Merge pull request #14479 from Security-Onion-Solutions/patch/2.4.141

2.4.141
Merge pull request #14478 from Security-Onion-Solutions/2.4.141
2026-04-25 14:07:49 +02:00 · 2025-03-31 11:21:30 -04:00 · 2025-03-31 10:38:30 -04:00 · 2025-03-31 10:37:04 -04:00 · 2025-03-26 12:11:53 -04:00 · 2025-03-24 15:08:43 -04:00
850 changed files with 270941 additions and 392298 deletions
@@ -536,11 +536,10 @@ secretGroup = 4

 [allowlist]
 description = "global allow lists"
-regexes = ['''219-09-9999''', '''078-05-1120''', '''(9[0-9]{2}|666)-\d{2}-\d{4}''', '''RPM-GPG-KEY.*''']
+regexes = ['''219-09-9999''', '''078-05-1120''', '''(9[0-9]{2}|666)-\d{2}-\d{4}''', '''RPM-GPG-KEY.*''', '''.*:.*StrelkaHexDump.*''', '''.*:.*PLACEHOLDER.*''', '''ssl_.*password''', '''integration_key\s=\s"so-logs-"''']
 paths = [
    '''gitleaks.toml''',
    '''(.*?)(jpg|gif|doc|pdf|bin|svg|socket)$''',
    '''(go.mod|go.sum)$''',
-    
    '''salt/nginx/files/enterprise-attack.json'''
 ]
@@ -0,0 +1,195 @@
+body:
+  - type: markdown
+    attributes:
+      value: |
+        ⚠️ This category is solely for conversations related to Security Onion 2.4 ⚠️
+
+        If your organization needs more immediate, enterprise grade professional support, with one-on-one virtual meetings and screensharing, contact us via our website: https://securityonion.com/support
+  - type: dropdown
+    attributes:
+      label: Version
+      description: Which version of Security Onion 2.4.x are you asking about?
+      options:
+        -
+        - 2.4.10
+        - 2.4.20
+        - 2.4.30
+        - 2.4.40
+        - 2.4.50
+        - 2.4.60
+        - 2.4.70
+        - 2.4.80
+        - 2.4.90
+        - 2.4.100
+        - 2.4.110
+        - 2.4.111
+        - 2.4.120
+        - 2.4.130
+        - 2.4.140
+        - Other (please provide detail below)
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Installation Method
+      description: How did you install Security Onion?
+      options:
+        -
+        - Security Onion ISO image
+        - Cloud image (Amazon, Azure, Google)
+        - Network installation on Red Hat derivative like Oracle, Rocky, Alma, etc. (unsupported)
+        - Network installation on Ubuntu (unsupported)
+        - Network installation on Debian (unsupported)
+        - Other (please provide detail below)
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Description
+      description: >
+        Is this discussion about installation, configuration, upgrading, or other?
+      options:
+        -
+        - installation
+        - configuration
+        - upgrading
+        - other (please provide detail below)
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Installation Type
+      description: >
+        When you installed, did you choose Import, Eval, Standalone, Distributed, or something else?
+      options:
+        -
+        - Import
+        - Eval
+        - Standalone
+        - Distributed
+        - other (please provide detail below)
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Location
+      description: >
+        Is this deployment in the cloud, on-prem with Internet access, or airgap?
+      options:
+        -
+        - cloud
+        - on-prem with Internet access
+        - airgap
+        - other (please provide detail below)
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Hardware Specs
+      description: >
+        Does your hardware meet or exceed the minimum requirements for your installation type as shown at https://docs.securityonion.net/en/2.4/hardware.html?
+      options:
+        -
+        - Meets minimum requirements
+        - Exceeds minimum requirements
+        - Does not meet minimum requirements
+        - other (please provide detail below)
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: CPU
+      description: How many CPU cores do you have?
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: RAM
+      description: How much RAM do you have?
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Storage for /
+      description: How much storage do you have for the / partition?
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Storage for /nsm
+      description: How much storage do you have for the /nsm partition?
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Network Traffic Collection
+      description: >
+        Are you collecting network traffic from a tap or span port?
+      options:
+        -
+        - tap
+        - span port
+        - other (please provide detail below)
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Network Traffic Speeds
+      description: >
+        How much network traffic are you monitoring?
+      options:
+        -
+        - Less than 1Gbps
+        - 1Gbps to 10Gbps
+        - more than 10Gbps
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Status
+      description: >
+        Does SOC Grid show all services on all nodes as running OK?
+      options:
+        -
+        - Yes, all services on all nodes are running OK
+        - No, one or more services are failed (please provide detail below)
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Salt Status
+      description: >
+        Do you get any failures when you run "sudo salt-call state.highstate"?
+      options:
+        -
+        - Yes, there are salt failures (please provide detail below)
+        - No, there are no failures
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Logs
+      description: >
+        Are there any additional clues in /opt/so/log/?
+      options:
+        -
+        - Yes, there are additional clues in /opt/so/log/ (please provide detail below)
+        - No, there are no additional clues
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Detail
+      description: Please read our discussion guidelines at https://github.com/Security-Onion-Solutions/securityonion/discussions/1720 and then provide detailed information to help us help you.
+      placeholder: |-
+        STOP! Before typing, please read our discussion guidelines at https://github.com/Security-Onion-Solutions/securityonion/discussions/1720 in their entirety!
+
+        If your organization needs more immediate, enterprise grade professional support, with one-on-one virtual meetings and screensharing, contact us via our website: https://securityonion.com/support
+    validations:
+      required: true
+  - type: checkboxes
+    attributes:
+      label: Guidelines
+      options:
+        - label: I have read the discussion guidelines at https://github.com/Security-Onion-Solutions/securityonion/discussions/1720 and assert that I have followed the guidelines.
+          required: true
@@ -1,12 +0,0 @@
-PLEASE STOP AND READ THIS INFORMATION!
-
-If you are creating an issue just to ask a question, you will likely get faster and better responses by posting to our discussions forum instead:
-https://securityonion.net/discuss
-
-If you think you have found a possible bug or are observing a behavior that you weren't expecting, use the discussion forum to start a conversation about it instead of creating an issue.
-
-If you are very familiar with the latest version of the product and are confident you have found a bug in Security Onion, you can continue with creating an issue here, but please make sure you have done the following:
- duplicated the issue on a fresh installation of the latest version
- provide information about your system and how you installed Security Onion
- include relevant log files
- include reproduction steps
@@ -0,0 +1,38 @@
+---
+name: Bug report
+about: This option is for experienced community members to report a confirmed, reproducible bug
+title: ''
+labels: ''
+assignees: ''
+
+---
+PLEASE STOP AND READ THIS INFORMATION!
+
+If you are creating an issue just to ask a question, you will likely get faster and better responses by posting to our discussions forum at https://securityonion.net/discuss.
+
+If you think you have found a possible bug or are observing a behavior that you weren't expecting, use the discussion forum at https://securityonion.net/discuss to start a conversation about it instead of creating an issue.
+
+If you are very familiar with the latest version of the product and are confident you have found a bug in Security Onion, you can continue with creating an issue here, but please make sure you have done the following:
+- duplicated the issue on a fresh installation of the latest version
+- provide information about your system and how you installed Security Onion
+- include relevant log files
+- include reproduction steps
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Additional context**
+Add any other context about the problem here.
@@ -0,0 +1,5 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Security Onion Discussions
+    url: https://securityonion.com/discussions
+    about: Please ask and answer questions here
@@ -0,0 +1,33 @@
+name: 'Close Threads'
+
+on:
+  schedule:
+    - cron: '50 1 * * *'
+  workflow_dispatch:
+
+permissions:
+  issues: write
+  pull-requests: write
+  discussions: write
+
+concurrency:
+  group: lock-threads
+
+jobs:
+  close-threads:
+    if: github.repository_owner == 'security-onion-solutions'
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      - uses: actions/stale@v5
+        with:
+          days-before-issue-stale: -1
+          days-before-issue-close: 60
+          stale-issue-message: "This issue is stale because it has been inactive for an extended period. Stale issues convey that the issue, while important to someone, is not critical enough for the author, or other community members to work on, sponsor, or otherwise shepherd the issue through to a resolution."
+          close-issue-message: "This issue was closed because it has been stale for an extended period. It will be automatically locked in 30 days, after which no further commenting will be available."
+          days-before-pr-stale: 45
+          days-before-pr-close: 60
+          stale-pr-message: "This PR is stale because it has been inactive for an extended period. The longer a PR remains stale the more out of date with the main branch it becomes."
+          close-pr-message: "This PR was closed because it has been stale for an extended period. It will be automatically locked in 30 days. If there is still a commitment to finishing this PR re-open it before it is locked."
@@ -11,14 +11,14 @@ jobs:
    steps:
      - name: "Contributor Check"
        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
-        uses: cla-assistant/github-action@v2.1.3-beta
+        uses: cla-assistant/github-action@v2.3.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PERSONAL_ACCESS_TOKEN : ${{ secrets.PERSONAL_ACCESS_TOKEN }}
        with:
          path-to-signatures: 'signatures_v1.json'
          path-to-document: 'https://securityonionsolutions.com/cla' 
-          allowlist: dependabot[bot],jertel,dougburks,TOoSmOotH,weslambert,defensivedepth,m0duspwnens
+          allowlist: dependabot[bot],jertel,dougburks,TOoSmOotH,defensivedepth,m0duspwnens
          remote-organization-name: Security-Onion-Solutions
          remote-repository-name: licensing

@@ -0,0 +1,26 @@
+name: 'Lock Threads'
+
+on:
+  schedule:
+    - cron: '50 2 * * *'
+  workflow_dispatch:
+
+permissions:
+  issues: write
+  pull-requests: write
+  discussions: write
+
+concurrency:
+  group: lock-threads
+
+jobs:
+  lock-threads:
+    if: github.repository_owner == 'security-onion-solutions'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: jertel/lock-threads@main
+        with:
+          include-discussion-currently-open: true
+          discussion-inactive-days: 90
+          issue-inactive-days: 30
+          pr-inactive-days: 30
@@ -4,9 +4,11 @@ on:
  push:
    paths: 
      - "salt/sensoroni/files/analyzers/**"
+      - "salt/manager/tools/sbin"
  pull_request:
    paths:
      - "salt/sensoroni/files/analyzers/**"
+      - "salt/manager/tools/sbin"

 jobs:
  build:
@@ -16,7 +18,7 @@ jobs:
      fail-fast: false
      matrix:
        python-version: ["3.10"]
-        python-code-path: ["salt/sensoroni/files/analyzers"]
+        python-code-path: ["salt/sensoroni/files/analyzers", "salt/manager/tools/sbin"]

    steps:
    - uses: actions/checkout@v3
@@ -34,4 +36,4 @@ jobs:
        flake8 ${{ matrix.python-code-path }} --show-source --max-complexity=12  --doctests --max-line-length=200 --statistics
    - name: Test with pytest
      run: |
-        pytest ${{ matrix.python-code-path }} --cov=${{ matrix.python-code-path }} --doctest-modules --cov-report=term --cov-fail-under=100 --cov-config=${{ matrix.python-code-path }}/pytest.ini
+        pytest ${{ matrix.python-code-path }} --cov=${{ matrix.python-code-path }} --doctest-modules --cov-report=term --cov-fail-under=100 --cov-config=pytest.ini
@@ -1,18 +1,17 @@
-### 2.4.20-20231012 ISO image released on 2023/10/12
-
+### 2.4.141-20250331 ISO image released on 2025/03/31


 ### Download and Verify

-2.4.20-20231012 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.4.20-20231012.iso
+2.4.141-20250331 ISO image:  
+https://download.securityonion.net/file/securityonion/securityonion-2.4.141-20250331.iso
 
-MD5: 7D6ACA843068BA9432B3FF63BFD1EF0F  
-SHA1: BEF2B906066A1B04921DF0B80E7FDD4BC8ECED5C  
-SHA256: 5D511D50F11666C69AE12435A47B9A2D30CB3CC88F8D38DC58A5BC0ECADF1BF5  
+MD5: CAE347BC0437A93DC8F4089973ED0EA7  
+SHA1: 3A6F0C2F3B6E3625E06F67EB251372D7E592CB0E  
+SHA256: D0426D8E55E01A0FBA15AFE0BB7887CCB724C07FE82DA706CD1592E6001CD12B  

 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.20-20231012.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.141-20250331.iso.sig

 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS  
@@ -26,27 +25,29 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.

 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.20-20231012.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.141-20250331.iso.sig
 ```

 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.20-20231012.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.141-20250331.iso
 ```

 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.4.20-20231012.iso.sig securityonion-2.4.20-20231012.iso
+gpg --verify securityonion-2.4.141-20250331.iso.sig securityonion-2.4.141-20250331.iso
 ```

 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Thu 12 Oct 2023 01:28:32 PM EDT using RSA key ID FE507013
+gpg: Signature made Fri 28 Mar 2025 06:28:11 PM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.
 Primary key fingerprint: C804 A93D 36BE 0C73 3EA1  9644 7C10 60B7 FE50 7013
 ```

+If it fails to verify, try downloading again. If it still fails to verify, try downloading from another computer or another network.
+
 Once you've verified the ISO image, you're ready to proceed to our Installation guide:  
 https://docs.securityonion.net/en/2.4/installation.html
@@ -1 +0,0 @@
-20231012
@@ -0,0 +1,53 @@
+Elastic License 2.0 (ELv2)
+
+Acceptance
+
+  By using the software, you agree to all of the terms and conditions below.
+
+Copyright License
+
+  The licensor grants you a non-exclusive, royalty-free, worldwide, non-sublicensable, non-transferable license to use, copy, distribute, make available, and prepare derivative works of the software, in each case subject to the limitations and conditions below.
+
+Limitations
+
+  You may not provide the software to third parties as a hosted or managed service, where the service provides users with access to any substantial set of the features or functionality of the software.
+
+  You may not move, change, disable, or circumvent the license key functionality in the software, and you may not remove or obscure any functionality in the software that is protected by the license key.
+
+  You may not alter, remove, or obscure any licensing, copyright, or other notices of the licensor in the software. Any use of the licensor’s trademarks is subject to applicable law.
+
+Patents
+
+  The licensor grants you a license, under any patent claims the licensor can license, or becomes able to license, to make, have made, use, sell, offer for sale, import and have imported the software, in each case subject to the limitations and conditions in this license. This license does not cover any patent claims that you cause to be infringed by modifications or additions to the software. If you or your company make any written claim that the software infringes or contributes to infringement of any patent, your patent license for the software granted under these terms ends immediately. If your company makes such a claim, your patent license ends immediately for work on behalf of your company.
+
+Notices
+
+  You must ensure that anyone who gets a copy of any part of the software from you also gets a copy of these terms.
+
+  If you modify the software, you must include in any modified copies of the software prominent notices stating that you have modified the software.
+
+No Other Rights
+
+  These terms do not imply any licenses other than those expressly granted in these terms.
+
+Termination
+
+  If you use the software in violation of these terms, such use is not licensed, and your licenses will automatically terminate. If the licensor provides you with a notice of your violation, and you cease all violation of this license no later than 30 days after you receive that notice, your licenses will be reinstated retroactively. However, if you violate these terms after such reinstatement, any additional violation of these terms will cause your licenses to terminate automatically and permanently.
+
+No Liability
+
+  As far as the law allows, the software comes as is, without any warranty or condition, and the licensor will not be liable to you for any damages arising out of these terms or the use or nature of the software, under any kind of legal claim.
+
+Definitions
+
+  The licensor is the entity offering these terms, and the software is the software the licensor makes available under these terms, including any portion of it.
+
+  you refers to the individual or entity agreeing to these terms.
+
+  your company is any legal entity, sole proprietorship, or other kind of organization that you work for, plus all organizations that have control over, are under the control of, or are under common control with that organization. control means ownership of substantially all the assets of an entity, or the power to direct its management and policies by vote, contract, or otherwise. Control can be direct or indirect.
+
+  your licenses are all the licenses granted to you for the software under these terms.
+
+  use means anything you do with the software requiring one of your licenses.
+  
+  trademark means trademarks, service marks, and similar rights.
@@ -8,19 +8,22 @@ Alerts
 ![Alerts](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/50_alerts.png)

 Dashboards
-![Dashboards](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/51_dashboards.png)
+![Dashboards](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/53_dashboards.png)

 Hunt
-![Hunt](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/52_hunt.png)
+![Hunt](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/56_hunt.png)
+
+Detections
+![Detections](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/57_detections.png)

 PCAP
-![PCAP](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/53_pcap.png)
+![PCAP](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/62_pcap.png)

 Grid
-![Grid](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/57_grid.png)
+![Grid](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/75_grid.png)

 Config
-![Config](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/61_config.png)
+![Config](https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/2.4/images/87_config.png)

 ### Release Notes

@@ -5,9 +5,11 @@
 | Version | Supported          |
 | ------- | ------------------ |
 | 2.4.x   | :white_check_mark: |
-| 2.3.x   | :white_check_mark: |
+| 2.3.x   | :x:                |
 | 16.04.x | :x:                |

+Security Onion 2.3 has reached End Of Life and is no longer supported.
+
 Security Onion 16.04 has reached End Of Life and is no longer supported.

 ## Reporting a Vulnerability
@@ -1 +1 @@
-2.4.20
+2.4.141
@@ -12,7 +12,6 @@ role:
  eval:
  fleet:
  heavynode:
-  helixsensor:
  idh:
  import:
  manager:
@@ -20,4 +19,4 @@ role:
  receiver:
  standalone:
  searchnode:
-  sensor:
+  sensor:
@@ -41,7 +41,8 @@ file_roots:
  base:
    - /opt/so/saltstack/local/salt
    - /opt/so/saltstack/default/salt
-
+    - /nsm/elastic-fleet/artifacts
+    - /opt/so/rules/nids

 # The master_roots setting configures a master-only copy of the file_roots dictionary,
 # used by the state compiler.
@@ -0,0 +1,34 @@
+{% set node_types = {} %}
+{% for minionid, ip in salt.saltutil.runner(
+    'mine.get',
+    tgt='elasticsearch:enabled:true',
+    fun='network.ip_addrs',
+    tgt_type='pillar') | dictsort()
+%}
+
+# only add a node to the pillar if it returned an ip from the mine
+{%   if ip | length > 0%}
+{%     set hostname = minionid.split('_') | first %}
+{%     set node_type = minionid.split('_') | last %}
+{%     if node_type not in node_types.keys() %}
+{%       do node_types.update({node_type: {hostname: ip[0]}}) %}
+{%     else %}
+{%       if hostname not in node_types[node_type] %}
+{%         do node_types[node_type].update({hostname: ip[0]}) %}
+{%       else %}
+{%         do node_types[node_type][hostname].update(ip[0]) %}
+{%       endif %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+
+
+elasticsearch:
+  nodes:
+{% for node_type, values in node_types.items() %}
+    {{node_type}}:
+{%   for hostname, ip in values.items() %}
+      {{hostname}}:
+        ip: {{ip}}
+{%   endfor %}
+{% endfor %}
@@ -0,0 +1,2 @@
+kafka:
+  nodes:
@@ -1,25 +1,28 @@
 {% set node_types = {} %}
-{% set cached_grains = salt.saltutil.runner('cache.grains', tgt='*') %}
 {% for minionid, ip in salt.saltutil.runner(
    'mine.get',
-    tgt='G@role:so-manager or G@role:so-managersearch or G@role:so-standalone or G@role:so-searchnode or G@role:so-heavynode or G@role:so-receiver or G@role:so-fleet ',
+    tgt='logstash:enabled:true',
    fun='network.ip_addrs',
-    tgt_type='compound') | dictsort()
+    tgt_type='pillar') | dictsort()
 %}

-{%   set hostname = cached_grains[minionid]['host'] %}
-{%   set node_type = minionid.split('_')[1] %}
-{%   if node_type not in node_types.keys() %}
-{%     do node_types.update({node_type: {hostname: ip[0]}}) %}
-{%   else %}
-{%     if hostname not in node_types[node_type] %}
-{%       do node_types[node_type].update({hostname: ip[0]}) %}
+# only add a node to the pillar if it returned an ip from the mine
+{%   if ip | length > 0%}
+{%     set hostname = minionid.split('_') | first %}
+{%     set node_type = minionid.split('_') | last %}
+{%     if node_type not in node_types.keys() %}
+{%       do node_types.update({node_type: {hostname: ip[0]}}) %}
 {%     else %}
-{%       do node_types[node_type][hostname].update(ip[0]) %}
+{%       if hostname not in node_types[node_type] %}
+{%         do node_types[node_type].update({hostname: ip[0]}) %}
+{%       else %}
+{%         do node_types[node_type][hostname].update(ip[0]) %}
+{%       endif %}
 {%     endif %}
 {%   endif %}
 {% endfor %}

+
 logstash:
  nodes:
 {% for node_type, values in node_types.items() %}
@@ -4,18 +4,22 @@
 {%   set hostname = minionid.split('_')[0] %}
 {%   set node_type = minionid.split('_')[1] %}
 {%   set is_alive = False %}
-{%   if minionid in manage_alived.keys() %}
-{%     if ip[0] == manage_alived[minionid] %}
-{%       set is_alive = True %}
+
+# only add a node to the pillar if it returned an ip from the mine
+{%   if ip | length > 0%}
+{%     if minionid in manage_alived.keys() %}
+{%       if ip[0] == manage_alived[minionid] %}
+{%         set is_alive = True %}
+{%       endif %}
 {%     endif %}
-{%   endif %}
-{%   if node_type not in node_types.keys() %}
-{%     do node_types.update({node_type: {hostname: {'ip':ip[0], 'alive':is_alive }}}) %}
-{%   else %}
-{%     if hostname not in node_types[node_type] %}
-{%       do node_types[node_type].update({hostname: {'ip':ip[0], 'alive':is_alive}}) %}
+{%     if node_type not in node_types.keys() %}
+{%       do node_types.update({node_type: {hostname: {'ip':ip[0], 'alive':is_alive }}}) %}
 {%     else %}
-{%       do node_types[node_type][hostname].update({'ip':ip[0], 'alive':is_alive}) %}
+{%       if hostname not in node_types[node_type] %}
+{%         do node_types[node_type].update({hostname: {'ip':ip[0], 'alive':is_alive}}) %}
+{%       else %}
+{%         do node_types[node_type][hostname].update({'ip':ip[0], 'alive':is_alive}) %}
+{%       endif %}
 {%     endif %}
 {%   endif %}
 {% endfor %}
@@ -0,0 +1,34 @@
+{% set node_types = {} %}
+{% for minionid, ip in salt.saltutil.runner(
+    'mine.get',
+    tgt='redis:enabled:true',
+    fun='network.ip_addrs',
+    tgt_type='pillar') | dictsort()
+%}
+
+# only add a node to the pillar if it returned an ip from the mine
+{%   if ip | length > 0%}
+{%     set hostname = minionid.split('_') | first %}
+{%     set node_type = minionid.split('_') | last %}
+{%     if node_type not in node_types.keys() %}
+{%       do node_types.update({node_type: {hostname: ip[0]}}) %}
+{%     else %}
+{%       if hostname not in node_types[node_type] %}
+{%         do node_types[node_type].update({hostname: ip[0]}) %}
+{%       else %}
+{%         do node_types[node_type][hostname].update(ip[0]) %}
+{%       endif %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+
+
+redis:
+  nodes:
+{% for node_type, values in node_types.items() %}
+    {{node_type}}:
+{%   for hostname, ip in values.items() %}
+      {{hostname}}:
+        ip: {{ip}}
+{%   endfor %}
+{% endfor %}
@@ -1,44 +0,0 @@
-thresholding:
-  sids:
-    8675309:
-      - threshold:
-          gen_id: 1
-          type: threshold
-          track: by_src
-          count: 10
-          seconds: 10
-      - threshold:
-          gen_id: 1
-          type: limit
-          track: by_dst
-          count: 100
-          seconds: 30
-      - rate_filter:
-          gen_id: 1
-          track: by_rule
-          count: 50
-          seconds: 30
-          new_action: alert
-          timeout: 30
-      - suppress:
-          gen_id: 1
-          track: by_either
-          ip: 10.10.3.7
-    11223344:
-      - threshold:
-          gen_id: 1
-          type: limit
-          track: by_dst
-          count: 10
-          seconds: 10
-      - rate_filter:
-          gen_id: 1
-          track: by_src
-          count: 50
-          seconds: 20
-          new_action: pass
-          timeout: 60
-      - suppress:
-          gen_id: 1
-          track: by_src
-          ip: 10.10.3.0/24
@@ -1,20 +0,0 @@
-thresholding:
-  sids:
-    <signature id>:
-      - threshold:
-          gen_id: <generator id>
-          type: <threshold | limit | both>
-          track: <by_src | by_dst>
-          count: <count>
-          seconds: <seconds>
-      - rate_filter:
-          gen_id: <generator id>
-          track: <by_src | by_dst | by_rule | by_both>
-          count: <count>
-          seconds: <seconds>
-          new_action: <alert | pass>
-          timeout: <seconds>
-      - suppress:
-          gen_id: <generator id>
-          track: <by_src | by_dst | by_either>
-          ip: <ip | subnet>
@@ -16,6 +16,8 @@ base:
    - sensoroni.adv_sensoroni
    - telegraf.soc_telegraf
    - telegraf.adv_telegraf
+    - versionlock.soc_versionlock
+    - versionlock.adv_versionlock

  '* and not *_desktop':
    - firewall.soc_firewall
@@ -43,16 +45,18 @@ base:
    - soc.soc_soc
    - soc.adv_soc
    - soc.license
-    - soctopus.soc_soctopus
-    - soctopus.adv_soctopus
    - kibana.soc_kibana
    - kibana.adv_kibana
    - kratos.soc_kratos
    - kratos.adv_kratos
+    - hydra.soc_hydra
+    - hydra.adv_hydra
+    - redis.nodes
    - redis.soc_redis
    - redis.adv_redis
    - influxdb.soc_influxdb
    - influxdb.adv_influxdb
+    - elasticsearch.nodes
    - elasticsearch.soc_elasticsearch
    - elasticsearch.adv_elasticsearch
    - elasticfleet.soc_elasticfleet
@@ -61,12 +65,12 @@ base:
    - elastalert.adv_elastalert
    - backup.soc_backup
    - backup.adv_backup
-    - curator.soc_curator
-    - curator.adv_curator
-    - soctopus.soc_soctopus
-    - soctopus.adv_soctopus
    - minions.{{ grains.id }}
    - minions.adv_{{ grains.id }}
+    - kafka.nodes
+    - kafka.soc_kafka
+    - kafka.adv_kafka
+    - stig.soc_stig

  '*_sensor':
    - healthcheck.sensor
@@ -82,6 +86,8 @@ base:
    - suricata.adv_suricata
    - minions.{{ grains.id }}
    - minions.adv_{{ grains.id }}
+    - stig.soc_stig
+    - soc.license

  '*_eval':
    - secrets
@@ -94,6 +100,7 @@ base:
    - kibana.secrets
    {% endif %}
    - kratos.soc_kratos
+    - kratos.adv_kratos
    - elasticsearch.soc_elasticsearch
    - elasticsearch.adv_elasticsearch
    - elasticfleet.soc_elasticfleet
@@ -107,16 +114,12 @@ base:
    - soc.soc_soc
    - soc.adv_soc
    - soc.license
-    - soctopus.soc_soctopus
-    - soctopus.adv_soctopus
    - kibana.soc_kibana
    - kibana.adv_kibana
    - strelka.soc_strelka
    - strelka.adv_strelka
-    - curator.soc_curator
-    - curator.adv_curator
-    - kratos.soc_kratos
-    - kratos.adv_kratos
+    - hydra.soc_hydra
+    - hydra.adv_hydra
    - redis.soc_redis
    - redis.adv_redis
    - influxdb.soc_influxdb
@@ -151,10 +154,14 @@ base:
    - idstools.adv_idstools
    - kratos.soc_kratos
    - kratos.adv_kratos
+    - hydra.soc_hydra
+    - hydra.adv_hydra
+    - redis.nodes
    - redis.soc_redis
    - redis.adv_redis
    - influxdb.soc_influxdb
    - influxdb.adv_influxdb
+    - elasticsearch.nodes
    - elasticsearch.soc_elasticsearch
    - elasticsearch.adv_elasticsearch
    - elasticfleet.soc_elasticfleet
@@ -166,14 +173,10 @@ base:
    - soc.soc_soc
    - soc.adv_soc
    - soc.license
-    - soctopus.soc_soctopus
-    - soctopus.adv_soctopus
    - kibana.soc_kibana
    - kibana.adv_kibana
    - strelka.soc_strelka
    - strelka.adv_strelka
-    - curator.soc_curator
-    - curator.adv_curator
    - backup.soc_backup
    - backup.adv_backup
    - zeek.soc_zeek
@@ -186,6 +189,10 @@ base:
    - suricata.adv_suricata
    - minions.{{ grains.id }}
    - minions.adv_{{ grains.id }}
+    - stig.soc_stig
+    - kafka.nodes
+    - kafka.soc_kafka
+    - kafka.adv_kafka

  '*_heavynode':
    - elasticsearch.auth
@@ -194,8 +201,6 @@ base:
    - logstash.adv_logstash
    - elasticsearch.soc_elasticsearch
    - elasticsearch.adv_elasticsearch
-    - curator.soc_curator
-    - curator.adv_curator
    - redis.soc_redis
    - redis.adv_redis
    - zeek.soc_zeek
@@ -221,15 +226,22 @@ base:
    - logstash.nodes
    - logstash.soc_logstash
    - logstash.adv_logstash
+    - elasticsearch.nodes
    - elasticsearch.soc_elasticsearch
    - elasticsearch.adv_elasticsearch
    {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
    - elasticsearch.auth
    {% endif %}
+    - redis.nodes
    - redis.soc_redis
    - redis.adv_redis
    - minions.{{ grains.id }}
    - minions.adv_{{ grains.id }}
+    - stig.soc_stig
+    - soc.license
+    - kafka.nodes
+    - kafka.soc_kafka
+    - kafka.adv_kafka

  '*_receiver':
    - logstash.nodes
@@ -242,6 +254,10 @@ base:
    - redis.adv_redis
    - minions.{{ grains.id }}
    - minions.adv_{{ grains.id }}
+    - kafka.nodes
+    - kafka.soc_kafka
+    - kafka.adv_kafka
+    - soc.license

  '*_import':
    - secrets
@@ -253,6 +269,7 @@ base:
    - kibana.secrets
    {% endif %}
    - kratos.soc_kratos
+    - kratos.adv_kratos
    - elasticsearch.soc_elasticsearch
    - elasticsearch.adv_elasticsearch
    - elasticfleet.soc_elasticfleet
@@ -264,16 +281,12 @@ base:
    - soc.soc_soc
    - soc.adv_soc
    - soc.license
-    - soctopus.soc_soctopus
-    - soctopus.adv_soctopus
    - kibana.soc_kibana
    - kibana.adv_kibana
-    - curator.soc_curator
-    - curator.adv_curator
    - backup.soc_backup
    - backup.adv_backup
-    - kratos.soc_kratos
-    - kratos.adv_kratos
+    - hydra.soc_hydra
+    - hydra.adv_hydra
    - redis.soc_redis
    - redis.adv_redis
    - influxdb.soc_influxdb
@@ -305,3 +318,5 @@ base:
  '*_desktop':
    - minions.{{ grains.id }}
    - minions.adv_{{ grains.id }}
+    - stig.soc_stig
+    - soc.license
@@ -0,0 +1,30 @@
+#!/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+if [[ $# -ne 1 ]]; then
+    echo "Usage: $0 <python_script_dir>"
+    echo "Runs tests on all *_test.py files in the given directory."
+    exit 1
+fi
+
+HOME_DIR=$(dirname "$0")
+TARGET_DIR=${1:-.}
+
+PATH=$PATH:/usr/local/bin
+
+if [ ! -d .venv ]; then
+    python -m venv .venv
+fi
+
+source .venv/bin/activate
+
+if ! pip install flake8 pytest pytest-cov pyyaml; then
+    echo "Unable to install dependencies."
+    exit 1
+fi
+
+flake8 "$TARGET_DIR" "--config=${HOME_DIR}/pytest.ini"
+python3 -m pytest "--cov-config=${HOME_DIR}/pytest.ini" "--cov=$TARGET_DIR" --doctest-modules --cov-report=term --cov-fail-under=100  "$TARGET_DIR" 
@@ -24,6 +24,7 @@
          'influxdb',
          'soc',
          'kratos',
+          'hydra',
          'elasticfleet',
          'elastic-fleet-package-registry',
          'firewall',
@@ -34,7 +35,6 @@
          'suricata',
          'utility',
          'schedule',
-          'soctopus',
          'tcpreplay',
          'docker_clean'
          ],
@@ -66,8 +66,10 @@
          'registry',
          'manager',
          'nginx',
+          'strelka.manager',
          'soc',
          'kratos',
+          'hydra',
          'influxdb',
          'telegraf',
          'firewall',
@@ -92,8 +94,10 @@
          'nginx',
          'telegraf',
          'influxdb',
+          'strelka.manager',
          'soc',
          'kratos',
+          'hydra',
          'elasticfleet',
          'elastic-fleet-package-registry',
          'firewall',
@@ -101,8 +105,9 @@
          'suricata.manager',
          'utility',
          'schedule',
-          'soctopus',
-          'docker_clean'
+          'docker_clean',
+          'stig',
+          'kafka'
          ],
      'so-managersearch': [
          'salt.master',
@@ -112,8 +117,10 @@
          'nginx',
          'telegraf',
          'influxdb',
+          'strelka.manager',
          'soc',
          'kratos',
+          'hydra',
          'elastic-fleet-package-registry',
          'elasticfleet',
          'firewall',
@@ -122,8 +129,9 @@
          'suricata.manager',
          'utility',
          'schedule',
-          'soctopus',
-          'docker_clean'
+          'docker_clean',
+          'stig',
+          'kafka'
          ],
      'so-searchnode': [
          'ssl',
@@ -131,7 +139,10 @@
          'telegraf',
          'firewall',
          'schedule',
-          'docker_clean'
+          'docker_clean',
+          'stig',
+          'kafka.ca',
+          'kafka.ssl'
          ],
      'so-standalone': [
          'salt.master',
@@ -144,6 +155,7 @@
          'influxdb',
          'soc',
          'kratos',
+          'hydra',
          'elastic-fleet-package-registry',
          'elasticfleet',
          'firewall',
@@ -154,9 +166,10 @@
          'healthcheck',
          'utility',
          'schedule',
-          'soctopus',
          'tcpreplay',
-          'docker_clean'
+          'docker_clean',
+          'stig',
+          'kafka'
          ],
      'so-sensor': [
          'ssl',
@@ -168,13 +181,15 @@
          'healthcheck',
          'schedule',
          'tcpreplay',
-          'docker_clean'
+          'docker_clean',
+          'stig'
          ],
      'so-fleet': [
          'ssl',
          'telegraf',
          'firewall',
          'logstash',
+          'nginx',
          'healthcheck',
          'schedule',
          'elasticfleet',
@@ -185,19 +200,18 @@
          'telegraf',
          'firewall',
          'schedule',
-          'docker_clean'
+          'docker_clean',
+          'kafka',
+          'stig'
          ],
      'so-desktop': [
          'ssl',
          'docker_clean',
-          'telegraf'
+          'telegraf',
+          'stig'
          ],
  }, grain='role') %}

-  {% if grains.role in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone'] %}
-    {% do allowed_states.append('mysql') %}
-  {% endif %}
-
  {%- if grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %}
    {% do allowed_states.append('zeek') %}
  {%- endif %}
@@ -219,18 +233,10 @@
    {% do allowed_states.append('kibana.secrets') %}
  {% endif %}

-  {% if grains.role in ['so-eval', 'so-standalone', 'so-managersearch', 'so-heavynode', 'so-manager'] %}
-    {% do allowed_states.append('curator') %}
-  {% endif %}
-
  {% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
    {% do allowed_states.append('elastalert') %}
  {% endif %}

-  {% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
-    {% do allowed_states.append('playbook') %}
-  {% endif %}
-
  {% if grains.role in ['so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-receiver'] %}
    {% do allowed_states.append('logstash') %}
  {% endif %}
@@ -4,4 +4,5 @@ backup:
    - /etc/pki
    - /etc/salt
    - /nsm/kratos
+    - /nsm/hydra
  destination: "/nsm/backup"
@@ -0,0 +1,10 @@
+{% macro remove_comments(bpfmerged, app) %}
+
+{# remove comments from the bpf #}
+{% for bpf in bpfmerged[app] %}
+{%   if bpf.strip().startswith('#') %}
+{%     do bpfmerged[app].pop(loop.index0) %}
+{%   endif %}
+{% endfor %}
+
+{% endmacro %}
@@ -1,4 +1,10 @@
-{% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
-{% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
-
-{% set PCAPBPF = BPFMERGED.pcap %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% if GLOBALS.pcap_engine == "TRANSITION" %}
+{%   set PCAPBPF = ["ip and host 255.255.255.1 and port 1"] %}
+{% else %}
+{%   import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
+{%   set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
+{%   import 'bpf/macros.jinja' as MACROS %}
+{{   MACROS.remove_comments(BPFMERGED, 'pcap') }}
+{%   set PCAPBPF = BPFMERGED.pcap %}
+{% endif %}
@@ -1,6 +1,6 @@
 bpf:
  pcap:
-    description: List of BPF filters to apply to PCAP.
+    description: List of BPF filters to apply to Stenographer.
    multiline: True
    forcedType: "[]string"
    helpLink: bpf.html
@@ -1,4 +1,7 @@
 {% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
 {% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
+{% import 'bpf/macros.jinja' as MACROS %}
+
+{{ MACROS.remove_comments(BPFMERGED, 'suricata') }}

 {% set SURICATABPF = BPFMERGED.suricata %}
@@ -1,4 +1,7 @@
 {% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
 {% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
+{% import 'bpf/macros.jinja' as MACROS %}
+
+{{ MACROS.remove_comments(BPFMERGED, 'zeek') }}

 {% set ZEEKBPF = BPFMERGED.zeek %}
@@ -1,6 +1,3 @@
-mine_functions:
-  x509.get_pem_entries: [/etc/pki/ca.crt]
-
 x509_signing_policies:
  filebeat:
    - minions: '*'
@@ -37,7 +34,7 @@ x509_signing_policies:
    - ST: Utah
    - L: Salt Lake City
    - basicConstraints: "critical CA:false"
-    - keyUsage: "critical keyEncipherment"
+    - keyUsage: "critical keyEncipherment digitalSignature"
    - subjectKeyIdentifier: hash
    - authorityKeyIdentifier: keyid,issuer:always
    - extendedKeyUsage: serverAuth
@@ -70,3 +67,17 @@ x509_signing_policies:
    - authorityKeyIdentifier: keyid,issuer:always
    - days_valid: 820
    - copypath: /etc/pki/issued_certs/
+  kafka:
+    - minions: '*'
+    - signing_private_key: /etc/pki/ca.key
+    - signing_cert: /etc/pki/ca.crt
+    - C: US
+    - ST: Utah
+    - L: Salt Lake City
+    - basicConstraints: "critical CA:false"
+    - keyUsage: "digitalSignature, keyEncipherment"
+    - subjectKeyIdentifier: hash
+    - authorityKeyIdentifier: keyid,issuer:always
+    - extendedKeyUsage: "serverAuth, clientAuth"
+    - days_valid: 820
+    - copypath: /etc/pki/issued_certs/
@@ -50,6 +50,12 @@ pki_public_ca_crt:
        attempts: 5
        interval: 30

+mine_update_ca_crt:
+  module.run:
+    - mine.update: []
+    - onchanges:
+      - x509: pki_public_ca_crt
+
 cakeyperms:
  file.managed:
    - replace: False
@@ -4,16 +4,21 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}

 include:
-  - common.soup_scripts
  - common.packages
 {% if GLOBALS.role in GLOBALS.manager_roles %}
  - manager.elasticsearch # needed for elastic_curl_config state
+  - manager.kibana
 {% endif %}

 net.core.wmem_default:
  sysctl.present:
    - value: 26214400

+# Users are not a fan of console messages
+kernel.printk:
+  sysctl.present:
+    - value: "3 4 1 3"
+
 # Remove variables.txt from /tmp - This is temp
 rmvariablesfile:
  file.absent:
@@ -123,6 +128,7 @@ common_sbin:
    - user: 939
    - group: 939
    - file_mode: 755
+    - show_changes: False

 common_sbin_jinja:
  file.recurse:
@@ -132,6 +138,19 @@ common_sbin_jinja:
    - group: 939 
    - file_mode: 755
    - template: jinja
+    - show_changes: False
+
+{% if not GLOBALS.is_manager%}
+# prior to 2.4.50 these scripts were in common/tools/sbin on the manager because of soup and distributed to non managers
+# these two states remove the scripts from non manager nodes
+remove_soup:
+  file.absent:
+    - name: /usr/sbin/soup
+
+remove_so-firewall:
+  file.absent:
+    - name: /usr/sbin/so-firewall
+{% endif %}

 so-status_script:
  file.managed:
@@ -165,6 +184,7 @@ sostatus_log:
  file.managed:
    - name: /opt/so/log/sostatus/status.log
    - mode: 644
+    - replace: False

 # Install sostatus check cron. This is used to populate Grid.
 so-status_check_cron:
@@ -178,6 +198,14 @@ so-status_check_cron:
    - month: '*'
    - dayweek: '*'

+# This cronjob/script runs a check if the node needs restarted, but should be used for future status checks as well
+common_status_check_cron:
+  cron.present:
+    - name: '/usr/sbin/so-common-status-check > /dev/null 2>&1'
+    - identifier: common_status_check
+    - user: root
+    - minute: '*/10'
+
 remove_post_setup_cron:
  cron.absent:
    - name: 'PATH=$PATH:/usr/sbin salt-call state.highstate'
@@ -27,6 +27,7 @@ commonpkgs:
      - vim
      - tar
      - unzip
+      - bc
      {% if grains.oscodename != 'focal' %}
      - python3-rich
      {% endif %}
@@ -56,6 +57,7 @@ commonpkgs:
    - skip_suggestions: True
    - pkgs:
      - python3-dnf-plugin-versionlock
+      - bc
      - curl
      - device-mapper-persistent-data
      - fuse
@@ -1,23 +1,142 @@
-# Sync some Utilities
-soup_scripts:
-  file.recurse:
-    - name: /usr/sbin
-    - user: root
-    - group: root
-    - file_mode: 755
-    - source: salt://common/tools/sbin
-    - include_pat:
-        - so-common
-        - so-image-common
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.

-soup_manager_scripts:
-  file.recurse:
-    - name: /usr/sbin
-    - user: root
-    - group: root
-    - file_mode: 755
-    - source: salt://manager/tools/sbin
-    - include_pat:
-        - so-firewall
-        - so-repo-sync
-        - soup
+{% if '2.4' in salt['cp.get_file_str']('/etc/soversion') %}
+
+{%   import_yaml '/opt/so/saltstack/local/pillar/global/soc_global.sls' as SOC_GLOBAL %}
+{%   if SOC_GLOBAL.global.airgap %}
+{%     set UPDATE_DIR='/tmp/soagupdate/SecurityOnion' %}
+{%   else %}
+{%     set UPDATE_DIR='/tmp/sogh/securityonion' %}
+{%   endif %}
+{%   set SOVERSION = salt['file.read']('/etc/soversion').strip() %}
+
+remove_common_soup:
+  file.absent:
+    - name: /opt/so/saltstack/default/salt/common/tools/sbin/soup
+
+remove_common_so-firewall:
+  file.absent:
+    - name: /opt/so/saltstack/default/salt/common/tools/sbin/so-firewall
+
+# This section is used to put the scripts in place in the Salt file system
+# in case a state run tries to overwrite what we do in the next section.
+copy_so-common_common_tools_sbin:
+  file.copy:
+    - name: /opt/so/saltstack/default/salt/common/tools/sbin/so-common
+    - source: {{UPDATE_DIR}}/salt/common/tools/sbin/so-common
+    - force: True
+    - preserve: True
+
+copy_so-image-common_common_tools_sbin:
+  file.copy:
+    - name: /opt/so/saltstack/default/salt/common/tools/sbin/so-image-common
+    - source: {{UPDATE_DIR}}/salt/common/tools/sbin/so-image-common
+    - force: True
+    - preserve: True
+
+copy_soup_manager_tools_sbin:
+  file.copy:
+    - name: /opt/so/saltstack/default/salt/manager/tools/sbin/soup
+    - source: {{UPDATE_DIR}}/salt/manager/tools/sbin/soup
+    - force: True
+    - preserve: True
+
+copy_so-firewall_manager_tools_sbin:
+  file.copy:
+    - name: /opt/so/saltstack/default/salt/manager/tools/sbin/so-firewall
+    - source: {{UPDATE_DIR}}/salt/manager/tools/sbin/so-firewall
+    - force: True
+    - preserve: True
+
+copy_so-yaml_manager_tools_sbin:
+  file.copy:
+    - name: /opt/so/saltstack/default/salt/manager/tools/sbin/so-yaml.py
+    - source: {{UPDATE_DIR}}/salt/manager/tools/sbin/so-yaml.py
+    - force: True
+    - preserve: True
+
+copy_so-repo-sync_manager_tools_sbin:
+  file.copy:
+    - name: /opt/so/saltstack/default/salt/manager/tools/sbin/so-repo-sync
+    - source: {{UPDATE_DIR}}/salt/manager/tools/sbin/so-repo-sync
+    - preserve: True
+
+copy_bootstrap-salt_manager_tools_sbin:
+  file.copy:
+    - name: /opt/so/saltstack/default/salt/salt/scripts/bootstrap-salt.sh
+    - source: {{UPDATE_DIR}}/salt/salt/scripts/bootstrap-salt.sh
+    - preserve: True
+
+# This section is used to put the new script in place so that it can be called during soup.
+# It is faster than calling the states that normally manage them to put them in place.
+copy_so-common_sbin:
+  file.copy:
+    - name: /usr/sbin/so-common
+    - source: {{UPDATE_DIR}}/salt/common/tools/sbin/so-common
+    - force: True
+    - preserve: True
+
+copy_so-image-common_sbin:
+  file.copy:
+    - name: /usr/sbin/so-image-common
+    - source: {{UPDATE_DIR}}/salt/common/tools/sbin/so-image-common
+    - force: True
+    - preserve: True
+
+copy_soup_sbin:
+  file.copy:
+    - name: /usr/sbin/soup
+    - source: {{UPDATE_DIR}}/salt/manager/tools/sbin/soup
+    - force: True
+    - preserve: True
+
+copy_so-firewall_sbin:
+  file.copy:
+    - name: /usr/sbin/so-firewall
+    - source: {{UPDATE_DIR}}/salt/manager/tools/sbin/so-firewall
+    - force: True
+    - preserve: True
+
+copy_so-yaml_sbin:
+  file.copy:
+    - name: /usr/sbin/so-yaml.py
+    - source: {{UPDATE_DIR}}/salt/manager/tools/sbin/so-yaml.py
+    - force: True
+    - preserve: True
+
+copy_so-repo-sync_sbin:
+  file.copy:
+    - name: /usr/sbin/so-repo-sync
+    - source: {{UPDATE_DIR}}/salt/manager/tools/sbin/so-repo-sync
+    - force: True
+    - preserve: True
+
+copy_bootstrap-salt_sbin:
+  file.copy:
+    - name: /usr/sbin/bootstrap-salt.sh
+    - source: {{UPDATE_DIR}}/salt/salt/scripts/bootstrap-salt.sh
+    - force: True
+    - preserve: True
+
+{# this is added in 2.4.120 to remove salt repo files pointing to saltproject.io to accomodate the move to broadcom and new bootstrap-salt script #}
+{%   if salt['pkg.version_cmp'](SOVERSION, '2.4.120') == -1 %}
+{%     set saltrepofile = '/etc/yum.repos.d/salt.repo' %}
+{%     if grains.os_family == 'Debian' %}
+{%       set saltrepofile = '/etc/apt/sources.list.d/salt.list' %}
+{%     endif %}
+remove_saltproject_io_repo_manager:
+  file.absent:
+    - name: {{ saltrepofile }}
+{%   endif %}
+
+{% else %}
+fix_23_soup_sbin:
+  cmd.run:
+    - name: curl -s -f -o /usr/sbin/soup https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.3/main/salt/common/tools/sbin/soup
+fix_23_soup_salt:
+  cmd.run:
+    - name: curl -s -f -o /opt/so/saltstack/defalt/salt/common/tools/sbin/soup https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.3/main/salt/common/tools/sbin/soup
+{% endif %}
@@ -5,8 +5,13 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.

-
-
 . /usr/sbin/so-common

-salt-call state.highstate -l info 
+cat << EOF
+
+so-checkin will run a full salt highstate to apply all salt states. If a highstate is already running, this request will be queued and so it may pause for a few minutes before you see any more output. For more information about so-checkin and salt, please see:
+https://docs.securityonion.net/en/2.4/salt.html
+
+EOF
+
+salt-call state.highstate -l info queue=True
@@ -8,12 +8,6 @@
 # Elastic agent is not managed by salt. Because of this we must store this base information in a 
 # script that accompanies the soup system. Since so-common is one of those special soup files, 
 # and since this same logic is required during installation, it's included in this file.
-ELASTIC_AGENT_TARBALL_VERSION="8.8.2"
-ELASTIC_AGENT_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz"
-ELASTIC_AGENT_MD5_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5"
-ELASTIC_AGENT_FILE="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz"
-ELASTIC_AGENT_MD5="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5"
-ELASTIC_AGENT_EXPANSION_DIR=/nsm/elastic-fleet/artifacts/beats/elastic-agent

 DEFAULT_SALT_DIR=/opt/so/saltstack/default
 DOC_BASE_URL="https://docs.securityonion.net/en/2.4"
@@ -31,6 +25,11 @@ if ! echo "$PATH" | grep -q "/usr/sbin"; then
  export PATH="$PATH:/usr/sbin"
 fi

+# See if a proxy is set. If so use it.
+if [ -f /etc/profile.d/so-proxy.sh ]; then
+  . /etc/profile.d/so-proxy.sh
+fi
+
 # Define a banner to separate sections
 banner="========================================================================="

@@ -133,27 +132,82 @@ check_elastic_license() {
 }

 check_salt_master_status() {
-	local timeout=$1
-	echo "Checking if we can talk to the salt master"
-	salt-call state.show_top concurrent=true
-
-	return
+	local count=0
+    local attempts="${1:- 10}"
+	current_time="$(date '+%b %d %H:%M:%S')"
+	echo "Checking if we can access the salt master and that it is ready at: ${current_time}"
+    while ! salt-call state.show_top -l error concurrent=true 1> /dev/null; do
+        current_time="$(date '+%b %d %H:%M:%S')"
+        echo "Can't access salt master or it is not ready at: ${current_time}"
+        ((count+=1))
+        if [[ $count -eq $attempts ]]; then
+			# 10 attempts takes about 5.5 minutes
+            echo "Gave up trying to access salt-master"
+            return 1
+        fi
+    done
+	current_time="$(date '+%b %d %H:%M:%S')"
+	echo "Successfully accessed and salt master ready at: ${current_time}"
+    return 0
 }

+# this is only intended to be used to check the status of the minion from a salt master
 check_salt_minion_status() {
-	local timeout=$1
-	echo "Checking if the salt minion will respond to jobs" >> "$setup_log" 2>&1
-	salt "$MINION_ID" test.ping -t $timeout > /dev/null 2>&1
+	local minion="$1"
+	local timeout="${2:-5}"
+	local logfile="${3:-'/dev/stdout'}"
+	echo "Checking if the salt minion: $minion will respond to jobs" >> "$logfile" 2>&1
+	salt "$minion" test.ping -t $timeout > /dev/null 2>&1
 	local status=$?
 	if [ $status -gt 0 ]; then
-		echo "  Minion did not respond" >> "$setup_log" 2>&1
+		echo "  Minion did not respond" >> "$logfile" 2>&1
 	else
-		echo "  Received job response from salt minion" >> "$setup_log" 2>&1
+		echo "  Received job response from salt minion" >> "$logfile" 2>&1
 	fi

 	return $status
 }

+# Compare es versions and return the highest version
+compare_es_versions() {
+    # Save the original IFS
+    local OLD_IFS="$IFS"
+
+    IFS=.
+    local i ver1=($1) ver2=($2)
+
+    # Restore the original IFS
+    IFS="$OLD_IFS"
+
+    # Determine the maximum length between the two version arrays
+    local max_len=${#ver1[@]}
+    if [[ ${#ver2[@]} -gt $max_len ]]; then
+        max_len=${#ver2[@]}
+    fi
+
+    # Compare each segment of the versions
+    for ((i=0; i<max_len; i++)); do
+		# If a segment in ver1 or ver2 is missing, set it to 0
+        if [[ -z ${ver1[i]} ]]; then
+            ver1[i]=0
+        fi
+        if [[ -z ${ver2[i]} ]]; then
+            ver2[i]=0
+        fi
+        if ((10#${ver1[i]} > 10#${ver2[i]})); then
+            echo "$1"
+            return 0
+        fi
+        if ((10#${ver1[i]} < 10#${ver2[i]})); then
+            echo "$2"
+            return 0
+        fi
+    done
+
+    echo "$1"  # If versions are equal, return either
+    return 0
+}
+
 copy_new_files() {
  # Copy new files over to the salt dir
  cd $UPDATE_DIR
@@ -164,6 +218,21 @@ copy_new_files() {
  cd /tmp
 }

+create_local_directories() {
+	echo "Creating local pillar and salt directories if needed"
+	PILLARSALTDIR=$1
+	local_salt_dir="/opt/so/saltstack/local"
+	for i in "pillar" "salt"; do
+		for d in $(find $PILLARSALTDIR/$i -type d); do
+			suffixdir=${d//$PILLARSALTDIR/}
+			if [ ! -d "$local_salt_dir/$suffixdir" ]; then
+				mkdir -p $local_salt_dir$suffixdir
+			fi
+		done
+		chown -R socore:socore $local_salt_dir/$i
+	done
+}
+
 disable_fastestmirror() {
 	sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf
 }
@@ -228,6 +297,30 @@ fail() {
 	exit 1
 }

+get_agent_count() {
+	if [ -f /opt/so/log/agents/agentstatus.log ]; then
+		AGENTCOUNT=$(cat /opt/so/log/agents/agentstatus.log | grep -wF active | awk '{print $2}')
+	else
+		AGENTCOUNT=0
+	fi
+}
+
+get_elastic_agent_vars() {
+	local path="${1:-/opt/so/saltstack/default}"
+	local defaultsfile="${path}/salt/elasticsearch/defaults.yaml"
+
+	if [ -f "$defaultsfile" ]; then
+		ELASTIC_AGENT_TARBALL_VERSION=$(egrep " +version: " $defaultsfile | awk -F: '{print $2}' | tr -d '[:space:]')
+		ELASTIC_AGENT_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz"
+		ELASTIC_AGENT_MD5_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5"
+		ELASTIC_AGENT_FILE="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz"
+		ELASTIC_AGENT_MD5="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5"
+		ELASTIC_AGENT_EXPANSION_DIR=/nsm/elastic-fleet/artifacts/beats/elastic-agent
+	else
+		fail "Could not find salt/elasticsearch/defaults.yaml"
+	fi
+}
+
 get_random_value() {
 	length=${1:-20}
 	head -c 5000 /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w $length | head -n 1
@@ -314,7 +407,7 @@ lookup_salt_value() {
 		local=""
 	fi

-	salt-call --no-color  ${kind}.get ${group}${key} --out=${output} ${local}
+	salt-call -lerror --no-color  ${kind}.get ${group}${key} --out=${output} ${local}
 }

 lookup_pillar() {
@@ -351,6 +444,13 @@ is_feature_enabled() {
 	return 1
 }

+read_feat() {
+	if [ -f /opt/so/log/sostatus/lks_enabled ]; then
+		lic_id=$(cat /opt/so/saltstack/local/pillar/soc/license.sls | grep license_id: | awk '{print $2}')
+		echo "$lic_id/$(cat /opt/so/log/sostatus/lks_enabled)/$(cat /opt/so/log/sostatus/fps_enabled)"
+	fi
+}
+
 require_manager() {
 	if is_manager_node; then
 		echo "This is a manager, so we can proceed."
@@ -382,6 +482,10 @@ retry() {
 								echo "<Start of output>"
 								echo "$output"
 								echo "<End of output>"
+								if [[ $exitcode -eq 0 ]]; then
+									echo "Forcing exit code to 1"
+									exitcode=1
+								fi
                        fi
                elif [ -n "$failedOutput" ]; then
                        if [[ "$output" =~ "$failedOutput" ]]; then
@@ -390,7 +494,7 @@ retry() {
 								echo "$output"
 								echo "<End of output>"
 								if [[ $exitcode -eq 0 ]]; then
-									echo "The exitcode was 0, but we are setting to 1 since we found $failedOutput in the output."
+									echo "Forcing exit code to 1"
 									exitcode=1
 								fi
                        else
@@ -428,6 +532,24 @@ run_check_net_err() {
 	fi
 }

+wait_for_salt_minion() {
+	local minion="$1"
+	local timeout="${2:-5}"
+	local logfile="${3:-'/dev/stdout'}"
+	retry 60 5 "journalctl -u salt-minion.service | grep 'Minion is ready to receive requests'" >> "$logfile" 2>&1 || fail
+	local attempt=0
+	# each attempts would take about 15 seconds
+	local maxAttempts=20
+	until check_salt_minion_status "$minion" "$timeout" "$logfile"; do
+		attempt=$((attempt+1))
+		if [[ $attempt -eq $maxAttempts ]]; then
+			return 1
+		fi
+		sleep 10
+	done
+	return 0
+}
+
 salt_minion_count() {
 	local MINIONDIR="/opt/so/saltstack/local/pillar/minions"
 	MINIONCOUNT=$(ls -la $MINIONDIR/*.sls | grep -v adv_ | wc -l)
@@ -440,19 +562,51 @@ set_os() {
 			OS=rocky
 			OSVER=9
 			is_rocky=true
+			is_rpm=true
 		elif grep -q "CentOS Stream release 9" /etc/redhat-release; then
 			OS=centos
 			OSVER=9
 			is_centos=true
-		elif grep -q "Oracle Linux Server release 9" /etc/system-release; then
-			OS=oel
+			is_rpm=true
+		elif grep -q "AlmaLinux release 9" /etc/redhat-release; then
+			OS=alma
 			OSVER=9
-			is_oracle=true
+			is_alma=true
+			is_rpm=true
+		elif grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release; then
+			if [ -f /etc/oracle-release ]; then
+				OS=oracle
+				OSVER=9
+				is_oracle=true
+				is_rpm=true
+			else
+				OS=rhel
+				OSVER=9
+				is_rhel=true
+				is_rpm=true
+			fi
 		fi
 		cron_service_name="crond"
-	else
-		OS=ubuntu
-		is_ubuntu=true
+	elif [ -f /etc/os-release ]; then
+		if grep -q "UBUNTU_CODENAME=focal" /etc/os-release; then
+			OSVER=focal
+			UBVER=20.04
+			OS=ubuntu
+			is_ubuntu=true
+			is_deb=true
+		elif grep -q "UBUNTU_CODENAME=jammy" /etc/os-release; then
+			OSVER=jammy
+			UBVER=22.04
+			OS=ubuntu
+			is_ubuntu=true
+			is_deb=true
+		elif grep -q "VERSION_CODENAME=bookworm" /etc/os-release; then
+			OSVER=bookworm
+			DEBVER=12
+			is_debian=true
+			OS=debian
+			is_deb=true
+		fi
 		cron_service_name="cron"
 	fi
 }
@@ -486,6 +640,19 @@ set_version() {
 	fi
 }

+status () {
+    printf "\n=========================================================================\n$(date) | $1\n=========================================================================\n"
+}
+
+sync_options() {
+	set_version
+	set_os
+	salt_minion_count
+	get_agent_count
+	
+	echo "$VERSION/$OS/$(uname -r)/$MINIONCOUNT:$AGENTCOUNT/$(read_feat)"
+}
+
 systemctl_func() {
 	local action=$1
 	local echo_action=$1
@@ -510,6 +677,8 @@ has_uppercase() {
 }

 update_elastic_agent() {
+	local path="${1:-/opt/so/saltstack/default}"
+	get_elastic_agent_vars "$path"
 	echo "Checking if Elastic Agent update is necessary..."
 	download_and_verify "$ELASTIC_AGENT_URL" "$ELASTIC_AGENT_MD5_URL" "$ELASTIC_AGENT_FILE" "$ELASTIC_AGENT_MD5" "$ELASTIC_AGENT_EXPANSION_DIR"
 }
@@ -0,0 +1,103 @@
+#!/usr/bin/env python3
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+import sys
+import subprocess
+import os
+import json
+
+sys.path.append('/opt/saltstack/salt/lib/python3.10/site-packages/')
+import salt.config
+import salt.loader
+
+__opts__ = salt.config.minion_config('/etc/salt/minion')
+__grains__ = salt.loader.grains(__opts__)
+
+def check_needs_restarted():
+  osfam = __grains__['os_family']
+  val = '0'
+  outfile = "/opt/so/log/sostatus/needs_restarted"
+
+  if osfam == 'Debian':
+    if os.path.exists('/var/run/reboot-required'):
+      val = '1'
+  elif osfam == 'RedHat':
+    cmd = 'needs-restarting -r > /dev/null 2>&1'
+    try:
+      needs_restarting = subprocess.check_call(cmd, shell=True)
+    except subprocess.CalledProcessError:
+      val = '1'
+  else:
+    fail("Unsupported OS")
+
+  with open(outfile, 'w') as f:
+    f.write(val)
+
+def check_for_fps():
+    feat = 'fps'
+    feat_full = feat.replace('ps', 'ips')
+    fps = 0
+    try:
+        result = subprocess.run([feat_full + '-mode-setup', '--is-enabled'], stdout=subprocess.PIPE)
+        if result.returncode == 0:
+            fps = 1
+    except FileNotFoundError:
+        fn = '/proc/sys/crypto/' + feat_full + '_enabled'
+        try:
+          with open(fn, 'r') as f:
+              contents = f.read()
+              if '1' in contents:
+                  fps = 1
+        except:
+          # Unknown, so assume 0
+          fps = 0
+
+    with open('/opt/so/log/sostatus/fps_enabled', 'w') as f:
+       f.write(str(fps))
+
+def check_for_lks():
+    feat = 'Lks'
+    feat_full = feat.replace('ks', 'uks')
+    lks = 0
+    result = subprocess.run(['lsblk', '-p', '-J'], check=True, stdout=subprocess.PIPE)
+    data = json.loads(result.stdout)
+    for device in data['blockdevices']:
+        if 'children' in device:
+            for gc in device['children']:
+                if 'children' in gc:
+                    try:
+                        arg = 'is' + feat_full
+                        result = subprocess.run(['cryptsetup', arg, gc['name']], stdout=subprocess.PIPE)
+                        if result.returncode == 0:
+                           lks = 1
+                    except FileNotFoundError:
+                        for ggc in gc['children']:
+                            if 'crypt' in ggc['type']:
+                                lks = 1
+        if lks:
+            break
+    with open('/opt/so/log/sostatus/lks_enabled', 'w') as f:
+       f.write(str(lks))
+
+def fail(msg):
+  print(msg, file=sys.stderr)
+  sys.exit(1)
+
+def main():
+  proc = subprocess.run(['id', '-u'], stdout=subprocess.PIPE, encoding="utf-8")
+  if proc.stdout.strip() != "0":
+    fail("This program must be run as root")
+  # Ensure that umask is 0022 so that files created by this script have rw-r-r permissions
+  org_umask = os.umask(0o022)
+  check_needs_restarted()
+  check_for_fps()
+  check_for_lks()
+  # Restore umask to whatever value was set before this script was run. SXIG sets to 0077 rw---
+  os.umask(org_umask)
+
+if __name__ == "__main__":
+  main()
@@ -29,6 +29,7 @@ container_list() {
      "so-influxdb"
      "so-kibana"
      "so-kratos"
+      "so-hydra"
      "so-nginx"
      "so-pcaptools"
      "so-soc"
@@ -42,7 +43,6 @@ container_list() {
    )
  elif [ $MANAGERCHECK != 'so-helix' ]; then
    TRUSTED_CONTAINERS=(
-      "so-curator"
      "so-elastalert"
      "so-elastic-agent"
      "so-elastic-agent-builder"
@@ -51,16 +51,15 @@ container_list() {
      "so-idh"
      "so-idstools"
      "so-influxdb"
+      "so-kafka"
      "so-kibana"
      "so-kratos"
+      "so-hydra"
      "so-logstash"
-      "so-mysql"
      "so-nginx"
      "so-pcaptools"
-      "so-playbook"
      "so-redis"
      "so-soc"
-      "so-soctopus"
      "so-steno"
      "so-strelka-backend"
      "so-strelka-filestream"
@@ -68,7 +67,7 @@ container_list() {
      "so-strelka-manager"
      "so-suricata"
      "so-telegraf"
-      "so-zeek" 
+      "so-zeek"
    )
  else
    TRUSTED_CONTAINERS=(
@@ -115,6 +114,10 @@ update_docker_containers() {
    container_list
  fi

+  # all the images using ELASTICSEARCHDEFAULTS.elasticsearch.version
+  # does not include so-elastic-fleet since that container uses so-elastic-agent image
+  local IMAGES_USING_ES_VERSION=("so-elasticsearch")
+
  rm -rf $SIGNPATH >> "$LOG_FILE" 2>&1 
  mkdir -p $SIGNPATH >> "$LOG_FILE" 2>&1 

@@ -137,20 +140,41 @@ update_docker_containers() {
  for i in "${TRUSTED_CONTAINERS[@]}"
  do
    if [ -z "$PROGRESS_CALLBACK" ]; then
-      echo "Downloading $i" >> "$LOG_FILE" 2>&1 
+      echo "Downloading $i" >> "$LOG_FILE" 2>&1
    else
      $PROGRESS_CALLBACK $i
    fi

+    if [[ " ${IMAGES_USING_ES_VERSION[*]} " =~ [[:space:]]${i}[[:space:]] ]]; then
+      # this is an es container so use version defined in elasticsearch defaults.yaml
+      local UPDATE_DIR='/tmp/sogh/securityonion'
+      if [ ! -d "$UPDATE_DIR" ]; then
+        UPDATE_DIR=/securityonion
+      fi
+      local v1=0
+      local v2=0
+      if [[ -f "$UPDATE_DIR/salt/elasticsearch/defaults.yaml" ]]; then
+        v1=$(egrep " +version: " "$UPDATE_DIR/salt/elasticsearch/defaults.yaml" | awk -F: '{print $2}' | tr -d '[:space:]')
+      fi
+      if [[ -f "$DEFAULT_SALT_DIR/salt/elasticsearch/defaults.yaml" ]]; then
+        v2=$(egrep " +version: " "$DEFAULT_SALT_DIR/salt/elasticsearch/defaults.yaml" | awk -F: '{print $2}' | tr -d '[:space:]')
+      fi
+      local highest_es_version=$(compare_es_versions "$v1" "$v2")
+      local image=$i:$highest_es_version$IMAGE_TAG_SUFFIX
+      local sig_url=https://sigs.securityonion.net/es-$highest_es_version/$image.sig
+    else
+      # this is not an es container so use the so version for the version
+      local image=$i:$VERSION$IMAGE_TAG_SUFFIX
+      local sig_url=https://sigs.securityonion.net/$VERSION/$image.sig
+    fi
    # Pull down the trusted docker image
-    local image=$i:$VERSION$IMAGE_TAG_SUFFIX
    run_check_net_err \
    "docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$image" \
    "Could not pull $image, please ensure connectivity to $CONTAINER_REGISTRY" >> "$LOG_FILE" 2>&1 
    
    # Get signature
    run_check_net_err \
-    "curl --retry 5 --retry-delay 60 -A '$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)' https://sigs.securityonion.net/$VERSION/$i:$VERSION$IMAGE_TAG_SUFFIX.sig --output $SIGNPATH/$image.sig" \
+    "curl --retry 5 --retry-delay 60 -A '$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)' $sig_url --output $SIGNPATH/$image.sig" \
    "Could not pull signature file for $image, please ensure connectivity to https://sigs.securityonion.net " \
    noretry >> "$LOG_FILE" 2>&1
    # Dump our hash values
@@ -49,10 +49,6 @@ if [ "$CONTINUE" == "y" ]; then
 		sed -i "s|$OLD_IP|$NEW_IP|g" $file
 	done

-	echo "Granting MySQL root user permissions on $NEW_IP"
-	docker exec -i so-mysql mysql --user=root --password=$(lookup_pillar_secret 'mysql') -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'$NEW_IP' IDENTIFIED BY '$(lookup_pillar_secret 'mysql')' WITH GRANT OPTION;" &> /dev/null
-	echo "Removing MySQL root user from $OLD_IP"
-	docker exec -i so-mysql mysql --user=root --password=$(lookup_pillar_secret 'mysql') -e "DROP USER 'root'@'$OLD_IP';" &> /dev/null
 	echo "Updating Kibana dashboards"
 	salt-call state.apply kibana.so_savedobjects_defaults -l info queue=True
 	
@@ -95,6 +95,8 @@ if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|shutdown process"             # server not yet ready (logstash waiting on elastic)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|contain valid certificates"   # server not yet ready (logstash waiting on elastic)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failedaction"                 # server not yet ready (logstash waiting on elastic)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|block in start_workers"       # server not yet ready (logstash waiting on elastic)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|block in buffer_initialize"   # server not yet ready (logstash waiting on elastic)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|no route to host"             # server not yet ready
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|not running"                  # server not yet ready
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|unavailable"                  # server not yet ready
@@ -109,11 +111,23 @@ if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|timeout exceeded"             # server not yet ready (telegraf waiting on elasticsearch)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|influxsize kbytes"            # server not yet ready (telegraf waiting on influx)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|expected field at"            # server not yet ready (telegraf waiting on health data)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|connection timed out"         # server not yet ready (telegraf plugin unable to connect)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|command timed out"            # server not yet ready (telegraf plugin waiting for script to finish)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|cached the public key"        # server not yet ready (salt minion waiting on key acceptance)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|no ingest nodes"              # server not yet ready (logstash waiting on elastic)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failed to poll"               # server not yet ready (sensoroni waiting on soc)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|minions returned with non"    # server not yet ready (salt waiting on minions)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|so_long_term"                 # server not yet ready (influxdb not yet setup)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|search_phase_execution_exception" # server not yet ready (elastalert running searches before ES is ready)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|timeout retrieving docker"    # Telegraf unable to reach Docker engine, rare
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|timeout retrieving container" # Telegraf unable to reach Docker engine, rare
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error while communicating"    # Elasticsearch MS -> HN "sensor" temporarily unavailable
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|tls handshake error"          # Docker registry container when new node comes onlines
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Unable to get license information" # Logstash trying to contact ES before it's ready
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|process already finished"     # Telegraf script finished just as the auto kill timeout kicked in
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|No shard available"           # Typical error when making a query before ES has finished loading all indices
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|responded with status-code 503" # telegraf getting 503 from ES during startup
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|process_cluster_event_timeout_exception" # logstash waiting for elasticsearch to start
 fi

 if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then
@@ -136,6 +150,13 @@ if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|invalid query input"          # false positive (Invalid user input in hunt query)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|example"                      # false positive (example test data)
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|status 200"                   # false positive (request successful, contained error string in content)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|app_layer.error"              # false positive (suricata 7) in stats.log e.g. app_layer.error.imap.parser | Total | 0
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|is not an ip string literal"  # false positive (Open Canary logging out blank IP addresses)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|syncing rule"                 # false positive (rule sync log line includes rule name which can contain 'error') 
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|request_unauthorized"         # false positive (login failures to Hydra result in an 'error' log) 
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|adding index lifecycle policy" # false positive (elasticsearch policy names contain 'error') 
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|adding ingest pipeline"       # false positive (elasticsearch ingest pipeline names contain 'error') 
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|updating index template"      # false positive (elasticsearch index or template names contain 'error') 
 fi

 if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then
@@ -144,19 +165,22 @@ if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|fail\\(error\\)"              # redis/python generic stack line, rely on other lines for actual error
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|urlerror"                     # idstools connection timeout
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|timeouterror"                 # idstools connection timeout
-    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|forbidden"                    # playbook
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|_ml"                          # Elastic ML errors 
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|context canceled"             # elastic agent during shutdown
-    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|exited with code 128"         # soctopus errors during forced restart by highstate
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|geoip databases update"       # airgap can't update GeoIP DB
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|filenotfounderror"            # bug in 2.4.10 filecheck salt state caused duplicate cronjobs
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|salt-minion-check"            # bug in early 2.4 place Jinja script in non-jinja salt dir causing cron output errors
-    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|generating elastalert config" # playbook expected error
-    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|activerecord"                 # playbook expected error
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|monitoring.metrics"           # known issue with elastic agent casting the field incorrectly if an integer value shows up before a float
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|repodownload.conf"            # known issue with reposync on pre-2.4.20 
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|missing versions record"      # stenographer corrupt index
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|soc.field."                   # known ingest type collisions issue with earlier versions of SO
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|error parsing signature"      # Malformed Suricata rule, from upstream provider
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|sticky buffer has no matches" # Non-critical Suricata error
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Unable to determine destination index stats"  # Elastic transform temporary error
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|cannot join on an empty table" # InfluxDB flux query, import nodes
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|exhausting result iterator"   # InfluxDB flux query mismatched table results (temporary data issue)
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|failed to finish run"         # InfluxDB rare error, self-recoverable
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Unable to gather disk name"   # InfluxDB known error, can't read disks because the container doesn't have them mounted
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|iteration"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|communication packets"
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|use of closed"
@@ -185,7 +209,16 @@ if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|req.LocalMeta.host.ip"        # known issue in GH
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|sendmail"                     # zeek
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|stats.log"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Unknown column"               # Elastalert errors from running EQL queries
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|parsing_exception"            # Elastalert EQL parsing issue. Temp.
    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|context deadline exceeded"
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Error running query:"         # Specific issues with detection rules
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|detect-parse"                 # Suricata encountering a malformed rule
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|integrity check failed"       # Detections: Exclude false positive due to automated testing
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|syncErrors"                   # Detections: Not an actual error
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Initialized license manager"  # SOC log: before fields.status was changed to fields.licenseStatus
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|from NIC checksum offloading" # zeek reporter.log
+    EXCLUDED_ERRORS="$EXCLUDED_ERRORS|marked for removal"           # docker container getting recycled
 fi

 RESULT=0
@@ -194,7 +227,9 @@ RESULT=0
 CONTAINER_IDS=$(docker ps -q)
 exclude_container so-kibana   # kibana error logs are too verbose with large varieties of errors most of which are temporary
 exclude_container so-idstools # ignore due to known issues and noisy logging
-exclude_container so-playbook # ignore due to several playbook known issues
+exclude_container so-playbook # Playbook is removed as of 2.4.70, disregard output in stopped containers
+exclude_container so-mysql    # MySQL is removed as of 2.4.70, disregard output in stopped containers
+exclude_container so-soctopus # Soctopus is removed as of 2.4.70, disregard output in stopped containers

 for container_id in $CONTAINER_IDS; do
    container_name=$(docker ps --format json | jq ". | select(.ID==\"$container_id\")|.Names")
@@ -212,7 +247,18 @@ exclude_log "kibana.log"   # kibana error logs are too verbose with large variet
 exclude_log "spool"        # disregard zeek analyze logs as this is data specific
 exclude_log "import"       # disregard imported test data the contains error strings
 exclude_log "update.log"   # ignore playbook updates due to several known issues
-exclude_log "playbook.log" # ignore due to several playbook known issues
+exclude_log "cron-cluster-delete.log" # ignore since Curator has been removed
+exclude_log "cron-close.log" # ignore since Curator has been removed
+exclude_log "curator.log"  # ignore since Curator has been removed
+exclude_log "playbook.log" # Playbook is removed as of 2.4.70, logs may still be on disk
+exclude_log "mysqld.log"   # MySQL is removed as of 2.4.70, logs may still be on disk
+exclude_log "soctopus.log" # Soctopus is removed as of 2.4.70, logs may still be on disk
+exclude_log "agentstatus.log" # ignore this log since it tracks agents in error state
+exclude_log "detections_runtime-status_yara.log" # temporarily ignore this log until Detections is more stable
+exclude_log "/nsm/kafka/data/" # ignore Kafka data directory from log check.
+
+# Include Zeek reporter.log to detect errors after running known good pcap(s) through sensor
+echo "/nsm/zeek/spool/logger/reporter.log" >> /tmp/log_check_files

 for log_file in $(cat /tmp/log_check_files); do
    status "Checking log file $log_file"
@@ -230,4 +276,4 @@ else
    echo -e "\nResult: One or more errors found"
 fi

-exit $RESULT
+exit $RESULT
@@ -0,0 +1,98 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0."
+
+set -e
+# This script is intended to be used in the case the ISO install did not properly setup TPM decrypt for LUKS partitions at boot.
+if [ -z $NOROOT ]; then
+	# Check for prerequisites
+	if [ "$(id -u)" -ne 0 ]; then
+		echo "This script must be run using sudo!"
+		exit 1
+	fi
+fi
+ENROLL_TPM=N
+
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    --enroll-tpm)
+      ENROLL_TPM=Y
+      ;;
+    *)
+      echo "Usage: $0 [options]"
+      echo ""
+      echo "where options are:"
+      echo "  --enroll-tpm            for when TPM enrollment was not selected during ISO install."
+      echo ""
+      exit 1
+      ;;
+  esac
+  shift
+done
+
+check_for_tpm() {
+  echo -n "Checking for TPM: "
+  if [ -d /sys/class/tpm/tpm0 ]; then
+    echo -e "tpm0 found."
+    TPM="yes"
+    # Check if TPM is using sha1 or sha256
+    if [ -d /sys/class/tpm/tpm0/pcr-sha1 ]; then
+      echo -e "TPM is using sha1.\n"
+      TPM_PCR="sha1"
+    elif [ -d /sys/class/tpm/tpm0/pcr-sha256 ]; then
+      echo -e "TPM is using sha256.\n"
+      TPM_PCR="sha256"
+    fi
+  else
+    echo -e "No TPM found.\n"
+    exit 1
+  fi
+}
+
+check_for_luks_partitions() {
+  echo "Checking for LUKS partitions"
+  for part in $(lsblk -o NAME,FSTYPE -ln | grep crypto_LUKS | awk '{print $1}'); do
+    echo "Found LUKS partition: $part"
+    LUKS_PARTITIONS+=("$part")
+  done
+  if [ ${#LUKS_PARTITIONS[@]} -eq 0 ]; then
+    echo -e "No LUKS partitions found.\n"
+    exit 1
+  fi
+  echo ""
+}
+
+enroll_tpm_in_luks() {
+  read -s -p "Enter the LUKS passphrase used during ISO install: " LUKS_PASSPHRASE
+  echo ""
+  for part in "${LUKS_PARTITIONS[@]}"; do
+    echo "Enrolling TPM for LUKS device: /dev/$part"
+    if [ "$TPM_PCR" == "sha1" ]; then
+      clevis luks bind -d /dev/$part tpm2 '{"pcr_bank":"sha1","pcr_ids":"7"}' <<< $LUKS_PASSPHRASE
+    elif [ "$TPM_PCR" == "sha256" ]; then
+      clevis luks bind -d /dev/$part tpm2 '{"pcr_bank":"sha256","pcr_ids":"7"}' <<< $LUKS_PASSPHRASE
+    fi
+  done
+ }
+
+regenerate_tpm_enrollment_token() {
+  for part in "${LUKS_PARTITIONS[@]}"; do
+    clevis luks regen -d /dev/$part -s 1 -q
+  done
+}
+
+check_for_tpm
+check_for_luks_partitions
+
+if [[ $ENROLL_TPM == "Y" ]]; then
+  enroll_tpm_in_luks
+else
+  regenerate_tpm_enrollment_token
+fi
+
+echo "Running dracut"
+dracut -fv
+echo -e "\nTPM configuration complete. Reboot the system to verify the TPM is correctly decrypting the LUKS partition(s) at boot.\n"
@@ -41,8 +41,13 @@ done
 if [ $SKIP -ne 1 ]; then
        # Inform user we are about to delete all data
        echo
-        echo "This script will delete all NIDS data (PCAP, Suricata, Zeek)" 
-        echo "If you would like to proceed, please type "AGREE" and hit ENTER."
+        echo "This script will delete all NSM data from /nsm."
+        echo
+        echo "This includes Suricata data, Zeek data, and full packet capture (PCAP)."
+        echo
+        echo "This will NOT delete any Suricata or Zeek logs that have already been ingested into Elasticsearch."
+        echo
+        echo "If you would like to proceed, then type AGREE and press ENTER."
        echo
        # Read user input
        read INPUT
@@ -54,8 +59,8 @@ delete_pcap() {
  [ -d $PCAP_DATA ] && so-pcap-stop && rm -rf $PCAP_DATA/* && so-pcap-start
 }
 delete_suricata() {
-  SURI_LOG="/opt/so/log/suricata/eve.json"
-  [ -f $SURI_LOG ] && so-suricata-stop && rm -f $SURI_LOG && so-suricata-start
+  SURI_LOG="/nsm/suricata/"
+  [ -d $SURI_LOG ] && so-suricata-stop && rm -rf $SURI_LOG/* && so-suricata-start
 }
 delete_zeek() {
  ZEEK_LOG="/nsm/zeek/logs/"
@@ -1,67 +0,0 @@
-#!/bin/bash
-local_salt_dir=/opt/so/saltstack/local
-
-zeek_logs_enabled() {
-  echo "zeeklogs:" > $local_salt_dir/pillar/zeeklogs.sls
-  echo "  enabled:" >> $local_salt_dir/pillar/zeeklogs.sls
-  for BLOG in "${BLOGS[@]}"; do
-    echo "    - $BLOG" | tr -d '"' >> $local_salt_dir/pillar/zeeklogs.sls
-  done
-}
-
-whiptail_manager_adv_service_zeeklogs() {
-  BLOGS=$(whiptail --title "so-zeek-logs" --checklist "Please Select Logs to Send:" 24 78 12 \
-  "conn" "Connection Logging" ON \
-  "dce_rpc" "RPC Logs" ON \
-  "dhcp" "DHCP Logs" ON \
-  "dnp3" "DNP3 Logs" ON \
-  "dns" "DNS Logs" ON \
-  "dpd" "DPD Logs" ON \
-  "files" "Files Logs" ON \
-  "ftp" "FTP Logs" ON \
-  "http" "HTTP Logs" ON \
-  "intel" "Intel Hits Logs" ON \
-  "irc" "IRC Chat Logs" ON \
-  "kerberos" "Kerberos Logs" ON \
-  "modbus" "MODBUS Logs" ON \
-  "notice" "Zeek Notice Logs" ON \
-  "ntlm" "NTLM Logs" ON \
-  "pe" "PE Logs" ON \
-  "radius" "Radius Logs" ON \
-  "rfb" "RFB Logs" ON \
-  "rdp" "RDP Logs" ON \
-  "sip" "SIP Logs" ON \
-  "smb_files" "SMB Files Logs" ON \
-  "smb_mapping" "SMB Mapping Logs" ON \
-  "smtp" "SMTP Logs" ON \
-  "snmp" "SNMP Logs" ON \
-  "ssh" "SSH Logs" ON \
-  "ssl" "SSL Logs" ON \
-  "syslog" "Syslog Logs" ON \
-  "tunnel" "Tunnel Logs" ON \
-  "weird" "Zeek Weird Logs" ON \
-  "mysql" "MySQL Logs" ON \
-  "socks" "SOCKS Logs" ON \
-  "x509" "x.509 Logs" ON 3>&1 1>&2 2>&3 )
-  
-  local exitstatus=$?
-
-  IFS=' ' read -ra BLOGS <<< "$BLOGS"
-
-  return $exitstatus
-}
-
-whiptail_manager_adv_service_zeeklogs
-return_code=$?
-case $return_code in
-  1)
-    whiptail --title "so-zeek-logs" --msgbox "Cancelling. No changes have been made." 8 75
-    ;;
-  255)
-    whiptail --title "so-zeek-logs" --msgbox "Whiptail error occured, exiting." 8 75
-    ;;
-  *)
-    zeek_logs_enabled
-    ;;
-esac
-
@@ -63,7 +63,7 @@ function status {
 function pcapinfo() {
  PCAP=$1
  ARGS=$2
-  docker run --rm -v "$PCAP:/input.pcap" --entrypoint capinfos {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} /input.pcap $ARGS
+  docker run --rm -v "$PCAP:/input.pcap" --entrypoint capinfos {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} /input.pcap -ae $ARGS
 }

 function pcapfix() {
@@ -89,6 +89,7 @@ function suricata() {
    -v ${LOG_PATH}:/var/log/suricata/:rw \
    -v ${NSM_PATH}/:/nsm/:rw \
    -v "$PCAP:/input.pcap:ro" \
+    -v /dev/null:/nsm/suripcap:rw \
    -v /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro \
    {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-suricata:{{ VERSION }} \
    --runmode single -k none -r /input.pcap > $LOG_PATH/console.log 2>&1
@@ -247,7 +248,7 @@ fi
 START_OLDEST_SLASH=$(echo $START_OLDEST | sed -e 's/-/%2F/g')
 END_NEWEST_SLASH=$(echo $END_NEWEST | sed -e 's/-/%2F/g')
 if [[ $VALID_PCAPS_COUNT -gt 0 ]] || [[ $SKIPPED_PCAPS_COUNT -gt 0 ]]; then
-  URL="https://{{ URLBASE }}/#/dashboards?q=$HASH_FILTERS%20%7C%20groupby%20-sankey%20event.dataset%20event.category%2a%20%7C%20groupby%20-pie%20event.category%20%7C%20groupby%20-bar%20event.module%20%7C%20groupby%20event.dataset%20%7C%20groupby%20event.module%20%7C%20groupby%20event.category%20%7C%20groupby%20observer.name%20%7C%20groupby%20source.ip%20%7C%20groupby%20destination.ip%20%7C%20groupby%20destination.port&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20AM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20AM&z=UTC"
+  URL="https://{{ URLBASE }}/#/dashboards?q=$HASH_FILTERS%20%7C%20groupby%20event.module*%20%7C%20groupby%20-sankey%20event.module*%20event.dataset%20%7C%20groupby%20event.dataset%20%7C%20groupby%20source.ip%20%7C%20groupby%20destination.ip%20%7C%20groupby%20destination.port%20%7C%20groupby%20network.protocol%20%7C%20groupby%20rule.name%20rule.category%20event.severity_label%20%7C%20groupby%20dns.query.name%20%7C%20groupby%20file.mime_type%20%7C%20groupby%20http.virtual_host%20http.uri%20%7C%20groupby%20notice.note%20notice.message%20notice.sub_message%20%7C%20groupby%20ssl.server_name%20%7C%20groupby%20source_geo.organization_name%20source.geo.country_name%20%7C%20groupby%20destination_geo.organization_name%20destination.geo.country_name&t=${START_OLDEST_SLASH}%2000%3A00%3A00%20AM%20-%20${END_NEWEST_SLASH}%2000%3A00%3A00%20AM&z=UTC"

  status "Import complete!"
  status
@@ -9,6 +9,9 @@

 . /usr/sbin/so-common

+software_raid=("SOSMN" "SOSMN-DE02" "SOSSNNV" "SOSSNNV-DE02" "SOS10k-DE02" "SOS10KNV" "SOS10KNV-DE02" "SOS10KNV-DE02" "SOS2000-DE02" "SOS-GOFAST-LT-DE02" "SOS-GOFAST-MD-DE02" "SOS-GOFAST-HV-DE02")
+hardware_raid=("SOS1000" "SOS1000F" "SOSSN7200" "SOS5000" "SOS4000")
+
 {%- if salt['grains.get']('sosmodel', '') %}
 {%- set model = salt['grains.get']('sosmodel') %}
 model={{ model }}
@@ -16,44 +19,70 @@ model={{ model }}
 if [[ $model =~ ^(SO2AMI01|SO2AZI01|SO2GCI01)$ ]]; then
    exit 0
 fi
+
+for i in "${software_raid[@]}"; do
+  if [[ "$model" == $i ]]; then
+    is_softwareraid=true
+    is_hwraid=false
+    break
+  fi
+done
+
+for i in "${hardware_raid[@]}"; do
+  if [[ "$model" == $i ]]; then
+    is_softwareraid=false
+    is_hwraid=true
+    break
+  fi
+done
+
 {%- else %}
 echo "This is not an appliance"
 exit 0
 {%- endif %}
-if [[ $model =~ ^(SOS10K|SOS500|SOS1000|SOS1000F|SOS4000|SOSSN7200|SOSSNNV|SOSMN)$ ]]; then
-	is_bossraid=true
-fi
-if [[ $model =~ ^(SOSSNNV|SOSMN)$ ]]; then
-	is_swraid=true
-fi
-if [[ $model =~ ^(SOS10K|SOS500|SOS1000|SOS1000F|SOS4000|SOSSN7200)$ ]]; then
-	is_hwraid=true
-fi

 check_nsm_raid() {
  PERCCLI=$(/opt/raidtools/perccli/perccli64 /c0/v0 show|grep RAID|grep Optl)
  MEGACTL=$(/opt/raidtools/megasasctl |grep optimal)
-
-  if [[ $APPLIANCE == '1' ]]; then
+  if [[ "$model" == "SOS500" || "$model" == "SOS500-DE02" ]]; then
+    #This doesn't have raid
+    HWRAID=0
+  else
    if [[ -n $PERCCLI ]]; then
      HWRAID=0
    elif [[ -n $MEGACTL ]]; then
      HWRAID=0
    else
      HWRAID=1
-    fi
-
+    fi   
  fi

 }

 check_boss_raid() {
  MVCLI=$(/usr/local/bin/mvcli info -o vd |grep status |grep functional)
+  MVTEST=$(/usr/local/bin/mvcli info -o vd | grep "No adapter")
+  BOSSNVMECLI=$(/usr/local/bin/mnv_cli info -o vd -i 0 | grep Functional)

-  if [[ -n $MVCLI ]]; then
-    BOSSRAID=0
+  # Is this NVMe Boss Raid?
+  if [[ "$model" =~ "-DE02" ]]; then
+    if [[ -n $BOSSNVMECLI ]]; then
+      BOSSRAID=0
+    else
+      BOSSRAID=1
+    fi
  else
-    BOSSRAID=1
+    # Check to see if this is a SM based system
+    if [[ -z $MVTEST ]]; then
+      if [[ -n $MVCLI ]]; then
+        BOSSRAID=0
+      else
+        BOSSRAID=1
+      fi
+    else
+      # This doesn't have boss raid so lets make it 0
+      BOSSRAID=0
+    fi
  fi
 }

@@ -72,14 +101,13 @@ SWRAID=0
 BOSSRAID=0
 HWRAID=0

-if [[ $is_hwraid ]]; then
+if [[ "$is_hwraid" == "true" ]]; then
 	check_nsm_raid
+  check_boss_raid
 fi
-if [[ $is_bossraid ]]; then
-	check_boss_raid
-fi
-if [[ $is_swraid ]]; then
+if [[ "$is_softwareraid" == "true" ]]; then
 	check_software_raid
+  check_boss_raid
 fi

 sum=$(($SWRAID + $BOSSRAID + $HWRAID))
@@ -90,4 +118,4 @@ else
  RAIDSTATUS=1
 fi

-echo "nsmraid=$RAIDSTATUS" > /opt/so/log/raid/status.log
+echo "nsmraid=$RAIDSTATUS" > /opt/so/log/raid/status.log
@@ -10,7 +10,7 @@
 . /usr/sbin/so-common
 . /usr/sbin/so-image-common

-REPLAYIFACE=${REPLAYIFACE:-$(lookup_pillar interface sensor)}
+REPLAYIFACE=${REPLAYIFACE:-"{{salt['pillar.get']('sensor:interface', '')}}"}
 REPLAYSPEED=${REPLAYSPEED:-10}

 mkdir -p /opt/so/samples
@@ -1,81 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-{%   from "curator/map.jinja" import CURATORMERGED %}
-
-# Create the group
-curatorgroup:
-  group.present:
-    - name: curator
-    - gid: 934
-
-# Add user
-curator:
-  user.present:
-    - uid: 934
-    - gid: 934
-    - home: /opt/so/conf/curator
-    - createhome: False
-
-# Create the log directory
-curlogdir:
-  file.directory:
-    - name: /opt/so/log/curator
-    - user: 934
-    - group: 939
-
-curactiondir:
-  file.directory:
-    - name: /opt/so/conf/curator/action
-    - user: 934
-    - group: 939
-    - makedirs: True
-
-actionconfs:
-  file.recurse:
-    - name: /opt/so/conf/curator/action
-    - source: salt://curator/files/action
-    - user: 934
-    - group: 939
-    - template: jinja
-    - defaults:
-        CURATORMERGED: {{ CURATORMERGED.elasticsearch.index_settings }}
-        
-curconf:
-  file.managed:
-    - name: /opt/so/conf/curator/curator.yml
-    - source: salt://curator/files/curator.yml
-    - user: 934
-    - group: 939
-    - mode: 660
-    - template: jinja
-    - show_changes: False
-
-curator_sbin:
-  file.recurse:
-    - name: /usr/sbin
-    - source: salt://curator/tools/sbin
-    - user: 934
-    - group: 939
-    - file_mode: 755
-
-curator_sbin_jinja:
-  file.recurse:
-    - name: /usr/sbin
-    - source: salt://curator/tools/sbin_jinja
-    - user: 934
-    - group: 939 
-    - file_mode: 755
-    - template: jinja
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}
@@ -1,100 +0,0 @@
-curator:
-  enabled: False
-  elasticsearch:
-    index_settings:
-      logs-import-so:
-        close: 73000
-        delete: 73001
-      logs-strelka-so:
-        close: 30
-        delete: 365
-      logs-suricata-so:
-        close: 30
-        delete: 365
-      logs-syslog-so:
-        close: 30
-        delete: 365
-      logs-zeek-so:
-        close: 30
-        delete: 365
-      logs-elastic_agent-metricbeat-default:
-        close: 30
-        delete: 365
-      logs-elastic_agent-osquerybeat-default:
-        close: 30
-        delete: 365
-      logs-elastic_agent-fleet_server-default:
-        close: 30
-        delete: 365
-      logs-elastic_agent-filebeat-default:
-        close: 30
-        delete: 365
-      logs-elastic_agent-default:
-        close: 30
-        delete: 365
-      logs-system-auth-default:
-        close: 30
-        delete: 365
-      logs-system-application-default:
-        close: 30
-        delete: 365
-      logs-system-security-default:
-        close: 30
-        delete: 365
-      logs-system-system-default:
-        close: 30
-        delete: 365
-      logs-system-syslog-default:
-        close: 30
-        delete: 365
-      logs-windows-powershell-default:
-        close: 30
-        delete: 365
-      logs-windows-sysmon_operational-default:
-        close: 30
-        delete: 365
-      so-beats:
-        close: 30
-        delete: 365
-      so-elasticsearch:
-        close: 30
-        delete: 365
-      so-firewall:
-        close: 30
-        delete: 365
-      so-ids:
-        close: 30
-        delete: 365
-      so-import:
-        close: 73000
-        delete: 73001
-      so-kratos:
-        close: 30
-        delete: 365
-      so-kibana:
-        close: 30
-        delete: 365
-      so-logstash:
-        close: 30
-        delete: 365
-      so-netflow:
-        close: 30
-        delete: 365
-      so-osquery:
-        close: 30
-        delete: 365
-      so-ossec:
-        close: 30
-        delete: 365
-      so-redis:
-        close: 30
-        delete: 365
-      so-strelka:
-        close: 30
-        delete: 365
-      so-syslog:
-        close: 30
-        delete: 365
-      so-zeek:
-        close: 30
-        delete: 365
@@ -1,22 +1,17 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.

-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-
-include:
-  - curator.sostatus
-  
 so-curator:
  docker_container.absent:
    - force: True

 so-curator_so-status.disabled:
-  file.comment:
+  file.line:
    - name: /opt/so/conf/so-status/so-status.conf
-    - regex: ^so-curator$
+    - match: ^so-curator$
+    - mode: delete

 so-curator-cluster-close:
  cron.absent:
@@ -26,10 +21,14 @@ so-curator-cluster-delete:
  cron.absent:
    - identifier: so-curator-cluster-delete

-{% else %}
+delete_curator_configuration:
+  file.absent:
+    - name: /opt/so/conf/curator
+    - recurse: True

-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}
+{% set files = salt.file.find(path='/usr/sbin', name='so-curator*') %}
+{% if files|length > 0 %}
+delete_curator_scripts:
+  file.absent:
+    - names: {{files|yaml}}
+{% endif %}
@@ -1,88 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls.split('.')[0] in allowed_states %}
-{%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
-
-include:
-  - curator.config
-  - curator.sostatus
-
-so-curator:
-  docker_container.running:
-    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-curator:{{ GLOBALS.so_version }}
-    - start: True
-    - hostname: curator
-    - name: so-curator
-    - user: curator
-    - networks:
-      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-curator'].ip }}
-    - interactive: True
-    - tty: True
-    - binds:
-      - /opt/so/conf/curator/curator.yml:/etc/curator/config/curator.yml:ro
-      - /opt/so/conf/curator/action/:/etc/curator/action:ro
-      - /opt/so/log/curator:/var/log/curator:rw
-      {% if DOCKER.containers['so-curator'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-curator'].custom_bind_mounts %}
-      - {{ BIND }}
-        {% endfor %}
-      {% endif %}
-      {% if DOCKER.containers['so-curator'].extra_hosts %}
-    - extra_hosts:
-        {% for XTRAHOST in DOCKER.containers['so-curator'].extra_hosts %}
-      - {{ XTRAHOST }}
-        {% endfor %}
-      {% endif %}
-      {% if DOCKER.containers['so-curator'].extra_env %}
-    - environment:
-        {% for XTRAENV in DOCKER.containers['so-curator'].extra_env %}
-      - {{ XTRAENV }}
-        {% endfor %}
-      {% endif %}
-    - require:
-      - file: actionconfs
-      - file: curconf
-      - file: curlogdir
-    - watch:
-      - file: curconf
-
-delete_so-curator_so-status.disabled:
-  file.uncomment:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - regex: ^so-curator$
-
-so-curator-cluster-close:
-  cron.present:
-    - name: /usr/sbin/so-curator-cluster-close > /opt/so/log/curator/cron-close.log 2>&1
-    - identifier: so-curator-cluster-close
-    - user: root
-    - minute: '2'
-    - hour: '*/1'
-    - daymonth: '*'
-    - month: '*'
-    - dayweek: '*'
-
-so-curator-cluster-delete:
-  cron.present:
-    - name: /usr/sbin/so-curator-cluster-delete > /opt/so/log/curator/cron-cluster-delete.log 2>&1
-    - identifier: so-curator-cluster-delete
-    - user: root
-    - minute: '*/5'
-    - hour: '*'
-    - daymonth: '*'
-    - month: '*'
-    - dayweek: '*'
-
-{% else %}
-
-{{sls}}_state_not_allowed:
-  test.fail_without_changes:
-    - name: {{sls}}_state_not_allowed
-
-{% endif %}
@@ -1,31 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICDEFAULTS %}
-{% set ELASTICMERGED = salt['pillar.get']('elasticsearch:retention', ELASTICDEFAULTS.elasticsearch.retention, merge=true) %}
-
-{{ ELASTICMERGED.retention_pct }}
-
-{%- set log_size_limit = salt['pillar.get']('elasticsearch:log_size_limit') %}
-actions:
-  1:
-    action: delete_indices
-    description: >-
-      Delete indices when {{log_size_limit}}(GB) is exceeded.
-    options:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex
-      value: '^(logstash-.*|so-.*|.ds-logs-.*-so.*)$'
-    - filtertype: pattern
-      kind: regex
-      value: '^(so-case.*)$'
-      exclude: True
-    - filtertype: space
-      source: creation_date
-      use_age: True
-      disk_space: {{log_size_limit}}
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['logs-elastic_agent-default'].close %}
-actions:
-  1:
-    action: close
-    description: >-
-      Close Elastic Agent default indices older than {{cur_close_days}} days.
-    options:
-      delete_aliases: False
-      timeout_override:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex 
-      value: '^(.ds-logs-elastic_agent-default.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{cur_close_days}}
-      exclude:
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-default'].delete %}
-actions:
-  1:
-    action: delete_indices
-    description: >-
-      Delete Elastic Agent default indices when older than {{ DELETE_DAYS }} days.
-    options:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex
-      value: '^(.ds-logs-elastic_agent-default.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{ DELETE_DAYS }}
-      exclude:
-  
-      
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['logs-elastic_agent-filebeat-default'].close %}
-actions:
-  1:
-    action: close
-    description: >-
-      Close Elastic Agent Filebeat indices older than {{cur_close_days}} days.
-    options:
-      delete_aliases: False
-      timeout_override:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex 
-      value: '^(.ds-logs-elastic_agent.filebeat-default.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{cur_close_days}}
-      exclude:
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-filebeat-default'].delete %}
-actions:
-  1:
-    action: delete_indices
-    description: >-
-      Delete Elastic Agent Filebeat indices when older than {{ DELETE_DAYS }} days.
-    options:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex
-      value: '^(.ds-logs-elastic_agent.filebeat-default.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{ DELETE_DAYS }}
-      exclude:
-  
-      
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['logs-elastic_agent-fleet_server-default'].close %}
-actions:
-  1:
-    action: close
-    description: >-
-      Close Elastic Agent Fleet Server indices older than {{cur_close_days}} days.
-    options:
-      delete_aliases: False
-      timeout_override:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex 
-      value: '^(.ds-logs-elastic_agent.fleet_server-default.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{cur_close_days}}
-      exclude:
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-fleet_server-default'].delete %}
-actions:
-  1:
-    action: delete_indices
-    description: >-
-      Delete import indices when older than {{ DELETE_DAYS }} days.
-    options:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex
-      value: '^(.ds-logs-elastic_agent.fleet_server-default.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{ DELETE_DAYS }}
-      exclude:
-  
-      
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['logs-elastic_agent-metricbeat-default'].close %}
-actions:
-  1:
-    action: close
-    description: >-
-      Close Elastic Agent Metricbeat indices older than {{cur_close_days}} days.
-    options:
-      delete_aliases: False
-      timeout_override:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex 
-      value: '^(.ds-logs-elastic_agent.metricbeat-default-.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{cur_close_days}}
-      exclude:
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-metricbeat-default'].delete %}
-actions:
-  1:
-    action: delete_indices
-    description: >-
-      Delete Elastic Agent Metricbeat indices when older than {{ DELETE_DAYS }} days.
-    options:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex
-      value: '^(.ds-logs-elastic_agent.metricbeat-default.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{ DELETE_DAYS }}
-      exclude:
-  
-      
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['logs-elastic_agent-osquerybeat-default'].close %}
-actions:
-  1:
-    action: close
-    description: >-
-      Close Elastic Agent Osquerybeat indices older than {{cur_close_days}} days.
-    options:
-      delete_aliases: False
-      timeout_override:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex 
-      value: '^(.ds-logs-elastic_agent.osquerybeat-default.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{cur_close_days}}
-      exclude:
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-osquerybeat-default'].delete %}
-actions:
-  1:
-    action: delete_indices
-    description: >-
-      Delete Elastic Agent Osquerybeat indices when older than {{ DELETE_DAYS }} days.
-    options:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex
-      value: '^(.ds-logs-elastic_agent.osquerybeat-default.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{ DELETE_DAYS }}
-      exclude:
-  
-      
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['logs-import-so'].delete %}
-actions:
-  1:
-    action: delete_indices
-    description: >-
-      Delete import indices when older than {{ DELETE_DAYS }} days.
-    options:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex
-      value: '^(.ds-logs-import-so.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{ DELETE_DAYS }}
-      exclude:
-  
-      
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['logs-import-so'].close %}
-actions:
-  1:
-    action: close
-    description: >-
-      Close import indices older than {{cur_close_days}} days.
-    options:
-      delete_aliases: False
-      timeout_override:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex 
-      value: '^(.ds-logs-import-so.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{cur_close_days}}
-      exclude:
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['logs-import-so'].delete %}
-actions:
-  1:
-    action: delete_indices
-    description: >-
-      Delete import indices when older than {{ DELETE_DAYS }} days.
-    options:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex
-      value: '^(.ds-logs-import-so.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{ DELETE_DAYS }}
-      exclude:
-  
-      
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['logs-strelka-so'].close %}
-actions:
-  1:
-    action: close
-    description: >-
-      Close Strelka indices older than {{cur_close_days}} days.
-    options:
-      delete_aliases: False
-      timeout_override:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex 
-      value: '^(.ds-logs-strelka-so.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{cur_close_days}}
-      exclude:
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['logs-strelka-so'].delete %}
-actions:
-  1:
-    action: delete_indices
-    description: >-
-      Delete Strelka indices when older than {{ DELETE_DAYS }} days.
-    options:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex
-      value: '^(.ds-logs-strelka-so.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{ DELETE_DAYS }}
-      exclude:
-  
-      
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['logs-suricata-so'].close %}
-actions:
-  1:
-    action: close
-    description: >-
-      Close Suricata indices older than {{cur_close_days}} days.
-    options:
-      delete_aliases: False
-      timeout_override:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex 
-      value: '^(.ds-logs-suricata-so.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{cur_close_days}}
-      exclude:
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['logs-suricata-so'].delete %}
-actions:
-  1:
-    action: delete_indices
-    description: >-
-      Delete Suricata indices when older than {{ DELETE_DAYS }} days.
-    options:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex
-      value: '^(.ds-logs-suricata-so.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{ DELETE_DAYS }}
-      exclude:
-  
-      
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['logs-syslog-so'].close %}
-actions:
-  1:
-    action: close
-    description: >-
-      Close syslog indices older than {{cur_close_days}} days.
-    options:
-      delete_aliases: False
-      timeout_override:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex 
-      value: '^(.ds-logs-syslog-so.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{cur_close_days}}
-      exclude:
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['logs-syslog-so'].delete %}
-actions:
-  1:
-    action: delete_indices
-    description: >-
-      Delete syslog indices when older than {{ DELETE_DAYS }} days.
-    options:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex
-      value: '^(.ds-logs-syslog-so.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{ DELETE_DAYS }}
-      exclude:
-  
-      
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['logs-system-application-default'].close %}
-actions:
-  1:
-    action: close
-    description: >-
-      Close Elastic Agent system application indices older than {{cur_close_days}} days.
-    options:
-      delete_aliases: False
-      timeout_override:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex 
-      value: '^(.ds-logs-system.application-default.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{cur_close_days}}
-      exclude:
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['logs-system-application-default'].delete %}
-actions:
-  1:
-    action: delete_indices
-    description: >-
-      Delete Elastic Agent system application indices when older than {{ DELETE_DAYS }} days.
-    options:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex
-      value: '^(.ds-logs-system.application-default.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{ DELETE_DAYS }}
-      exclude:
-  
-      
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['logs-system-auth-default'].close %}
-actions:
-  1:
-    action: close
-    description: >-
-      Close Elastic Agent system auth indices older than {{cur_close_days}} days.
-    options:
-      delete_aliases: False
-      timeout_override:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex 
-      value: '^(.ds-logs-system.auth-default.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{cur_close_days}}
-      exclude:
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['logs-system-auth-default'].delete %}
-actions:
-  1:
-    action: delete_indices
-    description: >-
-      Delete Elastic Agent system auth indices when older than {{ DELETE_DAYS }} days.
-    options:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex
-      value: '^(.ds-logs-system.auth-default.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{ DELETE_DAYS }}
-      exclude:
-  
-      
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['logs-system-security-default'].close %}
-actions:
-  1:
-    action: close
-    description: >-
-      Close Elastic Agent system security indices older than {{cur_close_days}} days.
-    options:
-      delete_aliases: False
-      timeout_override:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex 
-      value: '^(.ds-logs-system.security-default.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{cur_close_days}}
-      exclude:
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['logs-system-security-default'].delete %}
-actions:
-  1:
-    action: delete_indices
-    description: >-
-      Delete Elastic Agent system security indices when older than {{ DELETE_DAYS }} days.
-    options:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex
-      value: '^(.ds-logs-system.security-default.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{ DELETE_DAYS }}
-      exclude:
-  
-      
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['logs-system-syslog-default'].close %}
-actions:
-  1:
-    action: close
-    description: >-
-      Close Elastic Agent system syslog indices older than {{cur_close_days}} days.
-    options:
-      delete_aliases: False
-      timeout_override:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex 
-      value: '^(.ds-logs-system.syslog-default.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{cur_close_days}}
-      exclude:
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['logs-system-syslog-default'].delete %}
-actions:
-  1:
-    action: delete_indices
-    description: >-
-      Delete Elastic Agent system syslog indices when older than {{ DELETE_DAYS }} days.
-    options:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex
-      value: '^(.ds-logs-system.syslog-default.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{ DELETE_DAYS }}
-      exclude:
-  
-      
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['logs-system-system-default'].close %}
-actions:
-  1:
-    action: close
-    description: >-
-      Close Elastic Agent system system indices older than {{cur_close_days}} days.
-    options:
-      delete_aliases: False
-      timeout_override:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex 
-      value: '^(.ds-logs-system.system-default.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{cur_close_days}}
-      exclude:
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['logs-system-system-default'].delete %}
-actions:
-  1:
-    action: delete_indices
-    description: >-
-      Delete Elastic Agent system system indices when older than {{ DELETE_DAYS }} days.
-    options:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex
-      value: '^(.ds-logs-system.system-default.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{ DELETE_DAYS }}
-      exclude:
-  
-      
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['logs-windows-powershell-default'].close %}
-actions:
-  1:
-    action: close
-    description: >-
-      Close Elastic Agent Windows Powershell indices older than {{cur_close_days}} days.
-    options:
-      delete_aliases: False
-      timeout_override:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex 
-      value: '^(.ds-logs-windows.powershell-default.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{cur_close_days}}
-      exclude:
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['logs-windows-powershell-default'].delete %}
-actions:
-  1:
-    action: delete_indices
-    description: >-
-      Delete Elastic Agent Windows Powershell indices when older than {{ DELETE_DAYS }} days.
-    options:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex
-      value: '^(.ds-logs-windows.powershell-default.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{ DELETE_DAYS }}
-      exclude:
-  
-      
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['logs-windows-sysmon_operational-default'].close %}
-actions:
-  1:
-    action: close
-    description: >-
-      Close Elastic Agent Windows Sysmon operational indices older than {{cur_close_days}} days.
-    options:
-      delete_aliases: False
-      timeout_override:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex 
-      value: '^(.ds-logs-windows.sysmon_operational-default.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{cur_close_days}}
-      exclude:
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['logs-windows-sysmon_operational-default'].delete %}
-actions:
-  1:
-    action: delete_indices
-    description: >-
-      Delete Elastic Agent Windows Sysmon operational indices when older than {{ DELETE_DAYS }} days.
-    options:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex
-      value: '^(.ds-logs-windows.sysmon_operational-default.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{ DELETE_DAYS }}
-      exclude:
-  
-      
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['logs-zeek-so'].close %}
-actions:
-  1:
-    action: close
-    description: >-
-      Close Zeek indices older than {{cur_close_days}} days.
-    options:
-      delete_aliases: False
-      timeout_override:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex 
-      value: '^(.ds-logs-zeek-so.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{cur_close_days}}
-      exclude:
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['logs-zeek-so'].delete %}
-actions:
-  1:
-    action: delete_indices
-    description: >-
-      Delete Zeek indices when older than {{ DELETE_DAYS }} days.
-    options:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex
-      value: '^(.ds-logs-zeek-so.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{ DELETE_DAYS }}
-      exclude:
-  
-      
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['so-beats'].close %}
-actions:
-  1:
-    action: close
-    description: >-
-      Close Beats indices older than {{cur_close_days}} days.
-    options:
-      delete_aliases: False
-      timeout_override:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex 
-      value: '^(logstash-beats.*|so-beats.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{cur_close_days}}
-      exclude:
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['so-beats'].delete %}
-actions:
-  1:
-    action: delete_indices
-    description: >-
-      Delete beats indices when older than {{ DELETE_DAYS }} days.
-    options:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex
-      value: '^(logstash-beats.*|so-beats.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{ DELETE_DAYS }}
-      exclude:
-  
-      
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['so-elasticsearch'].close %}
-actions:
-  1:
-    action: close
-    description: >-
-      Close elasticsearch indices older than {{cur_close_days}} days.
-    options:
-      delete_aliases: False
-      timeout_override:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex 
-      value: '^(logstash-elasticsearch.*|so-elasticsearch.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{cur_close_days}}
-      exclude:
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['so-elasticsearch'].delete %}
-actions:
-  1:
-    action: delete_indices
-    description: >-
-      Delete elasticsearch indices when older than {{ DELETE_DAYS }} days.
-    options:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex
-      value: '^(logstash-elasticsearch.*|so-elasticsearch.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{ DELETE_DAYS }}
-      exclude:
-  
-      
@@ -1,28 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-{%- set cur_close_days = CURATORMERGED['so-firewall'].close %}
-actions:
-  1:
-    action: close
-    description: >-
-      Close Firewall indices older than {{cur_close_days}} days.
-    options:
-      delete_aliases: False
-      timeout_override:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex 
-      value: '^(logstash-firewall.*|so-firewall.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{cur_close_days}}
-      exclude:
@@ -1,28 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-{%- set DELETE_DAYS = CURATORMERGED['so-firewall'].delete %}
-actions:
-  1:
-    action: delete_indices
-    description: >-
-      Delete firewall indices when older than {{ DELETE_DAYS }} days.
-    options:
-      ignore_empty_list: True
-      disable_action: False
-    filters:
-    - filtertype: pattern
-      kind: regex
-      value: '^(logstash-firewall.*|so-firewall.*)$'
-    - filtertype: age
-      source: name
-      direction: older
-      timestring: '%Y.%m.%d'
-      unit: days
-      unit_count: {{ DELETE_DAYS }}
-      exclude:
-  
-      
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .4.20
 .4.141