Merge pull request #8981 from Security-Onion-Solutions/dev

2.3.181

HOTFIX

@@ -1 +0,0 @@
-

README.md

@@ -1,6 +1,6 @@
-## Security Onion 2.3.140
+## Security Onion 2.3.180
 
-Security Onion 2.3.140 is here!
+Security Onion 2.3.180 is here!
 
 ## Screenshots
 

VERIFY_ISO.md

@@ -1,18 +1,18 @@
-### 2.3.140-20220718 ISO image built on 2022/07/18
+### 2.3.181-20221021 ISO image built on 2022/10/21
 
 
 
 ### Download and Verify
 
-2.3.140-20220718 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220718.iso
+2.3.181-20221021 ISO image:  
+https://download.securityonion.net/file/securityonion/securityonion-2.3.181-20221021.iso
 
-MD5: 9570065548DBFA6230F28FF623A8B61A  
-SHA1: D48B2CC81DF459C3EBBC0C54BD9AAFAB4327CB75  
-SHA256: 0E31E15EDFD3392B9569FCCAF1E4518432ECB0D7A174CCA745F2F22CDAC4A034 
+MD5: 9389B35233DCA42AC5061053D772E922  
+SHA1: 83A162756136198CF1FABE7D94BA1D99650379B2  
+SHA256: FED4D7B27C16889F9588FE9568B0B10E0DAD551C34619DFED7801F18B1739040 
 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220718.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.181-20221021.iso.sig
 
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS  
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
 
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220718.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.181-20221021.iso.sig
 ```
 
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220718.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.3.181-20221021.iso
 ```
 
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.3.140-20220718.iso.sig securityonion-2.3.140-20220718.iso
+gpg --verify securityonion-2.3.181-20221021.iso.sig securityonion-2.3.181-20221021.iso
 ```
 
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Mon 18 Jul 2022 10:16:05 AM EDT using RSA key ID FE507013
+gpg: Signature made Fri 21 Oct 2022 02:11:18 PM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.

VERSION

@@ -1 +1 @@
-2.3.140
+2.3.181

salt/common/tools/sbin/soup

@@ -203,7 +203,7 @@ check_airgap() {
 
 check_local_mods() {
   local salt_local=/opt/so/saltstack/local
-
+  local_ignore_arr=("/opt/so/saltstack/local/salt/zeek/policy/intel/intel.dat")
   local_mod_arr=()
 
   while IFS= read -r -d '' local_file; do
@@ -211,10 +211,12 @@ check_local_mods() {
     default_file="${DEFAULT_SALT_DIR}${stripped_path}"
     if [[ -f $default_file ]]; then
       file_diff=$(diff "$default_file" "$local_file" )
+      if [[ ! " ${local_ignore_arr[*]} " =~ " ${local_file} " ]]; then
         if [[ $(echo "$file_diff" | grep -c "^<") -gt 0 ]]; then
           local_mod_arr+=( "$local_file" )
         fi
       fi
+    fi
   done< <(find $salt_local -type f -print0)
 
   if [[ ${#local_mod_arr} -gt 0 ]]; then
@@ -223,11 +225,24 @@ check_local_mods() {
       echo "  $file_str"
     done
     echo ""
-    echo "To reference this list later, check $SOUP_LOG"
-    sleep 10
+    echo "To reference this list later, check $SOUP_LOG".
+    echo
+    if [[ -z $UNATTENDED ]] && ! [[ "${1}" == "skip-prompt" ]]; then
+      while true; do
+        read -p "Please review the local modifications shown above as they may cause problems during or after the update.
+
+Would you like to proceed with the update anyway?
+
+If so, type 'YES'. Otherwise, type anything else to exit SOUP. " yn
+
+        case $yn in
+          [yY][eE][sS] ) echo "Local modifications accepted.  Continuing..."; break;;
+          * ) exit 0;;
+        esac
+      done
+    fi
   fi
 }
-
 # {% endraw %}
 
 check_pillar_items() {
@@ -371,6 +386,81 @@ clone_to_tmp() {
   fi
 }
 
+elastalert_indices_check() {
+  echo "Checking Elastalert indices for compatibility..."
+  # Wait for ElasticSearch to initialize
+  echo -n "Waiting for ElasticSearch..."
+  COUNT=0
+  ELASTICSEARCH_CONNECTED="no"
+  while [[ "$COUNT" -le 240 ]]; do
+    so-elasticsearch-query / -k --output /dev/null
+      if [ $? -eq 0 ]; then
+        ELASTICSEARCH_CONNECTED="yes"
+        echo "connected!"
+          break
+      else
+        ((COUNT+=1))
+        sleep 1
+        echo -n "."
+      fi
+  done
+
+  # Unable to connect to Elasticsearch
+  if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
+    echo
+    echo -e "Connection attempt timed out.  Unable to connect to ElasticSearch.  \nPlease try: \n  -checking log(s) in /var/log/elasticsearch/\n  -running 'sudo docker ps' \n  -running 'sudo so-elastic-restart'"
+    echo
+    exit 1
+  fi
+
+  MAJOR_ES_VERSION=$(so-elasticsearch-query / | jq -r .version.number | cut -d '.' -f1)
+  if [[ "$MAJOR_ES_VERSION" -lt "8" ]]; then
+
+    # Stop Elastalert to prevent Elastalert indices from being re-created
+    if grep -q "^so-elastalert$" /opt/so/conf/so-status/so-status.conf ; then
+      so-elastalert-stop || true
+    fi
+
+    # Check Elastalert indices
+    echo "Deleting Elastalert indices to prevent issues with upgrade to Elastic 8..."
+    CHECK_COUNT=0
+    while [[ "$CHECK_COUNT" -le 2 ]]; do
+      # Delete Elastalert indices
+      for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}'); do
+        so-elasticsearch-query $i -XDELETE;
+         done
+
+      # Check to ensure Elastalert indices are deleted
+      COUNT=0
+      ELASTALERT_INDICES_DELETED="no"
+      while [[ "$COUNT" -le 240 ]]; do
+        RESPONSE=$(so-elasticsearch-query "elastalert*")
+        if [[ "$RESPONSE" == "{}" ]]; then
+          ELASTALERT_INDICES_DELETED="yes"
+          break
+        else
+          ((COUNT+=1))
+          sleep 1
+          echo -n "."
+        fi
+      done
+      ((CHECK_COUNT+=1))
+    done
+
+    # If we were unable to delete the Elastalert indices, exit the script
+    if [ "$ELASTALERT_INDICES_DELETED" == "yes" ]; then
+      echo "Elastalert indices successfully deleted."
+    else
+      echo
+      echo -e "Unable to connect to delete Elastalert indices. Exiting."
+      echo
+      exit 1
+    fi
+  else
+    echo "Major Elasticsearch version is 8 or greater...skipping Elastalert index maintenance."
+  fi
+}
+
 enable_highstate() {
     echo "Enabling highstate."
     salt-call state.enable highstate -l info --local
@@ -380,7 +470,7 @@ enable_highstate() {
 es_version_check() {
     CHECK_ES=$(echo $INSTALLEDVERSION | awk -F. '{print $3}')
   
-    if [ "$CHECK_ES" -lt "110" ]; then
+    if [[ "$CHECK_ES" -lt "110" ]]; then
       echo "You are currently running Security Onion $INSTALLEDVERSION. You will need to update to version 2.3.130 before updating to 2.3.140 or higher."
       echo ""
       echo "If your deployment has Internet access, you can use the following command to update to 2.3.130:"
@@ -454,6 +544,11 @@ preupgrade_changes() {
     [[ "$INSTALLEDVERSION" == 2.3.110 ]] && up_to_2.3.120
     [[ "$INSTALLEDVERSION" == 2.3.120 ]] && up_to_2.3.130
     [[ "$INSTALLEDVERSION" == 2.3.130 ]] && up_to_2.3.140
+    [[ "$INSTALLEDVERSION" == 2.3.140 ]] && up_to_2.3.150
+    [[ "$INSTALLEDVERSION" == 2.3.150 ]] && up_to_2.3.160
+    [[ "$INSTALLEDVERSION" == 2.3.160 ]] && up_to_2.3.170
+    [[ "$INSTALLEDVERSION" == 2.3.170 ]] && up_to_2.3.180
+    [[ "$INSTALLEDVERSION" == 2.3.180 ]] && up_to_2.3.181
     true
 }
 
@@ -470,7 +565,11 @@ postupgrade_changes() {
     [[ "$POSTVERSION" == 2.3.110 ]] && post_to_2.3.120
     [[ "$POSTVERSION" == 2.3.120 ]] && post_to_2.3.130
     [[ "$POSTVERSION" == 2.3.130 ]] && post_to_2.3.140
-    
+    [[ "$POSTVERSION" == 2.3.140 ]] && post_to_2.3.150
+    [[ "$POSTVERSION" == 2.3.150 ]] && post_to_2.3.160
+    [[ "$POSTVERSION" == 2.3.160 ]] && post_to_2.3.170
+    [[ "$POSTVERSION" == 2.3.170 ]] && post_to_2.3.180
+    [[ "$POSTVERSION" == 2.3.180 ]] && post_to_2.3.181
 
     true
 }
@@ -554,7 +653,25 @@ post_to_2.3.140() {
   POSTVERSION=2.3.140
 }
 
+post_to_2.3.150() {
+  echo "Nothing to do for .150"
+}
 
+post_to_2.3.160() {
+  echo "Nothing to do for .160"
+}
+
+post_to_2.3.170() {
+  echo "Nothing to do for .170"
+}
+
+post_to_2.3.180() {
+  echo "Nothing to do for .180"
+}
+
+post_to_2.3.181() {
+  echo "Nothing to do for .181"
+}
 
 stop_salt_master() {
     # kill all salt jobs across the grid because the hang indefinitely if they are queued and salt-master restarts
@@ -825,44 +942,36 @@ up_to_2.3.130() {
 }
 
 up_to_2.3.140() {
-  ## Deleting Elastalert indices to prevent issues with upgrade to Elastic 8 ##
-  echo "Deleting Elastalert indices to prevent issues with upgrade to Elastic 8..."
-  # Wait for ElasticSearch to initialize
-  echo -n "Waiting for ElasticSearch..."
-  COUNT=0
-  ELASTICSEARCH_CONNECTED="no" 
-  while [[ "$COUNT" -le 240 ]]; do
-    so-elasticsearch-query / -k --output /dev/null
-      if [ $? -eq 0 ]; then
-        ELASTICSEARCH_CONNECTED="yes"
-        echo "connected!"
-          break
-      else
-        ((COUNT+=1))
-        sleep 1
-        echo -n "."
-      fi
-  done
-  if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
-    echo
-    echo -e "Connection attempt timed out.  Unable to connect to ElasticSearch.  \nPlease try: \n  -checking log(s) in /var/log/elasticsearch/\n  -running 'sudo docker ps' \n  -running 'sudo so-elastic-restart'"
-    echo
-    exit 1
-   fi
-   
-   # Delete Elastalert indices
-   for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}'); do so-elasticsearch-query $i -XDELETE; done
-   # Check to ensure Elastalert indices have been deleted
-   RESPONSE=$(so-elasticsearch-query elastalert*)
-   if [[ "$RESPONSE" == "{}" ]]; then
-     echo "Elastalert indices have been deleted."
-   else
-     fail "Something went wrong. Could not delete the Elastalert indices. Exiting."
-   fi
+   elastalert_indices_check
    ##
    INSTALLEDVERSION=2.3.140
 }
 
+up_to_2.3.150() {
+  echo "Upgrading to 2.3.150"
+  INSTALLEDVERSION=2.3.150
+}
+
+up_to_2.3.160() {
+  echo "Upgrading to 2.3.160"
+  INSTALLEDVERSION=2.3.160
+}
+
+up_to_2.3.170() {
+  echo "Upgrading to 2.3.170"
+  INSTALLEDVERSION=2.3.170
+}
+
+up_to_2.3.180() {
+  echo "Upgrading to 2.3.180"
+  INSTALLEDVERSION=2.3.180
+}
+
+up_to_2.3.181() {
+  echo "Upgrading to 2.3.181"
+  INSTALLEDVERSION=2.3.181
+}
+
 verify_upgradespace() {
   CURRENTSPACE=$(df -BG / | grep -v Avail | awk '{print $4}' | sed 's/.$//')
   if [ "$CURRENTSPACE" -lt "10" ]; then
@@ -1178,10 +1287,12 @@ main() {
   verify_latest_update_script
   es_version_check
   es_indices_check
+  elastalert_indices_check
   echo ""
   set_palette
   check_elastic_license
   echo ""
+  check_local_mods
   check_os_updates
 
   echo "Generating new repo archive"
@@ -1346,7 +1457,7 @@ main() {
     fi
 
     echo "Checking for local modifications."
-    check_local_mods
+    check_local_mods skip-prompt
 
     echo "Checking sudoers file."
     check_sudoers

salt/curator/files/bin/so-curator-closed-delete-delete

@@ -29,7 +29,7 @@ LOG="/opt/so/log/curator/so-curator-closed-delete.log"
 
 overlimit() {
 
-        [[ $(du -hs --block-size=1GB /nsm/elasticsearch/nodes | awk '{print $1}' ) -gt "{{LOG_SIZE_LIMIT}}" ]]
+        [[ $(du -hs --block-size=1GB /nsm/elasticsearch/indices | awk '{print $1}' ) -gt "{{LOG_SIZE_LIMIT}}" ]]
 }
 
 closedindices() {

salt/elasticsearch/defaults.yaml

@@ -55,6 +55,10 @@ elasticsearch:
     indices:
       id_field_data:
         enabled: false
+    ingest:
+      geoip:
+        downloader:
+          enabled: false
     logger:
       org:
         elasticsearch:

salt/elasticsearch/files/ingest/sysmon

@@ -25,6 +25,11 @@
     { "set":           { "if": "ctx.event?.code == '15'",   "field": "event.dataset", "value": "file_create_stream_hash", "override": true }  },
     { "set":           { "if": "ctx.event?.code == '16'",   "field": "event.dataset", "value": "config_change", "override": true }  },
     { "set":           { "if": "ctx.event?.code == '22'",   "field": "event.dataset", "value": "dns_query", "override": true }  },
+    { "kv":            {"field":  "winlog.event_data.Hashes",  "target_field": "file.hash",    "field_split": ",",     "value_split": "=",     "ignore_missing": true } },
+    { "kv":            {"field":  "winlog.event_data.Hash",  "target_field": "file.hash",    "field_split": ",",     "value_split": "=",     "ignore_missing": true } },
+    { "rename":      { "field": "file.hash.IMPHASH", "target_field": "hash.imphash",	"ignore_missing":true } },
+    { "rename":      { "field": "file.hash.MD5", "target_field": "hash.md5",    "ignore_missing":true } },
+    { "rename":      { "field": "file.hash.SHA256", "target_field": "hash.sha256",    "ignore_missing":true } },
     { "rename":      { "field": "winlog.event_data.SubjectUserName",	"target_field": "user.name",		"ignore_missing": true 	} },
     { "rename":      { "field": "winlog.event_data.DestinationHostname",	"target_field": "destination.hostname",	"ignore_missing": true 	} },
     { "rename":      { "field": "winlog.event_data.DestinationIp",	"target_field": "destination.ip",	"ignore_missing": true 	} },
@@ -64,6 +69,10 @@
     { "rename":      { "field": "winlog.event_data.SourcePort", 	"target_field": "source.port",		"ignore_missing": true 	} },   
     { "rename":      { "field": "winlog.event_data.targetFilename",	"target_field": "file.target",	"ignore_missing": true 	} },
     { "rename":      { "field": "winlog.event_data.TargetFilename",     "target_field": "file.target",    "ignore_missing": true  } },
+    { "rename":      { "field": "winlog.event_data.QueryResults",       "target_field": "dns.answers.name",    "ignore_missing": true  } },
+    { "rename":      { "field": "winlog.event_data.QueryName",          "target_field": "dns.query.name",    "ignore_missing": true  } },
+    { "remove":      { "field": "winlog.event_data.Hash",		"ignore_missing": true  } },
+    { "remove":      { "field": "winlog.event_data.Hashes",		"ignore_missing": true  } },
     { "community_id": {} }
   ]
 }

salt/elasticsearch/templates/component/so/so-scan-mappings.json

@@ -62,6 +62,13 @@
                   }
                 }
               }
+	    },
+           "elf": {
+              "properties": {
+                "sections": {
+                  "properties": {
+                    "entropy": {
+                      "type": "long"
                     }
                   }
                 }
@@ -69,3 +76,26 @@
 	    }
           }
         }
+      }
+    }
+  }
+}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+

salt/grafana/defaults.yaml

@@ -3085,12 +3085,6 @@ grafana:
             y: 16
             h: 8
             w: 24
-        elasticsearch_pipeline_time_nontc_graph:
-          gridPos:
-            x: 0
-            y: 24
-            h: 8
-            w: 24
 
 
     pipeline_overview_tc:
@@ -3140,9 +3134,3 @@ grafana:
             y: 16
             h: 8
             w: 24
-        elasticsearch_pipeline_time_tc_graph:
-          gridPos:
-            x: 0
-            y: 24
-            h: 8
-            w: 24

salt/idstools/etc/rulecat.conf

@@ -31,7 +31,7 @@
   {%- elif RULESET == 'ETPRO' %}
 --etpro={{ OINKCODE }}
   {%- elif RULESET == 'TALOS' %}
---url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ OINKCODE }}
+--url=https://www.snort.org/rules/snortrules-snapshot-29200.tar.gz?oinkcode={{ OINKCODE }}
   {%- endif %}
 {%- endif %}
 {%- if URLS != None %}

salt/kibana/bin/so-kibana-config-load

@@ -59,7 +59,7 @@ update() {
 
     IFS=$'\r\n' GLOBIGNORE='*' command eval  'LINES=($(cat $1))'
     for i in "${LINES[@]}"; do
-      RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.3.2" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
+      RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.4.3" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
       echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi
     done
  

salt/kibana/files/config_saved_objects.ndjson

@@ -1 +1 @@
-{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n  \"from\": \"now-24h\",\n  \"to\": \"now\"\n}"},"coreMigrationVersion": "8.3.2","id": "8.3.2","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
+{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n  \"from\": \"now-24h\",\n  \"to\": \"now\"\n}"},"coreMigrationVersion": "8.4.3","id": "8.4.3","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}

salt/salt/minion.sls

@@ -81,11 +81,20 @@ set_log_levels:
       - "log_level: error"
       - "log_level_logfile: error"
 
-salt_minion_service_unit_file:
-  file.managed:
+delete_pre_150_start_delay:
+  file.line:
     - name: {{ SYSTEMD_UNIT_FILE }}
-    - source: salt://salt/service/salt-minion.service.jinja
+    - match: ^ExecStartPre=*
+    - mode: delete
+    - onchanges_in:
+      - module: systemd_reload
+
+salt_minion_service_start_delay:
+  file.managed:
+    - name: /etc/systemd/system/salt-minion.service.d/start-delay.conf
+    - source: salt://salt/service/start-delay.conf.jinja
     - template: jinja
+    - makedirs: True
     - defaults:
         service_start_delay: {{ service_start_delay }}
     - onchanges_in:
@@ -109,7 +118,7 @@ salt_minion_service:
       - file: mine_functions
 {% if INSTALLEDSALTVERSION|string == SALTVERSION|string %}
       - file: set_log_levels
-      - file: salt_minion_service_unit_file
+      - file: salt_minion_service_start_delay
 {% endif %}
     - order: last
 

salt/salt/service/salt-minion.service.jinja

@@ -1,15 +0,0 @@
-[Unit]
-Description=The Salt Minion
-Documentation=man:salt-minion(1) file:///usr/share/doc/salt/html/contents.html https://docs.saltstack.com/en/latest/contents.html
-After=network.target salt-master.service
-
-[Service]
-KillMode=process
-Type=notify
-NotifyAccess=all
-LimitNOFILE=8192
-ExecStart=/usr/bin/salt-minion
-ExecStartPre=/bin/sleep {{ salt['pillar.get']('salt:minion:service_start_delay', service_start_delay) }}
-
-[Install]
-WantedBy=multi-user.target

salt/salt/service/start-delay.conf.jinja

@@ -0,0 +1,2 @@
+[Service]
+ExecStartPre=/bin/sleep {{ salt['pillar.get']('salt:minion:service_start_delay', service_start_delay) }}

salt/soc/files/soc/dashboards.queries.json

@@ -5,7 +5,12 @@
             { "name": "Alerts", "description": "Show all alerts", "query": "event.dataset:alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port"},
             { "name": "NIDS Alerts", "description": "NIDS alerts", "query": "event.category:network AND event.dataset:alert | groupby rule.category | groupby rule.gid | groupby rule.uuid | groupby rule.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
             { "name": "Wazuh/OSSEC", "description": "Wazuh/OSSEC HIDS alerts and logs", "query": "event.module:ossec | groupby rule.category | groupby rule.uuid | groupby rule.name | groupby agent.id | groupby agent.name | groupby log.full"},
-            { "name": "Sysmon", "description": "Sysmon logs", "query": "event.module:sysmon | groupby event.dataset | groupby user.name | groupby process.executable | groupby process.command_line | groupby process.parent.command_line"},
+            { "name": "Sysmon Overview", "description": "Overview of all Sysmon data types", "query": "event.module:sysmon | groupby -sankey event.dataset winlog.computer_name | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby event.dataset | groupby user.name | groupby dns.query.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.target | groupby source.ip | groupby destination.ip | groupby destination.port"},
+            { "name": "Sysmon Registry", "description": "Registry changes captured by Sysmon", "query": "(event.dataset:registry_create_delete OR event.dataset:registry_value_set OR event.dataset:registry_key_value_rename) | groupby -sankey event.dataset winlog.computer_name | groupby winlog.computer_name | groupby event.dataset | groupby process.executable | groupby winlog.event_data.TargetObject | groupby process.executable winlog.event_data.TargetObject"},
+            { "name": "Sysmon DNS", "description": "DNS queries captured by Sysmon", "query": "event.dataset:dns_query | groupby -sankey winlog.computer_name dns.query.name | groupby winlog.computer_name | groupby process.executable | groupby dns.query.name | groupby dns.answers.name"},
+            { "name": "Sysmon Process", "description": "Process activity captured by Sysmon", "query": "(event.dataset:process_creation OR event.dataset:process_terminated OR event.dataset:process_access) | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby user.name | groupby event.dataset | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable"},
+            { "name": "Sysmon File", "description": "File activity captured by Sysmon", "query": "(event.dataset:file_create OR event.dataset:file_create_stream_hash OR event.dataset:process_changed_file) | groupby -sankey winlog.computer_name process.executable | groupby winlog.computer_name | groupby event.dataset | groupby file.target | groupby process.executable"},
+            { "name": "Sysmon Network", "description": "Network activity captured by Sysmon", "query": "event.dataset:network_connection | groupby -sankey winlog.computer_name destination.ip destination.port | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name"},
             { "name": "Strelka", "description": "Strelka logs", "query": "event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source"},
             { "name": "Zeek Notice", "description": "Zeek Notice logs", "query": "event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"},
             { "name": "Connections", "description": "Connection logs", "query": "event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes"},

salt/soc/files/soc/hunt.eventfields.json

@@ -49,5 +49,13 @@
           "::syscollector": ["soc_timestamp", "host.name", "metadata.ip_address", "wazuh.data.type", "log.full", "event.dataset", "event.module" ],
           ":syslog:syslog": ["soc_timestamp", "host.name", "metadata.ip_address", "real_message", "syslog.priority", "syslog.application" ],
           ":aws:": ["soc_timestamp", "aws.cloudtrail.event_category", "aws.cloudtrail.event_type", "event.provider", "event.action", "event.outcome", "cloud.region", "user.name", "source.ip", "source.geo.region_iso_code" ],
-          ":squid:": ["soc_timestamp", "url.original", "destination.ip", "destination.geo.country_iso_code", "user.name", "source.ip" ]
+          ":squid:": ["soc_timestamp", "url.original", "destination.ip", "destination.geo.country_iso_code", "user.name", "source.ip" ],
+	  "::process_terminated": ["soc_timestamp", "process.executable", "process.pid", "winlog.computer_name"],
+	  "::file_create": ["soc_timestamp", "file.target", "process.executable", "process.pid", "winlog.computer_name"],
+          "::registry_value_set": ["soc_timestamp", "winlog.event_data.TargetObject", "process.executable", "process.pid", "winlog.computer_name"],
+          "::process_creation": ["soc_timestamp","process.command_line", "process.pid", "process.parent.executable", "process.working_directory"],
+	  "::registry_create_delete": ["soc_timestamp", "winlog.event_data.TargetObject", "process.executable", "process.pid", "winlog.computer_name"],
+          "::dns_query": ["soc_timestamp", "dns.query.name", "dns.answers.name", "process.executable", "winlog.computer_name"],
+          "::file_create_stream_hash": ["soc_timestamp", "file.target", "hash.md5", "hash.sha256", "process.executable", "process.pid", "winlog.computer_name"]
+
 }

salt/soc/files/soc/menu.actions.json

@@ -19,7 +19,7 @@
               "/joblookup?esid={:soc_id}&time={:@timestamp}", 
               "/joblookup?ncid={:network.community_id}&time={:@timestamp}"
             ],
-            "categories": ["hunt", "alerts"]},
+            "categories": ["hunt", "alerts", "dashboards"]},
   { "name": "actionCyberChef", "description": "actionCyberChefHelp", "icon": "fas fa-bread-slice", "target": "_blank", 
             "links": [
               "/cyberchef/#input={value|base64}"

salt/soc/files/soc/presets.tlp.json

@@ -1,8 +1,9 @@
 {
   "labels": [
-    "white",
+    "clear",
     "green",
     "amber",
+    "amber+strict",
     "red"
   ],
   "customEnabled": false

salt/strelka/defaults.yaml

@@ -1,9 +1,10 @@
 strelka:
   ignore:
+    - apt_flame2_orchestrator.yar
+    - apt_tetris.yar
+    - gen_susp_js_obfuscatorio.yar
+    - gen_webshells.yar
     - generic_anomalies.yar
     - general_cloaking.yar
     - thor_inverse_matches.yar
     - yara_mixed_ext_vars.yar
-    - gen_susp_js_obfuscatorio.yar
-    - apt_flame2_orchestrator.yar
-    - apt_tetris.yar

salt/top.sls

@@ -84,7 +84,9 @@ base:
     {%- if STRELKA %}
     - strelka
     {%- endif %}
+    {%- if FILEBEAT %}
     - filebeat
+    {%- endif %}
     {%- if FLEETMANAGER or FLEETNODE %}
     - fleet.install_package
     {%- endif %}
@@ -433,7 +435,9 @@ base:
     - redis
     - fleet
     - fleet.install_package
+    {%- if FILEBEAT %}
     - filebeat
+    {%- endif %}
     - schedule
     - docker_clean
 
@@ -507,7 +511,9 @@ base:
     {%- endif %}
     - schedule
     - docker_clean
+    {%- if FILEBEAT %}
     - filebeat
+    {%- endif %}
     - idh
 
   'J@workstation:gui:enabled:^[Tt][Rr][Uu][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:CentOS )':