weslambert
While we can't always know the best way for folks to be able to determine to what host a MAC address or IP belongs, we can make it a bit...
https://documentation.wazuh.com/current/release-notes/release_4_1_4.html
Consider adding information about the pipelines through which an event has been processed for troubleshooting and informational purposes. This could be done through the addition of tags, or through the...
https://www.elastic.co/guide/en/elasticsearch/reference/current/runtime.html https://www.elastic.co/guide/en/elasticsearch/reference/master/runtime-mapping-fields.html
https://github.com/Security-Onion-Solutions/securityonion/blob/master/salt/elasticsearch/files/ingest/zeek.files#L29
We should consider allowing users to save custom queries from the Alerts/Hunt UI.
Similar to how we are doing this for Logstash, we should allow for custom Docker binds for Filebeat. Ex: In pillar:
```
filebeat:
  docker_options:
    filesystem_bindings:
      - /myfile1onhost:/myfile1incontainer:ro
      - /myfile2onhost:/myfile2incontainer:ro
```
...
Consider adding webhook(s) or similar functionality for Alerts/SOC so events of interest (alerts/audit/etc) can be natively fed to an external source.
Allow for setting the Filebeat logging level in the pillar. This should make it easier to change for troubleshooting and not having to worry about modifying files in `/opt/so/saltstack/default/`, copying...
Create ingest node pipeline/FB module for Windows DNS debug logs.
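As an added example of the parsing such a pipeline or module has to do (example code written here, not Security Onion's ingest pipeline or a Filebeat module), the Python below turns Windows DNS Server debug log packet lines into ECS-style fields. It assumes the packet-line layout the log file documents in its own "Message logging key" header (date, time, thread ID, context, packet ID, UDP/TCP, Snd/Rcv, remote IP, Xid, an "R" for responses, opcode, bracketed flags and response code, question type, question name in length-prefixed label form); the sample log is constructed, the ECS field names are choices made here, and header/non-packet lines are skipped rather than guessed at.

```python
"""Parse Windows DNS Server debug log packet lines into ECS-style fields.

Example code, not Security Onion's pipeline. Assumed line layout (from the
log file's own "Message logging key" header):
  Date Time ThreadID Context PacketID UDP|TCP Snd|Rcv RemoteIP Xid [R] Opcode
  [FlagsHex FlagsChars ResponseCode] QuestionType QuestionName
The sample log at the bottom is constructed for this example.
"""
import re
from datetime import datetime
from typing import Dict, Iterable, Iterator, List, Optional

PACKET_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2}(?:\s+[AP]M)?)\s+"   # AM/PM depends on server locale
    r"(?P<thread_id>[0-9A-Fa-f]+)\s+"
    r"(?P<context>\S+)\s+"                               # "PKT" for packet lines
    r"(?P<packet_id>[0-9A-Fa-f]+)\s+"
    r"(?P<transport>UDP|TCP)\s+"
    r"(?P<direction>Snd|Rcv)\s+"
    r"(?P<remote_ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]{4})\s+"
    r"(?P<response>R)?\s*"                               # "R" = response, blank = query
    r"(?P<opcode>[QNU?])\s+"
    # The char-flag field is fixed width (A, T, D, R columns padded with spaces),
    # so capture it lazily up to the response code and strip padding later.
    r"\[(?P<flags_hex>[0-9A-Fa-f]{4})(?P<flags_chars>[ATDR ]*?)\s*(?P<rcode>\S+)\]\s+"
    r"(?P<qtype>\S+)\s+"
    r"(?P<qname>\S+)\s*$"
)
OPCODES = {"Q": "QUERY", "N": "NOTIFY", "U": "UPDATE", "?": "UNKNOWN"}
FLAG_NAMES = {"A": "AA", "T": "TC", "D": "RD", "R": "RA"}  # ECS dns.header_flags values
LABEL_RE = re.compile(r"\((\d+)\)([^(]*)")


def decode_qname(raw: str) -> str:
    """Turn "(3)www(7)example(3)com(0)" into "www.example.com"; "(0)" alone is the root."""
    if not raw.startswith("("):
        return raw
    labels: List[str] = []
    for length, label in LABEL_RE.findall(raw):
        if len(label) != int(length):
            return raw  # malformed length prefix: keep the raw text rather than guess
        if label:
            labels.append(label)
    return ".".join(labels) if labels else "."


def parse_timestamp(date: str, time: str) -> str:
    """Log timestamps are server-local time with no zone; emit ISO-8601 as-is."""
    fmt = "%m/%d/%Y %I:%M:%S %p" if time.upper().endswith(("AM", "PM")) else "%m/%d/%Y %H:%M:%S"
    return datetime.strptime(f"{date} {time}", fmt).isoformat()


def parse_packet_line(line: str) -> Optional[Dict[str, object]]:
    """Return ECS-style fields for one packet line, or None for header/other lines."""
    m = PACKET_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    chars = f["flags_chars"].replace(" ", "")
    event: Dict[str, object] = {
        "@timestamp": parse_timestamp(f["date"], f["time"]),
        "event.category": "network",
        "network.transport": f["transport"].lower(),
        "dns.id": f["xid"].lower(),
        "dns.type": "answer" if f["response"] else "query",
        "dns.op_code": OPCODES[f["opcode"]],
        "dns.header_flags": [FLAG_NAMES[c] for c in "ATDR" if c in chars],
        "dns.response_code": f["rcode"],
        "dns.question.type": f["qtype"],
        "dns.question.name": decode_qname(f["qname"]),
        # Kept opaque: do not assume this equals the on-wire DNS flags word.
        "windows.dns.flags_hex": f["flags_hex"].lower(),
        "windows.dns.thread_id": f["thread_id"],
    }
    # "Rcv" is a packet the DNS server received from remote_ip, "Snd" one it sent to it.
    if f["direction"] == "Rcv":
        event["source.ip"] = f["remote_ip"]
    else:
        event["destination.ip"] = f["remote_ip"]
    return event


def parse_log(lines: Iterable[str]) -> Iterator[Dict[str, object]]:
    """Yield events for packet lines, silently skipping the log's header and blank lines."""
    for line in lines:
        event = parse_packet_line(line)
        if event is not None:
            yield event


def nxdomain_counts(events: Iterable[Dict[str, object]]) -> Dict[str, int]:
    """Count NXDOMAIN answers per client IP: a cheap first-pass DGA/typo-squat signal."""
    counts: Dict[str, int] = {}
    for e in events:
        if e["dns.type"] == "answer" and e["dns.response_code"] == "NXDOMAIN":
            ip = str(e["destination.ip"])
            counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample log: two header lines, then a query/response pair for a
# normal name and a TCP query/response pair that gets NXDOMAIN.
SAMPLE_LOG = """\
DNS Server log file creation at 2/15/2021 9:45:00 AM
Message logging key (for packets - other items use a subset of these fields):
2/15/2021 9:46:02 AM 0A7C PKT  000001D45A6B3C50 UDP Rcv 10.1.1.50       3f2a   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
2/15/2021 9:46:02 AM 0A7C PKT  000001D45A6B3C50 UDP Snd 10.1.1.50       3f2a R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
2/15/2021 9:46:05 AM 0A7C PKT  000001D45A6B4F10 TCP Rcv 10.1.1.77       9c01   Q [0001   D   NOERROR] TXT    (8)zz9plzzz(10)badexample(3)net(0)
2/15/2021 9:46:05 AM 0A7C PKT  000001D45A6B4F10 TCP Snd 10.1.1.77       9c01 R Q [8385 A DR  NXDOMAIN] TXT    (8)zz9plzzz(10)badexample(3)net(0)
"""

if __name__ == "__main__":
    events = list(parse_log(SAMPLE_LOG.splitlines()))
    for e in events:
        print(e["@timestamp"], e["dns.type"], e["dns.question.name"], e["dns.response_code"])
    print("NXDOMAIN per client:", nxdomain_counts(events))
```

The same field set maps one-to-one onto grok and `set` processors in an ingest pipeline; the parts worth carrying over are that the Snd/Rcv flag decides whether the remote IP is a source or destination, the char-flag column is padded rather than delimited, and the question name needs its length prefixes decoded before it is useful for hunting.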