Merge pull request #11127 from Security-Onion-Solutions/hotfix/2.4.10

Hotfix/2.4.10

DOWNLOAD_AND_VERIFY_ISO.md

@@ -1,18 +1,18 @@
-### 2.4.5-20230807 ISO image released on 2023/08/07
+### 2.4.10-20230821 ISO image released on 2023/08/21
 
 
 
 ### Download and Verify
 
-2.4.5-20230807 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.4.5-20230807.iso
+2.4.10-20230821 ISO image:  
+https://download.securityonion.net/file/securityonion/securityonion-2.4.10-20230821.iso
  
-MD5: F83FD635025A3A65B380EAFCEB61A92E  
-SHA1: 5864D4CD520617E3328A3D956CAFCC378A8D2D08  
-SHA256: D333BAE0DD198DFD80DF59375456D228A4E18A24EDCDB15852CD4CA3F92B69A7  
+MD5: 353EB36F807DC947F08F79B3DCFA420E  
+SHA1: B25E3BEDB81BBEF319DC710267E6D78422F39C56  
+SHA256: 3D369E92FEB65D14E1A981E99FA223DA52C92057A037C243AD6332B6B9A6D9BC  
 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.5-20230807.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.10-20230821.iso.sig
 
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS  
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
 
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.5-20230807.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.10-20230821.iso.sig
 ```
 
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.5-20230807.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.10-20230821.iso
 ```
 
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.4.5-20230807.iso.sig securityonion-2.4.5-20230807.iso
+gpg --verify securityonion-2.4.10-20230821.iso.sig securityonion-2.4.10-20230821.iso
 ```
 
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Sat 05 Aug 2023 10:12:46 AM EDT using RSA key ID FE507013
+gpg: Signature made Mon 21 Aug 2023 09:47:50 AM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.

HOTFIX

@@ -1 +1 @@
-
+20230821

README.md

@@ -1,6 +1,6 @@
-## Security Onion 2.4 Release Candidate 2 (RC2)
+## Security Onion 2.4
 
-Security Onion 2.4 Release Candidate 2 (RC2) is here!
+Security Onion 2.4 is here!
 
 ## Screenshots
 

VERSION

@@ -1 +1 @@
-2.4.5
+2.4.10

salt/common/tools/sbin_jinja/so-desktop-install

@@ -5,15 +5,15 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
+source /usr/sbin/so-common
+doc_desktop_url="$DOC_BASE_URL/desktop.html"
 
-{# we only want the script to install the desktop if it is Rocky -#}
-{% if grains.os == 'Rocky' -%}
+{# we only want the script to install the desktop if it is OEL -#}
+{% if grains.os == 'OEL' -%}
 {#   if this is a manager -#}
 {%   if grains.master == grains.id.split('_')|first -%}
 
-source /usr/sbin/so-common
-doc_desktop_url="$DOC_BASE_URL/desktop.html"
-pillar_file="/opt/so/saltstack/local/pillar/minions/{{grains.id}}.sls"
+pillar_file="/opt/so/saltstack/local/pillar/minions/adv_{{grains.id}}.sls"
 
 if [ -f "$pillar_file" ]; then
   if ! grep -q "^desktop:$" "$pillar_file"; then
@@ -65,7 +65,7 @@ if [ -f "$pillar_file" ]; then
     fi
   else # desktop is already added
     echo "The desktop pillar already exists in $pillar_file."
-    echo "To enable/disable the gui, set 'desktop:gui:enabled' to true or false in $pillar_file."
+    echo "To enable/disable the gui, set 'desktop:gui:enabled' to true or false in $pillar_file. Alternatively, this can be set in the SOC UI under advanced."
     echo "Additional documentation can be found at $doc_desktop_url."
   fi
 else # if the pillar file doesn't exist
@@ -75,17 +75,22 @@ fi
 {#-  if this is not a manager #}
 {%   else -%}
 
-echo "Since this is not a manager, the pillar values to enable Security Onion Desktop must be set manually. Please view the documentation at $doc_desktop_url."
+echo "Since this is not a manager, the pillar values to enable Security Onion Desktop must be set manually. This can be enabled in the SOC UI under advanced by adding the following:"
+echo "desktop:"
+echo "  gui:"
+echo "    enabled: true"
+echo ""
+echo "Please view the documentation at $doc_desktop_url."
 
 {#- endif if this is a manager #}
 {%   endif -%}
 
-{#- if not Rocky #}
+{#- if not OEL #}
 {%- else %}
 
-echo "The Security Onion Desktop can only be installed on Rocky Linux. Please view the documentation at $doc_desktop_url."
+echo "The Security Onion Desktop can only be installed on Oracle Linux. Please view the documentation at $doc_desktop_url."
 
-{#- endif grains.os == Rocky #}
+{#- endif grains.os == OEL #}
 {% endif -%}
 
 exit 0

salt/desktop/files/00-background

@@ -0,0 +1,8 @@
+# Specify the dconf path
+[org/gnome/desktop/background]
+
+# Specify the path to the desktop background image file
+picture-uri='file:///usr/local/share/backgrounds/so-wallpaper.jpg'
+
+# Specify one of the rendering options for the background image:
+picture-options='zoom'

salt/desktop/packages.sls

@@ -3,7 +3,6 @@
 {# we only want this state to run it is CentOS #}
 {% if GLOBALS.os == 'OEL' %}
 
-
 desktop_packages:
   pkg.installed:
     - pkgs:

salt/desktop/trusted-ca.sls

@@ -31,6 +31,6 @@ update_ca_certs:
 
 desktop_trusted-ca_os_fail:
   test.fail_without_changes:
-    - comment: 'SO Desktop can only be installed on CentOS'
+    - comment: 'SO Desktop can only be installed on Oracle Linux'
 
 {% endif %}

salt/desktop/xwindows.sls

@@ -35,6 +35,23 @@ convert_gnome_classic:
 {%     endif %}
 {%   endfor %}
 
+desktop_wallpaper:
+  file.managed:
+    - name: /usr/local/share/backgrounds/so-wallpaper.jpg
+    - source: salt://desktop/files/so-wallpaper.jpg
+    - makedirs: True
+
+set_wallpaper:
+  file.managed:
+    - name: /etc/dconf/db/local.d/00-background
+    - source: salt://desktop/files/00-background
+
+run_dconf_update:
+  cmd.run:
+    - name: 'dconf update'
+    - onchanges:
+      - file: set_wallpaper
+
 {% else %}
 
 desktop_xwindows_os_fail:

salt/elasticfleet/defaults.yaml

@@ -28,9 +28,17 @@ elasticfleet:
     - aws
     - azure
     - cloudflare
+    - elasticsearch
     - endpoint
+    - fleet_server
     - fim
     - github
     - google_workspace
     - log
+    - osquery_manager
+    - redis
+    - system
+    - tcp
+    - udp
+    - windows
     - 1password

salt/elasticfleet/enabled.sls

@@ -22,6 +22,7 @@ include:
 so-elastic-fleet-auto-configure-logstash-outputs:
   cmd.run:
     - name: /usr/sbin/so-elastic-fleet-outputs-update
+    - retry: True
 {% endif %}
 
 # If enabled, automatically update Fleet Server URLs & ES Connection
@@ -29,6 +30,7 @@ so-elastic-fleet-auto-configure-logstash-outputs:
 so-elastic-fleet-auto-configure-server-urls:
   cmd.run:
     - name: /usr/sbin/so-elastic-fleet-urls-update
+    - retry: True
 {% endif %}
 
 # Automatically update Fleet Server Elasticsearch URLs
@@ -36,6 +38,7 @@ so-elastic-fleet-auto-configure-server-urls:
 so-elastic-fleet-auto-configure-elasticsearch-urls:
   cmd.run:
     - name: /usr/sbin/so-elastic-fleet-es-url-update
+    - retry: True
 {% endif %}
 
 {%   if SERVICETOKEN != '' %}
@@ -106,6 +109,11 @@ so-elastic-fleet:
 so-elastic-fleet-integrations:
   cmd.run:
     - name: /usr/sbin/so-elastic-fleet-integration-policy-load
+
+so-elastic-agent-grid-upgrade:
+  cmd.run:
+    - name: /usr/sbin/so-elastic-agent-grid-upgrade
+    - retry: True
 {%  endif %}
 
 delete_so-elastic-fleet_so-status.disabled:

salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json

@@ -20,7 +20,7 @@
             ],
             "data_stream.dataset": "import",
             "custom": "",
-            "processors": "- dissect:\n    tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n    field: \"log.file.path\"\n    target_prefix: \"\"\n- decode_json_fields:\n    fields: [\"message\"]\n    target: \"\"\n- drop_fields:\n    fields: [\"host\"]\n    ignore_missing: true\n- add_fields:\n    target: data_stream\n    fields:\n      namespace: default\n      type: logs\n      dataset: system.security\n- add_fields:\n    target: event\n    fields:\n      dataset: system.security\n      module: system\n      imported: true  \n- if:\n    equals:\n      winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: windows.sysmon_operational\n    - add_fields:\n        target: event\n        fields:\n          dataset: windows.sysmon_operational\n          module: windows\n          imported: true\n- if:\n    equals:\n      winlog.channel: 'Application'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: system.application\n    - add_fields:\n        target: event\n        fields:\n          dataset: system.application\n- if:\n    equals:\n      winlog.channel: 'System'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: system.system\n    - add_fields:\n        target: event\n        fields:\n          dataset: system.system\n- if:\n    equals:\n      winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: windows.powershell_operational\n    - add_fields:\n        target: event\n        fields:\n          dataset: windows.powershell_operational\n          module: windows",
+	    "processors": "- dissect:\n    tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n    field: \"log.file.path\"\n    target_prefix: \"\"\n- decode_json_fields:\n    fields: [\"message\"]\n    target: \"\"\n- drop_fields:\n    fields: [\"host\"]\n    ignore_missing: true\n- add_fields:\n    target: data_stream\n    fields:\n      type: logs\n      dataset: system.security\n- add_fields:\n    target: event\n    fields:\n      dataset: system.security\n      module: system\n      imported: true\n- add_fields:\n    target: \"@metadata\"\n    fields:\n        pipeline: logs-system.security-1.34.0\n- if:\n    equals:\n      winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: windows.sysmon_operational\n    - add_fields:\n        target: event\n        fields:\n          dataset: windows.sysmon_operational\n          module: windows\n          imported: true\n    - add_fields:\n        target: \"@metadata\"\n        fields:\n            pipeline: logs-windows.sysmon_operational-1.24.0\n- if:\n    equals:\n      winlog.channel: 'Application'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: system.application\n    - add_fields:\n        target: event\n        fields:\n          dataset: system.application\n    - add_fields:\n        target: \"@metadata\"\n        fields:\n            pipeline: logs-system.application-1.34.0\n- if:\n    equals:\n      winlog.channel: 'System'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: system.system\n    - add_fields:\n        target: event\n        fields:\n          dataset: system.system\n    - add_fields:\n        target: \"@metadata\"\n        fields:\n            pipeline: logs-system.system-1.34.0\n    \n- if:\n    equals:\n      winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n  then: \n    - add_fields:\n        target: data_stream\n        fields:\n          dataset: windows.powershell_operational\n    - add_fields:\n        target: event\n        fields:\n          dataset: windows.powershell_operational\n          module: windows\n    - add_fields:\n        target: \"@metadata\"\n        fields:\n            pipeline: logs-windows.powershell_operational-1.24.0\n- add_fields:\n    target: data_stream\n    fields:\n        dataset: import",
 	    "tags": [
               "import"
             ]

salt/elasticfleet/tools/sbin/so-elastic-fleet-common

@@ -56,9 +56,15 @@ elastic_fleet_package_version_check() {
     curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/epm/packages/$PACKAGE" | jq -r '.item.version'
 }
 
+elastic_fleet_package_latest_version_check() {
+    PACKAGE=$1
+    curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/epm/packages/$PACKAGE" | jq -r '.item.latestVersion'
+}
+
 elastic_fleet_package_install() {
-    PKGKEY=$1
-    curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST -H 'kbn-xsrf: true' "localhost:5601/api/fleet/epm/packages/$PKGKEY"
+    PKG=$1
+    VERSION=$2
+    curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST -H 'kbn-xsrf: true' -H 'Content-Type: application/json'  -d '{"force":true}' "localhost:5601/api/fleet/epm/packages/$PKG/$VERSION"
 }
 
 elastic_fleet_package_is_installed() {

salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load

@@ -9,6 +9,9 @@
 RETURN_CODE=0
 
 if [ ! -f /opt/so/state/eaintegrations.txt ]; then
+  # First, check for any package upgrades
+  /usr/sbin/so-elastic-fleet-package-upgrade
+
   # Initial Endpoints
   for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/endpoints-initial/*.json
   do

salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade

@@ -0,0 +1,38 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
+# this file except in compliance with the Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+# Only run on Managers
+if ! is_manager_node; then
+    printf "Not a Manager Node... Exiting"
+    exit 0
+fi
+
+# Get current list of Grid Node Agents that need to be upgraded
+RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "http://localhost:5601/api/fleet/agents?perPage=20&page=1&kuery=policy_id%20%3A%20so-grid-nodes_%2A&showInactive=false&showUpgradeable=true&getStatusSummary=true")
+
+# Check to make sure that the server responded with good data - else, bail from script
+CHECKSUM=$(jq -r '.page' <<< "$RAW_JSON")
+if [ "$CHECKSUM" -ne 1 ]; then
+ printf "Failed to query for current Grid Agents...\n"
+ exit 1
+fi
+
+# Generate list of Node Agents that need updates
+OUTDATED_LIST=$(jq -r '.items | map(.id) | (tojson)'  <<<  "$RAW_JSON")
+
+if [ "$OUTDATED_LIST" != '[]' ]; then
+   AGENTNUMBERS=$(jq -r '.total' <<< "$RAW_JSON")
+   printf "Initiating upgrades for $AGENTNUMBERS Agents to Elastic $ELASTIC_AGENT_TARBALL_VERSION...\n\n"
+
+   # Generate updated JSON payload
+   JSON_STRING=$(jq -n --arg ELASTICVERSION $ELASTIC_AGENT_TARBALL_VERSION --arg UPDATELIST $OUTDATED_LIST '{"version": $ELASTICVERSION,"agents": $UPDATELIST }')
+
+   # Update Node Agents
+   curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "http://localhost:5601/api/fleet/agents/bulk_upgrade" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
+else
+    printf "No Agents need updates... Exiting\n\n"
+    exit 0
+fi

salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-es-url-update

@@ -12,9 +12,13 @@ if ! is_manager_node; then
 fi
 
 function update_es_urls() {
-	# Generate updated JSON payload
-    JSON_STRING=$(jq -n --arg UPDATEDLIST $NEW_LIST_JSON '{"name":"so-manager_elasticsearch","type":"elasticsearch","hosts": $UPDATEDLIST,"is_default":false,"is_default_monitoring":false,"config_yaml":""}')
 	
+    # Generate updated JSON payload
+{% if grains.role not in ['so-import', 'so-eval'] %}
+    JSON_STRING=$(jq -n --arg UPDATEDLIST $NEW_LIST_JSON '{"name":"so-manager_elasticsearch","type":"elasticsearch","hosts": $UPDATEDLIST,"config_yaml":""}')
+{%- else %}
+    JSON_STRING=$(jq -n --arg UPDATEDLIST $NEW_LIST_JSON '{"name":"so-manager_elasticsearch","type":"elasticsearch","hosts": $UPDATEDLIST,"is_default":true,"is_default_monitoring":true,"config_yaml":""}')
+{%- endif %}
     # Update Fleet Elasticsearch URLs
     curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/outputs/so-manager_elasticsearch" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
 }
@@ -42,6 +46,13 @@ NEW_LIST_JSON=$(jq --compact-output --null-input '$ARGS.positional' --args -- "$
 NEW_HASH=$(sha1sum <<< "$NEW_LIST_JSON" | awk '{print $1}')
 
 # Compare the current & new list of URLs - if different, update the Fleet Elasticsearch URLs
+if [ "$1" = "--force" ]; then
+    printf "\nUpdating List, since --force was specified.\n"
+    printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
+    update_es_urls
+    exit 0
+fi
+
 if [ "$NEW_HASH" = "$CURRENT_HASH" ]; then
     printf "\nHashes match - no update needed.\n"
     printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"

salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-load

@@ -11,7 +11,7 @@
 {%- for PACKAGE in SUPPORTED_PACKAGES %}
 echo "Setting up {{ PACKAGE }} package..."
 VERSION=$(elastic_fleet_package_version_check "{{ PACKAGE }}")
-elastic_fleet_package_install "{{ PACKAGE }}-$VERSION"
+elastic_fleet_package_install "{{ PACKAGE }}" "$VERSION"
 echo
 {%- endfor %}
 echo

salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-upgrade

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
+# this file except in compliance with the Elastic License 2.0.
+{%- import_yaml 'elasticfleet/defaults.yaml' as ELASTICFLEETDEFAULTS %}
+{%- set SUPPORTED_PACKAGES = salt['pillar.get']('elasticfleet:packages', default=ELASTICFLEETDEFAULTS.elasticfleet.packages, merge=True) %}
+
+. /usr/sbin/so-elastic-fleet-common
+
+{%- for PACKAGE in SUPPORTED_PACKAGES %}
+echo "Upgrading {{ PACKAGE }} package..."
+VERSION=$(elastic_fleet_package_latest_version_check "{{ PACKAGE }}")
+elastic_fleet_package_install "{{ PACKAGE }}" "$VERSION"
+echo
+{%- endfor %}
+echo

salt/elasticsearch/defaults.yaml

@@ -113,7 +113,7 @@ elasticsearch:
             name: elastic_agent
           managed_by: security_onion
           managed: true  
-    so-logs-system.auth:
+    so-logs-system_x_auth:
       index_sorting: False
       index_template:
         index_patterns:
@@ -132,7 +132,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-system.syslog:
+    so-logs-system_x_syslog:
       index_sorting: False
       index_template:
         index_patterns:
@@ -151,7 +151,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-system.system:
+    so-logs-system_x_system:
       index_sorting: False
       index_template:
         index_patterns:
@@ -170,7 +170,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-system.application:
+    so-logs-system_x_application:
       index_sorting: False
       index_template:
         index_patterns:
@@ -189,7 +189,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-system.security:
+    so-logs-system_x_security:
       index_sorting: False
       index_template:
         index_patterns:
@@ -208,7 +208,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-windows.forwarded:
+    so-logs-windows_x_forwarded:
       index_sorting: False
       index_template:
         index_patterns:
@@ -226,7 +226,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-windows.powershell:
+    so-logs-windows_x_powershell:
       index_sorting: False
       index_template:
         index_patterns:
@@ -244,7 +244,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-windows.powershell_operational:
+    so-logs-windows_x_powershell_operational:
       index_sorting: False
       index_template:
         index_patterns:
@@ -262,7 +262,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-windows.sysmon_operational:
+    so-logs-windows_x_sysmon_operational:
       index_sorting: False
       index_template:
         index_patterns:
@@ -280,7 +280,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-aws.cloudtrail:
+    so-logs-aws_x_cloudtrail:
       index_sorting: False
       index_template:
         index_patterns:
@@ -298,7 +298,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-aws.cloudwatch_logs:
+    so-logs-aws_x_cloudwatch_logs:
       index_sorting: False
       index_template:
         index_patterns:
@@ -316,7 +316,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-aws.ec2_logs:
+    so-logs-aws_x_ec2_logs:
       index_sorting: False
       index_template:
         index_patterns:
@@ -334,7 +334,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-aws.elb_logs:
+    so-logs-aws_x_elb_logs:
       index_sorting: False
       index_template:
         index_patterns:
@@ -352,7 +352,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-aws.firewall_logs:
+    so-logs-aws_x_firewall_logs:
       index_sorting: False
       index_template:
         index_patterns:
@@ -370,7 +370,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-aws.route53_public_logs:
+    so-logs-aws_x_route53_public_logs:
       index_sorting: False
       index_template:
         index_patterns:
@@ -388,7 +388,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-aws.route53_resolver_logs:
+    so-logs-aws_x_route53_resolver_logs:
       index_sorting: False
       index_template:
         index_patterns:
@@ -406,7 +406,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-aws.s3access:
+    so-logs-aws_x_s3access:
       index_sorting: False
       index_template:
         index_patterns:
@@ -424,7 +424,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-aws.vpcflow:
+    so-logs-aws_x_vpcflow:
       index_sorting: False
       index_template:
         index_patterns:
@@ -442,7 +442,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-aws.waf:
+    so-logs-aws_x_waf:
       index_sorting: False
       index_template:
         index_patterns:
@@ -460,7 +460,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-azure.activitylogs:
+    so-logs-azure_x_activitylogs:
       index_sorting: False
       index_template:
         index_patterns:
@@ -478,7 +478,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-azure.application_gateway:
+    so-logs-azure_x_application_gateway:
       index_sorting: False
       index_template:
         index_patterns:
@@ -496,7 +496,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-azure.auditlogs:
+    so-logs-azure_x_auditlogs:
       index_sorting: False
       index_template:
         index_patterns:
@@ -514,7 +514,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-azure.eventhub:
+    so-logs-azure_x_eventhub:
       index_sorting: False
       index_template:
         index_patterns:
@@ -532,7 +532,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-azure.firewall_logs:
+    so-logs-azure_x_firewall_logs:
       index_sorting: False
       index_template:
         index_patterns:
@@ -550,7 +550,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-azure.identity_protection:
+    so-logs-azure_x_identity_protection:
       index_sorting: False
       index_template:
         index_patterns:
@@ -568,7 +568,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-azure.platformlogs:
+    so-logs-azure_x_platformlogs:
       index_sorting: False
       index_template:
         index_patterns:
@@ -586,7 +586,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-azure.provisioning:
+    so-logs-azure_x_provisioning:
       index_sorting: False
       index_template:
         index_patterns:
@@ -604,7 +604,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-azure.signinlogs:
+    so-logs-azure_x_signinlogs:
       index_sorting: False
       index_template:
         index_patterns:
@@ -622,7 +622,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-azure.springcloudlogs:
+    so-logs-azure_x_springcloudlogs:
       index_sorting: False
       index_template:
         index_patterns:
@@ -640,7 +640,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-cloudflare.audit:
+    so-logs-cloudflare_x_audit:
       index_sorting: False
       index_template:
         index_patterns:
@@ -658,7 +658,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-cloudflare.logpull:
+    so-logs-cloudflare_x_logpull:
       index_sorting: False
       index_template:
         index_patterns:
@@ -676,7 +676,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-fim.event:
+    so-logs-fim_x_event:
       index_sorting: False
       index_template:
         index_patterns:
@@ -694,7 +694,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-github.audit:
+    so-logs-github_x_audit:
       index_sorting: False
       index_template:
         index_patterns:
@@ -712,7 +712,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-github.code_scanning:
+    so-logs-github_x_code_scanning:
       index_sorting: False
       index_template:
         index_patterns:
@@ -730,7 +730,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-github.dependabot:
+    so-logs-github_x_dependabot:
       index_sorting: False
       index_template:
         index_patterns:
@@ -748,7 +748,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-github.issues:
+    so-logs-github_x_issues:
       index_sorting: False
       index_template:
         index_patterns:
@@ -766,7 +766,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-github.secret_scanning:
+    so-logs-github_x_secret_scanning:
       index_sorting: False
       index_template:
         index_patterns:
@@ -784,7 +784,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-google_workspace.access_transparency:
+    so-logs-google_workspace_x_access_transparency:
       index_sorting: False
       index_template:
         index_patterns:
@@ -802,7 +802,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-google_workspace.admin:
+    so-logs-google_workspace_x_admin:
       index_sorting: False
       index_template:
         index_patterns:
@@ -820,7 +820,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-google_workspace.alert:
+    so-logs-google_workspace_x_alert:
       index_sorting: False
       index_template:
         index_patterns:
@@ -838,7 +838,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-google_workspace.context_aware_access:
+    so-logs-google_workspace_x_context_aware_access:
       index_sorting: False
       index_template:
         index_patterns:
@@ -856,7 +856,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-google_workspace.device:
+    so-logs-google_workspace_x_device:
       index_sorting: False
       index_template:
         index_patterns:
@@ -874,7 +874,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-google_workspace.drive:
+    so-logs-google_workspace_x_drive:
       index_sorting: False
       index_template:
         index_patterns:
@@ -892,7 +892,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-google_workspace.gcp:
+    so-logs-google_workspace_x_gcp:
       index_sorting: False
       index_template:
         index_patterns:
@@ -910,7 +910,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-google_workspace.group_enterprise:
+    so-logs-google_workspace_x_group_enterprise:
       index_sorting: False
       index_template:
         index_patterns:
@@ -928,7 +928,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-google_workspace.groups:
+    so-logs-google_workspace_x_groups:
       index_sorting: False
       index_template:
         index_patterns:
@@ -946,7 +946,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-google_workspace.login:
+    so-logs-google_workspace_x_login:
       index_sorting: False
       index_template:
         index_patterns:
@@ -964,7 +964,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-google_workspace.rules:
+    so-logs-google_workspace_x_rules:
       index_sorting: False
       index_template:
         index_patterns:
@@ -982,7 +982,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-google_workspace.saml:
+    so-logs-google_workspace_x_saml:
       index_sorting: False
       index_template:
         index_patterns:
@@ -1000,7 +1000,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-google_workspace.token:
+    so-logs-google_workspace_x_token:
       index_sorting: False
       index_template:
         index_patterns:
@@ -1018,7 +1018,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-google_workspace.user_accounts:
+    so-logs-google_workspace_x_user_accounts:
       index_sorting: False
       index_template:
         index_patterns:
@@ -1036,7 +1036,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-1password.item_usages:
+    so-logs-1password_x_item_usages:
       index_sorting: False
       index_template:
         index_patterns:
@@ -1054,7 +1054,7 @@ elasticsearch:
         data_stream:
           hidden: false
           allow_custom_routing: false
-    so-logs-1password.signin_attempts:
+    so-logs-1password_x_signin_attempts:
       index_sorting: False
       index_template:
         index_patterns:
@@ -1089,7 +1089,7 @@ elasticsearch:
             name: elastic_agent
           managed_by: security_onion
           managed: true
-    so-logs-osquery-manager-action.responses:
+    so-logs-osquery-manager-action_x_responses:
       index_sorting: False
       index_template:
         index_patterns:
@@ -1106,7 +1106,7 @@ elasticsearch:
             name: elastic_agent
           managed_by: security_onion
           managed: true
-    so-logs-elastic_agent.apm_server:
+    so-logs-elastic_agent_x_apm_server:
       index_sorting: False
       index_template:
         index_patterns:
@@ -1160,7 +1160,7 @@ elasticsearch:
             name: elastic_agent
           managed_by: security_onion
           managed: true
-    so-logs-elastic_agent.auditbeat:
+    so-logs-elastic_agent_x_auditbeat:
       index_sorting: False
       index_template:
         index_patterns:
@@ -1214,7 +1214,7 @@ elasticsearch:
             name: elastic_agent
           managed_by: security_onion
           managed: true
-    so-logs-elastic_agent.cloudbeat:
+    so-logs-elastic_agent_x_cloudbeat:
       index_sorting: False
       index_template:
         index_patterns:
@@ -1265,7 +1265,7 @@ elasticsearch:
             name: elastic_agent
           managed_by: security_onion
           managed: true
-    so-logs-elastic_agent.endpoint_security:
+    so-logs-elastic_agent_x_endpoint_security:
       index_sorting: False
       index_template:
         index_patterns:
@@ -1314,7 +1314,7 @@ elasticsearch:
             name: elastic_agent
           managed_by: security_onion
           managed: true
-    so-logs-endpoint.alerts:
+    so-logs-endpoint_x_alerts:
       index_sorting: False
       index_template:
         index_patterns:
@@ -1363,7 +1363,7 @@ elasticsearch:
             name: elastic_agent
           managed_by: security_onion
           managed: true
-    so-logs-endpoint.events.api:
+    so-logs-endpoint_x_events_x_api:
       index_sorting: False
       index_template:
         index_patterns:
@@ -1412,7 +1412,7 @@ elasticsearch:
             name: elastic_agent
           managed_by: security_onion
           managed: true
-    so-logs-endpoint.events.file:
+    so-logs-endpoint_x_events_x_file:
       index_sorting: False
       index_template:
         index_patterns:
@@ -1461,7 +1461,7 @@ elasticsearch:
             name: elastic_agent
           managed_by: security_onion
           managed: true
-    so-logs-endpoint.events.library:
+    so-logs-endpoint_x_events_x_library:
       index_sorting: False
       index_template:
         index_patterns:
@@ -1510,7 +1510,7 @@ elasticsearch:
             name: elastic_agent
           managed_by: security_onion
           managed: true
-    so-logs-endpoint.events.network:
+    so-logs-endpoint_x_events_x_network:
       index_sorting: False
       index_template:
         index_patterns:
@@ -1559,7 +1559,7 @@ elasticsearch:
             name: elastic_agent
           managed_by: security_onion
           managed: true
-    so-logs-endpoint.events.process:
+    so-logs-endpoint_x_events_x_process:
       index_sorting: False
       index_template:
         index_patterns:
@@ -1608,7 +1608,7 @@ elasticsearch:
             name: elastic_agent
           managed_by: security_onion
           managed: true
-    so-logs-endpoint.events.registry:
+    so-logs-endpoint_x_events_x_registry:
       index_sorting: False
       index_template:
         index_patterns:
@@ -1657,7 +1657,7 @@ elasticsearch:
             name: elastic_agent
           managed_by: security_onion
           managed: true
-    so-logs-endpoint.events.security:
+    so-logs-endpoint_x_events_x_security:
       index_sorting: False
       index_template:
         index_patterns:
@@ -1706,7 +1706,7 @@ elasticsearch:
             name: elastic_agent
           managed_by: security_onion
           managed: true
-    so-logs-elastic_agent.filebeat:
+    so-logs-elastic_agent_x_filebeat:
       index_sorting: False
       index_template:
         index_patterns:
@@ -1755,7 +1755,7 @@ elasticsearch:
             name: elastic_agent
           managed_by: security_onion
           managed: true
-    so-logs-elastic_agent.fleet_server:
+    so-logs-elastic_agent_x_fleet_server:
       index_sorting: False
       index_template:
         index_patterns:
@@ -1801,7 +1801,7 @@ elasticsearch:
             name: elastic_agent
           managed_by: security_onion
           managed: true
-    so-logs-elastic_agent.heartbeat:
+    so-logs-elastic_agent_x_heartbeat:
       index_sorting: False
       index_template:
         index_patterns:
@@ -1907,7 +1907,7 @@ elasticsearch:
             name: elastic_agent
           managed_by: security_onion
           managed: true
-    so-logs-elastic_agent.metricbeat:
+    so-logs-elastic_agent_x_metricbeat:
       index_sorting: False
       index_template:
         index_patterns:
@@ -1956,7 +1956,7 @@ elasticsearch:
             name: elastic_agent
           managed_by: security_onion
           managed: true
-    so-logs-elastic_agent.osquerybeat:
+    so-logs-elastic_agent_x_osquerybeat:
       index_sorting: False
       index_template:
         index_patterns:
@@ -2005,7 +2005,7 @@ elasticsearch:
             name: elastic_agent
           managed_by: security_onion
           managed: true
-    so-logs-elastic_agent.packetbeat:
+    so-logs-elastic_agent_x_packetbeat:
       index_sorting: False
       index_template:
         index_patterns:

salt/elasticsearch/files/ingest/.fleet_final_pipeline-1

@@ -78,7 +78,9 @@
     { "set":        { "if": "ctx.network?.direction == 'ingress'", "override": true, "field": "network.initiated", "value": "false" } },
     { "set":        { "if": "ctx.network?.type == 'ipv4'", "override": true, "field": "destination.ipv6", "value": "false" } },
     { "set":        { "if": "ctx.network?.type == 'ipv6'", "override": true, "field": "destination.ipv6", "value": "true" } },
-    {"community_id":{ "if": "ctx.event?.dataset == 'endpoint.events.network'", "ignore_failure":true }  },
+    { "set":        { "if": "ctx.tags.0 == 'import'", "override": true, "field": "data_stream.dataset", "value": "import" } },
+    { "set":        { "if": "ctx.tags.0 == 'import'", "override": true, "field": "data_stream.namespace", "value": "so" } },
+    { "community_id":{ "if": "ctx.event?.dataset == 'endpoint.events.network'", "ignore_failure":true }  },
     { "remove":     { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp" ], "ignore_missing": true, "ignore_failure": true } } 
   ],
   "on_failure": [

salt/elasticsearch/soc_elasticsearch.yaml

@@ -47,27 +47,25 @@ elasticsearch:
             global: True
             helpLink: elasticsearch.html
   index_settings:
-    so-elasticsearch: &indexSettings
-      warm: 
-        description: Age (in days) of this index before it will move to warm storage, if warm nodes are present. Once moved, events on this index can take longer to fetch.
-        global: True
-        helpLink: elasticsearch.html
-      close: 
-        description: Age (in days) of this index before it will be closed. Once closed, events on this index cannot be retrieved without first re-opening the index.
-        global: True
-        helpLink: elasticsearch.html
-      delete: 
-        description: Age (in days) of this index before it will be deleted. Once deleted, events are permanently unrecoverable.
-        global: True
-        helpLink: elasticsearch.html
+    so-logs: &indexSettings
       index_sorting: 
         description: Sorts the index by event time, at the cost of additional processing resource consumption.
         global: True
         helpLink: elasticsearch.html
       index_template:
+        index_patterns:
+          description: Patterns for matching multiple indices or tables.
+          forceType: "[]string"
+          multiline: True
+          global: True
+          helpLink: elasticsearch.html
         template:
           settings:
             index:
+              number_of_replicas: 
+                description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs.
+                global: True
+                helpLink: elasticsearch.html
               mapping:
                 total_fields:
                   limit:
@@ -82,8 +80,50 @@ elasticsearch:
                 description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs.
                 global: True
                 helpLink: elasticsearch.html
-              number_of_replicas: 
-                  description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs.
+              sort:
+                field:
+                  description: The field to sort by. Must set index_sorting to True.
+                  global: True
+                  helpLink: elasticsearch.html
+                order:
+                  description: The order to sort by. Must set index_sorting to True.
+                  global: True
+                  helpLink: elasticsearch.html
+          mappings:
+            _meta:
+              package:
+                name:
+                  description: Meta settings for the mapping.
+                  global: True
+                  helpLink: elasticsearch.html
+              managed_by:
+                  description: Meta settings for the mapping.
+                  global: True
+                  helpLink: elasticsearch.html
+              managed:
+                  description: Meta settings for the mapping.
+                  forcedType: bool
+                  global: True
+                  helpLink: elasticsearch.html
+        composed_of:
+          description: The index template is composed of these component templates.
+          forcedType: "[]string"
+          global: True
+          helpLink: elasticsearch.html
+        priority:
+          description: The priority of the index template.
+          forcedType: int
+          global: True
+          helpLink: elasticsearch.html
+        data_stream:
+          hidden:
+            description: Hide the data stream.
+            forcedType: bool
+            global: True
+            helpLink: elasticsearch.html
+          allow_custom_routing:
+            description: Allow custom routing for the data stream.
+            forcedType: bool
             global: True
             helpLink: elasticsearch.html
       policy:
@@ -97,6 +137,7 @@ elasticsearch:
               set_priority:
                 priority:
                   description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
+                  forcedType: int
                   global: True
                   helpLink: elasticsearch.html
               rollover:
@@ -117,19 +158,111 @@ elasticsearch:
               set_priority:
                 priority:
                   description: Used for index recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
+                  forcedType: int
                   global: True
                   helpLink: elasticsearch.html
           delete:
             min_age:
               description: Minimum age of index. This determines when the index should be deleted.
               global: True
-              helpLink: elastic
+              helpLink: elasticsearch.html
+        _meta:
+          package:
+            name:
+              description: Meta settings for the mapping.
+              global: True
+              helpLink: elasticsearch.html
+          managed_by:
+            description: Meta settings for the mapping.
+            global: True
+            helpLink: elasticsearch.html
+          managed:
+            description: Meta settings for the mapping.
+            forcedType: bool
+            global: True
+            helpLink: elasticsearch.html
+    so-logs-system_x_auth: *indexSettings
+    so-logs-system_x_syslog: *indexSettings
+    so-logs-system_x_system: *indexSettings
+    so-logs-system_x_application: *indexSettings
+    so-logs-system_x_security: *indexSettings
+    so-logs-windows_x_forwarded: *indexSettings
+    so-logs-windows_x_powershell: *indexSettings
+    so-logs-windows_x_powershell_operational: *indexSettings
+    so-logs-windows_x_sysmon_operational: *indexSettings
+    so-logs-aws_x_cloudtrail: *indexSettings
+    so-logs-aws_x_cloudwatch_logs: *indexSettings
+    so-logs-aws_x_ec2_logs: *indexSettings
+    so-logs-aws_x_elb_logs: *indexSettings
+    so-logs-aws_x_firewall_logs: *indexSettings
+    so-logs-aws_x_route53_public_logs: *indexSettings
+    so-logs-aws_x_route53_resolver_logs: *indexSettings
+    so-logs-aws_x_s3access: *indexSettings
+    so-logs-aws_x_vpcflow: *indexSettings
+    so-logs-aws_x_waf: *indexSettings
+    so-logs-azure_x_activitylogs: *indexSettings
+    so-logs-azure_x_application_gateway: *indexSettings
+    so-logs-azure_x_auditlogs: *indexSettings
+    so-logs-azure_x_eventhub: *indexSettings
+    so-logs-azure_x_firewall_logs: *indexSettings
+    so-logs-azure_x_identity_protection: *indexSettings
+    so-logs-azure_x_platformlogs: *indexSettings
+    so-logs-azure_x_provisioning: *indexSettings
+    so-logs-azure_x_signinlogs: *indexSettings
+    so-logs-azure_x_springcloudlogs: *indexSettings
+    so-logs-cloudflare_x_audit: *indexSettings
+    so-logs-cloudflare_x_logpull: *indexSettings
+    so-logs-fim_x_event: *indexSettings
+    so-logs-github_x_audit: *indexSettings
+    so-logs-github_x_code_scanning: *indexSettings
+    so-logs-github_x_dependabot: *indexSettings
+    so-logs-github_x_issues: *indexSettings
+    so-logs-github_x_secret_scanning: *indexSettings
+    so-logs-google_workspace_x_access_transparency: *indexSettings
+    so-logs-google_workspace_x_admin: *indexSettings
+    so-logs-google_workspace_x_alert: *indexSettings
+    so-logs-google_workspace_x_context_aware_access: *indexSettings
+    so-logs-google_workspace_x_device: *indexSettings
+    so-logs-google_workspace_x_drive: *indexSettings
+    so-logs-google_workspace_x_gcp: *indexSettings
+    so-logs-google_workspace_x_group_enterprise: *indexSettings
+    so-logs-google_workspace_x_groups: *indexSettings
+    so-logs-google_workspace_x_login: *indexSettings
+    so-logs-google_workspace_x_rules: *indexSettings
+    so-logs-google_workspace_x_saml: *indexSettings
+    so-logs-google_workspace_x_token: *indexSettings
+    so-logs-google_workspace_x_user_accounts: *indexSettings
+    so-logs-1password_x_item_usages: *indexSettings
+    so-logs-1password_x_signin_attempts: *indexSettings
+    so-logs-osquery-manager-actions: *indexSettings
+    so-logs-osquery-manager-action_x_responses: *indexSettings
+    so-logs-elastic_agent_x_apm_server: *indexSettings
+    so-logs-elastic_agent_x_auditbeat: *indexSettings
+    so-logs-elastic_agent_x_cloudbeat: *indexSettings
+    so-logs-elastic_agent_x_endpoint_security: *indexSettings
+    so-logs-endpoint_x_alerts: *indexSettings
+    so-logs-endpoint_x_events_x_api: *indexSettings
+    so-logs-endpoint_x_events_x_file: *indexSettings
+    so-logs-endpoint_x_events_x_library: *indexSettings
+    so-logs-endpoint_x_events_x_network: *indexSettings
+    so-logs-endpoint_x_events_x_process: *indexSettings
+    so-logs-endpoint_x_events_x_registry: *indexSettings
+    so-logs-endpoint_x_events_x_security: *indexSettings
+    so-logs-elastic_agent_x_filebeat: *indexSettings
+    so-logs-elastic_agent_x_fleet_server: *indexSettings
+    so-logs-elastic_agent_x_heartbeat: *indexSettings
+    so-logs-elastic_agent: *indexSettings
+    so-logs-elastic_agent_x_metricbeat: *indexSettings
+    so-logs-elastic_agent_x_osquerybeat: *indexSettings
+    so-logs-elastic_agent_x_packetbeat: *indexSettings
+    so-case: *indexSettings
+    so-common: *indexSettings
     so-endgame: *indexSettings
-    so-firewall: *indexSettings
+    so-idh: *indexSettings
+    so-suricata: *indexSettings
     so-import: *indexSettings
-    so-kibana: *indexSettings
+    so-kratos: *indexSettings
     so-logstash: *indexSettings
-    so-osquery: *indexSettings
     so-redis: *indexSettings
     so-strelka: *indexSettings
     so-syslog: *indexSettings

salt/elasticsearch/template.map.jinja

@@ -1,9 +1,11 @@
 {% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS with context %}
-{%- set ES_INDEX_SETTINGS = salt['pillar.get']('elasticsearch:index_settings', default=ELASTICSEARCHDEFAULTS.elasticsearch.index_settings, merge=True) %}
-{% for index, settings in ES_INDEX_SETTINGS.items() %}
+{%- set ES_INDEX_SETTINGS_ORIG = salt['pillar.get']('elasticsearch:index_settings', default=ELASTICSEARCHDEFAULTS.elasticsearch.index_settings, merge=True) %}
+{% set ES_INDEX_SETTINGS = {} %}
+{% for index, settings in ES_INDEX_SETTINGS_ORIG.items() %}
   {% if settings.index_template is defined %}
     {% if not settings.get('index_sorting', False) | to_bool and settings.index_template.template.settings.index.sort is defined %}
       {% do settings.index_template.template.settings.index.pop('sort') %}
     {% endif %}
   {% endif %}
+  {% do ES_INDEX_SETTINGS.update({index | replace("_x_", "."): ES_INDEX_SETTINGS_ORIG[index]}) %}
 {% endfor %}

salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-ilm-policy-load

@@ -6,8 +6,7 @@
 
 . /usr/sbin/so-common
 
-{%- import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %}
-{%- set ES_INDEX_SETTINGS = salt['pillar.get']('elasticsearch:index_settings', default=ELASTICSEARCHDEFAULTS.elasticsearch.index_settings, merge=True) %}
+{%- from 'elasticsearch/template.map.jinja' import ES_INDEX_SETTINGS %}
 
 {%- for index, settings in ES_INDEX_SETTINGS.items() %}
 {%-   if settings.policy is defined %}

salt/firewall/defaults.yaml

@@ -20,13 +20,12 @@ firewall:
     managersearch: []
     receiver: []
     searchnode: []
-    securityonion_desktop: []
     self: []
     sensor: []
     standalone: []
     strelka_frontend: []
     syslog: []
-    workstation: []
+    desktop: []
     customhostgroup0: []
     customhostgroup1: []
     customhostgroup2: []
@@ -462,7 +461,7 @@ firewall:
             endgame:
               portgroups:
                 - endgame
-            workstation:
+            desktop:
               portgroups:
                 - yum
             customhostgroup0:
@@ -514,7 +513,7 @@ firewall:
             receiver:
               portgroups:
                 - salt_manager
-            workstation:
+            desktop:
               portgroups:
                 - salt_manager
             self:
@@ -650,7 +649,7 @@ firewall:
             endgame:
               portgroups:
                 - endgame
-            workstation:
+            desktop:
               portgroups:
                 - yum
             customhostgroup0:
@@ -702,7 +701,7 @@ firewall:
             receiver:
               portgroups:
                 - salt_manager
-            workstation:
+            desktop:
               portgroups:
                 - salt_manager
             self:
@@ -846,7 +845,7 @@ firewall:
             strelka_frontend:
               portgroups:
                 - strelka_frontend
-            workstation:
+            desktop:
               portgroups:
                 - yum
             customhostgroup0:
@@ -901,7 +900,7 @@ firewall:
             receiver:
               portgroups:
                 - salt_manager
-            workstation:
+            desktop:
               portgroups:
                 - salt_manager
             self:
@@ -1200,7 +1199,7 @@ firewall:
             analyst:
               portgroups:
                 - nginx
-            workstation:
+            desktop:
               portgroups:
                 - yum
             customhostgroup0:

salt/firewall/soc_firewall.yaml

@@ -39,13 +39,12 @@ firewall:
     managersearch: *hostgroupsettings
     receiver: *hostgroupsettings
     searchnode: *hostgroupsettings
-    securityonion_desktop: *hostgroupsettings
     self: *ROhostgroupsettingsadv
     sensor: *hostgroupsettings
     standalone: *hostgroupsettings
     strelka_frontend: *hostgroupsettings
     syslog: *hostgroupsettings
-    workstation: *hostgroupsettings
+    desktop: *hostgroupsettings
     customhostgroup0: &customhostgroupsettings
       description: List of IP or CIDR blocks to allow to this hostgroup.
       forcedType: "[]string"
@@ -216,7 +215,7 @@ firewall:
               portgroups: *portgroupsdocker
             analyst:
               portgroups: *portgroupsdocker
-            workstation:
+            desktop:
               portgroups: *portgroupsdocker
             customhostgroup0:
               portgroups: *portgroupsdocker
@@ -366,7 +365,7 @@ firewall:
               portgroups: *portgroupsdocker
             analyst:
               portgroups: *portgroupsdocker
-            workstation:
+            desktop:
               portgroups: *portgroupsdocker
             customhostgroup0:
               portgroups: *portgroupsdocker
@@ -404,7 +403,7 @@ firewall:
               portgroups: *portgroupshost
             heavynode:
               portgroups: *portgroupshost
-            workstation:
+            desktop:
               portgroups: *portgroupshost
             customhostgroup0:
               portgroups: *portgroupshost
@@ -457,7 +456,7 @@ firewall:
               portgroups: *portgroupsdocker
             analyst:
               portgroups: *portgroupsdocker
-            workstation:
+            desktop:
               portgroups: *portgroupsdocker
             customhostgroup0:
               portgroups: *portgroupsdocker
@@ -495,7 +494,7 @@ firewall:
               portgroups: *portgroupshost
             heavynode:
               portgroups: *portgroupshost
-            workstation:
+            desktop:
               portgroups: *portgroupshost
             customhostgroup0:
               portgroups: *portgroupshost
@@ -554,7 +553,7 @@ firewall:
               portgroups: *portgroupsdocker
             analyst:
               portgroups: *portgroupsdocker
-            workstation:
+            desktop:
               portgroups: *portgroupsdocker
             customhostgroup0:
               portgroups: *portgroupsdocker
@@ -596,7 +595,7 @@ firewall:
               portgroups: *portgroupshost
             heavynode:
               portgroups: *portgroupshost
-            workstation:
+            desktop:
               portgroups: *portgroupshost
             customhostgroup0:
               portgroups: *portgroupshost
@@ -822,7 +821,7 @@ firewall:
               portgroups: *portgroupsdocker
             analyst:
               portgroups: *portgroupsdocker
-            workstation:
+            desktop:
               portgroups: *portgroupsdocker
             customhostgroup0:
               portgroups: *portgroupsdocker

salt/idstools/enabled.sls

@@ -63,12 +63,22 @@ delete_so-idstools_so-status.disabled:
 
 so-rule-update:
   cron.present:
-    - name: /usr/sbin/so-rule-update > /opt/so/log/idstools/download.log 2>&1
+    - name: /usr/sbin/so-rule-update > /opt/so/log/idstools/download_cron.log 2>&1
     - identifier: so-rule-update
     - user: root
     - minute: '1'
     - hour: '7'
 
+# order this last to give so-idstools container time to be ready
+run_so-rule-update:
+  cmd.run:
+    - name: '/usr/sbin/so-rule-update > /opt/so/log/idstools/download_idstools_state.log 2>&1'
+    - require:
+      - docker_container: so-idstools
+    - onchanges:
+      - file: idstoolsetcsync
+    - order: last
+
 {% else %}
 
 {{sls}}_state_not_allowed:

salt/idstools/sync_files.sls

@@ -26,6 +26,13 @@ rulesdir:
     - group: 939
     - makedirs: True
 
+SOrulesdir:
+  file.directory:
+    - name: /opt/so/rules/nids/sorules
+    - user: 939
+    - group: 939
+    - makedirs: True
+
 # Don't show changes because all.rules can be large
 synclocalnidsrules:
   file.recurse:
@@ -35,3 +42,13 @@ synclocalnidsrules:
     - group: 939
     - show_changes: False
     - include_pat: 'E@.rules'
+
+# Don't show changes because all.rules can be large
+syncnidsSOrules:
+  file.recurse:
+    - name: /opt/so/rules/nids/sorules
+    - source: salt://idstools/sorules/
+    - user: 939
+    - group: 939
+    - show_changes: False
+    - include_pat: 'E@.rules'

salt/idstools/tools/sbin_jinja/so-rule-update

@@ -1,5 +1,9 @@
 #!/bin/bash
-. /usr/sbin/so-common
+
+# if this script isn't already running
+if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
+
+    . /usr/sbin/so-common
 
 {%- from 'vars/globals.map.jinja' import GLOBALS %}
 {%- from 'idstools/map.jinja' import IDSTOOLSMERGED %}
@@ -9,28 +13,30 @@
 
 # Download the rules from the internet
 {%- if proxy %}
-export http_proxy={{ proxy }} 
-export https_proxy={{ proxy }} 
-export no_proxy="{{ noproxy }}" 
+    export http_proxy={{ proxy }}
+    export https_proxy={{ proxy }}
+    export no_proxy="{{ noproxy }}"
 {%- endif %}
 
-mkdir -p /nsm/rules/suricata
-chown -R socore:socore /nsm/rules/suricata
+    mkdir -p /nsm/rules/suricata
+    chown -R socore:socore /nsm/rules/suricata
 # Download the rules from the internet
 {%- if GLOBALS.airgap != 'True' %}
 {%-   if IDSTOOLSMERGED.config.ruleset == 'ETOPEN' %}
-docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force
+    docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force
 {%-   elif IDSTOOLSMERGED.config.ruleset == 'ETPRO' %}
-docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force --etpro={{ IDSTOOLSMERGED.config.oinkcode }}
+    docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force --etpro={{ IDSTOOLSMERGED.config.oinkcode }}
 {%-   elif IDSTOOLSMERGED.config.ruleset == 'TALOS' %}
-docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force --url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ IDSTOOLSMERGED.config.oinkcode }}
+    docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force --url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ IDSTOOLSMERGED.config.oinkcode }}
 {%-   endif %}
 {%- endif %}
 
 
-argstr=""
-for arg in "$@"; do
+    argstr=""
+    for arg in "$@"; do
         argstr="${argstr} \"${arg}\""
-done
+    done
 
-docker exec so-idstools /bin/bash -c "cd /opt/so/idstools/etc && idstools-rulecat --force ${argstr}"
+    docker exec so-idstools /bin/bash -c "cd /opt/so/idstools/etc && idstools-rulecat --force ${argstr}"
+
+fi

salt/manager/tools/sbin/so-firewall-minion

@@ -79,7 +79,7 @@ fi
 		'RECEIVER')
 			so-firewall includehost receiver "$IP" --apply
 			;;
-		'WORKSTATION')
-			so-firewall includehost workstation "$IP" --apply
+		'DESKTOP')
+			so-firewall includehost desktop "$IP" --apply
 			;;
     esac

salt/manager/tools/sbin/soup

@@ -393,6 +393,7 @@ preupgrade_changes() {
     [[ "$INSTALLEDVERSION" == 2.4.2 ]] && up_to_2.4.3
     [[ "$INSTALLEDVERSION" == 2.4.3 ]] && up_to_2.4.4
     [[ "$INSTALLEDVERSION" == 2.4.4 ]] && up_to_2.4.5
+    [[ "$INSTALLEDVERSION" == 2.4.5 ]] && up_to_2.4.10
     true
 }
 
@@ -403,6 +404,7 @@ postupgrade_changes() {
     [[ "$POSTVERSION" == 2.4.2 ]] && post_to_2.4.3
     [[ "$POSTVERSION" == 2.4.3 ]] && post_to_2.4.4
     [[ "$POSTVERSION" == 2.4.4 ]] && post_to_2.4.5 
+    [[ "$POSTVERSION" == 2.4.5 ]] && post_to_2.4.10 
     true
 }
 
@@ -422,6 +424,12 @@ post_to_2.4.5() {
   POSTVERSION=2.4.5
 }
 
+post_to_2.4.10() {
+  echo "Updating Elastic Fleet ES URLs...."
+  /sbin/so-elastic-fleet-es-url-update --force
+  POSTVERSION=2.4.10
+}
+
 stop_salt_master() {
     # kill all salt jobs across the grid because the hang indefinitely if they are queued and salt-master restarts
     set +e
@@ -482,6 +490,12 @@ up_to_2.4.5() {
   INSTALLEDVERSION=2.4.5
 }
 
+up_to_2.4.10() {
+  echo "Nothing to do for 2.4.10"
+  
+  INSTALLEDVERSION=2.4.10
+}
+
 determine_elastic_agent_upgrade() {
   if [[ $is_airgap -eq 0 ]]; then
     update_elastic_agent_airgap
@@ -492,6 +506,7 @@ determine_elastic_agent_upgrade() {
 
 update_elastic_agent_airgap() {
   rsync -av /tmp/soagupdate/fleet/* /nsm/elastic-fleet/artifacts/
+  tar -xf "$ELASTIC_AGENT_FILE" -C "$ELASTIC_AGENT_EXPANSION_DIR"
 }
 
 verify_upgradespace() {
@@ -547,13 +562,16 @@ update_version() {
   echo "Updating the Security Onion version file."
   echo $NEWVERSION > /etc/soversion
   echo $HOTFIXVERSION > /etc/sohotfix
-  sed -i "/  soversion:/c\  soversion: $NEWVERSION" /opt/so/saltstack/local/pillar/global/soc_global.sls
+  sed -i "s/soversion:.*/soversion: $NEWVERSION/" /opt/so/saltstack/local/pillar/global/soc_global.sls
 }
 
 upgrade_check() {
   # Let's make sure we actually need to update.
   NEWVERSION=$(cat $UPDATE_DIR/VERSION)
   HOTFIXVERSION=$(cat $UPDATE_DIR/HOTFIX)
+  if [ ! -f /etc/sohotfix ]; then
+    touch /etc/sohotfix
+  fi
   [[ -f /etc/sohotfix ]] && CURRENTHOTFIX=$(cat /etc/sohotfix)
   if [ "$INSTALLEDVERSION" == "$NEWVERSION" ]; then
     echo "Checking to see if there are hotfixes needed"
@@ -645,15 +663,15 @@ verify_latest_update_script() {
 }
 
 # Keeping this block in case we need to do a hotfix that requires salt update
-#apply_hotfix() {
+apply_hotfix() {
 #  if [[ "$INSTALLEDVERSION" == "2.3.90" ]] ; then
 #    fix_wazuh
 #  elif [[ "$INSTALLEDVERSION" == "2.3.110" ]] ; then
 #    2_3_10_hotfix_1
 #  else
-#    echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)"
+   echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)"
 #  fi
-#}
+}
 
 
 #upgrade salt to 3004.1
@@ -775,7 +793,7 @@ main() {
     else
       update_registry
       set +e
-      update_docker_containers "soup"
+      update_docker_containers "soup" "" "" "$SOUP_LOG"
       set -e
     fi
 

salt/soc/defaults.yaml

@@ -69,7 +69,7 @@ soc:
         - log.id.uid
         - network.community_id
         - event.dataset
-      ':kratos:kratos.audit':
+      ':kratos:audit':
         - soc_timestamp
         - http_request.headers.x-real-ip
         - identity_id
@@ -570,14 +570,13 @@ soc:
         - destination.geo.country_iso_code
         - user.name
         - source.ip
-      ':windows.sysmon_operational:':
+      '::sysmon_operational':
         - soc_timestamp
         - event.action
-        - process.executable
+        - winlog.computer_name
         - user.name
-        - file.target
-        - dns.question.name
-        - winlog.event_data.TargetObject
+        - process.executable
+        - process.pid
       '::network_connection':
         - soc_timestamp
         - source.ip

salt/soc/files/soc/motd.md

@@ -8,6 +8,10 @@ If you're ready to dive in, take a look at the [Alerts](/#/alerts) interface to
 
 To see all the latest features and fixes in this version of Security Onion, click the upper-right menu and then click the [What's New](/docs/release-notes.html) link.
 
+## Enterprise Appliances
+
+Want the best hardware for your enterprise deployment? Check out our [enterprise appliances](https://securityonionsolutions.com/hardware/)!
+
 ## Customize This Space
 
 Make this area your own by customizing the content in the [Config](/#/config?s=soc.files.soc.motd__md) interface.

salt/soc/soc_soc.yaml

@@ -45,9 +45,10 @@ soc:
     actions:
       description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action.
       global: True
+      forcedType: "[]{}"
     eventFields:
       default:
-        description: The list of fields to show as columns in the Hunt/Dashboards event table, when no other specific mapping applies. Mappings are defined by the format ":event.module:event.dataset".
+        description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. This 'default' entry is used for all events that do not match an existing mapping defined in the list to the left.
         global: True
         advanced: True
     server:
@@ -139,6 +140,7 @@ soc:
           description: List of available external tools visible in the SOC UI. Each tool is defined in JSON object notation, and must include the "name" key and "link" key, where the link is the tool's URL.
           global: True
           advanced: True
+          forcedType: "[]{}"
         hunt: &appSettings
           groupItemsPerPage:
             description: Default number of aggregations to show per page. Larger values consume more vertical area in the SOC UI.
@@ -164,6 +166,12 @@ soc:
           queries:
             description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key.
             global: True
+            forcedType: "[]{}"
+          queryToggleFilters:
+            description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query.
+            global: True
+            advanced: True
+            forcedType: "[]{}"
         alerts: *appSettings
         cases: *appSettings
         dashboards: *appSettings

salt/ssl/init.sls

@@ -153,8 +153,8 @@ etc_elasticfleet_crt:
     - ca_server: {{ ca_server }}
     - signing_policy: elasticfleet
     - private_key: /etc/pki/elasticfleet-server.key
-    - CN: {{ GLOBALS.url_base }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
+    - CN: {{ GLOBALS.hostname }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
     - days_remaining: 0
     - days_valid: 820
     - backup: True
@@ -198,7 +198,7 @@ etc_elasticfleet_logstash_key:
     - new: True
     {% if salt['file.file_exists']('/etc/pki/elasticfleet-logstash.key') -%}
     - prereq:
-      - x509: etc_elasticfleet_crt
+      - x509: etc_elasticfleet_logstash_crt
     {%- endif %}
     - retry:
         attempts: 5
@@ -210,8 +210,8 @@ etc_elasticfleet_logstash_crt:
     - ca_server: {{ ca_server }}
     - signing_policy: elasticfleet
     - private_key: /etc/pki/elasticfleet-logstash.key
-    - CN: {{ GLOBALS.url_base }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
+    - CN: {{ GLOBALS.hostname }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
     - days_remaining: 0
     - days_valid: 820
     - backup: True
@@ -259,7 +259,7 @@ etc_elasticfleetlumberjack_key:
     - new: True
     {% if salt['file.file_exists']('/etc/pki/elasticfleet-lumberjack.key') -%}
     - prereq:
-      - x509: etc_elasticfleet_crt
+      - x509: etc_elasticfleetlumberjack_crt
     {%- endif %}
     - retry:
         attempts: 5
@@ -283,7 +283,7 @@ etc_elasticfleetlumberjack_crt:
   cmd.run:
     - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-lumberjack.key -topk8 -out /etc/pki/elasticfleet-lumberjack.p8 -nocrypt"
     - onchanges:
-      - x509: etc_elasticfleet_key
+      - x509: etc_elasticfleetlumberjack_key
 
 eflogstashlumberjackperms:
   file.managed:
@@ -327,7 +327,7 @@ etc_elasticfleet_agent_key:
     - new: True
     {% if salt['file.file_exists']('/etc/pki/elasticfleet-agent.key') -%}
     - prereq:
-      - x509: etc_elasticfleet_crt
+      - x509: etc_elasticfleet_agent_crt
     {%- endif %}
     - retry:
         attempts: 5
@@ -350,7 +350,7 @@ etc_elasticfleet_agent_crt:
   cmd.run:
     - name: "/usr/bin/openssl pkcs8 -in /etc/pki/elasticfleet-agent.key -topk8 -out /etc/pki/elasticfleet-agent.p8 -nocrypt"
     - onchanges:
-      - x509: etc_elasticfleet_key
+      - x509: etc_elasticfleet_agent_key
 
 efagentperms:
   file.managed:

salt/strelka/filestream/config.sls

@@ -6,6 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'strelka/map.jinja' import STRELKAMERGED %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   from 'strelka/map.jinja' import filecheck_runas %}
 
 include:
@@ -78,6 +79,46 @@ filecheck_script:
     - group: 939
     - mode: 755
 
+filecheck.log:
+  file.managed:
+    - name: /opt/so/log/strelka/filecheck.log
+    - user: {{ filecheck_runas }}
+    - group: {{ filecheck_runas }}
+
+filecheck_stdout.log:
+  file.managed:
+    - name: /opt/so/log/strelka/filecheck_stdout.log
+    - user: {{ filecheck_runas }}
+    - group: {{ filecheck_runas }}
+
+{% if GLOBALS.md_engine == 'ZEEK' %}
+
+filecheck_run_socore:
+  cron.present:
+    - name: 'ps -ef | grep filecheck | grep -v grep > /dev/null 2>&1 || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &'
+    - identifier: filecheck_run_socore
+    - user: socore
+
+remove_filecheck_run_suricata:
+  cron.absent:
+    - identifier: filecheck_run_suricata
+    - user: suricata
+
+{% elif GLOBALS.md_engine == 'SURICATA'%}
+
+filecheck_run_suricata:
+  cron.present:
+    - name: 'ps -ef | grep filecheck | grep -v grep > /dev/null 2>&1 || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &'
+    - identifier: filecheck_run_suricata
+    - user: suricata
+
+remove_filecheck_run_socore:
+  cron.absent:
+    - identifier: filecheck_run_socore
+    - user: socore
+
+{% endif %}
+
 filecheck_restart:
   cmd.run:
     - name: pkill -f "python3 /opt/so/conf/strelka/filecheck"
@@ -85,12 +126,7 @@ filecheck_restart:
     - success_retcodes: [0,1]
     - onchanges:
       - file: filecheck_script
-
-filecheck_run:
-  cron.present:
-    - name: 'ps -ef | grep filecheck | grep -v grep > /dev/null 2>&1 || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &'
-    - identifier: filecheck_run
-    - user: {{ filecheck_runas }}
+      - file: filecheck_conf
 
 filcheck_history_clean:
   cron.present:

salt/suricata/config.sls

@@ -68,6 +68,14 @@ surilogdir:
     - user: 940
     - group: 939
 
+surinsmdir:
+  file.directory:
+    - name: /nsm/suricata
+    - user: 940
+    - group: 939
+    - mode: 755
+    - makedirs: True
+
 suridatadir:
   file.directory:
     - name: /nsm/suricata/extracted

salt/suricata/defaults.yaml

@@ -416,7 +416,6 @@ suricata:
         enabled: "yes"
         filename: keyword_perf.log
         append: "yes"
-    
       prefilter:
         enabled: "yes"
         filename: prefilter_perf.log

salt/suricata/map.jinja

@@ -11,7 +11,7 @@
 {# suricata.config.af-packet has to be rewritten here since we cant display '- interface' in the ui #}
 {# we are limited to only one iterface #}
 {% load_yaml as afpacket %}
-- interface: {{ SURICATAMERGED.config['af-packet'].interface }}
+- interface: {{ GLOBALS.sensor.interface }}
   cluster-id: {{ SURICATAMERGED.config['af-packet']['cluster-id'] }}
   cluster-type: {{ SURICATAMERGED.config['af-packet']['cluster-type'] }}
   defrag: {{ SURICATAMERGED.config['af-packet'].defrag }}

salt/suricata/soc_suricata.yaml

@@ -14,7 +14,9 @@ suricata:
   config:
     af-packet:
       interface:
-        description: The network interface that Suricata will monitor.
+        description: The network interface that Suricata will monitor. This is set under sensor > interface.
+        advanced: True
+        readonly: True
         helpLink: suricata.html
       cluster-id:
         advanced: True

salt/telegraf/config.sls

@@ -32,17 +32,16 @@ tgrafetsdir:
     - name: /opt/so/conf/telegraf/scripts
     - makedirs: True
 
-tgrafsyncscripts:
-  file.recurse:
-    - name: /opt/so/conf/telegraf/scripts
+{% for script in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %}
+tgraf_sync_script_{{script}}:
+  file.managed:
+    - name: /opt/so/conf/telegraf/scripts/{{script}}
     - user: root
     - group: 939
-    - file_mode: 770
+    - mode: 770
     - template: jinja
-    - source: salt://telegraf/scripts
-    {% if GLOBALS.md_engine == 'SURICATA' %}
-    - exclude_pat: zeekcaptureloss.sh
-    {% endif %}
+    - source: salt://telegraf/scripts/{{script}}
+{% endfor %}
 
 telegraf_sbin:
   file.recurse:

salt/telegraf/defaults.yaml

@@ -9,3 +9,82 @@ telegraf:
     flush_jitter: '0s'
     debug: 'false'
     quiet: 'false'
+  scripts:
+    eval:
+      - beatseps.sh
+      - checkfiles.sh
+      - influxdbsize.sh
+      - oldpcap.sh
+      - raid.sh
+      - redis.sh
+      - sostatus.sh
+      - stenoloss.sh
+      - suriloss.sh
+      - zeekcaptureloss.sh
+      - zeekloss.sh
+    standalone:
+      - beatseps.sh
+      - checkfiles.sh
+      - eps.sh
+      - influxdbsize.sh
+      - oldpcap.sh
+      - raid.sh
+      - redis.sh
+      - sostatus.sh
+      - stenoloss.sh
+      - suriloss.sh
+      - zeekcaptureloss.sh
+      - zeekloss.sh
+    manager:
+      - beatseps.sh
+      - influxdbsize.sh
+      - raid.sh
+      - redis.sh
+      - sostatus.sh
+    managersearch:
+      - beatseps.sh
+      - eps.sh
+      - influxdbsize.sh
+      - raid.sh
+      - redis.sh
+      - sostatus.sh
+    import:
+      - sostatus.sh
+    sensor:
+      - beatseps.sh
+      - checkfiles.sh
+      - oldpcap.sh
+      - raid.sh
+      - sostatus.sh
+      - stenoloss.sh
+      - suriloss.sh
+      - zeekcaptureloss.sh
+      - zeekloss.sh
+    heavynode:
+      - beatseps.sh
+      - checkfiles.sh
+      - eps.sh
+      - oldpcap.sh
+      - raid.sh
+      - redis.sh
+      - sostatus.sh
+      - stenoloss.sh
+      - suriloss.sh
+      - zeekcaptureloss.sh
+      - zeekloss.sh
+    idh:
+      - sostatus.sh
+    searchnode:
+      - beatseps.sh
+      - eps.sh
+      - raid.sh
+      - sostatus.sh
+    receiver:
+      - beatseps.sh
+      - eps.sh
+      - raid.sh
+      - redis.sh
+      - sostatus.sh
+    fleet:
+      - sostatus.sh
+    desktop: []

salt/telegraf/enabled.sls

@@ -7,6 +7,7 @@
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'telegraf/map.jinja' import TELEGRAFMERGED %}
 
 
 include:
@@ -67,8 +68,10 @@ so-telegraf:
     {% endif %}
     - watch:
       - file: tgrafconf
-      - file: tgrafsyncscripts
       - file: node_config
+    {% for script in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %}
+      - file: tgraf_sync_script_{{script}}
+    {% endfor %}
     - require: 
       - file: tgrafconf
       - file: node_config

salt/telegraf/etc/telegraf.conf

@@ -193,7 +193,7 @@
   username = "{{ ES_USER }}"
   password = "{{ ES_PASS }}"
   insecure_skip_verify = true
-{%- elif grains['role'] in ['so-searchnode', 'so-hotnode', 'so-warmnode']  %}
+{%- elif grains['role'] in ['so-searchnode']  %}
 [[inputs.elasticsearch]]
   servers = ["https://{{ NODEIP }}:9200"]
   cluster_stats = false
@@ -244,6 +244,8 @@
 {%- endif %}
 
 # # Read metrics from one or more commands that can output to stdout
+{%- if 'sostatus.sh' in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %}
+{%-   do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('sostatus.sh') %}
 [[inputs.exec]]
    commands = [
       "/scripts/sostatus.sh"
@@ -251,122 +253,26 @@
    data_format = "influx"
    timeout = "15s"
    interval = "60s"
+{%- endif %}
 
-#   ## Commands array
-{% if grains['role'] in ['so-manager'] %}
+{%- if TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] | length > 0 %}
 [[inputs.exec]]
    commands = [
-      "/scripts/redis.sh",
-      "/scripts/influxdbsize.sh",
-      "/scripts/raid.sh",
-      "/scripts/beatseps.sh"
+{%-   for script in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %}
+      "/scripts/{{script}}"{% if not loop.last %},{% endif %}
+{%-   endfor %}
    ]
   data_format = "influx"
   ## Timeout for each command to complete.
   timeout = "15s"
-{% elif grains['role'] in ['so-managersearch'] %}
-[[inputs.exec]]
-   commands = [
-      "/scripts/redis.sh",
-      "/scripts/influxdbsize.sh",
-      "/scripts/eps.sh",
-      "/scripts/raid.sh",
-      "/scripts/beatseps.sh"
-   ]
-  data_format = "influx"
-  ## Timeout for each command to complete.
-  timeout = "15s"
-{% elif grains['role'] in ['so-searchnode', 'so-receiver'] %}
-[[inputs.exec]]
-   commands = [
-      "/scripts/eps.sh",
-      "/scripts/raid.sh",
-  {% if grains.role == 'so-receiver' %}
-      "/scripts/redis.sh",
-  {% endif %}
-      "/scripts/beatseps.sh"
-   ]
-  data_format = "influx"
-  ## Timeout for each command to complete.
-  timeout = "15s"
-{% elif grains['role'] == 'so-sensor' %}
-[[inputs.exec]]
-   commands = [
-      "/scripts/stenoloss.sh",
-      "/scripts/suriloss.sh",
-      "/scripts/checkfiles.sh",
-  {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
-      "/scripts/zeekloss.sh",
-      "/scripts/zeekcaptureloss.sh",
-  {%- endif %}
-      "/scripts/oldpcap.sh",
-      "/scripts/raid.sh",
-      "/scripts/beatseps.sh"
-   ]
-  data_format = "influx"
-  timeout = "15s"
-{% elif grains['role'] == 'so-heavynode' %}
-[[inputs.exec]]
-   commands = [
-      "/scripts/redis.sh",
-      "/scripts/stenoloss.sh",
-      "/scripts/suriloss.sh",
-      "/scripts/checkfiles.sh",
-  {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
-      "/scripts/zeekloss.sh",
-      "/scripts/zeekcaptureloss.sh",
-  {%- endif %}
-      "/scripts/oldpcap.sh",
-      "/scripts/eps.sh",
-      "/scripts/raid.sh",
-      "/scripts/beatseps.sh"
-   ]
-  data_format = "influx"
-  timeout = "15s"
-{% elif grains['role'] == 'so-standalone' %}
-[[inputs.exec]]
-   commands = [
-      "/scripts/redis.sh",
-      "/scripts/influxdbsize.sh",
-      "/scripts/stenoloss.sh",
-      "/scripts/suriloss.sh",
-      "/scripts/checkfiles.sh",
-  {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
-      "/scripts/zeekloss.sh",
-      "/scripts/zeekcaptureloss.sh",
-  {%- endif %}
-      "/scripts/oldpcap.sh",
-      "/scripts/eps.sh",
-      "/scripts/raid.sh",
-      "/scripts/beatseps.sh"
-   ]
-  data_format = "influx"
-  timeout = "15s"
-{% elif grains['role'] == 'so-eval' %}
-[[inputs.exec]]
-   commands = [
-      "/scripts/redis.sh",
-      "/scripts/stenoloss.sh",
-      "/scripts/suriloss.sh",
-      "/scripts/checkfiles.sh",
-  {%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
-      "/scripts/zeekloss.sh",
-      "/scripts/zeekcaptureloss.sh",
-  {%- endif %}
-      "/scripts/oldpcap.sh",
-      "/scripts/influxdbsize.sh",
-      "/scripts/raid.sh",
-      "/scripts/beatseps.sh"
-   ]
-  data_format = "influx"
-  timeout = "15s"
-{% endif %}
+{%- endif %}
 
 {%- if salt['pillar.get']('healthcheck:enabled', False) %}
 [[inputs.file]]
   files = ["/host/nsm/zeek/logs/zeek_restart.log"]
   data_format = "influx"
 {%- endif %}
+
 [[inputs.file]]
   files = ["/etc/telegraf/node_config.json"]
   name_override = "node_config"

salt/telegraf/map.jinja

@@ -3,5 +3,15 @@
    https://securityonion.net/license; you may not use this file except in compliance with the
    Elastic License 2.0. #}
 
+{% from 'vars/globals.map.jinja' import GLOBALS %}
 {% import_yaml 'telegraf/defaults.yaml' as TELEGRAFDEFAULTS %}
 {% set TELEGRAFMERGED = salt['pillar.get']('telegraf', TELEGRAFDEFAULTS.telegraf, merge=True) %}
+
+{% if GLOBALS.role in ['so-eval', 'so-standalone', 'so-sensor', 'so-heavynode'] %}
+{%   from 'zeek/config.map.jinja' import ZEEKMERGED %}
+{#   if the md engine isn't zeek or zeek is disabled, dont run the zeek scripts for telegraf #}
+{%   if GLOBALS.md_engine != 'ZEEK' or not ZEEKMERGED.enabled %}
+{%     do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('zeekloss.sh') %}
+{%     do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('zeekcaptureloss.sh') %}
+{%   endif %}
+{% endif %}

salt/telegraf/scripts/zeekcaptureloss.sh

@@ -5,16 +5,18 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-
-
-
 # This script returns the average of all the workers average capture loss to telegraf / influxdb in influx format include nanosecond precision timestamp
 
 # if this script isn't already running
+{%- from 'zeek/config.map.jinja' import ZEEKMERGED %}
 if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
 
     if [ -d "/host/nsm/zeek/spool/logger" ]; then
-      WORKERS={{ salt['pillar.get']('sensor:zeek_lbprocs', salt['pillar.get']('sensor:zeek_pins') | length) }}
+{%- if ZEEKMERGED.config.node.pins %}
+      WORKERS={{ ZEEKMERGED.config.node.pins | length }}
+{%- else %}
+      WORKERS={{ ZEEKMERGED.config.node.lb_procs }}
+{%- endif %}
       ZEEKLOG=/host/nsm/zeek/spool/logger/capture_loss.log
     elif [ -d "/host/nsm/zeek/spool/zeeksa" ]; then
       WORKERS=1

salt/telegraf/soc_telegraf.yaml

@@ -42,4 +42,21 @@ telegraf:
       global: True
       advanced: True
       helpLink: telegraf.html
-    
+  scripts:
+    eval: &telegrafscripts
+      description: List of input.exec scripts to run for this node type. The script must be present in salt/telegraf/scripts.
+      forcedType: "[]string"
+      multiline: True
+      advanced: True
+      helpLink: telegraf.html
+    standalone: *telegrafscripts
+    manager: *telegrafscripts
+    managersearch: *telegrafscripts
+    import: *telegrafscripts
+    sensor: *telegrafscripts
+    heavynode: *telegrafscripts
+    idh: *telegrafscripts
+    searchnode: *telegrafscripts
+    receiver: *telegrafscripts
+    fleet: *telegrafscripts
+    desktop: *telegrafscripts

salt/top.sls

@@ -277,10 +277,10 @@ base:
     - schedule
     - docker_clean
 
-  'J@desktop:gui:enabled:^[Tt][Rr][Uu][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:Rocky )':
+  'J@desktop:gui:enabled:^[Tt][Rr][Uu][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:OEL )':
     - match: compound
     - desktop
 
-  'J@desktop:gui:enabled:^[Ff][Aa][Ll][Ss][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:Rocky )':
+  'J@desktop:gui:enabled:^[Ff][Aa][Ll][Ss][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:OEL )':
     - match: compound
     - desktop.remove_gui

setup/so-functions

@@ -117,7 +117,7 @@ desktop_pillar() {
 		"  mainint: '$MNIC'"\
 		"desktop:"\
 		"  gui:"\
-		"    enabled: true" >> "$pillar_file"\
+		"    enabled: true"\
 		"sensoroni:"\
 		"  config:"\
 		"    node_description: '${NODE_DESCRIPTION//\'/''}'" > $pillar_file
@@ -2302,6 +2302,15 @@ set_default_log_size() {
 	log_size_limit=$( echo "$disk_size_gb" "$percentage" | awk '{printf("%.0f", $1 * ($2/100))}')
 }
 
+set_desktop_background() {
+
+	logCmd "mkdir /usr/local/share/backgrounds"
+	logCmd "cp ../salt/desktop/files/so-wallpaper.jpg /usr/local/share/backgrounds/so-wallpaper.jpg"
+	logCmd "cp ../salt/desktop/files/00-background /etc/dconf/db/local.d/00-background"
+	logCmd "dconf update"
+
+}
+
 set_hostname() {
 
 	logCmd "hostnamectl set-hostname --static $HOSTNAME"

setup/so-setup

@@ -341,6 +341,8 @@ if [[ $is_desktop ]]; then
 			securityonion_repo
 			info "Enabling graphical interface and setting it to load at boot"
 			systemctl set-default graphical.target
+			info "Setting desktop background"
+			set_desktop_background
 			echo "Desktop Install Complete!"
 			echo ""
 			echo "Please reboot to start graphical interface."
@@ -575,6 +577,7 @@ if ! [[ -f $install_opt_file ]]; then
 
 	if [[ $waitforstate ]]; then
 		touch /root/accept_changes
+		touch /etc/sohotfix
 		make_some_dirs
 		percentage=0
 		es_heapsize