Security-Onion-Solutions/securityonion 2.4.70-20240529

on GitHub

Download the ISO

https://download.securityonion.net/file/securityonion/securityonion-2.4.70-20240529.iso

What's Changed

• Update VERSION by @TOoSmOotH in #12619
• reschedule close/lock jobs by @jertel in #12601
• FIX: Annotations for BPF and Suricata PCAP #12626 by @dougburks in #12627
• Change Detections defaults by @defensivedepth in #12611
• Remove temp YARA by @weslambert in #12632
• FEATURE: Add Events column layout for event.module system #12628 by @dougburks in #12634
• disregard benign telegraf error by @jertel in #12638
• FEATURE: Add event.dataset to all Events column layouts #12641 by @dougburks in #12642
• FIX: Specify that static IP address is recommended #12643 by @dougburks in #12644
• Update ElastAlert Config with Default Repos by @coreyogburn in #12640
• FIX: http.response.status_code by @weslambert in #12650
• Enable Detections by @defensivedepth in #12639
• Allow for additional af-packet tuning options for Suricata by @m0duspwnens in #12651
• FEATURE: pfSense Suricata logs by @weslambert in #12652
• Initial cut to remove Playbook and deps by @defensivedepth in #12658
• Remove Playbook ref by @defensivedepth in #12659
• FEATURE: Include additional groupby fields in Dashboards relating to sankey diagrams #12657 by @dougburks in #12663
• Initial cut to remove Playbook and deps by @defensivedepth in #12660
• Add bindings for sigma repos by @defensivedepth in #12656
• FEATURE: Add Events table columns for event.module elastic_agent #12666 by @dougburks in #12667
• Fix Input Validation to allow for IPv6 by @TOoSmOotH in #12674
• disregard errors in removed applications that occurred before th… by @jertel in #12683
• FEATURE: Add process.command_line to Process Info and Process Ancestry dashboards #12694 by @dougburks in #12695
• New Settings for Manual Sync in Detections by @coreyogburn in #12696
• FEATURE: Add Events table columns for zeek ssl and suricata ssl #12697 by @dougburks in #12698
• FEATURE: Add individual dashboards for Zeek SSL and Suricata SSL logs… by @dougburks in #12700
• Correct YAML by @coreyogburn in #12702
• Add default columns by @defensivedepth in #12720
• FEATURE: Add Events table columns for event.module strelka #12716 by @dougburks in #12722
• FEATURE: Add Events table columns for event.module playbook #12703 by @dougburks in #12723
• FEATURE: Add Events table columns for event.module strelka #12716 by @dougburks in #12724
• FEATURE: Add Events table columns for event.module strelka #12716 by @dougburks in #12725
• Feature - auto-enabled Sigma rules by @defensivedepth in #12732
• Add cef by @weslambert in #12735
• Add Elastic Agent Status Metrics by @TOoSmOotH in #12734
• FEATURE: Add dashboard for SOC Login Failures #12738 by @dougburks in #12739
• FEATURE: Add Events table columns for event.module kratos #12740 by @dougburks in #12742
• Change code to allow for non root by @TOoSmOotH in #12741
• SOC Telemetry by @jertel in #12731
• Update SOC Config with State File Paths by @coreyogburn in #12744
• do not prompt about telemetry on airgap installs by @jertel in #12747
• Exclude Elastalert EQL errors by @defensivedepth in #12748
• Clarify annotation description re: Airgap by @jertel in #12749
• FEATURE: Add Events table columns for event.module sigma #12743 by @dougburks in #12751
• Allow 2.3 to update by @TOoSmOotH in #12752
• FEATURE: Add dashboards specific to Elastic Agent #12746 by @dougburks in #12753
• skip telemetry summary in airgap mode by @jertel in #12754
• 2.4/soup playbook by @defensivedepth in #12682
• 2.4/detections defaults by @defensivedepth in #12755
• Use list not string by @defensivedepth in #12756
• Update so-log-check by @TOoSmOotH in #12759
• Detection Author as a Keyword instead of Text by @coreyogburn in #12760
• Ship Defender logs + more by @defensivedepth in #12766
• Enable Detections Adv by default by @defensivedepth in #12780
• Update analyst.json by @TOoSmOotH in #12769
• Fix fingerprint paths by @defensivedepth in #12791
• Add docs for ruleset change by @defensivedepth in #12793
• Update limited-analyst.json by @TOoSmOotH in #12810
• FEATURE: Add queue=True to so-checkin so that it will wait for any ru… by @dougburks in #12817
• FIX: Elastic retention setting not being honored when manager hostname is a subset of search node hostname #12819 by @dougburks in #12820
• Strelka fixes and more by @defensivedepth in #12805
• Kismet integration for WiFi devices by @reyesj2 in #12773
• Temp exclude yara runtime status log by @defensivedepth in #12841
• Fix warm description by @weslambert in #12844
• Fix description, regex, and type for cold, warm, and hot by @weslambert in #12848
• Remove hot max_age by @weslambert in #12852
• Issue/12637 by @m0duspwnens in #12859
• Add runtime status logs by @defensivedepth in #12861
• Change index sorting to account for older so-prefixed indices by @weslambert in #12858
• allow for enabled/disable of so-elasticsearch-indices-delete cronjob by @m0duspwnens in #12860
• Exclude suricata from disk space-based index deletion by @weslambert in #12864
• only apply ulimits to suricata container if user enable mmap-locked by @m0duspwnens in #12865
• check status before stopping service by @petiepooo in #12846
• restrict workflows to so by @jertel in #12875
• Sigma pivot fix and cleanup by @defensivedepth in #12876
• set Suricata as default pcap engine for eval by @m0duspwnens in #12880
• Update expected timestamp format in final pipeline for system events by @reyesj2 in #12881
• FIX: Elasticsearch min_age regex #12885 by @dougburks in #12886
• Mark Repos as Community by @coreyogburn in #12882
• FEATURE: Lower EVAL memory requirement to 8GB RAM #12896 by @dougburks in #12897
• update annotations for duplication by @jertel in #12893
• Cold min_age to 60d by @weslambert in #12900
• mark detections settings as read-only via the UI by @jertel in #12904
• Update config.sls by @TOoSmOotH in #12902
• Apply autoEnabledSigmaRules based on role if defined and default if not by @m0duspwnens in #12906
• Update mappings for detection fields by @weslambert in #12909
• FIX: Improve File dashboard #12914 by @dougburks in #12915
• run so-rule-update if ruleset or code changes for idstools by @m0duspwnens in #12918
• FIX: Update so-whiptail to make installation screen more consistent #12921 by @dougburks in #12922
• FEATURE: Add hyperlink to airgap screen in setup #12925 by @dougburks in #12926
• Orchit by @m0duspwnens in #12928
• Exclude new sigma rules by @defensivedepth in #12929
• FEATURE: Add Events table columns for tunnel logs #12937 by @dougburks in #12938
• FEATURE: Add Events table columns for stun logs #12940 by @dougburks in #12941
• FEATURE: Add event.dataset to all Events table layouts #12641 by @dougburks in #12942
• Initial airgap support for detections by @defensivedepth in #12939
• Restart Strelka backend when YARA rules change by @weslambert in #12948
• Fix YARA rules for distributed deployments by @weslambert in #12947
• Remove watch by @weslambert in #12951
• Add CEF by @weslambert in #12955
• test regexes for detections by @jertel in #12956
• Specify Error Retry Wait and Error Limit for All Detection Engines by @coreyogburn in #12957
• update suri regex for testing by @jertel in #12959
• Change so soc writes urls as a list by @TOoSmOotH in #12961
• remove old yara airgap code by @defensivedepth in #12964
• Make the url list read only by @TOoSmOotH in #12963
• searchnode installation improvements by @m0duspwnens in #12965
• FIX: Adjust so-import-pcap so that suricata works when it is pcapengine #12969 by @dougburks in #12970
• Account for 0 active rules and change watch by @weslambert in #12974
• Use state by @weslambert in #12975
• Update config.sls by @TOoSmOotH in #12973
• fix strelka errors by @m0duspwnens in #12983
• tests will retry on any rule import failure by @jertel in #12984
• Add quick action to find related alerts for a detection by @jertel in #12987
• FIX: so-index-list typo #12988 by @dougburks in #12989
• Fix IDH node by @m0duspwnens in #12992
• support upgrade tests by @jertel in #12994
• Update README.md to reference new screenshots for 2.4.70 by @dougburks in #12998
• FEATURE: Add more fields to the SOC Dashboards URL for so-import-pcap #12972 by @dougburks in #12999
• Backup Suricata for migration by @TOoSmOotH in #13000
• 2.4/socdefaults by @defensivedepth in #13001
• create local directories during soup if needed by @m0duspwnens in #13003
• FIX: Detections alerts indices by @weslambert in #13004
• Remove old Strelka configuration for YARA by @weslambert in #12986
• FEATURE: Add NetFlow dashboard #13009 by @dougburks in #13010
• FEATURE: Add NetFlow dashboard #13009 by @dougburks in #13011
• remove idh.services from idh node pillar files by @m0duspwnens in #13013
• so-yaml in soup_scripts by @m0duspwnens in #13016
• Update enabled.sls by @TOoSmOotH in #13017
• Update enabled.sls by @TOoSmOotH in #13019
• Issue/13012 by @m0duspwnens in #13020
• alphabetical order by @defensivedepth in #13023
• add a newline to final output of so-elastic-agent-gen-installers by @m0duspwnens in #13022
• Update soup by @TOoSmOotH in #13024
• exclude detect-parse errors by @jertel in #13025
• dont merge policy from global_overrides if not defined in default index_settings by @m0duspwnens in #13028
• Revert "dont merge policy from global_overrides if not defined in default index_settings" by @m0duspwnens in #13029
• Issue/13021 by @m0duspwnens in #13031
• add support for custom alerters by @jertel in #13035
• Create YARA compile report for SOC integrity check by @weslambert in #13036
• Change Compilation Report Path by @coreyogburn in #13037
• Add Default IntegrityCheck Frequency Values by @coreyogburn in #13039
• Create helper script for tpm enrollment by @reyesj2 in #13040
• Annotate integrityCheckFrequencySeconds per det engine by @coreyogburn in #13041
• Update README.md with new Detections screenshot number by @dougburks in #13044
• Jertel/eaconfig by @jertel in #13047
• Exclude detections from template name matching by @weslambert in #13049
• Add rule.uuid for YARA matches by @weslambert in #13052
• Add rule.uuid to default groupbys by @defensivedepth in #13053
• fix elastalert settings by @jertel in #13054
• Change tab casing to be consistent with other whiptail prompts by @weslambert in #13061
• Fix casing issue by @defensivedepth in #13063
• Update defaults.yaml to fix order of groupby tables and eliminate dup… by @dougburks in #13066
• Fix strelka rule.uuid by @defensivedepth in #13067
• Update defaults.yaml by @TOoSmOotH in #13069
• Telfinwip by @m0duspwnens in #13071
• provide default columns when viewing SOC logs by @jertel in #13076
• Detections backup script by @defensivedepth in #13062
• Add instructions for sigma and yara repos by @defensivedepth in #13078
• Add IDH mappings by @defensivedepth in #13079
• Dont bail - just wait for enter by @defensivedepth in #13081
• Backup .yml files too by @defensivedepth in #13083
• Fix fi by @defensivedepth in #13084
• Check to see if local exists by @defensivedepth in #13085
• fix rsync by @defensivedepth in #13089
• 2.4.70 by @TOoSmOotH in #13090
• 2.4.70 by @TOoSmOotH in #13091

Full Changelog: 2.4.60-20240320...2.4.70-20240529