Compare commits

..

3 Commits

Author SHA1 Message Date
Corey Ogburn 83cf1f0793 New Client Params for Tool Retries 2026-07-02 10:11:52 -06:00
Corey Ogburn 8675296393 More Agentic Fields
The big agentic switch, a specific maxDelegationDepth, and the agentMapping dict
2026-07-01 15:04:42 -06:00
Matthew Wright 23f04e2866 maxSubSessionTokens and maxDelegationDepth config settings 2026-07-01 15:02:21 -06:00
12 changed files with 69 additions and 198 deletions
-24
View File
@@ -134,30 +134,6 @@ socsigmasopipeline:
- group: 939
- mode: 600
socsigmaplaybookpipeline:
file.managed:
- name: /opt/so/conf/soc/sigma_playbook_pipeline.yaml
- source: salt://soc/files/soc/sigma_playbook_pipeline.yaml
- user: 939
- group: 939
- mode: 600
socplaybookplaceholdermap:
file.managed:
- name: /opt/so/conf/soc/playbook_placeholder_map.yaml
- source: salt://soc/files/soc/playbook_placeholder_map.yaml
- user: 939
- group: 939
- mode: 600
socplaybookplaceholdermapcustom:
file.managed:
- name: /opt/so/conf/soc/playbook_placeholder_map_custom.yaml
- source: salt://soc/files/soc/playbook_placeholder_map_custom.yaml
- user: 939
- group: 939
- mode: 600
socbanner:
file.managed:
- name: /opt/so/conf/soc/banner.md
+12 -7
View File
@@ -1502,9 +1502,6 @@ soc:
- repo: https://github.com/Security-Onion-Solutions/securityonion-resources-playbooks
branch: main
folder: securityonion-normalized
- repo: https://github.com/Security-Onion-Solutions/securityonion-resources-playbooks
branch: published
folder: sigma
airgap:
- repo: file:///nsm/airgap-resources/playbooks/securityonion-resources-playbooks
branch: main
@@ -1512,6 +1509,8 @@ soc:
assistant:
systemPromptAddendum: ""
systemPromptAddendumMaxLength: 50000
maxSubSessionTokens: 0
maxDelegationDepth: 5
adapters:
- name: SOAI
protocol: securityonion_ai_cloud
@@ -1523,6 +1522,10 @@ soc:
serviceAccountJSON: ""
serviceAccountLocation: ""
healthTimeoutSeconds: 5
agentic: false
agentMapping:
Orchestrator: sonnet
Hunter: sonnet
onionconfig:
saltstackDir: /opt/so/saltstack
bypassEnabled: false
@@ -1774,13 +1777,13 @@ soc:
enabled: true
queries:
- name: Default Query
description: Show all events grouped by module and dataset
query: '* | groupby event.module* event.dataset'
showSubtitle: true
- name: Observer
description: Show all events grouped by the observer host
query: '* | groupby observer.name'
showSubtitle: true
- name: Log Type
description: Show all events grouped by module and dataset
query: '* | groupby event.module* event.dataset'
showSubtitle: true
- name: SOC - Auth
description: Users authenticated to SOC grouped by IP address and identity
query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http.request.headers.x-real-ip user.name'
@@ -2692,6 +2695,8 @@ soc:
thresholdColorRatioLow: 0.5
thresholdColorRatioMed: 0.75
thresholdColorRatioMax: 1
toolBusyMaxRetries: 30
toolBusyRetryDelayMs: 1000
availableModels:
- id: sonnet
displayName: Claude Sonnet
+1 -6
View File
@@ -45,10 +45,7 @@ so-soc:
- /opt/so/conf/soc/motd.md:/opt/sensoroni/html/motd.md:ro
- /opt/so/conf/soc/banner.md:/opt/sensoroni/html/login/banner.md:ro
- /opt/so/conf/soc/sigma_so_pipeline.yaml:/opt/sensoroni/sigma_so_pipeline.yaml:ro
- /opt/so/conf/soc/sigma_playbook_pipeline.yaml:/opt/sensoroni/sigma_playbook_pipeline.yaml:ro
- /opt/so/conf/soc/sigma_final_pipeline.yaml:/opt/sensoroni/sigma_final_pipeline.yaml:ro
- /opt/so/conf/soc/playbook_placeholder_map.yaml:/opt/sensoroni/playbook_placeholder_map.yaml:ro
- /opt/so/conf/soc/playbook_placeholder_map_custom.yaml:/opt/sensoroni/playbook_placeholder_map_custom.yaml:ro
- /opt/so/conf/soc/sigma_final_pipeline.yaml:/opt/sensoroni/sigma_final_pipeline.yaml:rw
- /opt/so/conf/soc/custom.js:/opt/sensoroni/html/js/custom.js:ro
- /opt/so/conf/soc/custom_roles:/opt/sensoroni/rbac/custom_roles:ro
- /opt/so/conf/soc/soc_users_roles:/opt/sensoroni/rbac/users_roles:rw
@@ -102,8 +99,6 @@ so-soc:
- file: soccustomroles
- file: socusersroles
- file: socclientsroles
- file: socplaybookplaceholdermap
- file: socplaybookplaceholdermapcustom
delete_so-soc_so-status.disabled:
file.uncomment:
@@ -1,49 +0,0 @@
# Global Playbook placeholder map: %token% -> event field path.
#
# Loaded by the SOC Playbook module and used to resolve `field|expand:%placeholder%` values
# from an alert when converting playbook questions to OQL.
# Left: the %token% used in a question
# Right: the event field its value is read from (event_data.-nested or bare; the module
# tries both).
#
# Example: with `src_ip: source.ip` (below), a question that writes
# `source.ip|expand: '%src_ip%'` resolves %src_ip% to the alert's source.ip at convert time.
#
# This is the global base layer. To add or override tokens edit playbook_placeholder_map_custom.yaml.
# those entries overlay this map and win on conflict.
CommandLine: process.command_line
CurrentDirectory: process.working_directory
Image: process.executable
ImageLoaded: dll.name
ParentImage: process.parent.executable
ParentName: process.parent.name
ParentProcessGuid: process.parent.entity_id
ProcessGuid: process.entity_id
TargetFilename: file.name
TargetObject: registry.path
TargetUserName: user.target.name
User: user.name
community_id: network.community_id
dns_resolved_ip: dns.resolved_ip
document_id: soc_id
dst_ip: destination.ip
dst_port: destination.port
event_data_source_ip: source.ip
file_path: file.path
file_dirs: process.file_dirs
file_name: process.name
file_paths: process.file_paths
hostname: host.name
private_ip: network.private_ip
public_ip: network.public_ip
related_hosts: related.hosts
related_ip: related.ip
src_ip: source.ip
dns_query_name: dns.query_name
flow_id: log.id.uid
payload: network.data.decoded
rule_category: rule.category
rule_name: rule.name
rule_uuid: rule.uuid
src_port: source.port
@@ -1,14 +0,0 @@
# Custom Playbook placeholder map: %token% -> event field path.
#
#
# Left: the %token% used in a playbook question.
# Right: the event field its value is read from (event_data.-nested or bare; the module tries
# both). Note: a token that is simply named after a flat event field resolves automatically
# without an entry here - only add a mapping when the token name differs from the field name.
#
# Example:
#
# account_id: cloudflare.account_id
#
# A question that writes
# `account_id|expand: '%account_id%'` resolves %account_id% from the alert at convert time.
@@ -1,12 +0,0 @@
name: Security Onion - Playbook Pipeline
priority: 97
transformations:
# Route string fields to their lowercase-normalized .caseless subfield so wildcard
# matches are case-insensitive.
- id: case_insensitive_string_fields
type: field_name_mapping
mapping:
process.executable: process.executable.caseless
process.parent.executable: process.parent.executable.caseless
process.command_line: process.command_line.caseless
process.parent.command_line: process.parent.command_line.caseless
-51
View File
@@ -63,14 +63,6 @@ transformations:
rule_conditions:
- type: logsource
category: antivirus
# OS-agnostic process_creation scoping for product-less (NIDS/host-pivot) rules.
- id: process_creation_os_agnostic
type: add_condition
conditions:
event.category: process
rule_conditions:
- type: logsource
category: process_creation
# Transforms the `Hashes` field to ECS fields
# ECS fields are used by the hash fields emitted by Elastic Defend
# If shipped with Elastic Agent, sysmon logs will also have hashes mapped to ECS fields
@@ -116,40 +108,6 @@ transformations:
- type: logsource
product: windows
category: driver_load
- id: ecs_fix_process_creation
type: field_name_mapping
mapping:
# bare `Hashes` (the combined-string case is broken out above)
winlog.event_data.Hashes: process.hash.sha256
winlog.event_data.IntegrityLevel: process.Ext.token.integrity_level_name
winlog.event_data.ParentName: process.parent.name
rule_conditions:
- type: logsource
product: windows
category: process_creation
- id: ecs_fix_registry_set
type: field_name_mapping
mapping:
winlog.event_data.Details: registry.data.strings
# field rename only; EventType values (SetValue/CreateKey) still differ from
# event.action values (modification/creation)
winlog.event_data.EventType: event.action
rule_conditions:
- type: logsource
product: windows
category: registry_set
- id: ecs_fix_image_load
type: field_name_mapping
mapping:
file.path: dll.path
file.code_signature.signed: dll.code_signature.exists
winlog.event_data.Signature: dll.code_signature.subject_name
file.code_signature.status: dll.code_signature.status
winlog.event_data.Hashes: dll.hash.sha256
rule_conditions:
- type: logsource
product: windows
category: image_load
- id: linux_security_add-fields
type: add_condition
conditions:
@@ -323,15 +281,6 @@ transformations:
rule_conditions:
- type: logsource
category: file_event
# Scope image_load rules to Elastic Endpoint library events (event.category:library, dll.*
# populated).
- id: endpoint_image_load_add-fields
type: add_condition
conditions:
event.category: 'library'
rule_conditions:
- type: logsource
category: image_load
# Maps network rules to all network logs
# This targets all network logs, all services, generated from endpoints and network
- id: network_add-fields
+28 -9
View File
@@ -46,15 +46,7 @@ soc:
syntax: yaml
file: True
global: True
advanced: False
helpLink: security-onion-console-customization
playbook_placeholder_map_custom__yaml:
title: Playbook Placeholder Map
description: Custom mappings of Playbook %placeholder% tokens to event fields.
syntax: yaml
file: True
global: True
advanced: False
advanced: True
helpLink: security-onion-console-customization
config:
licenseKey:
@@ -727,6 +719,16 @@ soc:
description: Maximum length of the system prompt addendum. Longer prompts will be truncated.
global: True
advanced: True
maxSubSessionTokens:
description: Maximum number of output tokens a delegated sub-session may generate across all of its turns. When the budget is reached, the sub-agent is halted and its result is returned to the parent agent. Set to 0 to disable the limit.
global: True
advanced: True
forcedType: int
maxDelegationDepth:
description: Maximum delegation nesting depth for sub-agents. For example, a value of 2 lets the main agent delegate to a sub-agent that may itself delegate one level deeper. Any deeper delegation is refused and the requesting agent continues without it. Set to 0 to disable the limit.
global: True
advanced: True
forcedType: int
adapters:
description: Configuration for AI adapters used by the Onion AI assistant. Please see documentation for help on which fields are required for which protocols.
global: True
@@ -765,12 +767,29 @@ soc:
label: Health Timeout Seconds
required: False
forcedType: int
agentic:
description: Indicates if the Assistant Module should operate in agentic mode or not. If true, agents can work together to solve tasks.
global: True
forcedType: bool
agentMapping:
Orchestrator:
description: The initial agent in most agentic conversations. This agent will delegate requests to specialized agents.
global: True
Hunter:
description: This agent is specialized in querying events.
global: True
client:
assistant:
enabled:
description: Set to true to enable the Onion AI assistant in SOC.
global: True
forcedType: bool
toolBusyMaxRetries:
description: How many times to retry auto approving a tool while a tool is already running.
global: True
toolBusyRetryDelayMs:
description: How long in milliseconds to wait between each retry when auto approving a tool.
global: True
investigationPrompt:
description: Prompt given to Onion AI when beginning an investigation.
global: True
-1
View File
@@ -244,7 +244,6 @@
username = "{{ ES_USER }}"
password = "{{ ES_PASS }}"
insecure_skip_verify = true
cluster_health = true
{%- elif grains['role'] in ['so-searchnode'] %}
[[inputs.elasticsearch]]
servers = ["https://{{ NODEIP }}:9200"]
+16 -17
View File
@@ -29,12 +29,8 @@ title() {
}
fail_setup() {
local err_msg=$1
if [[ -n "$err_msg" ]]; then
error "$err_msg"
fi
error "Setup encountered an unrecoverable failure, exiting"
echo "setup incomplete: $err_msg" > /root/failure
touch /root/failure
exit 1
}
@@ -701,7 +697,7 @@ compare_main_nic_ip() {
EOM
[[ -n $TESTING ]] || whiptail --title "$whiptail_title" --msgbox "$message" 11 75
kill -SIGINT "$(ps --pid $$ -oppid=)"; fail_setup "Main IP mismatch"
kill -SIGINT "$(ps --pid $$ -oppid=)"; fail_setup
fi
else
# Setup uses MAINIP, but since we ignore the equality condition when using a VPN
@@ -759,7 +755,8 @@ configure_management_bond() {
info "Setting up $bond_name management interface with mode $bond_mode"
if [[ ${#MBNICS[@]} -eq 0 ]]; then
fail_setup "No management bond NICs selected"
error "[ERROR] No management bond NICs were selected."
fail_setup
fi
nmcli -t -f NAME con show | grep -Fxq "$bond_name"
@@ -917,7 +914,8 @@ detect_os() {
is_rpm=true
is_supported=true
else
fail_setup "This OS is not supported. Security Onion requires Oracle Linux 9."
info "This OS is not supported. Security Onion requires Oracle Linux 9."
fail_setup
fi
info "Found OS: $OS $OSVER"
@@ -925,7 +923,7 @@ detect_os() {
download_elastic_agent_artifacts() {
if ! update_elastic_agent 2>&1 | tee -a "$setup_log"; then
fail_setup "Failed to update Elastic Agent"
fail_setup
fi
}
@@ -1569,7 +1567,7 @@ proxy_validate() {
error "Received error: $proxy_test_err"
if [[ -n $TESTING ]]; then
error "Exiting setup"
kill -SIGINT "$(ps --pid $$ -oppid=)"; fail_setup "Proxy validation failed"
kill -SIGINT "$(ps --pid $$ -oppid=)"; fail_setup
fi
fi
return $ret
@@ -1776,7 +1774,8 @@ ensure_pyyaml() {
local result=$?
set +o pipefail
if [[ $result -ne 0 ]] || ! rpm -q python3-pyyaml >/dev/null 2>&1; then
fail_setup "Failed to install python3-pyyaml (exit=$result)"
error "Failed to install python3-pyyaml (exit=$result)"
fail_setup
fi
info "python3-pyyaml installed successfully"
}
@@ -1911,8 +1910,8 @@ repo_sync_local() {
if [[ ! $is_airgap ]]; then
curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install
retry 5 60 "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" >> "$setup_log" 2>&1 || fail_setup "Failed to sync repos"
retry 5 60 "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionkernel --download-metadata -p /nsm/kernelrepo/" >> "$setup_log" 2>&1 || fail_setup "Failed to sync kernel repos"
retry 5 60 "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" >> "$setup_log" 2>&1 || fail_setup
retry 5 60 "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionkernel --download-metadata -p /nsm/kernelrepo/" >> "$setup_log" 2>&1 || fail_setup
# After the download is complete run createrepo
create_repo
fi
@@ -1925,10 +1924,10 @@ saltify() {
if [[ $waitforstate ]]; then
# install all for a manager
retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -M -X stable $SALTVERSION" || fail_setup "Failed to install salt master"
retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -M -X stable $SALTVERSION" || fail_setup
else
# just a minion
retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -X stable $SALTVERSION" || fail_setup "Failed to install salt minion"
retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -X stable $SALTVERSION" || fail_setup
fi
salt_install_module_deps
@@ -2000,7 +1999,7 @@ set_main_ip() {
info "MAINIP=$MAINIP"
info "MNIC_IP=$MNIC_IP"
whiptail_error_message "The management IP could not be determined. Please check the log at /root/sosetup.log and verify the network configuration. Select OK to exit."
fail_setup "Could not determine MAINIP or MNIC_IP"
fail_setup
fi
sleep 1
done
@@ -2204,7 +2203,7 @@ set_initial_firewall_access() {
set_management_interface() {
title "Setting up the main interface"
if [[ $MNIC == "bond1" ]]; then
configure_management_bond || fail_setup "Failed to configure management bond"
configure_management_bond || fail_setup
fi
if [ "$address_type" = 'DHCP' ]; then
+9 -5
View File
@@ -90,7 +90,8 @@ if [[ "$setup_type" == 'iso' ]]; then
if [[ $is_rpm ]]; then
is_iso=true
else
fail_setup "Only use 'so-setup iso' for an ISO install on Security Onion ISO images. Please run 'so-setup network' instead."
echo "Only use 'so-setup iso' for an ISO install on Security Onion ISO images. Please run 'so-setup network' instead."
fail_setup
fi
fi
@@ -129,7 +130,7 @@ catch() {
info "Fatal error occurred at $1 in so-setup, failing setup."
grep --color=never "ERROR" "$setup_log" > "$error_log"
whiptail_setup_failed
fail_setup "Fatal error occurred at $1 in so-setup"
fail_setup
}
# Add the progress function for manager node type installs
@@ -237,7 +238,8 @@ case "$setup_type" in
info "Beginning Security Onion $setup_type install"
;;
*)
fail_setup "Invalid install type, must be 'iso', 'network' or 'desktop'."
error "Invalid install type, must be 'iso', 'network' or 'desktop'."
fail_setup
;;
esac
@@ -771,7 +773,8 @@ if ! [[ -f $install_opt_file ]]; then
logCmd "salt-call state.apply -l info registry"
title "Seeding the docker registry"
if ! docker_seed_registry; then
fail_setup "Failed to seed the docker registry"
error "Failed to seed the docker registry"
fail_setup
fi
title "Applying the manager state"
logCmd "salt-call state.apply -l info manager"
@@ -794,7 +797,8 @@ if ! [[ -f $install_opt_file ]]; then
title "Setting up Elastic Fleet"
logCmd "salt-call state.apply elasticfleet.config"
if ! logCmd so-elastic-fleet-setup; then
fail_setup "Failed to run so-elastic-fleet-setup"
error "Failed to run so-elastic-fleet-setup"
fail_setup
fi
mark_setup_complete
set_initial_firewall_access
+3 -3
View File
@@ -143,15 +143,15 @@ main() {
cat $error_log
echo "--------------------------"
exit_code=1
echo "Found setup errors. Check $error_log for details" > /root/failure
touch /root/failure
elif using_iso && cron_error_in_mail_spool; then
echo "WARNING: Unexpected cron job output in mail spool"
exit_code=1
echo "Unexpected cron job output found in /var/spool/mail/" > /root/failure
touch /root/failure
elif is_manager_node && status_failed; then
echo "WARNING: Containers are not in a healthy state"
exit_code=1
echo "Containers are not in a healthy state. Check so-status for details" > /root/failure
touch /root/failure
else
echo "Successfully completed setup!"
touch /root/success