedupe checks
  HASH=$(md5sum "${PCAP}" | awk '{ print $1 }')
  HASH_DIR=/nsm/import/${HASH}
-  echo "- assigning unique identifier to import: $HASH"
+  status "- assigning unique identifier to import: $HASH"
-  if [ -d $HASH_DIR ]; then
+  pcap_data=$(pcapinfo "${PCAP}")
-    echo "- this PCAP has already been imported; skipping"
+  if ! echo "$pcap_data" | grep -q "First packet time:" || echo "$pcap_data" |egrep -q "Last packet time:    1970-01-01|Last packet time:    n/a"; then
-    INVALID_PCAPS="yes"
+    status "- this PCAP file is invalid; skipping"
-  elif pcapinfo "${PCAP}" |egrep -q "Last packet time:    1970-01-01|Last packet time:    n/a"; then
+    INVALID_PCAPS_COUNT=$((INVALID_PCAPS_COUNT + 1))
    echo "- this PCAP file is invalid; skipping"
    INVALID_PCAPS="yes"
  else
-    VALID_PCAPS="yes"
+    if [ -d $HASH_DIR ]; then
      status "- this PCAP has already been imported; skipping"
      SKIPPED_PCAPS_COUNT=$((SKIPPED_PCAPS_COUNT + 1))
    else
      VALID_PCAPS_COUNT=$((VALID_PCAPS_COUNT + 1))
-    PCAP_DIR=$HASH_DIR/pcap
+      PCAP_DIR=$HASH_DIR/pcap
-    mkdir -p $PCAP_DIR
+      mkdir -p $PCAP_DIR
-    # generate IDS alerts and write them to standard pipeline
+      # generate IDS alerts and write them to standard pipeline
-    echo "- analyzing traffic with Suricata"
+      status "- analyzing traffic with Suricata"
-    suricata "${PCAP}" $HASH
+      suricata "${PCAP}" $HASH
-    {% if salt['pillar.get']('global:mdengine') == 'ZEEK' %}
+      {% if salt['pillar.get']('global:mdengine') == 'ZEEK' %}
-    # generate Zeek logs and write them to a unique subdirectory in /nsm/import/zeek/
+      # generate Zeek logs and write them to a unique subdirectory in /nsm/import/zeek/
-    # since each run writes to a unique subdirectory, there is no need for a lock file
+      # since each run writes to a unique subdirectory, there is no need for a lock file
-    echo "- analyzing traffic with Zeek"
+      status "- analyzing traffic with Zeek"
-    zeek "${PCAP}" $HASH
+      zeek "${PCAP}" $HASH
-    {% endif %}
+      {% endif %}
    fi
    if [[ "$HASH_FILTERS" == "" ]]; then
      HASH_FILTERS="import.id:${HASH}"
      HASHES="${HASH}"
    else
      HASH_FILTERS="$HASH_FILTERS%20OR%20import.id:${HASH}"
      HASHES="${HASHES} ${HASH}"
    fi
    START=$(pcapinfo "${PCAP}" -a |grep "First packet time:" | awk '{print $4}')
    END=$(pcapinfo "${PCAP}" -e |grep "Last packet time:" | awk '{print $4}')
-    echo "- saving PCAP data spanning dates $START through $END"
+    status "- found PCAP data spanning dates $START through $END"
    # compare $START to $START_OLDEST
    START_COMPARE=$(date -d $START +%s)
@@ -179,37 +228,62 @@ for PCAP in "$@"; do
  fi # end of valid pcap
-  echo
+  status
 done # end of for-loop processing pcap files
 # remove temp files
 echo "Cleaning up:"
 for TEMP_PCAP in ${TEMP_PCAPS[@]}; do
-  echo "- removing temporary pcap $TEMP_PCAP"
+  status "- removing temporary pcap $TEMP_PCAP"
  rm -f $TEMP_PCAP
 done
 # output final messages
-if [ "$INVALID_PCAPS" = "yes" ]; then
+if [[ $INVALID_PCAPS_COUNT -gt 0 ]]; then
-  echo
+  status
-  echo "Please note!  One or more pcaps was invalid!  You can scroll up to see which ones were invalid."
+  status "WARNING: One or more pcaps was invalid. Scroll up to see which ones were invalid."
 fi
 START_OLDEST_SLASH=$(echo $START_OLDEST | sed -e 's/-/%2F/g')
 END_NEWEST_SLASH=$(echo $END_NEWEST | sed -e 's/-/%2F/g')
 if [[ $VALID_PCAPS_COUNT -gt 0 ]] || [[ $SKIPPED_PCAPS_COUNT -gt 0 ]]; then
  URL="https://{{ URLBASE }}/#/dashboards?q=$HASH_FILTERS%20%7C%20groupby%20-sankey%20event.dataset%20event.category%2a%20%7C%20groupby%20-pie%20event.category%20%7C%20groupby%20-bar%20event.module%20%7C%20groupby%20event.dataset%20%7C%20groupby%20event.module%20%7C%20groupby%20event.category%20%7C%20groupby%20observer.name%20%7C%20groupby%20source.ip%20%7C%20groupby%20destination.ip%20%7C%20groupby%20destination.port&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20AM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20AM&z=UTC"
-if [ "$VALID_PCAPS" = "yes" ]; then
+  status "Import complete!"
-cat << EOF
+  status
-
+  status "Use the following hyperlink to view the imported data. Triple-click to quickly highlight the entire hyperlink and then copy it into a browser:"
-Import complete!
+  status "$URL"
-
+  status
-You can use the following hyperlink to view data in the time range of your import.  You can triple-click to quickly highlight the entire hyperlink and you can then copy it into your browser:
+  status "or, manually set the Time Range to be (in UTC):"
-https://{{ URLBASE }}/#/dashboards?q=import.id:${HASH}%20%7C%20groupby%20-sankey%20event.dataset%20event.category%2a%20%7C%20groupby%20-pie%20event.category%20%7C%20groupby%20-bar%20event.module%20%7C%20groupby%20event.dataset%20%7C%20groupby%20event.module%20%7C%20groupby%20event.category%20%7C%20groupby%20observer.name%20%7C%20groupby%20source.ip%20%7C%20groupby%20destination.ip%20%7C%20groupby%20destination.port&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20AM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20AM&z=UTC
+  status "From: $START_OLDEST    To: $END_NEWEST"
-
+  status
-or you can manually set your Time Range to be (in UTC):
+  status "Note: It can take 30 seconds or more for events to appear in Security Onion Console."
-From: $START_OLDEST    To: $END_NEWEST
+  RESULT=0
-
+else
-Please note that it may take 30 seconds or more for events to appear in Security Onion Console.
+  START_OLDEST=
-EOF
+  END_NEWEST=
  URL=
  RESULT=1
 fi
 if [[ $json -eq 1 ]]; then
  jq -n \
    --arg success_count "$VALID_PCAPS_COUNT" \
    --arg fail_count "$INVALID_PCAPS_COUNT" \
    --arg skipped_count "$SKIPPED_PCAPS_COUNT" \
    --arg begin_date "$START_OLDEST" \
    --arg end_date "$END_NEWEST" \
    --arg url "$URL" \
    --arg hashes "$HASHES" \
    '''{
      success_count: $success_count,
      fail_count: $fail_count,
      skipped_count: $skipped_count,
      begin_date: $begin_date,
      end_date: $end_date,
      url: $url,
      hash: ($hashes / " ")
    }'''
 fi
 exit $RESULT
@@ -12,7 +12,7 @@ actions:
    options:
      delete_aliases: False
      timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
    options:
      delete_aliases: False
      timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
    options:
      delete_aliases: False
      timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
    options:
      delete_aliases: False
      timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
    options:
      delete_aliases: False
      timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
    options:
      delete_aliases: False
      timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
    options:
      delete_aliases: False
      timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
    options:
      delete_aliases: False
      timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
    options:
      delete_aliases: False
      timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
    options:
      delete_aliases: False
      timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
    options:
      delete_aliases: False
      timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
    options:
      delete_aliases: False
      timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
    options:
      delete_aliases: False
      timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
    options:
      delete_aliases: False
      timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
    options:
      delete_aliases: False
      timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
    options:
      delete_aliases: False
      timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
    options:
      delete_aliases: False
      timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
    options:
      delete_aliases: False
      timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
    options:
      delete_aliases: False
      timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
@@ -13,7 +13,7 @@ actions:
    options:
      delete_aliases: False
      timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
@@ -13,7 +13,7 @@ actions:
    options:
      delete_aliases: False
      timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
    options:
      delete_aliases: False
      timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
    options:
      delete_aliases: False
      timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
    options:
      delete_aliases: False
      timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
    options:
      delete_aliases: False
      timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
    options:
      delete_aliases: False
      timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
    options:
      delete_aliases: False
      timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
    options:
      delete_aliases: False
      timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
    options:
      delete_aliases: False
      timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
    options:
      delete_aliases: False
      timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
    options:
      delete_aliases: False
      timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
@@ -12,7 +12,7 @@ actions:
    options:
      delete_aliases: False
      timeout_override:
-      continue_if_exception: False
+      ignore_empty_list: True
      disable_action: False
    filters:
    - filtertype: pattern
@@ -1,7 +1,7 @@
 include:
-  - workstation.xwindows
+  - desktop.xwindows
 {# If the master is 'salt' then the minion hasn't been configured and isn't connected to the grid. #}
 {# We need this since the trusted-ca state uses mine data. #}
 {% if grains.master != 'salt' %}
-  - workstation.trusted-ca
+  - desktop.trusted-ca
 {% endif %}
@@ -0,0 +1,442 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {# we only want this state to run it is CentOS #}
 {% if GLOBALS.os == 'OEL' %}
 desktop_packages:
  pkg.installed:
    - pkgs:
      - ModemManager
      - ModemManager-glib
      - NetworkManager
      - NetworkManager-adsl
      - NetworkManager-bluetooth
      - NetworkManager-config-server
      - NetworkManager-libnm
      - NetworkManager-team
      - NetworkManager-tui
      - NetworkManager-wifi
      - NetworkManager-wwan
      - PackageKit
      - PackageKit-command-not-found
      - PackageKit-glib
      - PackageKit-gstreamer-plugin
      - PackageKit-gtk3-module
      - audit
      - audit-libs
      - authselect
      - authselect-libs
      - avahi
      - avahi-glib
      - avahi-libs
      - baobab
      - basesystem
      - bc
      - bcache-tools
      - bluez
      - bluez-libs
      - bluez-obexd
      - bolt
      - bzip2
      - bzip2-libs
      - c-ares
      - ca-certificates
      - cairo
      - cairo-gobject
      - cairomm
      - checkpolicy
      - chkconfig
      - chrome-gnome-shell
      - chromium
      - clutter
      - clutter-gst3
      - clutter-gtk
      - cogl
      - color-filesystem
      - colord
      - colord-gtk
      - colord-libs
      - conmon
      - cups
      - cups-client
      - cups-filesystem
      - cups-filters
      - cups-filters-libs
      - cups-ipptool
      - cups-libs
      - cups-pk-helper
      - dconf
      - dejavu-sans-fonts
      - dejavu-sans-mono-fonts
      - dejavu-serif-fonts
      - desktop-file-utils
      - dsniff
      - ethtool
      - evolution-data-server
      - evolution-data-server-langpacks
      - file
      - flac-libs
      - flashrom
      - flatpak
      - flatpak-libs
      - flatpak-selinux
      - flatpak-session-helper
      - fontconfig
      - fonts-filesystem
      - foomatic
      - foomatic-db
      - foomatic-db-filesystem
      - foomatic-db-ppds
      - freetype
      - fuse
      - fuse-common
      - fuse-libs
      - fuse-overlayfs
      - fuse3
      - fuse3-libs
      - fwupd
      - fwupd-plugin-flashrom
      - gcr
      - gcr-base
      - gd
      - gdbm-libs
      - gdisk
      - gdk-pixbuf2
      - gdk-pixbuf2-modules
      - gdm
      - gedit
      - geoclue2
      - geoclue2-libs
      - geocode-glib
      - gettext
      - gettext-libs
      - ghostscript
      - ghostscript-tools-fonts
      - ghostscript-tools-printing
      - giflib
      - glx-utils
      - gmp
      - gnome-autoar
      - gnome-bluetooth
      - gnome-bluetooth-libs
      - gnome-calculator
      - gnome-characters
      - gnome-classic-session
      - gnome-color-manager
      - gnome-control-center
      - gnome-control-center-filesystem
      - gnome-desktop3
      - gnome-disk-utility
      - gnome-font-viewer
      - gnome-initial-setup
      - gnome-keyring
      - gnome-keyring-pam
      - gnome-logs
      - gnome-menus
      - gnome-online-accounts
      - gnome-remote-desktop
      - gnome-screenshot
      - gnome-session
      - gnome-session-wayland-session
      - gnome-session-xsession
      - gnome-settings-daemon
      - gnome-shell
      - gnome-shell-extension-apps-menu
      - gnome-shell-extension-background-logo
      - gnome-shell-extension-common
      - gnome-shell-extension-desktop-icons
      - gnome-shell-extension-launch-new-instance
      - gnome-shell-extension-places-menu
      - gnome-shell-extension-window-list
      - gnome-software
      - gnome-system-monitor
      - gnome-terminal
      - gnome-terminal-nautilus
      - gnome-tour
      - gnome-user-docs
      - gnome-video-effects
      - gobject-introspection
      - gom
      - google-droid-sans-fonts
      - google-noto-cjk-fonts-common
      - google-noto-emoji-color-fonts
      - google-noto-fonts-common
      - google-noto-sans-cjk-ttc-fonts
      - google-noto-sans-gurmukhi-fonts
      - google-noto-sans-sinhala-vf-fonts
      - google-noto-serif-cjk-ttc-fonts
      - gpgme
      - gpm-libs
      - graphene
      - graphite2
      - gsettings-desktop-schemas
      - gsm
      - gsound
      - gspell
      - gstreamer1
      - gstreamer1-plugins-bad-free
      - gstreamer1-plugins-base
      - gstreamer1-plugins-good
      - gstreamer1-plugins-good-gtk
      - gstreamer1-plugins-ugly-free
      - gtk-update-icon-cache
      - gtk3
      - gtk4
      - gtkmm30
      - gtksourceview4
      - gutenprint
      - gutenprint-cups
      - gutenprint-doc
      - gutenprint-libs
      - gvfs
      - gvfs-client
      - gvfs-fuse
      - gvfs-goa
      - gvfs-gphoto2
      - gvfs-mtp
      - gvfs-smb
      - gzip
      - harfbuzz
      - harfbuzz-icu
      - hdparm
      - hicolor-icon-theme
      - highcontrast-icon-theme
      - hplip-common
      - hplip-libs
      - hunspell
      - hunspell-en
      - hunspell-en-GB
      - hunspell-en-US
      - hunspell-filesystem
      - hyphen
      - ibus
      - ibus-gtk3
      - ibus-libs
      - ibus-setup
      - iio-sensor-proxy
      - ima-evm-utils
      - inih
      - initscripts-rename-device
      - initscripts-service
      - iso-codes
      - jansson
      - jbig2dec-libs
      - jbigkit-libs
      - jomolhari-fonts
      - jose
      - jq
      - json-c
      - json-glib
      - julietaula-montserrat-fonts
      - kbd
      - kbd-misc
      - khmer-os-system-fonts
      - langpacks-core-en
      - langpacks-core-font-en
      - langpacks-en
      - lcms2
      - libICE
      - libSM
      - libX11
      - libX11-common
      - libX11-xcb
      - libXau
      - libXcomposite
      - libXcursor
      - libXdamage
      - libXdmcp
      - libXext
      - libXfixes
      - libXfont2
      - libXft
      - libXi
      - libXinerama
      - libXmu
      - libXpm
      - libXrandr
      - libXrender
      - libXres
      - libXt
      - libXtst
      - libXv
      - libXxf86dga
      - libXxf86vm
      - libappstream-glib
      - liberation-fonts-common
      - liberation-mono-fonts
      - liberation-sans-fonts
      - liberation-serif-fonts
      - libertas-sd8787-firmware
      - libglvnd-gles
      - libglvnd-glx
      - libglvnd-opengl
      - libgnomekbd
      - libgomp
      - libgphoto2
      - lockdev
      - lohit-assamese-fonts
      - lohit-bengali-fonts
      - lohit-devanagari-fonts
      - lohit-gujarati-fonts
      - lohit-kannada-fonts
      - lohit-odia-fonts
      - lohit-tamil-fonts
      - lohit-telugu-fonts
      - lshw
      - lsof
      - mesa-dri-drivers
      - mesa-filesystem
      - mesa-libEGL
      - mesa-libGL
      - mesa-libgbm
      - mesa-libglapi
      - mesa-libxatracker
      - mesa-vulkan-drivers
      - microcode_ctl
      - mobile-broadband-provider-info
      - mpfr
      - mpg123-libs
      - mtdev
      - mtr
      - nautilus
      - nautilus-extensions
      - net-tools
      - nvme-cli
      - open-vm-tools-desktop
      - oracle-backgrounds
      - oracle-indexhtml
      - oracle-logos
      - pcaudiolib
      - pciutils
      - pinentry
      - pinentry-gnome3
      - pinfo
      - pipewire
      - pipewire-alsa
      - pipewire-gstreamer
      - pipewire-jack-audio-connection-kit
      - pipewire-libs
      - pipewire-pulseaudio
      - pipewire-utils
      - pixman
      - plymouth
      - plymouth-core-libs
      - plymouth-graphics-libs
      - plymouth-plugin-label
      - plymouth-plugin-two-step
      - plymouth-scripts
      - plymouth-system-theme
      - plymouth-theme-spinner
      - policycoreutils
      - policycoreutils-python-utils
      - pt-sans-fonts
      - pulseaudio-libs
      - pulseaudio-libs-glib2
      - pulseaudio-utils
      - sane-airscan
      - sane-backends
      - sane-backends-drivers-cameras
      - sane-backends-drivers-scanners
      - sane-backends-libs
      - sil-abyssinica-fonts
      - sil-nuosu-fonts
      - sil-padauk-fonts
      - smartmontools
      - smc-meera-fonts
      - snappy
      - sound-theme-freedesktop
      - soundtouch
      - speech-dispatcher
      - speech-dispatcher-espeak-ng
      - speex
      - spice-vdagent
      - switcheroo-control
      - symlinks
      - system-config-printer-libs
      - system-config-printer-udev
      - taglib
      - tcpdump
      - tcpflow
      - thai-scalable-fonts-common
      - thai-scalable-waree-fonts
      - totem
      - totem-pl-parser
      - totem-video-thumbnailer
      - tpm2-tools
      - tpm2-tss
      - tracer-common
      - tracker
      - tracker-miners
      - tree
      - tuned
      - twolame-libs
      - tzdata
      - udisks2
      - udisks2-iscsi
      - udisks2-lvm2
      - unzip
      - upower
      - urw-base35-bookman-fonts
      - urw-base35-c059-fonts
      - urw-base35-d050000l-fonts
      - urw-base35-fonts
      - urw-base35-fonts-common
      - urw-base35-gothic-fonts
      - urw-base35-nimbus-mono-ps-fonts
      - urw-base35-nimbus-roman-fonts
      - urw-base35-nimbus-sans-fonts
      - urw-base35-p052-fonts
      - urw-base35-standard-symbols-ps-fonts
      - urw-base35-z003-fonts
      - usb_modeswitch
      - usb_modeswitch-data
      - usbutils
      - usermode
      - userspace-rcu
      - vdo
      - vulkan-loader
      - wavpack
      - webkit2gtk3
      - webkit2gtk3-jsc
      - webrtc-audio-processing
      - whois
      - wireless-regdb
      - wireplumber
      - wireplumber-libs
      - wireshark
      - woff2
      - words
      - wpa_supplicant
      - wpebackend-fdo
      - xdg-dbus-proxy
      - xdg-desktop-portal
      - xdg-desktop-portal-gnome
      - xdg-desktop-portal-gtk
      - xdg-user-dirs
      - xdg-user-dirs-gtk
      - xdg-utils
      - xkeyboard-config
      - xorg-x11-drv-evdev
      - xorg-x11-drv-fbdev
      - xorg-x11-drv-libinput
      - xorg-x11-drv-vmware
      - xorg-x11-drv-wacom
      - xorg-x11-drv-wacom-serial-support
      - xorg-x11-server-Xorg
      - xorg-x11-server-Xwayland
      - xorg-x11-server-common
      - xorg-x11-server-utils
      - xorg-x11-utils
      - xorg-x11-xauth
      - xorg-x11-xinit
      - xorg-x11-xinit-session
      - zip
 {% else %}
 desktop_packages_os_fail:
  test.fail_without_changes:
    - comment: 'SO desktop can only be installed on Oracle Linux'
 {% endif %}
@@ -1,7 +1,7 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {# we only want this state to run it is CentOS #}
-{% if GLOBALS.os == 'Rocky' %}
+{% if GLOBALS.os == 'OEL' %}
 remove_graphical_target:
  file.symlink:
@@ -10,8 +10,8 @@ remove_graphical_target:
    - force: True
 {% else %}
-workstation_trusted-ca_os_fail:
+desktop_trusted-ca_os_fail:
  test.fail_without_changes:
-    - comment: 'SO Analyst Workstation can only be installed on CentOS'
+    - comment: 'SO Desktop can only be installed on Oracle Linux'
 {% endif %}
@@ -1,7 +1,7 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {# we only want this state to run it is CentOS #}
-{% if GLOBALS.os == 'Rocky' %}
+{% if GLOBALS.os == 'OEL' %}
  {% set global_ca_text = [] %}
  {% set global_ca_server = [] %}
@@ -29,8 +29,8 @@ update_ca_certs:
 {% else %}
-workstation_trusted-ca_os_fail:
+desktop_trusted-ca_os_fail:
  test.fail_without_changes:
-    - comment: 'SO Analyst Workstation can only be installed on CentOS'
+    - comment: 'SO Desktop can only be installed on CentOS'
 {% endif %}
@@ -1,10 +1,10 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {# we only want this state to run it is CentOS #}
-{% if GLOBALS.os == 'Rocky' %}
+{% if GLOBALS.os == 'OEL' %}
 include:
-  - workstation.packages
+  - desktop.packages
 graphical_target:
  file.symlink:
@@ -12,13 +12,12 @@ graphical_target:
    - target: /lib/systemd/system/graphical.target
    - force: True
    - require:
-      - pkg: X Window System
+      - desktop_packages
      - pkg: graphical_extras
 {% else %}
-workstation_xwindows_os_fail:
+desktop_xwindows_os_fail:
  test.fail_without_changes:
-    - comment: 'SO Analyst Workstation can only be installed on CentOS'
+    - comment: 'SO Desktop can only be installed on Oracle Linux'
 {% endif %}
@@ -1,8 +1,6 @@
 docker:
-  bip: '172.17.0.1'
+  range: '172.17.1.0/24'
-  range: '172.17.0.0/24'
+  gateway: '172.17.1.1'
  sorange: '172.17.1.0/24'
  sobip: '172.17.1.1'
  containers:
    'so-dockerregistry':
      final_octet: 20
@@ -178,6 +176,11 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
    'so-elastic-agent':
      final_octet: 46
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
    'so-telegraf':
      final_octet: 99
      custom_bind_mounts: []
@@ -197,4 +200,4 @@ docker:
      final_octet: 99
      custom_bind_mounts: []
      extra_hosts: []
-      extra_env: []
+      extra_env: []
@@ -1,6 +1,6 @@
 {% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}
 {% set DOCKER = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
-{% set RANGESPLIT = DOCKER.sorange.split('.') %}
+{% set RANGESPLIT = DOCKER.range.split('.') %}
 {% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %}
 {% for container, vals in DOCKER.containers.items() %}
@@ -12,7 +12,28 @@ dockergroup:
    - name: docker
    - gid: 920
-{% if GLOBALS.os == 'Ubuntu' %}
+{% if GLOBALS.os_family == 'Debian' %}
 {%    if grains.oscodename == 'bookworm' %}
 dockerheldpackages:
  pkg.installed:
    - pkgs:
      - containerd.io: 1.6.21-1
      - docker-ce: 5:24.0.3-1~debian.12~bookworm
      - docker-ce-cli: 5:24.0.3-1~debian.12~bookworm
      - docker-ce-rootless-extras: 5:24.0.3-1~debian.12~bookworm
    - hold: True
    - update_holds: True
 {%    elif grains.oscodename == 'jammy' %}
 dockerheldpackages:
  pkg.installed:
    - pkgs:
      - containerd.io: 1.6.21-1
      - docker-ce: 5:24.0.2-1~ubuntu.22.04~jammy
      - docker-ce-cli: 5:24.0.2-1~ubuntu.22.04~jammy
      - docker-ce-rootless-extras: 5:24.0.2-1~ubuntu.22.04~jammy
    - hold: True
    - update_holds: True
 {%    else %}
 dockerheldpackages:
  pkg.installed:
    - pkgs:
@@ -22,14 +43,15 @@ dockerheldpackages:
      - docker-ce-rootless-extras: 5:20.10.5~3-0~ubuntu-focal
    - hold: True
    - update_holds: True
 {% endif %}
 {% else %}
 dockerheldpackages:
  pkg.installed:
    - pkgs:
-      - containerd.io: 1.6.20-3.1.el9
+      - containerd.io: 1.6.21-3.1.el9
-      - docker-ce: 23.0.5-1.el9
+      - docker-ce: 24.0.4-1.el9
-      - docker-ce-cli: 23.0.5-1.el9
+      - docker-ce-cli: 24.0.4-1.el9
-      - docker-ce-rootless-extras: 23.0.5-1.el9
+      - docker-ce-rootless-extras: 24.0.4-1.el9
    - hold: True
    - update_holds: True
 {% endif %}
@@ -80,8 +102,8 @@ dockerreserveports:
 sos_docker_net:
  docker_network.present:
    - name: sobridge
-    - subnet: {{ DOCKER.sorange }}
+    - subnet: {{ DOCKER.range }}
-    - gateway: {{ DOCKER.sobip }}
+    - gateway: {{ DOCKER.gateway }}
    - options:
        com.docker.network.bridge.name: 'sobridge'
        com.docker.network.driver.mtu: '1500'
@@ -1,20 +1,12 @@
 docker:
-  bip:
+  gateway:
-    description: Bind IP for the default docker interface.
+    description: Gateway for the default docker interface.
    helpLink: docker.html
    advanced: True
  range:
    description: Default docker IP range for containers.
    helpLink: docker.html
    advanced: True
  sobip:
    description: Bind IP for the SO docker interface.
    helpLink: docker.html
    advanced: True
  sorange:
    description: IP range for the SO docker containers.
    helpLink: docker.html
    advanced: True
  containers:
    so-curator: &dockerOptions
      final_octet:
@@ -68,4 +60,4 @@ docker:
    so-strelka-filestream: *dockerOptions
    so-strelka-frontend: *dockerOptions
    so-strelka-gatekeeper: *dockerOptions
-    so-strelka-manager: *dockerOptions
+    so-strelka-manager: *dockerOptions
@@ -13,7 +13,6 @@ elastalert:
    es_port: 9200
    es_conn_timeout: 55
    max_query_size: 5000
    eql: true
    use_ssl: true
    verify_certs: false
    writeback_index: elastalert
@@ -30,8 +30,8 @@ class PlaybookESAlerter(Alerter):
            if 'es_username' in self.rule and 'es_password' in self.rule:
                creds = (self.rule['es_username'], self.rule['es_password'])
-            payload = {"rule": { "name": self.rule['play_title'],"case_template": self.rule['play_id'],"uuid": self.rule['play_id'],"category": self.rule['rule.category']},"event":{ "severity": self.rule['event.severity'],"module": self.rule['event.module'],"dataset": self.rule['event.dataset'],"severity_label": self.rule['sigma_level']},"kibana_pivot": self.rule['kibana_pivot'],"soc_pivot": self.rule['soc_pivot'],"play_url": self.rule['play_url'],"sigma_level": self.rule['sigma_level'],"event_data": match, "@timestamp": timestamp}
+            payload = {"tags":"alert","rule": { "name": self.rule['play_title'],"case_template": self.rule['play_id'],"uuid": self.rule['play_id'],"category": self.rule['rule.category']},"event":{ "severity": self.rule['event.severity'],"module": self.rule['event.module'],"dataset": self.rule['event.dataset'],"severity_label": self.rule['sigma_level']},"kibana_pivot": self.rule['kibana_pivot'],"soc_pivot": self.rule['soc_pivot'],"play_url": self.rule['play_url'],"sigma_level": self.rule['sigma_level'],"event_data": match, "@timestamp": timestamp}
-            url = f"{self.rule['es_hosts']}/so-playbook-alerts-{today}/_doc/"
+            url = f"https://{self.rule['es_host']}:{self.rule['es_port']}/logs-playbook.alerts-so/_doc/"
            requests.post(url, data=json.dumps(payload), headers=headers, verify=False, auth=creds)
    def get_info(self):
@@ -8,7 +8,7 @@
 {% set elastalert_pillar = salt['pillar.get']('elastalert:config', {}) %}
-{% do ELASTALERTDEFAULTS.elastalert.config.update({'es_hosts': 'https://' + GLOBALS.manager + ':' + ELASTALERTDEFAULTS.elastalert.config.es_port|string}) %}
+{% do ELASTALERTDEFAULTS.elastalert.config.update({'es_host': GLOBALS.manager}) %}
 {% do ELASTALERTDEFAULTS.elastalert.config.update({'es_username': pillar.elasticsearch.auth.users.so_elastic_user.user}) %}
 {% do ELASTALERTDEFAULTS.elastalert.config.update({'es_password': pillar.elasticsearch.auth.users.so_elastic_user.pass}) %}
@@ -0,0 +1,55 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% if sls.split('.')[0] in allowed_states %}
 # Add EA Group
 elasticagentgroup:
  group.present:
    - name: elastic-agent
    - gid: 949
 # Add EA user
 elastic-agent:
  user.present:
    - uid: 949
    - gid: 949
    - home: /opt/so/conf/elastic-agent
    - createhome: False
 elasticagentconfdir:
  file.directory:
    - name: /opt/so/conf/elastic-agent
    - user: 949
    - group: 939
    - makedirs: True
 elasticagent_sbin_jinja:
  file.recurse:
    - name: /usr/sbin
    - source: salt://elasticagent/tools/sbin_jinja
    - user: 949
    - group: 939
    - file_mode: 755
    - template: jinja
 # Create config
 create-elastic-agent-config:
  file.managed:
    - name: /opt/so/conf/elastic-agent/elastic-agent.yml
    - source: salt://elasticagent/files/elastic-agent.yml.jinja
    - user: 949
    - group: 939
    - template: jinja
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
@@ -0,0 +1,2 @@
 elasticagent:
  enabled: False
@@ -0,0 +1,27 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 include:
  - elasticagent.sostatus
 so-elastic-agent:
  docker_container.absent:
    - force: True
 so-elastic-agent_so-status.disabled:
  file.comment:
    - name: /opt/so/conf/so-status/so-status.conf
    - regex: ^so-elastic-agent$
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
@@ -0,0 +1,65 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   from 'docker/docker.map.jinja' import DOCKER %}
 include:
  - elasticagent.config
  - elasticagent.sostatus
 so-elastic-agent:
  docker_container.running:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent:{{ GLOBALS.so_version }}
    - name: so-elastic-agent
    - hostname: {{ GLOBALS.hostname }}
    - detach: True
    - user: 949
    - networks:
      - sobridge:
        - ipv4_address: {{ DOCKER.containers['so-elastic-agent'].ip }}
    - extra_hosts:
        - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
        - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
        {% if DOCKER.containers['so-elastic-agent'].extra_hosts %}
          {% for XTRAHOST in DOCKER.containers['so-elastic-agent'].extra_hosts %}
        - {{ XTRAHOST }}
          {% endfor %}
        {% endif %}
    - binds:
      - /opt/so/conf/elastic-agent/elastic-agent.yml:/usr/share/elastic-agent/elastic-agent.yml:ro
      - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro 
      - /nsm:/nsm:ro
     {% if DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
        {% for BIND in DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}      
    - environment:
      - FLEET_CA=/etc/pki/tls/certs/intca.crt
      {% if DOCKER.containers['so-elastic-agent'].extra_env %}
        {% for XTRAENV in DOCKER.containers['so-elastic-agent'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
    - watch:
      - file: create-elastic-agent-config
 delete_so-elastic-agent_so-status.disabled:
  file.uncomment:
    - name: /opt/so/conf/so-status/so-status.conf
    - regex: ^so-elastic-agent$
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
@@ -0,0 +1,119 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 id: aea1ba80-1065-11ee-a369-97538913b6a9
 revision: 2
 outputs:
  default:
    type: elasticsearch
    hosts:
      - 'https://{{ GLOBALS.hostname }}:9200'
    username: '{{ ES_USER }}'
    password: '{{ ES_PASS }}'
    ssl.verification_mode: full
 output_permissions: {}
 agent:
  download:
    sourceURI: 'http://{{ GLOBALS.manager }}:8443/artifacts/'
  monitoring:
    enabled: false
    logs: false
    metrics: false
  features: {}
 inputs:
  - id: logfile-logs-80ffa884-2cfc-459a-964a-34df25714d85
    name: suricata-logs
    revision: 1
    type: logfile
    use_output: default
    meta:
      package:
        name: log
        version: 
    data_stream:
      namespace: so
    package_policy_id: 80ffa884-2cfc-459a-964a-34df25714d85
    streams:
      - id: logfile-log.log-80ffa884-2cfc-459a-964a-34df25714d85
        data_stream:
          dataset: suricata
        paths:
          - /nsm/suricata/eve*.json
        processors:
          - add_fields:
              target: event
              fields:
                category: network
                module: suricata
        pipeline: suricata.common
  - id: logfile-logs-90103ac4-f6bd-4a4a-b596-952c332390fc
    name: strelka-logs
    revision: 1
    type: logfile
    use_output: default
    meta:
      package:
        name: log
        version: 
    data_stream:
      namespace: so
    package_policy_id: 90103ac4-f6bd-4a4a-b596-952c332390fc
    streams:
      - id: logfile-log.log-90103ac4-f6bd-4a4a-b596-952c332390fc
        data_stream:
          dataset: strelka
        paths:
          - /nsm/strelka/log/strelka.log
        processors:
          - add_fields:
              target: event
              fields:
                category: file
                module: strelka
        pipeline: strelka.file
  - id: logfile-logs-6197fe84-9b58-4d9b-8464-3d517f28808d
    name: zeek-logs
    revision: 1
    type: logfile
    use_output: default
    meta:
      package:
        name: log
        version: 
    data_stream:
      namespace: so
    package_policy_id: 6197fe84-9b58-4d9b-8464-3d517f28808d
    streams:
      - id: logfile-log.log-6197fe84-9b58-4d9b-8464-3d517f28808d
        data_stream:
          dataset: zeek
        paths:
          - /nsm/zeek/logs/current/*.log
        processors:
          - dissect:
              tokenizer: '/nsm/zeek/logs/current/%{pipeline}.log'
              field: log.file.path
              trim_chars: .log
              target_prefix: ''
          - script:
              lang: javascript
              source: |
                function process(event) {
                  var pl = event.Get("pipeline");
                  event.Put("@metadata.pipeline", "zeek." + pl);
                }
          - add_fields:
              target: event
              fields:
                category: network
                module: zeek
          - add_tags:
              tags: ics
              when:
                regexp:
                  pipeline: >-
                    ^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*
        exclude_files:
          - >-
            broker|capture_loss|cluster|ecat_arp_info|known_hosts|known_services|loaded_scripts|ntp|ocsp|packet_filter|reporter|stats|stderr|stdout.log$
@@ -0,0 +1,13 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'elasticagent/map.jinja' import ELASTICAGENTMERGED %}
 include:
 {% if ELASTICAGENTMERGED.enabled %}
  - elasticagent.enabled
 {% else %}
  - elasticagent.disabled
 {% endif %}
@@ -0,0 +1,7 @@
 {# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
   https://securityonion.net/license; you may not use this file except in compliance with the
   Elastic License 2.0. #}
 {% import_yaml 'elasticagent/defaults.yaml' as ELASTICAGENTDEFAULTS %}
 {% set ELASTICAGENTMERGED = salt['pillar.get']('elasticagent', ELASTICAGENTDEFAULTS.elasticagent, merge=True) %}
@@ -0,0 +1,21 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 append_so-elastic-agent_so-status.conf:
  file.append:
    - name: /opt/so/conf/so-status/so-status.conf
    - text: so-elastic-agent
    - unless: grep -q so-elastic-agent$ /opt/so/conf/so-status/so-status.conf
 {% else %}
 {{sls}}_state_not_allowed:
  test.fail_without_changes:
    - name: {{sls}}_state_not_allowed
 {% endif %}
@@ -0,0 +1,16 @@
 #!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 . /usr/sbin/so-common
 {% if grains.role == 'so-heavynode' %}
 docker exec so-elastic-agent /usr/share/elastic-agent/elastic-agent inspect
 {% else %}
 /bin/elastic-agent inspect
 {% endif %}
@@ -0,0 +1,17 @@
 #!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 . /usr/sbin/so-common
 {% if grains.role == 'so-heavynode' %}
 /usr/sbin/so-stop elastic-agent $1
 /usr/sbin/so-start elasticagent $1
 {% else %}
 service elastic-agent restart
 {% endif %}
@@ -0,0 +1,17 @@
 #!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 . /usr/sbin/so-common
 {% if grains.role == 'so-heavynode' %}
 /usr/sbin/so-start elasticagent $1
 {% else %}
 service elastic-agent start
 {% endif %}
@@ -0,0 +1,17 @@
 #!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 . /usr/sbin/so-common
 {% if grains.role == 'so-heavynode' %}
 docker exec so-elastic-agent /usr/share/elastic-agent/elastic-agent status
 {% else %}
 /bin/elastic-agent status
 {% endif %}
@@ -9,4 +9,9 @@
 . /usr/sbin/so-common
-docker exec -it so-redis redis-cli llen logstash:unparsed
+{% if grains.role == 'so-heavynode' %}
 /usr/sbin/so-stop elastic-agent $1
 {% else %}
 service elastic-agent stop
 {% endif %}
@@ -0,0 +1,17 @@
 #!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 . /usr/sbin/so-common
 {% if grains.role == 'so-heavynode' %}
 docker exec so-elastic-agent /usr/share/elastic-agent/elastic-agent version
 {% else %}
 /bin/elastic-agent version
 {% endif %}
@@ -8,13 +8,13 @@
 {% if sls.split('.')[0] in allowed_states %}
 # Add EA Group
-elasticsagentgroup:
+elasticfleetgroup:
  group.present:
-    - name: elastic-agent
+    - name: elastic-fleet
    - gid: 947
 # Add EA user
-elastic-agent:
+elastic-fleet:
  user.present:
    - uid: 947
    - gid: 947
@@ -45,6 +45,13 @@ eaconfdir:
    - group: 939
    - makedirs: True
 ealogdir:
  file.directory:
    - name: /opt/so/log/elasticfleet
    - user: 947
    - group: 939
    - makedirs: True
 eastatedir:
  file.directory:
    - name: /opt/so/conf/elastic-fleet/state
@@ -2,22 +2,34 @@ elasticfleet:
  enabled: False
  config:
    server:
      custom_fqdn: ''
      enable_auto_configuration: True
      endpoints_enrollment: ''
      es_token: ''
      grid_enrollment: ''
      url: ''
  logging:
    zeek:
      excluded:
        - broker
        - capture_loss
        - cluster
        - ecat_arp_info
        - known_hosts
        - known_services
        - loaded_scripts
        - ntp
        - ocsp
        - packet_filter
        - reporter
        - stats
        - stderr
        - stdout
  packages:
    - aws
    - azure
    - cloudflare
    - endpoint
    - fim
    - github
    - google_workspace
    - 1password
@@ -7,6 +7,8 @@
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
 {#   This value is generated during node install and stored in minion pillar #}
 {%   set SERVICETOKEN = salt['pillar.get']('elasticfleet:config:server:es_token','') %}
@@ -14,6 +16,27 @@ include:
  - elasticfleet.config
  - elasticfleet.sostatus
 # If enabled, automatically update Fleet Logstash Outputs
 {% if ELASTICFLEETMERGED.config.server.enable_auto_configuration and grains.role not in ['so-import', 'so-eval', 'so-fleet'] %}
 so-elastic-fleet-auto-configure-logstash-outputs:
  cmd.run:
    - name: /usr/sbin/so-elastic-fleet-outputs-update
 {% endif %}
 # If enabled, automatically update Fleet Server URLs & ES Connection
 {% if ELASTICFLEETMERGED.config.server.enable_auto_configuration and grains.role not in ['so-fleet'] %}
 so-elastic-fleet-auto-configure-server-urls:
  cmd.run:
    - name: /usr/sbin/so-elastic-fleet-urls-update
 {% endif %}
 # Automatically update Fleet Server Elasticsearch URLs
 {% if grains.role not in ['so-fleet'] %}
 so-elastic-fleet-auto-configure-elasticsearch-urls:
  cmd.run:
    - name: /usr/sbin/so-elastic-fleet-es-url-update
 {% endif %}
 {%   if SERVICETOKEN != '' %}
 so-elastic-fleet:
  docker_container.running:
@@ -39,7 +62,11 @@ so-elastic-fleet:
      {% endfor %}
    - binds:
      - /etc/pki:/etc/pki:ro
      {% if GLOBALS.os_family == 'Debian' %}
      - /etc/ssl:/etc/ssl:ro
      {% endif %}
      #- /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state:rw
      - /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs 
     {% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
        {% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
      - {{ BIND }}
@@ -47,14 +74,20 @@ so-elastic-fleet:
      {% endif %}      
    - environment:
      - FLEET_SERVER_ENABLE=true
-      - FLEET_URL=https://{{ GLOBALS.node_ip }}:8220
+      - FLEET_URL=https://{{ GLOBALS.hostname }}:8220
      - FLEET_SERVER_ELASTICSEARCH_HOST=https://{{ GLOBALS.manager }}:9200
      - FLEET_SERVER_SERVICE_TOKEN={{ SERVICETOKEN }}
      - FLEET_SERVER_POLICY_ID=FleetServer_{{ GLOBALS.hostname }}
-      - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
+      - FLEET_SERVER_CERT=/etc/pki/elasticfleet-server.crt
-      - FLEET_SERVER_CERT=/etc/pki/elasticfleet.crt
+      - FLEET_SERVER_CERT_KEY=/etc/pki/elasticfleet-server.key
-      - FLEET_SERVER_CERT_KEY=/etc/pki/elasticfleet.key
+      {% if GLOBALS.os_family == 'Debian' %}
      - FLEET_CA=/etc/ssl/certs/intca.crt     
      - FLEET_SERVER_ELASTICSEARCH_CA=/etc/ssl/certs/intca.crt
      {% else %}
      - FLEET_CA=/etc/pki/tls/certs/intca.crt
      - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
      {% endif %}
      - LOGS_PATH=logs
      {% if DOCKER.containers['so-elastic-fleet'].extra_env %}
        {% for XTRAENV in DOCKER.containers['so-elastic-fleet'].extra_env %}
      - {{ XTRAENV }}
@@ -8,7 +8,7 @@
  "name": "import-zeek-logs",
  "namespace": "so",
  "description": "Zeek Import logs",
-  "policy_id": "so-grid-nodes",
+  "policy_id": "so-grid-nodes_general",
  "inputs": {
    "logs-logfile": {
      "enabled": true,
@@ -9,7 +9,7 @@
  "name": "zeek-logs",
  "namespace": "so",
  "description": "Zeek logs",
-  "policy_id": "so-grid-nodes",
+  "policy_id": "so-grid-nodes_general",
  "inputs": {
    "logs-logfile": {
      "enabled": true,
@@ -13,9 +13,14 @@
        "system.auth": {
          "enabled": true,
          "vars": {
            "ignore_older": "72h",
            "paths": [
              "/var/log/auth.log*",
              "/var/log/secure*"
            ],
            "preserve_original_event": false,
            "tags": [
              "system-auth"
            ]
          }
        },
@@ -24,34 +29,49 @@
          "vars": {
            "paths": [
              "/var/log/messages*",
-              "/var/log/syslog*"
+              "/var/log/syslog*",
-            ]
+              "/var/log/system*"
            ],
            "tags": [],
            "ignore_older": "72h"
          }
        }
      }
    },
    "system-winlog": {
      "enabled": true,
      "vars": {
        "preserve_original_event": false
      },
      "streams": {
        "system.application": {
          "enabled": true,
          "vars": {
            "preserve_original_event": false,
            "ignore_older": "72h",
            "language": 0,
            "tags": []
          }
        },
        "system.security": {
          "enabled": true,
          "vars": {
            "preserve_original_event": false,
            "ignore_older": "72h",
            "language": 0,
            "tags": []
          }
        },
        "system.system": {
          "enabled": true,
          "vars": {
            "preserve_original_event": false,
            "ignore_older": "72h",
            "language": 0,
            "tags": []
          }
        }
-        }
+      }
-      },
+    },
-      "system-system/metrics": {
+    "system-system/metrics": {
-        "enabled": false
+      "enabled": false
    }
  }
 }
@@ -1,29 +0,0 @@
 {
  "package": {
    "name": "log",
    "version": ""
  },
  "name": "import-evtx-logs",
  "namespace": "so",
  "description": "Import Windows EVTX logs",
  "policy_id": "so-grid-nodes",
  "inputs": {
    "logs-logfile": {
      "enabled": true,
      "streams": {
        "log.log": {
          "enabled": true,
          "vars": {
            "paths": [
              "/nsm/import/*/evtx/data.json"
            ],
            "data_stream.dataset": "import",
            "tags": [],
            "processors": "- dissect:\n    tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n    field: \"log.file.path\"\n    target_prefix: \"\"\n- decode_json_fields:\n    fields: [\"message\"]\n    target: \"\"\n- add_fields:\n    target: event\n    fields:\n      module: windows_eventlog\n      imported: true",
            "custom": "pipeline: import.wel"
          }
        }
      }
    }
  }
 }
@@ -0,0 +1,106 @@
 {
  "package": {
    "name": "elasticsearch",
    "version": ""
  },
  "name": "elasticsearch-logs",
  "namespace": "default",
  "description": "Elasticsearch Logs",
  "policy_id": "so-grid-nodes_general",
  "inputs": {
    "elasticsearch-logfile": {
      "enabled": true,
      "streams": {
        "elasticsearch.audit": {
          "enabled": false,
          "vars": {
            "paths": [
              "/var/log/elasticsearch/*_audit.json"
            ]
          }
        },
        "elasticsearch.deprecation": {
          "enabled": false,
          "vars": {
            "paths": [
              "/var/log/elasticsearch/*_deprecation.json"
            ]
          }
        },
        "elasticsearch.gc": {
          "enabled": false,
          "vars": {
            "paths": [
              "/var/log/elasticsearch/gc.log.[0-9]*",
              "/var/log/elasticsearch/gc.log"
            ]
          }
        },
        "elasticsearch.server": {
          "enabled": true,
          "vars": {
            "paths": [
              "/opt/so/log/elasticsearch/*.log"
            ]
          }
        },
        "elasticsearch.slowlog": {
          "enabled": false,
          "vars": {
            "paths": [
              "/var/log/elasticsearch/*_index_search_slowlog.json",
              "/var/log/elasticsearch/*_index_indexing_slowlog.json"
            ]
          }
        }
      }
    },
    "elasticsearch-elasticsearch/metrics": {
      "enabled": false,
      "vars": {
        "hosts": [
          "http://localhost:9200"
        ],
        "scope": "node"
      },
      "streams": {
        "elasticsearch.stack_monitoring.ccr": {
          "enabled": false
        },
        "elasticsearch.stack_monitoring.cluster_stats": {
          "enabled": false
        },
        "elasticsearch.stack_monitoring.enrich": {
          "enabled": false
        },
        "elasticsearch.stack_monitoring.index": {
          "enabled": false
        },
        "elasticsearch.stack_monitoring.index_recovery": {
          "enabled": false,
          "vars": {
            "active.only": true
          }
        },
        "elasticsearch.stack_monitoring.index_summary": {
          "enabled": false
        },
        "elasticsearch.stack_monitoring.ml_job": {
          "enabled": false
        },
        "elasticsearch.stack_monitoring.node": {
          "enabled": false
        },
        "elasticsearch.stack_monitoring.node_stats": {
          "enabled": false
        },
        "elasticsearch.stack_monitoring.pending_tasks": {
          "enabled": false
        },
        "elasticsearch.stack_monitoring.shard": {
          "enabled": false
        }
      }
    }
  }
 }
@@ -6,7 +6,7 @@
  "name": "idh-logs",
  "namespace": "so",
  "description": "IDH integration",
-  "policy_id": "so-grid-nodes",
+  "policy_id": "so-grid-nodes_general",
  "inputs": {
    "logs-logfile": {
      "enabled": true,
@@ -0,0 +1,32 @@
 {
  "package": {
    "name": "log",
    "version": ""
  },
  "name": "import-evtx-logs",
  "namespace": "so",
  "description": "Import Windows EVTX logs",
  "policy_id": "so-grid-nodes_general",
  "vars": {},
  "inputs": {
    "logs-logfile": {
      "enabled": true,
      "streams": {
        "log.log": {
          "enabled": true,
          "vars": {
            "paths": [
              "/nsm/import/*/evtx/*.json"
            ],
            "data_stream.dataset": "import",
            "custom": "",
            "processors": "- dissect:\n    tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n    field: \"log.file.path\"\n    target_prefix: \"\"\n- decode_json_fields:\n    fields: [\"message\"]\n    target: \"\"\n- drop_fields:\n    fields: [\"host\"]\n    ignore_missing: true\n- add_fields:\n    target: data_stream\n    fields:\n      namespace: default\n      type: logs\n      dataset: system.security\n- add_fields:\n    target: event\n    fields:\n      dataset: system.security\n      module: system\n      imported: true  \n- if:\n    equals:\n      winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: windows.sysmon_operational\n    - add_fields:\n        target: event\n        fields:\n          dataset: windows.sysmon_operational\n          module: windows\n          imported: true\n- if:\n    equals:\n      winlog.channel: 'Application'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: system.application\n    - add_fields:\n        target: event\n        fields:\n          dataset: system.application\n- if:\n    equals:\n      winlog.channel: 'System'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: system.system\n    - add_fields:\n        target: event\n        fields:\n          dataset: system.system\n- if:\n    equals:\n      winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: windows.powershell_operational\n    - add_fields:\n        target: event\n        fields:\n          dataset: windows.powershell_operational\n          module: windows",
            "tags": [
              "import"
            ]
          }
        }
      }
    }
  }
 }
@@ -6,7 +6,7 @@
  "name": "import-suricata-logs",
  "namespace": "so",
  "description": "Import Suricata logs",
-  "policy_id": "so-grid-nodes",
+  "policy_id": "so-grid-nodes_general",
  "inputs": {
    "logs-logfile": {
      "enabled": true,
@@ -0,0 +1,29 @@
 {
  "package": {
    "name": "log",
    "version": ""
  },
  "name": "kratos-logs",
  "namespace": "so",
  "description": "Kratos logs",
  "policy_id": "so-grid-nodes_general",
  "inputs": {
    "logs-logfile": {
      "enabled": true,
      "streams": {
        "log.log": {
          "enabled": true,
          "vars": {
            "paths": [
              "/opt/so/log/kratos/kratos.log"
            ],
            "data_stream.dataset": "kratos",
            "tags": ["so-kratos"],
            "processors": "- decode_json_fields:\n    fields: [\"message\"]\n    target: \"\"\n    add_error_key: true      \n- add_fields:\n    target: event\n    fields:\n      category: iam\n      module: kratos",
            "custom": "pipeline: kratos"
          }
        }
      }
    }
  }
 }
@@ -0,0 +1,20 @@
 {
  "package": {
    "name": "osquery_manager",
    "version": ""
  },
  "name": "osquery-grid-nodes",
  "namespace": "default",
  "policy_id": "so-grid-nodes_general",
  "inputs": {
    "osquery_manager-osquery": {
      "enabled": true,
      "streams": {
        "osquery_manager.result": {
          "enabled": true,
          "vars": {}
        }
      }
    }
  }
 }
@@ -0,0 +1,76 @@
 {
  "package": {
    "name": "redis",
    "version": ""
  },
  "name": "redis-logs",
  "namespace": "default",
  "description": "Redis logs",
  "policy_id": "so-grid-nodes_general",
  "inputs": {
    "redis-logfile": {
      "enabled": true,
      "streams": {
        "redis.log": {
          "enabled": true,
          "vars": {
            "paths": [
              "/opt/so/log/redis/redis.log"
            ],
            "tags": [
              "redis-log"
            ],
            "preserve_original_event": false
          }
        }
      }
    },
    "redis-redis": {
      "enabled": false,
      "streams": {
        "redis.slowlog": {
          "enabled": false,
          "vars": {
            "hosts": [
              "127.0.0.1:6379"
            ],
            "password": ""
          }
        }
      }
    },
    "redis-redis/metrics": {
      "enabled": false,
      "vars": {
        "hosts": [
          "127.0.0.1:6379"
        ],
        "idle_timeout": "20s",
        "maxconn": 10,
        "network": "tcp",
        "password": ""
      },
      "streams": {
        "redis.info": {
          "enabled": false,
          "vars": {
            "period": "10s"
          }
        },
        "redis.key": {
          "enabled": false,
          "vars": {
            "key.patterns": "- limit: 20\n  pattern: *\n",
            "period": "10s"
          }
        },
        "redis.keyspace": {
          "enabled": false,
          "vars": {
            "period": "10s"
          }
        }
      }
    }
  }
 }
@@ -0,0 +1,29 @@
 {
  "package": {
    "name": "log",
    "version": ""
  },
  "name": "soc-auth-sync-logs",
  "namespace": "so",
  "description": "Security Onion - Elastic Auth Sync - Logs",
  "policy_id": "so-grid-nodes_general",
  "inputs": {
    "logs-logfile": {
      "enabled": true,
      "streams": {
        "log.log": {
          "enabled": true,
          "vars": {
            "paths": [
              "/opt/so/log/soc/sync.log"
            ],
            "data_stream.dataset": "soc",
            "tags": ["so-soc"],
            "processors": "- dissect:\n    tokenizer: \"%{event.action}\"\n    field: \"message\"\n    target_prefix: \"\"\n- add_fields:\n    target: event\n    fields:\n      category: host\n      module: soc\n      dataset_temp: auth_sync",
            "custom": "pipeline: common"
          }
        }
      }
    }
  }
 }
--- a/Show More
+++ b/Show More
		`@@ -1,2 +0,0 @@`
			`#!/bin/bash`
			`/usr/sbin/logrotate -f /opt/so/conf/log-rotate.conf > /dev/null 2>&1`
		`@@ -1,2 +0,0 @@`
			`#!/bin/bash`
			`/usr/sbin/logrotate -f /opt/so/conf/sensor-rotate.conf > /dev/null 2>&1`