Compare commits

..
Author SHA1 Message Date
Jason Ertel 811b799b0b ignore file already closed 2026-07-17 10:57:30 -04:00
Jason Ertel 63d4061500 prevent login redirect to any API url 2026-07-14 13:52:32 -04:00
Jason Ertel 6fc0fd954c clarify output annotation 2026-07-10 10:35:37 -04:00
Jason Ertel 566f90a0c0 toggle pg metrics 2026-07-10 10:32:25 -04:00
Jason Ertel 1f44e98681 restart soc after re-initing db 2026-07-08 14:34:27 -04:00
Jason ErtelandGitHub dffe0d3780 Merge pull request #16046 from Security-Onion-Solutions/jertel/wip
recollate databases
2026-07-08 07:05:37 -04:00
Jason Ertel d131d167de provide explanation text 2026-07-08 07:00:38 -04:00
Jason Ertel 8a8f2c4a33 change order to recollate first 2026-07-07 22:22:00 -04:00
Jason Ertel 7f6014096b recollate db 2026-07-07 22:01:27 -04:00
Jason Ertel ef83450107 recollate 2026-07-07 16:54:06 -04:00
coreyogburnandGitHub 032d792331 Merge pull request #16030 from Security-Onion-Solutions/feature/agentic
Feature/agentic
2026-07-07 14:37:52 -06:00
Josh BrowerandGitHub 0cac761edc Merge pull request #16041 from Security-Onion-Solutions/playbook-reponames
Add repo names
2026-07-07 13:53:16 +02:00
Josh Brower db91ce981d Add repo names 2026-07-07 07:49:11 -04:00
Mike ReevesandGitHub bd8e5a63db Merge pull request #16039 from Security-Onion-Solutions/TOoSmOotH-patch-1
Add cluster_health option to telegraf.conf
2026-07-06 17:29:04 -04:00
Corey Ogburn 83cf1f0793 New Client Params for Tool Retries 2026-07-02 10:11:52 -06:00
Corey Ogburn 8675296393 More Agentic Fields
The big agentic switch, a specific maxDelegationDepth, and the agentMapping dict
2026-07-01 15:04:42 -06:00
Matthew WrightandCorey Ogburn 23f04e2866 maxSubSessionTokens and maxDelegationDepth config settings 2026-07-01 15:02:21 -06:00
8 changed files with 97 additions and 12 deletions
+1
View File
@@ -132,6 +132,7 @@ if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|HTTP 404: Not Found" # Salt loops until Kratos returns 200, during startup Kratos may not be ready EXCLUDED_ERRORS="$EXCLUDED_ERRORS|HTTP 404: Not Found" # Salt loops until Kratos returns 200, during startup Kratos may not be ready
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Cancelling deferred write event maybeFenceReplicas because the event queue is now closed" # Kafka controller log during shutdown/restart EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Cancelling deferred write event maybeFenceReplicas because the event queue is now closed" # Kafka controller log during shutdown/restart
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Redis may have been restarted" # Redis likely restarted by salt EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Redis may have been restarted" # Redis likely restarted by salt
EXCLUDED_ERRORS="$EXCLUDED_ERRORS|file already closed" # Go logging race condition during container restart
fi fi
if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then
+20 -3
View File
@@ -784,12 +784,23 @@ post_to_3.1.0() {
### 3.2.0 Scripts ### ### 3.2.0 Scripts ###
recollate_postgres() {
echo ""
echo "Recollating PostgreSQL databases. The following output may contain warnings about a version mismatch, followed by a note indicating that the collation version has been changed."
for db in postgres securityonion so_telegraf; do
docker exec so-postgres psql -U postgres $db -c "reindex database $db"
docker exec so-postgres psql -U postgres $db -c "alter database $db refresh collation version"
done
echo "Recollating PostgreSQL databases complete."
echo ""
}
bootstrap_so_soc_database() { bootstrap_so_soc_database() {
# init-db.sh is mounted into so-postgres at /docker-entrypoint-initdb.d/init-db.sh # init-db.sh is mounted into so-postgres at /docker-entrypoint-initdb.d/init-db.sh
# and runs automatically only on a fresh data directory. Hosts upgrading from # and runs automatically only on a fresh data directory. Hosts upgrading from
# 3.1.0 already have /nsm/postgres populated, so the so_soc bootstrap block # 3.1.0 already have /nsm/postgres populated, so the so_soc bootstrap block
# added in 3.2 never fires. Re-run the script explicitly; it's idempotent. # added in 3.2 never fires. Re-run the script explicitly; it's idempotent.
echo "Bootstrapping so_soc database via init-db.sh." echo "Bootstrapping database via init-db.sh."
# The postgres image has no USER directive, so `docker exec` defaults to # The postgres image has no USER directive, so `docker exec` defaults to
# root, and the container env intentionally omits POSTGRES_USER (the upstream # root, and the container env intentionally omits POSTGRES_USER (the upstream
# entrypoint defaults it transiently during first-init only). Recreate both # entrypoint defaults it transiently during first-init only). Recreate both
@@ -800,10 +811,13 @@ bootstrap_so_soc_database() {
return 0 return 0
fi fi
if ! $exec_cmd; then if ! $exec_cmd; then
FINAL_MESSAGE_QUEUE+=("WARNING: init-db.sh failed inside so-postgres during the 3.2.0 upgrade; the so_soc database may not have been bootstrapped. Re-run manually: $exec_cmd") FINAL_MESSAGE_QUEUE+=("WARNING: init-db.sh failed inside so-postgres during the 3.2.0 upgrade; the database may not have been bootstrapped. Re-run manually: $exec_cmd")
return 0 return 0
fi fi
echo "so_soc bootstrap complete." echo "Database bootstrap complete."
echo "Restarting so-soc container to pick up database changes"
docker restart so-soc
} }
# Existing grids should keep ILM unless an admin explicitly opts in to DLM. # Existing grids should keep ILM unless an admin explicitly opts in to DLM.
@@ -882,6 +896,9 @@ up_to_3.2.0() {
} }
post_to_3.2.0() { post_to_3.2.0() {
# Recollate due to image OS rebase
recollate_postgres
bootstrap_so_soc_database bootstrap_so_soc_database
# Including agent regen script here since it was missed in post_to_3.1.0 # Including agent regen script here since it was missed in post_to_3.1.0
+1 -1
View File
@@ -399,7 +399,7 @@ http {
error_page 429 = @error429; error_page 429 = @error429;
location @error401 { location @error401 {
if ($request_uri ~* (^/api/.*|^/connect/.*|^/oauth2/.*|^/.*\.map$)) { if ($request_uri ~* (^.*/api/.*|^/connect/.*|^/oauth2/.*|^/.*\.map$)) {
return 401; return 401;
} }
+17 -7
View File
@@ -8,6 +8,7 @@
{% from 'docker/docker.map.jinja' import DOCKERMERGED -%} {% from 'docker/docker.map.jinja' import DOCKERMERGED -%}
{% set INFLUXDB_TOKEN = salt['pillar.get']('influxdb:token') %} {% set INFLUXDB_TOKEN = salt['pillar.get']('influxdb:token') %}
{% import_text 'influxdb/metrics_link.txt' as METRICS_LINK %} {% import_text 'influxdb/metrics_link.txt' as METRICS_LINK %}
{% from 'telegraf/map.jinja' import TELEGRAFMERGED %}
{% for module, application_url in GLOBALS.application_urls.items() %} {% for module, application_url in GLOBALS.application_urls.items() %}
{% do SOCDEFAULTS.soc.config.server.modules[module].update({'hostUrl': application_url}) %} {% do SOCDEFAULTS.soc.config.server.modules[module].update({'hostUrl': application_url}) %}
@@ -24,13 +25,22 @@
{% do SOCDEFAULTS.soc.config.server.modules.elastic.update({'username': GLOBALS.elasticsearch.auth.users.so_elastic_user.user, 'password': GLOBALS.elasticsearch.auth.users.so_elastic_user.pass}) %} {% do SOCDEFAULTS.soc.config.server.modules.elastic.update({'username': GLOBALS.elasticsearch.auth.users.so_elastic_user.user, 'password': GLOBALS.elasticsearch.auth.users.so_elastic_user.pass}) %}
{% do SOCDEFAULTS.soc.config.server.modules.influxdb.update({'hostUrl': 'https://' ~ GLOBALS.influxdb_host ~ ':8086'}) %} {% if TELEGRAFMERGED.output == 'POSTGRES' %}
{% do SOCDEFAULTS.soc.config.server.modules.influxdb.update({'token': INFLUXDB_TOKEN}) %} {% for tool in SOCDEFAULTS.soc.config.server.client.tools %}
{% for tool in SOCDEFAULTS.soc.config.server.client.tools %} {% if tool.name == "toolInfluxDb" %}
{% if tool.name == "toolInfluxDb" and METRICS_LINK | length > 0 %} {% do SOCDEFAULTS.soc.config.server.client.tools.remove(tool) %}
{% do tool.update({'link': METRICS_LINK}) %} {% endif %}
{% endif %} {% endfor %}
{% endfor %}
{% else %}
{% do SOCDEFAULTS.soc.config.server.modules.influxdb.update({'hostUrl': 'https://' ~ GLOBALS.influxdb_host ~ ':8086'}) %}
{% do SOCDEFAULTS.soc.config.server.modules.influxdb.update({'token': INFLUXDB_TOKEN}) %}
{% for tool in SOCDEFAULTS.soc.config.server.client.tools %}
{% if tool.name == "toolInfluxDb" and METRICS_LINK | length > 0 %}
{% do tool.update({'link': METRICS_LINK}) %}
{% endif %}
{% endfor %}
{% endif %}
{% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKERMERGED.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %} {% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKERMERGED.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %}
+11
View File
@@ -1500,18 +1500,23 @@ soc:
playbookRepos: playbookRepos:
default: default:
- repo: https://github.com/Security-Onion-Solutions/securityonion-resources-playbooks - repo: https://github.com/Security-Onion-Solutions/securityonion-resources-playbooks
rulesetName: sos-playbook-resources
branch: main branch: main
folder: securityonion-normalized folder: securityonion-normalized
- repo: https://github.com/Security-Onion-Solutions/securityonion-resources-playbooks - repo: https://github.com/Security-Onion-Solutions/securityonion-resources-playbooks
rulesetName: sos-published
branch: published branch: published
folder: sigma folder: sigma
airgap: airgap:
- repo: file:///nsm/airgap-resources/playbooks/securityonion-resources-playbooks - repo: file:///nsm/airgap-resources/playbooks/securityonion-resources-playbooks
rulesetName: sos-resources-ag
branch: main branch: main
folder: securityonion-normalized folder: securityonion-normalized
assistant: assistant:
systemPromptAddendum: "" systemPromptAddendum: ""
systemPromptAddendumMaxLength: 50000 systemPromptAddendumMaxLength: 50000
maxSubSessionTokens: 0
maxDelegationDepth: 5
adapters: adapters:
- name: SOAI - name: SOAI
protocol: securityonion_ai_cloud protocol: securityonion_ai_cloud
@@ -1523,6 +1528,10 @@ soc:
serviceAccountJSON: "" serviceAccountJSON: ""
serviceAccountLocation: "" serviceAccountLocation: ""
healthTimeoutSeconds: 5 healthTimeoutSeconds: 5
agentic: false
agentMapping:
Orchestrator: sonnet
Hunter: sonnet
onionconfig: onionconfig:
saltstackDir: /opt/so/saltstack saltstackDir: /opt/so/saltstack
bypassEnabled: false bypassEnabled: false
@@ -2692,6 +2701,8 @@ soc:
thresholdColorRatioLow: 0.5 thresholdColorRatioLow: 0.5
thresholdColorRatioMed: 0.75 thresholdColorRatioMed: 0.75
thresholdColorRatioMax: 1 thresholdColorRatioMax: 1
toolBusyMaxRetries: 30
toolBusyRetryDelayMs: 1000
availableModels: availableModels:
- id: sonnet - id: sonnet
displayName: Claude Sonnet displayName: Claude Sonnet
+19
View File
@@ -7,6 +7,11 @@
{% from 'soc/defaults.map.jinja' import SOCDEFAULTS with context %} {% from 'soc/defaults.map.jinja' import SOCDEFAULTS with context %}
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_NODES %} {% from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_NODES %}
{% from 'manager/map.jinja' import MANAGERMERGED %} {% from 'manager/map.jinja' import MANAGERMERGED %}
{% from 'telegraf/map.jinja' import TELEGRAFMERGED %}
{%- set PG_ENTRY = salt['pillar.get']('telegraf:postgres_creds:' ~ grains.id, {}) %}
{%- set PG_USER = PG_ENTRY.get('user', '') %}
{%- set PG_PASS = PG_ENTRY.get('pass', '') %}
{% set DOCKER_EXTRA_HOSTS = ELASTICSEARCH_NODES %} {% set DOCKER_EXTRA_HOSTS = ELASTICSEARCH_NODES %}
{% do DOCKER_EXTRA_HOSTS.append({GLOBALS.influxdb_host:pillar.node_data[GLOBALS.influxdb_host].ip}) %} {% do DOCKER_EXTRA_HOSTS.append({GLOBALS.influxdb_host:pillar.node_data[GLOBALS.influxdb_host].ip}) %}
@@ -75,6 +80,20 @@
{% do SOCMERGED.config.server.update({'airgapEnabled': false}) %} {% do SOCMERGED.config.server.update({'airgapEnabled': false}) %}
{% endif %} {% endif %}
{# Define the postgresmetrics module if telegraf is setup to only use Postgres #}
{% if TELEGRAFMERGED.output != 'INFLUXDB' and PG_USER and PG_PASS %}
{% do SOCMERGED.config.server.modules.update({
'postgresmetrics': {
'database': 'so_telegraf',
'host': GLOBALS.manager_ip,
'password': PG_PASS,
'port': 5432,
'sslMode': 'allow',
'user': PG_USER,
}
}) %}
{% do SOCMERGED.config.server.modules.pop('influxdb') %}
{% endif %}
{# Define the Detections custom ruleset that should always be present #} {# Define the Detections custom ruleset that should always be present #}
{% set CUSTOM_RULESET = { {% set CUSTOM_RULESET = {
+27
View File
@@ -727,6 +727,16 @@ soc:
description: Maximum length of the system prompt addendum. Longer prompts will be truncated. description: Maximum length of the system prompt addendum. Longer prompts will be truncated.
global: True global: True
advanced: True advanced: True
maxSubSessionTokens:
description: Maximum number of output tokens a delegated sub-session may generate across all of its turns. When the budget is reached, the sub-agent is halted and its result is returned to the parent agent. Set to 0 to disable the limit.
global: True
advanced: True
forcedType: int
maxDelegationDepth:
description: Maximum delegation nesting depth for sub-agents. For example, a value of 2 lets the main agent delegate to a sub-agent that may itself delegate one level deeper. Any deeper delegation is refused and the requesting agent continues without it. Set to 0 to disable the limit.
global: True
advanced: True
forcedType: int
adapters: adapters:
description: Configuration for AI adapters used by the Onion AI assistant. Please see documentation for help on which fields are required for which protocols. description: Configuration for AI adapters used by the Onion AI assistant. Please see documentation for help on which fields are required for which protocols.
global: True global: True
@@ -765,12 +775,29 @@ soc:
label: Health Timeout Seconds label: Health Timeout Seconds
required: False required: False
forcedType: int forcedType: int
agentic:
description: Indicates if the Assistant Module should operate in agentic mode or not. If true, agents can work together to solve tasks.
global: True
forcedType: bool
agentMapping:
Orchestrator:
description: The initial agent in most agentic conversations. This agent will delegate requests to specialized agents.
global: True
Hunter:
description: This agent is specialized in querying events.
global: True
client: client:
assistant: assistant:
enabled: enabled:
description: Set to true to enable the Onion AI assistant in SOC. description: Set to true to enable the Onion AI assistant in SOC.
global: True global: True
forcedType: bool forcedType: bool
toolBusyMaxRetries:
description: How many times to retry auto approving a tool while a tool is already running.
global: True
toolBusyRetryDelayMs:
description: How long in milliseconds to wait between each retry when auto approving a tool.
global: True
investigationPrompt: investigationPrompt:
description: Prompt given to Onion AI when beginning an investigation. description: Prompt given to Onion AI when beginning an investigation.
global: True global: True
+1 -1
View File
@@ -5,7 +5,7 @@ telegraf:
advanced: True advanced: True
helpLink: influxdb helpLink: influxdb
output: output:
description: Selects the backend(s) Telegraf writes metrics to. INFLUXDB keeps the current behavior; POSTGRES writes to the grid's Postgres instance; BOTH dual-writes for migration validation. description: Selects the backend(s) Telegraf writes metrics to. INFLUXDB keeps the current behavior; POSTGRES writes to the grid's Postgres instance; BOTH dual-writes for migration validation. When set to BOTH, the grid screen's metrics are pulled from Postgres, and the InfluxDB tool link remains visible. When set to POSTGRES, the InfluxDB tool link is removed.
options: options:
- INFLUXDB - INFLUXDB
- POSTGRES - POSTGRES