Release Notes
Warning
Security Onion 2.4.210 upgrades Salt to version 3006.19. This version of Salt has a configuration option minimum_auth_version for the Salt master. By default, this value is set to 3 and only minions on version 3006.12 or later support that version and are able to authenticate with the salt-master service. For this reason, during the soup to 2.4.210, we set the minimum_auth_version to 0. Since minions automatically update every 15 minutes, this allows older minion versions to authenticate, run a highstate, and upgrade to 3006.19.
After seven days, a background process will change the minimum_auth_version from 0 to 3 and restart the salt-master service. Once this is done, any minions in the environment that have not upgraded to a version greater than 3006.12 will be unable to authenticate with the salt-master. The likely cause of this would be a minion that is offline. Additionally, if a user attempts to install a new node, using a version less than 2.4.200 (salt-minion 3006.16), the install will fail since the salt-minion will not be able to authenticate with the salt-master.
If one of your nodes was unable to update by the time the minimum_auth_version was changed, then you may notice that the SOC Grid screen shows that you have a node running an older version of Security Onion that never updates. You can verify the issue by checking the following logs:
In /opt/so/log/salt/minion on the remote node:
2026-02-20 14:36:43,479 [salt.crypt :884 ][ERROR ][2215] Sign-in attempt failed: bad load
2026-02-20 14:36:43,480 [salt.minion :1155][ERROR ][2215] Error while bringing up minion for multi-master. Is master at soman1 responding? The error message was Unable to sign_in to master: Attempt to authenticate with the salt master failed
In /opt/so/log/salt/master on the Security Onion manager:
2026-02-20 14:37:13,515 [salt.channel.server:147 ][WARNING ][2313166] Rejected authentication attempt using protocol version 2 (minimum required: 3)
To force the node to update salt, you can connect to the remote node via ssh and then run the following:
sudo dnf versionlock delete salt-* ; sudo yum clean all ; sudo sh /usr/sbin/bootstrap-salt.sh -X -r stable 3006.19
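The following script is an added example and is not part of the Security Onion documentation or project. It automates the log check described above: it counts the master-side "Rejected authentication attempt" lines and the minion-side "Sign-in attempt failed" lines, extracts the minimum protocol version the master is enforcing, and reports whether a node looks stuck on an old salt-minion. The log paths default to the ones named above and can be overridden with two positional arguments; the sample log lines it writes are constructed for offline testing and modelled on the lines quoted above (the INFO line is invented filler, not real Salt output).

```shell
#!/bin/sh
# Added example (not from the Security Onion project): detect minions that the
# salt-master is rejecting because of minimum_auth_version.
# Usage: ./check-salt-auth.sh [master-log] [minion-log]

MASTER_LOG="${1:-/opt/so/log/salt/master}"
MINION_LOG="${2:-/opt/so/log/salt/minion}"

# Number of authentication rejections the master has logged (0 if the log is unreadable).
count_rejected_auth() {
  if [ -r "$1" ]; then
    grep -c 'Rejected authentication attempt using protocol version' "$1" || true
  else
    echo 0
  fi
}

# Highest "minimum required" protocol version seen in the master log (empty if none).
required_auth_version() {
  [ -r "$1" ] || return 0
  sed -n 's/.*(minimum required: \([0-9][0-9]*\)).*/\1/p' "$1" | sort -n | tail -n 1
}

# Number of failed sign-in attempts recorded on the minion side.
count_minion_signin_failures() {
  if [ -r "$1" ]; then
    grep -c 'Sign-in attempt failed' "$1" || true
  else
    echo 0
  fi
}

# Verdict: "stuck" when either side shows the rejection, otherwise "ok".
auth_verdict() {
  if [ "$(count_rejected_auth "$1")" -gt 0 ] || [ "$(count_minion_signin_failures "$2")" -gt 0 ]; then
    echo stuck
  else
    echo ok
  fi
}

# Constructed sample logs (modelled on the lines quoted in the release notes) so the
# checks can be exercised on a workstation without access to a grid.
write_sample_logs() {
  cat > "$1/master" <<'EOF'
2026-02-20 14:37:13,515 [salt.channel.server:147 ][WARNING ][2313166] Rejected authentication attempt using protocol version 2 (minimum required: 3)
2026-02-20 14:52:13,602 [salt.channel.server:147 ][WARNING ][2313166] Rejected authentication attempt using protocol version 2 (minimum required: 3)
2026-02-20 14:52:20,001 [salt.master :100 ][INFO ][2313166] constructed filler line, not a rejection
EOF
  cat > "$1/minion" <<'EOF'
2026-02-20 14:36:43,479 [salt.crypt :884 ][ERROR ][2215] Sign-in attempt failed: bad load
EOF
}

main() {
  echo "master rejections: $(count_rejected_auth "$MASTER_LOG")"
  echo "minimum auth version required: $(required_auth_version "$MASTER_LOG")"
  echo "minion sign-in failures: $(count_minion_signin_failures "$MINION_LOG")"
  echo "verdict: $(auth_verdict "$MASTER_LOG" "$MINION_LOG")"
}

main
```

Run it on the manager with the master log and on the remote node with the minion log; a "stuck" verdict together with a required version of 3 matches the situation described above, and the force-update command is the remedy.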
Warning
Security Onion 2.4.200 changed the way Suricata detections are synchronized. Grids with custom Suricata rulesets will pause all Suricata detection syncing. For more information and required steps, see the Sync Block section.
Warning
Security Onion 2.4.150 included changes for the Elasticsearch deletion process. Elasticsearch indices are managed by both the so-elasticsearch-indices-delete utility and Index Lifecycle Management (ILM). The so-elasticsearch-indices-delete utility is primarily designed for single-node deployments like EVAL and STANDALONE configurations. Running it on a multi-node deployment with one or more search nodes has the possibility of getting into a corner case state where more data is deleted than intended.
If you have a multi-node deployment and haven’t already updated to 2.4.150, then so-elasticsearch-indices-delete will be disabled when you update. You will need to ensure that ILM is configured properly to delete indices before disk usage reaches the Elasticsearch watermark setting. Otherwise, Elasticsearch may stop ingesting new data. For more information, please see the Elasticsearch section.
Known Issues
For all known issues, please see https://github.com/Security-Onion-Solutions/securityonion/issues.
Release History
2.4.211 [20260312] Changes
2.4.210 [20260302] Changes
FEATURE: Add graphs/charts to AI Metrics page
FEATURE: Add support for default user roles #15471
FEATURE: Allow non-airgap soup to use ISO for all large files #15467
FEATURE: Gemini Adapter
FEATURE: Model Thoughts
FEATURE: multi-step ES upgrades smoother for airgap
FEATURE: Onion AI model metrics
FEATURE: OpenAI Chat Adapter
FEATURE: OpenAI Responses Adapter
FEATURE: Record user that acks and/or escalates events #15373
FEATURE: Show context used on each request/response pair
FEATURE: Use new suricata.capture_file to improve PCAP lookups #15398
FIX: Appliance kickstart
FIX: Change context indicator to m/k format
FIX: Cleanup remaining idstools code #15477
FIX: Collection-backed config fields don’t respect forcedType
FIX: Disable redis on heavynodes #15422
FIX: Expanding alert with long unbreaking message content causes extra wide table #15437
FIX: Give message field focus when user navigates to Onion AI page
FIX: Grid node elastic agent install state
FIX: Hide Grid/Client menu links when unavailable to non-superusers #15446
FIX: If you haven’t viewed cases in a while, then escalating from Onion AI to an existing case will fail
FIX: Improve alert icon severity colors #15450
FIX: Kratos field mappings include unnecessary templates #15354
FIX: managed soc annotations migration
FIX: Migrate off logs integration to filestream integration #15364
FIX: MoM subgrid showing Detection status pending #15305
FIX: Multiple lines of consecutive comments causes the BPF compile to error #14908
FIX: Pending status should not show crosshairs #15376
FIX: Rename remaining “Forward” references to “Sensor” nodes #15403
FIX: Review Kratos field parsing #7567
FIX: Sensor and Heavynode Fail to install #15441
FIX: SOC Config - Apply Changes to the correct node #15395
FIX: SOC login form expiring without notifying user #15346
FIX: so-elastic-agent-grid-upgrade upgrade heavynode agents #15434
FIX: Soup fails if salt-relay.sh isn’t running #15518
FIX: Successful logins sometimes would show a 403 error banner #15527
FIX: Telegraf logstash metrics #15423
FIX: Update redis-logs integration file path #15425
FIX: url_base annotation description #15483
FIX: Zeek excluded_files #15439
UPGRADE: Analyzer dependencies #15512
UPGRADE: Docker to 29.2.1 #15495
UPGRADE: Elasticsearch to 9.0.8
UPGRADE: Go dependencies to latest versions #15474
UPGRADE: ISO base image to Oracle 9.7 #15352
UPGRADE: Pcapfix to 1.1.7 #15421
UPGRADE: Salt to 3006.19 #15490
UPGRADE: Zeek to 8.0.6 #15445
2.4.201 [20260114] Changes
2.4.200 [20251215] Changes
FEATURE: Elastic agent high performance tuning in SOC #14965
FEATURE: Add QWEN 235B as a lower cost option for an OnionAI model
FEATURE: Add info icon to the right of sync error states on detection header bar #15256
FEATURE: Additional ILM config via SOC ui
FEATURE: Make OnionAI more accurate and curious
FEATURE: Notify user of hypervisor environment setup failures #15245
FEATURE: Onion AI add tool for creating / updating / disabling / enabling detections
FEATURE: Onion AI auto compact context support
FEATURE: Onion AI escalate to existing case
FEATURE: Onion AI model metrics
FEATURE: OnionAI additional UI metrics
FEATURE: Refactor SOC Detections NIDS for idstools removal #15306
FEATURE: Remember Configuration screen Advanced toggle #15215
FEATURE: Stop retrying PCAP jobs after 5 failures (configurable) #15227
FEATURE: so-elasticsearch-retention-estimate #15178
FIX: “Context Starts Here” line sometimes disappears depending on screen width
FIX: Add guardrails for when users are allowed to click context compression button
FIX: Compaction throws server error
FIX: Creating VM with virtual disk fails with “Hypervisor NSM Disk Full” error #15179
FIX: Do not prompt to continue if memory capacity is too low for certain install types #15255
FIX: Docker registry may not be ready for connections when Salt pulls first container #15058
FIX: Failed setup a while ago #14945
FIX: Failure to download the OL9 qcow2 image can cause the setup_hypervisor runner to hang #15246
FIX: Ignore control characters in minion install.txt #15315
FIX: ISO swap partition on multi disk install #15158
FIX: Improved chat input field
FIX: List of users empty in SOC interface after a sort on a column #15249
FIX: OIDC Link and Unlink #15214
FIX: Onion AI improve error handling from API gateway
FIX: Reduce Sensoroni pcapMaxCount default setting #15208
FIX: Refactor Playbooks variable substitution
FIX: Remove newline that appears for “ ” tool responses
FIX: Rename Forward to Sensor #15172
FIX: Reserve group IDs to prevent collisions #15288
FIX: Show message when Onion AI is experiencing an outage
FIX: Stop collecting PCAP packets if filter covers multiple stream paths #15226
FIX: Tool Calls with OnionAI time out
FIX: UI needs to be notified if context compaction fails #15295
FIX: VM is created without virtual disk mounted #15250
FIX: get_playbooks tool doesn’t respect aggregate: true
FIX: longer timeout for esindexsize.sh telegraf script #15149
FIX: so-setup bond0 being recreated #15233
UPGRADE: Salt to 3006.16 #15173
UPGRADE: Strelka to 1.0.1
UPGRADE: Suricata to 8.0.2 #15203
UPGRADE: Zeek to 8.0.4 #15060
UPGRADE: golang.org/x/crypto from 0.42.0 to 0.45.0 #15258
2.4.190 [20251024] Changes
FEATURE: Add ability to force a fleet agent installer via the --force flag #15146
FEATURE: Allow customization of export CSV delimiter #15129
FEATURE: Allow user to map a virtual disk to /nsm when creating a VM #15121
FEATURE: BYOD hypervisor and managerhype #15102
FEATURE: New grain: nsm_total #15120
FEATURE: Provide notice with option to sync recently modified module #15119
FEATURE: Remember Auto-Refresh Interval for Hunt, Alerts, Dashboards, etc #15077
FEATURE: Security Onion AI Assistant
FEATURE: Show query name under query input #15128
FIX: Action links should replace all vars #15084
FIX: Add event.module to Elasticsearch logs #15074
FIX: Import node fleet output policy #15037
FIX: Logstash fleet output corrupt ssl config #15101
FIX: PCAP Upload validation issues #15143
FIX: Setup occasionally fails if the registry container takes more than a couple seconds to start. #15073
FIX: Subgrid count calculation #15078
FIX: so-hypervisor bridge not created during setup #15050
UPGRADE: SOC Dependencies #15059
UPGRADE: Attack Navigator to 5.1.1 #15097
UPGRADE: Docker base images to latest respective versions #15093
UPGRADE: ElastAlert 2 to 2.26.0 #15094
UPGRADE: Elastic to 8.18.8 #15117
UPGRADE: Golang to 1.25.1 #15079
UPGRADE: Nginx to 1.29.1 #15096
UPGRADE: Redis to 7.2.11 #15116
UPGRADE: Telegraf to 1.36.1 #15095
UPGRADE: Zeek to 7.0.11 #15135
2.4.180 [20250916] Changes
FEATURE: Add contextual help buttons to screen toolbars #15027
FEATURE: Alert on offline agent #14898
FEATURE: Allow alerts, dashboards, hunt query to be canceled by the submitter
FEATURE: Enable static hostname mapping without reverse DNS lookups #14900
FEATURE: Kafka output policy
FEATURE: Manager with hypervisor capabilities #14997
FEATURE: Preparation work for upcoming features
FEATURE: Reporting and Exporting
FIX: Autofocus OTP field #14984
FIX: Disable Elastic Telemetry by default #14924
FIX: Elastalert - verify that empty file has not been written #14822
FIX: Filter out salt INFO logs for ingest #14447
FIX: Hypervisor firewall rules don’t get applied to Managersearch or Standalone #14923
FIX: Receiver custom_fqdn #15023
FIX: Refactor IDH Dockerfile #14473
FIX: Review additional STIGs
FIX: Set NIC Channels combined to 1 for monitor interfaces #14951
FIX: Spacing issue on certain Configuration screens #14989
FIX: Subgrid PCAP downloads #15030
FIX: Suricata metadata index rollover #15021
FIX: Unable to remove passkey for passwordless logins #14926
FIX: Zeek DNS ingest error
UPGRADE: Analyzer dependencies
UPGRADE: Elasticsearch 8.18.6 #15014
UPGRADE: ISO base image to Oracle 9.6 #15007
UPGRADE: Kafka base image
UPGRADE: Suricata to 7.0.12 #15038
UPGRADE: Zeek to 7.0.10 #14967
2.4.170 [20250812] Changes
FEATURE: Add JA4 Support #14864
FEATURE: Add SOC dashboard for CEF logs #14837
FEATURE: Add SOC dashboard for iptables logs #14836
FEATURE: Add SOC dashboards for UniFi logs #14838
FEATURE: Allow Custom Playbook Repo Import #14780
FEATURE: Elasticsearch troubleshooting helper script #14523
FEATURE: Playbooks UI - AutoExpand & Styling #14851
FEATURE: Zeek JA4+ parsing #14465
FIX: Add reminder to API Client dialog about permissions #14847
FIX: Analyst permissions for Playbooks #14811
FIX: Config Backup should exclude agent installers #14351
FIX: Duplicate Detections when using local git repo #14829
FIX: IDH startup message not parsed correctly #11467
FIX: Incorrect file ownership for idstools/idh scripts
FIX: JS error during Playbook usage #14802
FIX: Remove atop from ISO build to address CVE-2025-31160 #14642
FIX: Review ISO Size
FIX: Sorting in the Alerts Interface Causing Duplicate Data to Appear #14786
FIX: Update common pipeline to rename geoip ASN data #14884
UPGRADE: Elastic to 8.18.4 #14799
UPGRADE: Suricata to 7.0.11 #14817
UPGRADE: Ubuntu 24.10 base images switch to LTS 24.04 #14798
UPGRADE: Zeek Ethercat plugin #14783
UPGRADE: Zeek to 7.0.9 #14861
2.4.160 [20250625] Changes
FEATURE: Keyboard Accessibility and Screen Reader Support #14715
FEATURE: Playbooks #14694
FEATURE: Splunk App
FEATURE: so-elasticsearch-indices-growth script #14699
FIX: Disallow upper case email addresses on new user form #14655
FIX: Improve annotation for Elasticsearch index deletion #14682
FIX: Improve subgrid error handling
FIX: License system improvements
FIX: Provide HSTS header on initial page redirect #14713
FIX: SOC PCAP jobs page doesn’t remember the Items per page setting #14630
FIX: Show OIDC users message if attempting to login with same email as a local user #14726
FIX: Sigma rule repos can’t have same name #14615
FIX: global@custompipeline overwriting system integration timestamps #14693
FIX: so-elasticsearch-ilm-start needs shebang #14688
FIX: so-suricata-testrule should disable pcap logging #14685
UPGRADE: Alpine base image to 3.21.3 #14710
UPGRADE: Base image for so-strelka-filestream #14678
UPGRADE: Base image for so-strelka-frontend #14679
UPGRADE: Base image for so-strelka-manager #14680
UPGRADE: Docker registry to 3.0.0 #14702
UPGRADE: ElastAlert2 to 2.24.0 #14671
UPGRADE: Hydra to 2.3.0 #14692
UPGRADE: IDS tool base image update to 3.13.3-slim #14707
UPGRADE: ISO base image to Oracle Linux 9.5 #14681
UPGRADE: InfluxDB to 2.7.12 #14670
UPGRADE: Nginx base image to 1.27.5 #14709
UPGRADE: PCAP Tools docker base image to 3.13.3-slim #14708
UPGRADE: Redis docker to 7.2.9 #14706
UPGRADE: SOC related dependencies #14672
UPGRADE: Telegraf to 1.34.4 #14705
UPGRADE: Zeek to 7.0.8 #14616
2.4.150 Hotfix [20250522] Changes
FIX: Remove python docker module from so-docker-prune #14647
2.4.150 [20250512] Changes
FEATURE: Additional grid management (MoM) #14552
FEATURE: Add refresh button to more SOC screens
FEATURE: Add setting direct hyperlink copy-to-clipboard button icon
FEATURE: Collect ES index metrics
FEATURE: Convert Kratos identity_id to user.name #14598
FEATURE: Disable auto-upgrading non-default integrations #14516
FEATURE: Enable external access to Kafka #13754
FEATURE: Support wrapping UI config entries at top/bottom of list
FIX: Add log.origin.file.line to base templates #14417
FIX: Allow configuration of background actions via config UI #14503
FIX: Correct joblookup route for Connect API #14515
FIX: Detection Overrides should not trigger “updated” state during sync #14361
FIX: Detections index refresh_interval #14572
FIX: Disable import pcap button on SOC UI for heavynodes #14430
FIX: Elastic Delete Cleanup Changes #14491
FIX: First highstate failure after reboot #14442
FIX: Influxdb not properly calculating root partition usage on STIG installations
FIX: Issue Reboot request as async when submitted via SOC UI #14553
FIX: Kafka server logs
FIX: Logstash log rollover #14065
FIX: null pointer exception in global custom pipeline #14602
FIX: PCAP filter is unable to collect IPV6 ICMP #14492
FIX: Remove unmaintained archiver dependency #14597
FIX: SOC PCAP Rows per page setting is not remembered #14487
FIX: so-import-pcap should not be installed on heavy nodes #14431
FIX: Strelka backend scanner yaml config syntax error #14406
FIX: Strelka containers restart when the config changes #14498
FIX: Suricata Regex not working as expected #14571
FIX: Configuration screen default toggle value hard to read when disabled
FIX: Web server cert should include the url_base in alternate subject #14573
FIX: x509_v2.py TypeError: list indices must be integers or slices, not str #14452
UPGRADE: Analyzer dependencies #14606
UPGRADE: Kafka 3.9.0 #14485
UPGRADE: SOC Go external libraries
2.4.141 [20250331] Changes
2.4.140 [20250324] Changes
FEATURE: Allow moving configuration entries up or down
FIX: Adding new user with non-analyst role will default to analyst role #14395
FIX: Allow single entry for Zeek file extracts
FIX: AQM menu option should only be visible to superusers when Pro license is applied #14393
FIX: Creating a PCAP job with the new popup calendar fails to retrieve PCAP #14387
FIX: Detection title under Alert Details panel overflows beyond border #14369
FIX: Grid Configuration Zoom Level #14366
FIX: limited-analyst and limited-auditor roles receive 403 error upon login #14392
FIX: Pro license message invisible in light mode #14382
FIX: Salt bootstrap #14435
FIX: Unable to add more than one Suricata tuning rule without navigating away #14374
FIX: Unable to extract PCAP from imported PCAPs when using Suricata for PCAP #14426
FIX: Unable to import PCAP on remote sensor nodes via SOC UI #14424
FIX: Unable to load YARA rules with multiline comments #14400
FIX: Update global.pipeline annotation
FIX: Zeek ldap_search missing observer.name #14370
UPGRADE: SOC golang.org/x/net to 0.36.0 #14399
UPGRADE: Suricata to 7.0.9 #14401
UPGRADE: Zeek to 7.0.6 #14421
2.4.130 [20250311] Changes
FEATURE: Add a pop-up calendar for the start and end time in the PCAP interface #14115
FEATURE: Add notes to SOC Config about Elasticsearch ILM rollover #14353
FEATURE: Add sankey chart to Elastic Agent API dashboard to show relationship between process.name and process.Ext.api.name #14339
FEATURE: Additional licensing enhancements
FEATURE: Allow query cancelation from Security Onion Console #4161
FEATURE: Allow users to switch Alerts to advanced interface permanently #14348
FEATURE: Enhance config UI Element capabilities
FEATURE: Improve management of ES index templates for integrations
FEATURE: Review ES field mapping conflicts
FEATURE: Use new annotations to improve configuration interface #14209
FEATURE: Zeek parsing
FIX: API unauthorized vs forbidden response #14304
FIX: Add TLSv1.3 to nginx config #14252
FIX: Alert Overview summary overflows beyond border #14365
FIX: Check for metrics indices with replicas configured causing ES to go YELLOW
FIX: Elastic Agent Security Events dashboard should reference user.effective.name #14325
FIX: No license file in repo #14266
FIX: Reduce so-setup and soup console output #14330
FIX: SOC Actions for process.entity_id value must be quoted #14311
FIX: SOC Alerts Column Sorting #14242
FIX: SOC Detections table showing incorrect numbers #14317
FIX: SOC Grid Members improve REVIEW button in light mode #14332
FIX: SOC Light Mode Icon Colors #14237
FIX: SOC PCAP Transcript Context Menu #14294
FIX: SOC PCAP column headers hidden from view #14234
FIX: SOC logging 404 requests with url field that should be a string #14293
FIX: Verify geoip database
FIX: pfSense Suricata integration
FIX: so-import-pcap not working on STIG installation
UPGRADE: Elastic Fleet to support Elastic Defend on macOS 15.x (Sequoia) #14010
UPGRADE: Elastic to 8.17.3 #14356
UPGRADE: SOC Golang to 1.24 #14230
2.4.120 [20250212] Changes
FEATURE: Additional supported integrations
FEATURE: Add template Sigma & YARA local custom repo
FEATURE: Allow users to prevent the kernel and other packages from being upgraded
FEATURE: API Clients #13928
FEATURE: ATT&CK Layer for Detections #13885
FEATURE: Custom Local IP to Hostname Mapping
FEATURE: Elastic Agent MSI #13744
FEATURE: Expose new rule summary to Alerts page #13770
FEATURE: Extract additional metadata - Created & Updated
FEATURE: Improve Operational Notes & Overrides
FEATURE: Make TRACK column visible
FEATURE: More configurable options to enable|disable Sigma rules on import
FEATURE: Override Note #13766
FEATURE: Show available Pro features on unprovisioned license screen #14072
FEATURE: Suppress the Context Menu when highlighting text #13184
FEATURE: Toggle Enabled|Disabled for Detection Engine syncs
FEATURE: Trend Micro Integration
FEATURE: When Clicking a Detection Engine Status, Run a Specific, Configurable Hunt Query #13865
FEATURE: Zeek HTTP2
FEATURE: Zeek IPSec #14006
FEATURE: Zeek LDAP
FEATURE: Zeek OpenVPN #14005
FEATURE: Zeek QUIC #6925
FIX: Better handling of Detections’ custom git repo errors
FIX: Cloud installs should use pre-installed docker registry data #14044
FIX: Configuration YAML validator fails on valid YAML #13965
FIX: Detections - Overrides list only displays 10 #13950
FIX: Ensure createrepo_c is installed on airgapped manager nodes #13857
FIX: Flickering Sankey chart #14215
FIX: Have soup ensure that top.sls is in normal mode even if there are no soup changes #13808
FIX: Invalidate a user’s sessions when an administrator changes the user’s password #14076
FIX: Non Oracle nodes failing soup / Salt upgrade #13926
FIX: null pointer exception in global@custom pipeline #14117
FIX: Okta index template missing okta-mappings component template #14106
FIX: Records being partially displayed in the Alerts interface when expanded #14108
FIX: Review ILM settings for Detection History index
FIX: rsync error during non-airgapped manager setup #13860
FIX: Salt Repo has moved #13898
FIX: Salt state warnings #13851
FIX: so-repo-sync errors on non Oracle OS #13919
FIX: Suricata Integrity Check fails when Suricata Metadata rules are enabled
FIX: Update crowdstrike integration support #13913
UPGRADE: ATT&CK Navigator to 5.1.0
UPGRADE: CyberChef to 10.19.4 #14131
UPGRADE: ElastAlert 2 to 2.22.0 #14082
UPGRADE: Go dependencies in SOC #14020
UPGRADE: InfluxDB to 2.7.10 #14084
UPGRADE: Kratos to 1.3.1 #14083
UPGRADE: NGINX to 1.26.2 #14086
UPGRADE: Vue.js front-end UI framework to v3 #13806
UPGRADE: Zeek 7
2.4.111 Patch [20241217] Changes
UPGRADE: Suricata 7.0.8 #14024
2.4.110 Hotfix [20241010] Changes
FIX: Use ID instead of name for getting integrations from agent policies #13795
2.4.110 [20241004] Changes
FEATURE: Activate generated detection summaries #13454
FEATURE: Add Elastic Integration for Barracuda CloudGen Firewall
FEATURE: Add Elastic Integration for Imperva Cloud WAF
FEATURE: Add new alerts for changes in SOC status #13654
FEATURE: AI-Generated Rule analysis / summary
FEATURE: Allow external access to suricata rules managed by Detections #13655
FEATURE: Allow for users to add custom skins for IDH http
FEATURE: Create ISO install options for SOS Appliances
FEATURE: Desktop ISO install STIG support
FEATURE: For improved upgrade experience, tag Elasticsearch image with Elastic version #13606
FEATURE: Handle Custom Integration Policy Upgrades #13560
FEATURE: SOS Process Filters for Elastic Agent
FEATURE: Standalone use Suricata for PCAP by default #13650
FIX: Add additional warning text in Configuration screen when trying to disable key components
FIX: Analysts should be able to modify and disable Suricata rules #13668
FIX: Elastic integration field mappings #13725
FIX: Intermittent soup errors causing soup to exit with failure message #13247
FIX: Minion overrides in Config screen show global override values #13689
FIX: Resolve missing CA certs in Kratos container #13722
FIX: Sensor age in grid screen sometimes shows incorrect age of node #13628
FIX: Since OIDC emails can have uppercase, force lowercase prior to server side dispatch #13730
FIX: Stenographer packet loss differs from influxdb #13626
FIX: Update Parsing of Suricata logs from pfSense and OPNsense
FIX: When NIDS rules update, ask Suricata to reload rules rather than restart
UPGRADE: CyberChef 10.19.2 #13637
UPGRADE: Docker 27.2.0 #13566
UPGRADE: ElastAlert 2 to 2.20.0 #13700
UPGRADE: Kratos to 1.3.0 #13758
UPGRADE: Suricata to 7.0.7 #13760
UPGRADE: Zeek 6.0.8 #13600
2.4.100 Hotfix [20240903] Changes
FIX: Missing mappings for WEL Templates
2.4.100 [20240829] Changes
FEATURE: Add breadcrumbs to Grid Configuration
FEATURE: Add SOC Config Quick Link to allow Security Onion Desktop installations through firewall #13412
FEATURE: Add warning to soup about ssh #13466
FEATURE: Elastic Integration for tenable.io
FEATURE: Optional setting to force users to setup OTP/MFA upon login #13388
FEATURE: Enhanced notifications (Pro) and related configuration updates
FIX: Admin resetting of a user’s password is not removing MFA #13468
FIX: Appliance kickstart updates
FIX: Detections: YARA Detection tuning pivot should take user to detection source instead of tuning
FIX: Duplicate variable causing Suricata failure #13461
FIX: Elastic Fleet disable TLS 1.1 by default
FIX: Exempt desktop nodes from license node count
FIX: Firewall annotations for Kafka
FIX: Reduce size of SOC image due to git
FIX: Reduce SOC Config Loading Time
FIX: Review and disable outdated ciphers for Fleet #11145
FIX: Salt packages not versionlocked #13438
FIX: SOC logs ILM policy doesn’t exist #13555
FIX: Suricata Alerts missing kafka.id field
FIX: Syntax Check before submitting New Rule #13385
FIX: Tuning details should be included as part of the history item #13225
FIX: Update Agent Builder Dependencies #13142
FIX: Update pipeline version for EVTX #13563
UPGRADE: Docker Registry 2.8.3 #13510
UPGRADE: ElastAlert 2.19.0 #13496
UPGRADE: Elastic 8.14.3 #13263
UPGRADE: Kratos 1.2.0 #13471
UPGRADE: Salt 3006.9 #13423
UPGRADE: SOC dependencies to latest versions #13488
UPGRADE: so-elastic-agent-builder base image #13505
UPGRADE: so-elastic-fleet-package-registry base image
UPGRADE: so-idh base image #13503
UPGRADE: so-idstools base image #13500
UPGRADE: so-influxdb base image and InfluxDB 2.7.9 #13494
UPGRADE: so-kafka base image and Kafka 3.8.0 #13497
UPGRADE: so-nginx base image #13491
UPGRADE: so-pcaptools base image #13495
UPGRADE: so-redis base image and Redis 7.2.5 #13501
UPGRADE: so-steno base image #13498
UPGRADE: so-strelka-backend base image
UPGRADE: so-strelka base images #13504
UPGRADE: so-suricata base image #13492
UPGRADE: so-tcpreplay base image #13499
UPGRADE: so-telegraf base image and Telegraf 1.31.3 #13502
UPGRADE: so-zeek base image #13493
2.4.90 [20240729] Changes
FEATURE: Add new action to SOC Actions list to allow users to more easily add their own actions #13346
FEATURE: Include new Security Onion appliance images for v2 refresh
FEATURE: Provide maximize button on configuration screen
FEATURE: Support suricata regex enable | disable
FEATURE: Visualize diff of history edits
FIX: Better Timeout Error message #12534
FIX: Custom defined template causes SLS rendering error in base:elasticsearch.enabled #13328
FIX: Detections - Bulk Performance Revisit
FIX: Disable logstash on heavynodes #13073
FIX: Exclude policy phases if not defined in defaults #13354
FIX: Heavynode architecture documentation
FIX: Improve displayed metrics for Kafka in influxdb #13235
FIX: Refactor Sync Process
FIX: Update MOTD #13317
FIX: Update SOC MOTD #13320
UPGRADE: Base image for so-steno container to oracle9:latest #13344
UPGRADE: Base image for so-tcpreplay container to oracle9:latest #13345
UPGRADE: CyberChef 10.19.0 #13267
UPGRADE: so-idh to newer base image #13265
UPGRADE: so-nginx to nginx:1.26.1-alpine #13264
UPGRADE: Suricata 7.0.6 #13283
2.4.80 [20240624] Changes
FEATURE: Add IP/VAR column to Suricata Overrides view
FEATURE: Add more links and descriptions to SOC MOTD #13216
FEATURE: Add new Process actions #13226
FEATURE: Add SOC Config Quick Links for Cold and Warm ILM Phases #13203
FEATURE: Bulk Delete Custom Detections #13151
FEATURE: Create Detection - Preload Rule Templates #13152
FEATURE: Guaranteed Message Delivery #13201
FEATURE: Show notice in SOC if license will expire within 45 days
FEATURE: Support Custom Suricata Rulesets via URL and local file #13195
FEATURE: Support Suricata VARs for Overrides #13194
FEATURE: Syntax Highlighting
FEATURE: Toggle full query visibility in hunt screens
FIX: Add duplicate check to Integrity Check
FIX: Add file transfer status to ISO output
FIX: Bulk Actions - No banner at start #13177
FIX: Can not use suricata address-book names in address-group definitions #13136
FIX: Custom Sigma Detection - Description field #13159
FIX: Detections - Suricata Integrity Check #13180
FIX: Elasticsearch index templates not loading #13161
FIX: .items and .lists indices are created with a replica #13111
FIX: Page limit for Fleet Agent Policies #13131
FIX: Proxy support in Detections #13153
FIX: Quoting when duplicating Suricata Detection #13241
FIX: Receiver nodes should allow connections from Elastic Agents #13167
FIX: Refactor DetectionParameters
FIX: Separate Suricata indices into alerts and metadata #12868
FIX: so-test and so-tcpreplay fail when manager offline #13104
FIX: Unable to add additional Suricata Overrides without page refresh #13188
FIX: Visual Glitch - dupe operational notes when updating custom rule #13199
UPGRADE: CyberChef 10.18.6 #13174
UPGRADE: Docker #13181
2.4.70 [20240529] Changes
FEATURE: Add confirmation dialog for “revert to default” button in Configuration
FEATURE: Add dashboard for NetFlow #13009
FEATURE: Add dashboard for SOC Login Failures #12738
FEATURE: Add dashboards specific to Elastic Agent #12746
FEATURE: Add event.dataset to all Events table layouts #12641
FEATURE: Add Events table columns for event.module elastic_agent #12666
FEATURE: Add Events table columns for event.module kratos #12740
FEATURE: Add Events table columns for event.module opencanary #12655
FEATURE: Add Events table columns for event.module playbook #12703
FEATURE: Add Events table columns for event.module sigma #12743
FEATURE: Add Events table columns for event.module strelka #12716
FEATURE: Add Events table columns for event.module system #12628
FEATURE: Add Events table columns for stun logs #12940
FEATURE: Add Events table columns for tunnel logs #12937
FEATURE: Add Events table columns for zeek ssl and suricata ssl #12697
FEATURE: Add groupby fields to Dashboards relating to sankey diagrams #12657
FEATURE: Add hyperlink to airgap screen in setup #12925
FEATURE: Add individual dashboards for Zeek SSL and Suricata SSL logs #12699
FEATURE: Additional Supported Integrations #6
FEATURE: Add more fields to the SOC Dashboards URL for so-import-pcap #12972
FEATURE: Add process.command_line to Process Info and Process Ancestry dashboards #12694
FEATURE: Add queue=True to so-checkin so that it will wait for any running states #12815
FEATURE: Add SOC Quick Link for Elasticsearch ILM Deletion #12854
FEATURE: Allow duplication of certain config settings
FEATURE: Allow users to disable Elasticsearch cleanup script #12856
FEATURE: Change default timeout period for Elastic Agent installation
FEATURE: Continuation of new Detections module rollout #12903
FEATURE: Delayed enrollment for Elastic Agents
FEATURE: Enable license checks for enterprise features #12839
FEATURE: Eval use Suricata for PCAP by default #12878
FEATURE: Hunting for SOC logs should show relevant columns
FEATURE: Introduce new readOnlyUi annotation
FEATURE: Kismet integration #12849
FEATURE: Lower EVAL memory requirement to 8GB RAM #12896
FEATURE: pfSense Suricata logs #12653
FEATURE: SOC Telemetry to provide feature usage feedback to dev team
FEATURE: SOS Sigma ruleset
FIX: Add annotations for BPF and Suricata PCAP #12626
FIX: Add missing options to Suricata af-packet config #12637
FIX: Add the write privilege to the analyst and limited-analyst roles to enable acking of alerts #12770
FIX: Adjust so-import-pcap so that suricata works when it is pcapengine #12969
FIX: Change Elasticsearch min_age setting for cold phase #12890
FIX: Configuration screen search filter causes long delays #12923
FIX: Detections alerts indices #13005
FIX: Detections alerts template not being loaded because load script is trying to match names #13048
FIX: Elastic retention setting not being honored when manager hostname is a subset of search node hostname #12819
FIX: Elasticsearch annotation file for ILM index settings #12726
FIX: Elasticsearch cleanup script should avoid Suricata alerts #12855
FIX: Elasticsearch min_age regex #12885
FIX: GitHub discussion/issue curator workflows fail on repo forks
FIX: IDH node installs, but won’t configure #12991
FIX: idh.services is displayed in SOC Grid Configuration as an advanced setting #13012
FIX: Improve File dashboard #12914
FIX: Input Validation for IPv6 addresses in Zeek and Suricata vars #12675
FIX: mapping conflict with field http.response.status_code #12543
FIX: Remove errant max_age setting from Elastic SOC config #12851
FIX: Rendering SLS ‘base:elasticsearch.enabled’ failed: Jinja error: Cannot update using non-dict types in dictupdate.update() #13030
FIX: Resetting a customized file to default should restore the default #13008
FIX: so-elasticsearch-ilm-policy-load trying to set policy for indices not managed by ILM #13021
FIX: so-index-list not working correctly #12988
FIX: Sorting for older and newer indices in Elasticsearch cleanup #12857
FIX: so-verify detects rare false error #12811
FIX: Specify that static IP address is recommended #12643
FIX: Update expected timestamp formats in ingest pipeline #12887
FIX: Update so-whiptail to make installation screen more consistent #12921
UPGRADE: CyberChef 10.17.0 #12798
UPGRADE: Suricata 7.0.5 #12843
UPGRADE: Zeek 6.0.4 #13027
2.4.60 [20240320] Changes
FEATURE: Add Suricata classification.config for editing #12391
FEATURE: Add Suricata support for full PCAP #12571
FEATURE: Add default columns for endpoint.events datasets #12425
FEATURE: Add new SOC action for Process Info #12421
FEATURE: Add new endpoint dashboards #12428
FEATURE: Additional Supported Integrations #5
FEATURE: Improve Grid page Reboot indicators #12546
FEATURE: Initial implementation of the new Detections system (currently disabled)
FIX: Accept Uppercase emails #12559
FIX: Change the default setting for steno diskfreepercentage on standalone installations to 21 #12541
FIX: Download only newest packages for network installs
FIX: EA packages are not downloadable once STIGs have been applied
FIX: Endpoint diagnostic template pattern #12433
FIX: Exclude templates from global overrides when necessary #12382
FIX: Improve the accuracy of the stenoloss script #12477
FIX: Receiver node Redis queue fills up using Managersearch without a Searchnode #12535
FIX: Support Oinkcode values containing leading 0’s #12506
FIX: Update SOC annotations for Stenographer PCAP #12539
FIX: Update correlate quick action with new icon #12387
FIX: Update ks.cfg for appliances
FIX: error.message mapping for system.syslog #12518
FIX: so-saltstack-update should use the proper repo in 2.4 #12570
UPGRADE: CyberChef 10.8.2 #12454
UPGRADE: Kratos to 1.1.0 #12479
UPGRADE: Suricata 7.0.4 #12609
2.4.50 [20240220] Changes
FEATURE: Add Suricata PCAP module to Sensoroni (currently disabled) #12255
FEATURE: Add new SOC action to show process ancestry #12345
FEATURE: Add new dashboards for community_id and firewall auth #12323
FEATURE: Additional Supported Integrations #4
FEATURE: Allow user to create custom Elasticsearch pipelines without copying them over via ssh
FEATURE: Allow user to create custom logstash pipelines without copying them over via ssh
FEATURE: Dedicated Fleet node should have an nginx entry and cert that works for /artifacts #11346
FEATURE: Determine if Elastic is on its own mount point if so adjust size for watermark #12364
FEATURE: Improve Correlate and Hunt actions on SOC Actions menu #12315
FEATURE: RITA Logs #12226
FEATURE: Support PCAP pivots for ICMP packets in SOC
FIX: suricata.ike ingest pipeline does not exist #12174
FIX: Add stenographer logging #12282
FIX: Change field groupby button to new groupby #12228
FIX: Correct SOC error messages related to malformed queries #12269
FIX: Endpoint diagnostic collection index created with replicas #12256
FIX: Expose node Reboot status as its own state; other grid/feature improvements
FIX: Network Transport for suricata alerts should be lowercase #12217
FIX: Strelka scan.pe.flags mapping #12251
FIX: Sync the event.dataset values between the Windows Sysmon and ElasticAgent defend logs
FIX: Syntax error running elastic fleet scripts during highstate
FIX: User count logic providing inconsistent results #12258
UPGRADE: CyberChef 10.6.0 #12310
UPGRADE: Salt 3006.6 #12304
UPGRADE: Strelka 0.24.01.18 #12229
UPGRADE: Suricata 7.0.3 #12327
UPGRADE: Zeek 6.0.3 #12225
2.4.40 [20240116] Changes
FEATURE: Add geoip support to Suricata #11901
FEATURE: Additional Supported Integrations #2 #11958
FEATURE: Additional Supported Integrations #3 #12056
FEATURE: Add server reboot notification to SOC #11852
FEATURE: Allow an easy way to disable incoming events to a manager #12033
FEATURE: Carve out the cert_chain_fps value from SSL traffic #11806
FEATURE: Echotrail, Elasticsearch, MalwareBazaar, and ThreatFox Analyzers #12014
FEATURE: Grid page status/metric enhancements #11971
FEATURE: Manipulate event table columns #12145
FEATURE: Sublime Platform Analyzer #11883
FIX: Add force option to integrations #12017
FIX: Adding extra_hosts for SOC, Elasticsearch and Logstash Docker containers fails #12015
FIX: Begin kickstart consolidation
FIX: Corrupt job files should not cause SOC to exit during startup #12082
FIX: Disable Elastic Agent Downloads for Import and Eval mode
FIX: Docker service sometimes not started or enabled on remote nodes during setup #12101
FIX: Documentation links under SOC - Administration - Configuration need updating #11828
FIX: FIM Integration #11847
FIX: Ignore Zeek analyzer log #11892
FIX: Improve salt-relay response integrity
FIX: ISO image should default to 1GB /boot partition #12002
FIX: Logstash pipeline to point to self instead of manager #12038
FIX: Make sure optional integration pillar values are merged with defaults #12163
FIX: Playbook Navigator Layer #11380
FIX: Remove Curator
FIX: Remove sudo entry for so-setup after setup completes
FIX: Rerunning setup should uninstall local Elastic Agent #12030
FIX: Show more readable column names for default Case list screen #12162
FIX: SOC Hunt HTTP EXE query #11784
FIX: so-elastic-fleet-reset non-destructive #12142
FIX: so-playbook-reset #11790
FIX: Update clear scripts #11991
FIX: Update dashboard and hunt query for firewall logs #12021
FIX: Update NIDS rule.reference in common.nids pipeline #11846
UPGRADE: Salt 3006.5 #12143
UPGRADE: SOC dependencies to latest versions #12041
UPGRADE: Strelka 0.23.12.01 #11770
2.4.30 Hotfix [20231228] Changes
FIX: Appliance kickstart files are not copying Elastic Agent tarballs #12081
2.4.30 Hotfix [20231219] Changes
FIX: Update appliance kickstart scripts to fix issue with package copy #12044
2.4.30 Hotfix [20231204] Changes
2.4.30 Hotfix [20231121] Changes
FIX: Salt minion service disabled highstate in upgrade to 2.4.30 #11851
2.4.30 Hotfix [20231117] Changes
2.4.30 [20231113] Changes
FEATURE: Additional Supported Integrations #11513
FEATURE: Allow for BPF comments in SOC #11738
FEATURE: OpenID Connect (OIDC) support
FEATURE: so-elastic-fleet-reset #11697
FEATURE: Sublime Platform Integration #11579
FIX: Add -watch to soctopus saltstate for file SOCtopus.conf. Makes container restart @ highstate if file is updated. #11700
FIX: Allow ICMP to allow a node to respond to ping #11495
FIX: Allow standalone install type to work with 16GB of ram #11699
FIX: Allow the setting up of data_warm to the nodes list in ES
FIX: Data not returned from mine for network.ip_addrs #11502
FIX: Delete all obsolete scripts and unused code (also check so-setup, so-functions)
FIX: Fail so-setup if Elastic Fleet Setup encounters an error #11696
FIX: Global BPF prevents new sensor from applying highstate #11610
FIX: Improve error handling of Elasticsearch pipeline and template load scripts #11728
FIX: Logs not parsed correctly when shipped from Fleet Node #11698
FIX: Only heavy nodes should be treated as remote Elastic clusters in SOC #11553
FIX: Reduce ISO size #11510
FIX: Set days for warm for all so-* indices
FIX: Show container download status during soup #11550
FIX: Sigma DNS mapping #11498
FIX: Suricata 7 pkt_src field needs to be parsed #11566
FIX: The values for specific nodes in zeek.config.local.load are being populated incorrectly #11472
UPGRADE: NetworkMiner 2.8.1 #11457
UPGRADE: Salt 3006.3 #11529
UPGRADE: SOC dependency Axios to 1.6.1 #11763
UPGRADE: Sophos Integration #11548
UPGRADE: Upgrade Elastic to 8.10.4
UPGRADE: Upgrade InfluxDB to 2.7.1 and Telegraf to 1.28.2
UPGRADE: Upgrade Suricata to 7.0.2
UPGRADE: Zeek 6.0.2
2.4.20 Hotfix [20231012] Changes
FIX: Elastic Defend Integration Policy Corrupted #11527
2.4.20 [20231006] Changes
FEATURE: Add ingest parser for pfSense OpenVPN logs #7656
FEATURE: Add new so-log-check tool to scan SO logging for anomalies
FEATURE: Enable Analyzers to be managed through SOC #11211
FEATURE: Grid screen improvements; support for desktop nodes
FEATURE: Provide global replica value for index templates #10998
FEATURE: SOC Grid Members should prompt for confirmation before actually deleting #11223
FIX: Adding custom action to SOC causes the Endgame action to be replicated #11210
FIX: Add Transform Role #11309
FIX: CentOS stream 9 installation #11168
FIX: Clean component template directory #11331
FIX: Desktop via network install fails #10975
FIX: Disable conn stats from being generated by default #11410
FIX: Docker custom_bind_mounts not working for some containers #11122
FIX: Duplicate cronjobs for filecheck #11400
FIX: Elastic Agent - Installation “Not Accessible” Message #11191
FIX: Elastic Fleet key and cert errors on heavynode #11026
FIX: Exclude Zeek console log ingestion #11082
FIX: Features pillar not showing all enabled features #11130
FIX: Fleet plugin logs ERROR during kibana restart #10955
FIX: Force nginx to run as user nobody #11402
FIX: Heavy nodes are missing ElasticFleet integration policies #11189
FIX: Heavy Nodes are not properly added to the soc.json #11192
FIX: Improve consistency in cert storage across OS families #11162
FIX: Improve default settings to avoid Elasticsearch hitting watermark #11305
FIX: Kibana Elastic Agent Dashboard 404 #11018
FIX: Maintain minion log in INFO level, add logrotate #10921
FIX: Make sure a data stream is created for syslog #11209
FIX: Make sure Elastic packages are loaded when changed #11428
FIX: Minimum system requirements checks during setup #11324
FIX: Minion log appears to show timezone bouncing #10922
FIX: osquery not working on macOS
FIX: Pre-load Integration Templates #11146
FIX: Prevent repeated creation of unused Docker volumes #9941
FIX: Remove default component templates to prevent conflicts #11260
FIX: Remove OSSEC and add Playbook mappings for the SOC Alerts Event Table #11015
FIX: Remove telegraf beats EPS script #11412
FIX: Rename some SOC log fields to more unique field names #11429
FIX: Reposync and yara rules should not run in airgap #11427
FIX: SOC Config pcap doc links should point to steno docs #11302
FIX: SOC Config sensoroni doc links should point to correct docs #11362
FIX: SOC doesn’t return user to login page after session expires #11438
FIX: SOC fails to parse incomplete Elastic error response #11435
FIX: SOC Grid Import inconsistency with larger files #11143
FIX: Some packages are installed/removed and upgraded/downgraded every 15min #11458
FIX: so-import-evtx incorrect dates #11332
FIX: so-salt-minion-check not rendering as jinja #11390
FIX: Stop zeek from trying to email reports #11407
FIX: Strelka ingest pipeline should properly index entropy 0 values and float values in the same field
FIX: Suricata filter and extraction rules are not properly updated #11229
FIX: Update firewall docs for custom port and host groups #11053
FIX: Update IDH Opencanary Modules to indicate they only apply to IDH nodes #10170
UPGRADE: Kratos to v1.0.0
UPGRADE: Suricata 6.0.14 #11319
UPGRADE: Zeek 5.0.10 #11301
2.4.10 Hotfix [20230821] Changes
FIX: Component templates not updated when packages are updated #11065
FIX: Importing both PCAP and EVTX files fails #11030
FIX: Logstash container missing on distributed receiver #11099
FIX: pipeline with id logs-system.syslog-1.6.4 does not exist #11038
FIX: Suricata permissions on Heavy Nodes are incorrect #11031
2.4.10 [20230815] Changes
FEATURE: Auto-Upgrade Node Agents #10949
FEATURE: Customize desktop environment #10957
FIX: Custom actions, queries, tools can cause SOC restart to fail #11022
FIX: Elastic Agents won’t upgrade without Internet connection #10981
FIX: Elastic Integrations not upgrading during SOUP #10984
FIX: Elastic index settings annotations need to be synchronized with those specified in defaults #10999
FIX: File extraction not working after switching from Zeek metadata to Suricata metadata #10973
FIX: Fleet - url_base not working in cert CN #11003
FIX: Improve wording for Firewall entries under Grid Administration Quick Links #10990
FIX: Influx reporting No Results for Zeek Capture Loss #10956
FIX: Suricata should not assume the interface will always be bond0 #10954
FIX: Sysmon Events Table Field Rendering #10985
FIX: so-desktop-install needs to change from Rocky to Oracle #10962
FIX: soup may fail while trying to query Fleet server #10974
2.4.5 RC2 [20230807] Changes
FEATURE: Add NetworkMiner to Security Onion Desktop #10865
FEATURE: Add value from record in Hunt, etc as an observable to an existing or new case #7992
FEATURE: Enable CommunityID for Elastic Defend Logs #10811
FEATURE: Heavy Node Support #10671
FEATURE: so-import-evtx - timeshift #10743
FEATURE: soup should rotate its log file #10951
FIX: Dashboards with multiple groupby charts always filter by the first chart’s, first groupby field #10856
FIX: Disable offload on monitor NICs #10900
FIX: EQL Field Mappings #10783
FIX: Elastic Fleet Improvements #10846
FIX: Firewall state custom host group assignments for single portgroup entry #10917
FIX: IDH node #10882
FIX: IPTables Persistence #10884
FIX: Install Error: so-yara-download failed #10880
FIX: Install screen - Firewall #10945
FIX: List settings updated with blank values should be stored as empty lists #10936
FIX: Login page shows error banner briefly on initial page load #10911
FIX: RAID status on Grid page #10935
FIX: SOC Auth dashboard #10878
FIX: Security Onion Desktop state should default to Gnome Classic #10958
FIX: sensor MTU setting in SOC Config should be read only #10883
FIX: so-status taking several seconds to complete #10909
FIX: soup #10902
FIX: syslog not working #10896
FIX: verbiage and links in soc_sensor.yaml #10906
UPGRADE: Elastic 8.8.2 #10864
2.4.4 RC1 [20230728] Changes
FEATURE: Add DNS lookup action to SOC #8655
FEATURE: Add Oracle Linux Support #10844
FEATURE: Add pivots for relational operators on numbers #8024
FEATURE: Add relative Timeframe and Refresh Interval as URL Parameters to Hunt #3352
FEATURE: Cases - Add ability to enable dynamic observable extraction #7972
FEATURE: Oracle Linux ISO #10845
FEATURE: Security Onion Desktop #10862
FIX: Add retry to Elastic Agent installer #10488
FIX: Case status code 404 error #10759
FIX: Intermittent pcap retrieval #10750
FIX: Navigator Errors #10742
FIX: Remove .security subfield #10745
UPGRADE: CyberChef 10.5.2 #10781
UPGRADE: so-registry docker image #10727
2.4.3 Beta 4 [20230711] Changes
FEATURE: Add link to Downloads page for convenient access to firewall settings #10702
FEATURE: Add more SOC Config quick links #10563
FEATURE: Add time zone selection to Grid page #8629
FEATURE: Add webauthn support to SOC #10608
FEATURE: Allow import of PCAP and EVTX via SOC UI #10413
FEATURE: Elastic Fleet - Automatically Update Logstash Outputs #10746
FEATURE: Elastic Fleet Server URL - Custom Domain #10744
FEATURE: Supported Integrations #10590
FEATURE: so-import-evtx #10673
FIX: Strelka rule path #10715
FIX: 2.4 ISO image won’t install on Virtualbox #10534
FIX: Account for Suricata XFF function in parsing and ingestion #8643
FIX: Add more Zeek logs to excluded list #10569
FIX: Analyzer requests and whoisit updates #10524
FIX: Change Playbook index to data stream and update event.severity_label #10523
FIX: Cleanup log-rotate.conf #10545
FIX: Curator should ignore empty list #10512
FIX: Don’t override default integration ingest node pipelines #10542
FIX: Ensure operations on records with “Missing” fields use correct search #8025
FIX: Ensure packages aren’t installed from default Rocky repos #10630
FIX: Exclude System logs from Hunt/Dashboard Queries. #10122
FIX: Finish SSL cert integration into SOC config UI #10533
FIX: Improve SOC login error message for disabled users #8908
FIX: Increase net.core.wmem_default value #10602
FIX: InfluxDB NSM Disk Usage visualization #10520
FIX: Integration logs not parsed correctly #10672
FIX: Logstash soc.fields.query warning #10528
FIX: Node description config setting should only apply at the node level #10562
FIX: Remove default excluded rules from YARA repo #10718
FIX: Review Kibana Dashboards #10664
FIX: Rework dataset name and add tags based on suffix #10526
FIX: Rework field to account for missing classifiers #10420
FIX: SOC Config NTP quick link #10519
FIX: Scheduled jobs trying to run during setup #10468
FIX: Set Elastic Fleet certs to use url_base #10510
FIX: Setup re-runs when SSH’ing into a successfully installed minion node #10498
FIX: Strelka rule exclusions #10716
FIX: Suricata DHCP logs not ingesting #10565
FIX: Suricata dataset values for certain types of metadata #10551
FIX: Update README.md #10554
FIX: Update cheat sheet for 2.4 #10532
UPGRADE: CyberChef 10.4.0 #10581
UPGRADE: Suricata 6.0.13 #10594
2.4.2 Beta 3 [20230531] Changes
FEATURE: Add additional alerts for Influxdb #10388
FEATURE: Add link to SOC error messages that takes user to hunt and auto-searches for recent SOC-related errors. #10283
FEATURE: Add Protected checkbox on Attachment upload form #10203
FEATURE: Add support for Apple Silicon Elastic Agent Installer #10473
FEATURE: Add support for EQL to Playbook #10471
FEATURE: Allow for any docker container to have extra hosts and custom binds #10301
FEATURE: Allow users to switch between airgap and non airgap. #10470
FEATURE: Dedicated Elastic Fleet Node #10474
FEATURE: Enable Elastic Defend Integration on Endpoints Policy #10475
FEATURE: Integrate Elastic Artifact Repo #10053
FEATURE: Integrate Elastic Package Registry #10472
FEATURE: ISO image #10476
FEATURE: Link the Grid Interface with Docker container log files #10149
FEATURE: Prompt user to verify the manager node's IP address if a DNS record is found during setup. #10334
FEATURE: Quicklinks to common configs #10395
FEATURE: SOC config UI should process each line individually with regex when multiline: True is set #10243
FEATURE: Support authentication rate limiting #10308
FIX: AWS Instances with forced IMDSv2 enabled fail to detect running in AWS #10205
FIX: Cluster delete script should use different disk space logic when /nsm is shared among services #10418
FIX: Correct SOC Annotations for idstools in Grid Configuration. #10208
FIX: Correct SOC Annotations of Zeek in Grid Configuration. #10211
FIX: Hunt Quick Drilldown #10377
FIX: If mdengine is changed to Suricata, Zeek is still shown in so-status #10232
FIX: Improve SOC configuration handling of lists #10219
FIX: Improve soup’s local file modification logic #8972
FIX: In distributed deployment, Dashboards/Kibana only show data from the first sensor added. #10231
FIX: Influxdb Elasticsearch cells showing duplicate data. #10336
FIX: Kibana: Ensure _id fields beginning with a hyphen work properly when pivoting to SOC from Kibana #10305
FIX: Logstash WARN logstash.outputs.elasticsearch on searchnode #10291
FIX: Prepare SOUP for 2.4 #10056
FIX: Prevent duplicate observables from being automatically created when attaching events to a case. #10123
FIX: Review 2.4 file permissions and other local security changes #9110
FIX: Setting CPU affinity or number of threads for Suricata not being applied. #10240
FIX: Simplify cloud detection #10261
FIX: Some SOC Config settings are only visible when Advanced is enabled #10429
FIX: Strelka YARA Compilation #10271
FIX: Suricata ignores the threads setting and is always set to 1 #10230
FIX: Unable to disable PCAP via web configuration #10229
FIX: Use pillar values to allow Zeek log ingestion selection from the UI #10322
FIX: Zeek local policies are not being updated when changed in Current Grid value. #10209
FIX: Zeek not ignoring lb_procs when Zeek pins configured #10215
UPGRADE: Elastic 8.7.1 #10269
UPGRADE: Kratos to 0.13.0 #10309
UPGRADE: SOC external dependencies #10268
UPGRADE: Suricata 6.0.12 #10311
UPGRADE: Zeek 5.0.9 #10374
2.4.1 Beta 2 [20230424] Changes
FIX: Add Dedicated Fleet Node #10054
FIX: Don’t create curl.config on Forward Nodes #10057
FIX: Force case attachments to be downloaded #10186
FIX: Improve Elasticsearch index deletion - so-elastic-clear #10109
FIX: Improve Elasticsearch index deletion - so-elastic-cluster-delete-delete #10110
FIX: Make sure Setup image downloads populate the screen and the log #10052
FIX: Overview Customization link #10173
FIX: Prevent Jinja syntax from being entered into config values via UI/API #10187
FIX: Prevent Zeek from using a large amount of memory #10190
FIX: Remove legacy Kibana dashboards #8555
FIX: Remove template load from search nodes in distrib #10060
FIX: SOC only displaying data for users assigned the superuser role #10068
FIX: Sort grid members lists #10185
FIX: Suricata DNS A and CNAME parsing #10117
FIX: Using SOC Configuration to change mdengine from ZEEK to SURICATA fails #10189
FIX: Zeek @local and @local-sigs need to strip the @ for config but replace in local.zeek #10050
FIX: Zeek is not honoring lbprocs #10062
UPGRADE: Elastic 8.7.0 #10059
UPGRADE: Suricata 6.0.11 #10067
UPGRADE: Zeek 5.0.8 #10107
2.4.0 Beta 1 [20230328] Changes
https://blog.securityonion.net/2023/03/security-onion-24-beta-release-now.html