securityonion
Security Onion is a free and open platform for threat hunting, enterprise security monitoring, and log management. It includes our own interfaces for alerting, dashboards, hunting, PCAP, and case mana...
ISSUE: A long-running process just happened to start on a PID that was last run as the curator delete action. Due to the simple check at https://github.com/Security-Onion-Solutions/securityonion/blob/c949101d0f77cecee5949411ceb8c8bf52ef9306/salt/curator/files/bin/so-curator-delete#L24 the so-curator-delete script...
Currently there is no way to disable adding the `root_pem` line into `launcher.flags` when osquery packages are generated. We use a custom so-nginx SSL certificate that is trusted, but as generating packages...
Current is `info`, need to find a way to set to `warning`
The osquery.template file that gets placed in `/opt/so/rules/elastalert/playbook` directory is missing at least the play_id key. This causes rules based on the osquery product type to fail to be submitted...
The function below is faulty: https://github.com/Security-Onion-Solutions/securityonion/blob/aa15f3ca4a00acd7f6d0af21c3627520f608f8d2/setup/so-functions#L1979-L1987 As discussion https://github.com/Security-Onion-Solutions/securityonion/discussions/2399#discussioncomment-266163 indicates, the function above appears to be the cause of many non-ISO server installs failing. As a best practice, app installers...
Under consideration: low/medium are classified as `events of interest` and are accessible via a new saved Hunt search; high/critical are classified as `alerts` and are accessible via SOC Alerts
Previously the custom file would be updated to have no content, but the existence of the file does not allow the default to be restored. Deleting the file with this...
Many scripts run by cron, such as so-rule-update and so-elasticsearch-indices-delete, overwrite their logfile on each run, so a history of what the script has done is lost. Changing the redirect...
On nodes that do not store sensor data, the default elasticsearch.retention.retention_pct pillar remains at 50%, leaving much of the space unused unless explicitly updated after install. This used to be...