Release Notes

Known Issues

If you notice an Elasticsearch status of Pending in the Grid interface, you can view affected indices by running the following command from the CLI on the manager node:

sudo so-elasticsearch-query _cat/shards | grep UN

The result of the query should display affected indices. Older metrics indices for Elastic Endpoint logs may have been assigned a replica, so if you are running a single-node Elastic cluster there will be nowhere for the replica to exist.

To resolve the issue, run the following command for each affected index (replacing $index with the actual index name):

sudo so-elasticsearch-query $index/_settings -d '{"number_of_replicas":0}' -XPUT

After running the command, the index should no longer use replicas and the status should change from “Pending” to “OK” once all indices have been successfully modified.

2.4.70 [20240529] Changes

  • FEATURE: Add confirmation dialog for “revert to default” button in Configuration

  • FEATURE: Add dashboard for NetFlow #13009

  • FEATURE: Add dashboard for SOC Login Failures #12738

  • FEATURE: Add dashboards specific to Elastic Agent #12746

  • FEATURE: Add event.dataset to all Events table layouts #12641

  • FEATURE: Add Events table columns for event.module elastic_agent #12666

  • FEATURE: Add Events table columns for event.module kratos #12740

  • FEATURE: Add Events table columns for event.module opencanary #12655

  • FEATURE: Add Events table columns for event.module playbook #12703

  • FEATURE: Add Events table columns for event.module sigma #12743

  • FEATURE: Add Events table columns for event.module strelka #12716

  • FEATURE: Add Events table columns for event.module system #12628

  • FEATURE: Add Events table columns for stun logs #12940

  • FEATURE: Add Events table columns for tunnel logs #12937

  • FEATURE: Add Events table columns for zeek ssl and suricata ssl #12697

  • FEATURE: Add groupby fields to Dashboards relating to sankey diagrams #12657

  • FEATURE: Add hyperlink to airgap screen in setup #12925

  • FEATURE: Add individual dashboards for Zeek SSL and Suricata SSL logs #12699

  • FEATURE: Additional Supported Integrations #6

  • FEATURE: Add more fields to the SOC Dashboards URL for so-import-pcap #12972

  • FEATURE: Add process.command_line to Process Info and Process Ancestry dashboards #12694

  • FEATURE: Add queue=True to so-checkin so that it will wait for any running states #12815

  • FEATURE: Add SOC Quick Link for Elasticsearch ILM Deletion #12854

  • FEATURE: Allow duplication of certain config settings

  • FEATURE: Allow users to disable Elasticsearch cleanup script #12856

  • FEATURE: Change default timeout period for Elastic Agent installation

  • FEATURE: Continuation of new Detections module rollout #12903

  • FEATURE: Delayed enrollment for Elastic Agents

  • FEATURE: Enable license checks for enterprise features #12839

  • FEATURE: Eval use Suricata for PCAP by default #12878

  • FEATURE: Hunting for SOC logs should show relevant columns

  • FEATURE: Introduce new readOnlyUi annotation

  • FEATURE: Kismet integration #12849

  • FEATURE: Lower EVAL memory requirement to 8GB RAM #12896

  • FEATURE: pfSense Suricata logs #12653

  • FEATURE: SOC Telemetry to provide feature usage feedback to dev team

  • FEATURE: SOS Sigma ruleset

  • FIX: Add annotations for BPF and Suricata PCAP #12626

  • FIX: Add missing options to Suricata af-packet config #12637

  • FIX: Add the write privilege to the analyst and limited-analyst roles to enable acking of alerts #12770

  • FIX: Adjust so-import-pcap so that suricata works when it is pcapengine #12969

  • FIX: Change Elasticsearch min_age setting for cold phase #12890

  • FIX: Configuration screen search filter causes long delays #12923

  • FIX: Detections alerts indices #13005

  • FIX: Detections alerts template not being loaded because load script is trying to match names #13048

  • FIX: Elastic retention setting not being honored when manager hostname is a subset of search node hostname #12819

  • FIX: Elasticsearch annotation file for ILM index settings #12726

  • FIX: Elasticsearch cleanup script should avoid Suricata alerts #12855

  • FIX: Elasticsearch min_age regex #12885

  • FIX: GitHub discussion/issue curator workflows fail on repo forks

  • FIX: IDH node installs, but won’t configure #12991

  • FIX: idh.services is displayed in SOC Grid Configuration as an advanced setting #13012

  • FIX: Improve File dashboard #12914

  • FIX: Input Validation for IPv6 addresses in Zeek and Suricata vars #12675

  • FIX: mapping conflict with field http.response.status_code #12543

  • FIX: Remove errant max_age setting from Elastic SOC config #12851

  • FIX: Rendering SLS ‘base:elasticsearch.enabled’ failed: Jinja error: Cannot update using non-dict types in dictupdate.update() #13030

  • FIX: Resetting a customized file to default should restore the default #13008

  • FIX: so-elasticsearch-ilm-policy-load trying to set policy for indices not managed by ILM #13021

  • FIX: so-index-list not working correctly #12988

  • FIX: Sorting for older and newer indices in Elasticsearch cleanup #12857

  • FIX: so-verify detects rare false error #12811

  • FIX: Specify that static IP address is recommended #12643

  • FIX: Update expected timestamp formats in ingest pipeline #12887

  • FIX: Update so-whiptail to make installation screen more consistent #12921

  • UPGRADE: CyberChef 10.17.0 #12798

  • UPGRADE: Suricata 7.0.5 #12843

  • UPGRADE: Zeek 6.0.4 #13027

2.4.60 [20240320] Changes

  • FEATURE: Add Suricata classification.config for editing #12391

  • FEATURE: Add Suricata support for full PCAP #12571

  • FEATURE: Add default columns for endpoint.events datasets #12425

  • FEATURE: Add new SOC action for Process Info #12421

  • FEATURE: Add new endpoint dashboards #12428

  • FEATURE: Additional Supported Integrations #5

  • FEATURE: Improve Grid page Reboot indicators #12546

  • FEATURE: Initial implementation of the new Detections system (currently disabled)

  • FIX: Accept Uppercase emails #12559

  • FIX: Change the default setting for steno diskfreepercentage on standalone installations to 21 #12541

  • FIX: Download only newest packages for network installs

  • FIX: EA packages are not downloadable once STIGs have been applied

  • FIX: Endpoint diagnostic template pattern #12433

  • FIX: Exclude templates from global overrides when necessary #12382

  • FIX: Improve the accuracy of the stenoloss script #12477

  • FIX: Receiver node Redis queue fills up using Managersearch without a Searchnode #12535

  • FIX: Support Oinkcode values containing leading 0’s #12506

  • FIX: Update SOC annotations for Stenographer PCAP #12539

  • FIX: Update correlate quick action with new icon #12387

  • FIX: Update ks.cfg for appliances

  • FIX: error.message mapping for system.syslog #12518

  • FIX: so-saltstack-update should use the proper repo in 2.4 #12570

  • UPGRADE: CyberChef 10.8.2 #12454

  • UPGRADE: Kratos to 1.1.0 #12479

  • UPGRADE: Suricata 7.0.4 #12609

2.4.50 [20240220] Changes

  • FEATURE: Add Suricata PCAP module to Sensoroni (currently disabled) #12255

  • FEATURE: Add new SOC action to show process ancestry #12345

  • FEATURE: Add new dashboards for community_id and firewall auth #12323

  • FEATURE: Additional Supported Integrations #4

  • FEATURE: Allow user to create custom elastic search pipelines without copying them over via ssh

  • FEATURE: Allow user to create custom logstash pipelines without copying them over via ssh

  • FEATURE: Dedicated Fleet node should have an nginx entry and cert that works for /artifacts #11346

  • FEATURE: Determine if Elastic is on its own mount point if so adjust size for watermark #12364

  • FEATURE: Improve Correlate and Hunt actions on SOC Actions menu #12315

  • FEATURE: RITA Logs #12226

  • FEATURE: Support PCAP pivots for ICMP packets in SOC

  • FIX: suricata.ike ingest pipeline does not exist #12174

  • FIX: Add stenographer logging #12282

  • FIX: Change field groupby button to new groupby #12228

  • FIX: Correct SOC error messages related to malformed queries #12269

  • FIX: Endpoint diagnostic collection index created with replicas #12256

  • FIX: Expose node Reboot status as its own state; other grid/feature improvements

  • FIX: Network Transport for suricata alerts should be lowercase #12217

  • FIX: Strelka scan.pe.flags mapping #12251

  • FIX: Sync the event.dataset values between the Windows Sysmon and ElasticAgent defend logs

  • FIX: Syntax error running elastic fleet scripts during highstate

  • FIX: User count logic providing inconsistent results #12258

  • UPGRADE: CyberChef 10.6.0 #12310

  • UPGRADE: Salt 3006.6 #12304

  • UPGRADE: Strelka 0.24.01.18 #12229

  • UPGRADE: Suricata 7.0.3 #12327

  • UPGRADE: Zeek 6.0.3 #12225

2.4.40 [20240116] Changes

  • FEATURE: Add geoip support to Suricata #11901

  • FEATURE: Additional Supported Integrations #2 #11958

  • FEATURE: Additional Supported Integrations #3 #12056

  • FEATURE: Add server reboot notification to SOC #11852

  • FEATURE: Allow an easy way to disable incoming events to a manager #12033

  • FEATURE: Carve out the cert_chain_fps value from SSL traffic #11806

  • FEATURE: Echotrail, Elasticsearch, MalwareBazaar, and ThreatFox Analyzers #12014

  • FEATURE: Grid page status/metric enhancements #11971

  • FEATURE: Manipulate event table columns #12145

  • FEATURE: Sublime Platform Analyzer #11883

  • FIX: Add force option to integrations #12017

  • FIX: Adding extra_hosts for SOC, Elasticsearch and Logstash Docker containers fails #12015

  • FIX: Begin kickstart consolidation

  • FIX: Corrupt job files should not cause SOC to exit during startup #12082

  • FIX: Disable Elastic Agent Downloads for Import and Eval mode

  • FIX: Docker service sometimes not started or enabled on remote nodes during setup #12101

  • FIX: Documentation links under SOC - Administration - Configuration need updating #11828

  • FIX: FIM Integration #11847

  • FIX: Ignore Zeek analyzer log #11892

  • FIX: Improve salt-relay reponse integrity

  • FIX: ISO image should default to 1GB /boot partition #12002

  • FIX: Logstash pipeline to point to self instead of manager #12038

  • FIX: Make sure optional integration pillar values are merged with defaults #12163

  • FIX: Playbook Navigator Layer #11380

  • FIX: Remove Curator

  • FIX: Remove sudo entry for so-setup after setup completes

  • FIX: Rerunning setup should uninstall local Elastic Agent #12030

  • FIX: Show more readable column names for default Case list screen #12162

  • FIX: SOC Hunt HTTP EXE query #11784

  • FIX: so-elastic-fleet-reset non-destructive #12142

  • FIX: so-playbook-reset #11790

  • FIX: Update clear scripts #11991

  • FIX: Update dashboard and hunt query for firewall logs #12021

  • FIX: Update NIDS rule.reference in common.nids pipeline #11846

  • UPGRADE: Salt 3006.5 #12143

  • UPGRADE: SOC dependencies to latest versions #12041

  • UPGRADE: Strelka 0.23.12.01 #11770

2.4.30 Hotfix [20231228] Changes

  • FIX: Appliance kickstart files are not copying Elastic Agent tarballs #12081

2.4.30 Hotfix [20231219] Changes

  • FIX: Update appliance kickstart scripts to fix issue with package copy #12044

2.4.30 Hotfix [20231204] Changes

  • FIX: Choosing Desktop or IDH from ISO GRUB menu results in failure #11865

  • FIX: Ensure airgap rule updates are being copied to the proper location #11932

  • FIX: outdated import-evtx-logs pipeline versions #11889

  • FIX: x509.pem_managed errors

2.4.30 Hotfix [20231121] Changes

  • FIX: Salt minion service disabled highstate in upgrade to 2.4.30 #11851

2.4.30 Hotfix [20231117] Changes

  • FIX: Elastic Defend Integration Policy Downgrade #11810

  • FIX: Update SSL cert to avoid Google Chrome error (2.4) #11824

2.4.30 [20231113] Changes

  • FEATURE: Additional Supported Integrations #11513

  • FEATURE: Allow for BPF comments in SOC #11738

  • FEATURE: OpenID Connect (OIDC) support

  • FEATURE: so-elastic-fleet-reset #11697

  • FEATURE: Sublime Platform Integration #11579

  • FIX: Add -watch to soctopus saltstate for file SOCtopus.conf. Makes container restart @ highstate if file is updated. #11700

  • FIX: Allow ICMP to allow a node to respond to ping #11495

  • FIX: Allow standalone install type to work with 16GB of ram #11699

  • FIX: Allow the setting up of data_warm to the nodes list in ES

  • FIX: Data not returned from mine for network.ip_addrs #11502

  • FIX: Delete all obsolete scripts and unused code (also check so-setup, so-functions)

  • FIX: Fail so-setup if Elastic Fleet Setup encounters an error #11696

  • FIX: Global BPF prevents new sensor from applying highstate #11610

  • FIX: Improve error handling of Elasticsearch pipeline and template load scripts #11728

  • FIX: Logs not parsed correctly when shipped from Fleet Node #11698

  • FIX: Only heavy nodes should be treated as remote Elastic clusters in SOC #11553

  • FIX: Reduce ISO size #11510

  • FIX: Set days for warm for all so-* indices

  • FIX: Show container download status during soup #11550

  • FIX: Sigma DNS mapping #11498

  • FIX: Suricata 7 pkt_src field needs to be parsed #11566

  • FIX: The values for specific nodes in zeek.config.local.load are being populated incorrectly #11472

  • UPGRADE: NetworkMiner 2.8.1 #11457

  • UPGRADE: Salt 3006.3 #11529

  • UPGRADE: SOC dependency Axios to 1.6.1 #11763

  • UPGRADE: Sophos Integration #11548

  • UPGRADE: Upgrade Elastic to 8.10.4

  • UPGRADE: Upgrade InfluxDB to 2.7.1 and Telegraf to 1.28.2

  • UPGRADE: Upgrade Suricata to 7.0.2

  • UPGRADE: Zeek 6.0.2

2.4.20 Hotfix [20231012] Changes

  • FIX: Elastic Defend Integration Policy Corrupted #11527

2.4.20 [20231006] Changes

  • FEATURE: Add ingest parser for pfSense OpenVPN logs #7656

  • FEATURE: Add new so-log-check tool to scan SO logging for anomalies

  • FEATURE: Enable Analyzers to be managed through SOC #11211

  • FEATURE: Grid screen improvements; support for desktop nodes

  • FEATURE: Provide global replica value for index templates #10998

  • FEATURE: SOC Grid Members should prompt for confirmation before actually deleting #11223

  • FIX: Adding custom action to SOC causes the Endgame action to be replicated #11210

  • FIX: Add Transform Role #11309

  • FIX: CentOS stream 9 installation #11168

  • FIX: Clean component template directory #11331

  • FIX: Desktop via network install fails #10975

  • FIX: Disable conn stats from being generated by default #11410

  • FIX: Docker custom_bind_mounts not working for some containers #11122

  • FIX: Duplicate cronjobs for filecheck #11400

  • FIX: Elastic Agent - Installation “Not Accessible” Message #11191

  • FIX: Elastic Fleet key and cert errors on heavynode #11026

  • FIX: Exclude Zeek console log ingestion #11082

  • FIX: Features pillar not showing all enabled features #11130

  • FIX: Fleet plugin logs ERROR during kibana restart #10955

  • FIX: Force nginx to run as user nobody #11402

  • FIX: Heavy nodes are missing ElasticFleet integration policies #11189

  • FIX: Heavy Nodes are not properly added to the soc.json #11192

  • FIX: Improve consistency in cert storage across OS families #11162

  • FIX: Improve default settings to avoid Elasticsearch hitting watermark #11305

  • FIX: Kibana Elastic Agent Dashboard 404 #11018

  • FIX: Maintain minion log in INFO level, add logrotate #10921

  • FIX: Make sure a data stream is created for syslog #11209

  • FIX: Make sure Elastic packages are loaded when changed #11428

  • FIX: Minimum system requirements checks during setup #11324

  • FIX: Minion log appears to show timezone bouncing #10922

  • FIX: osquery not working on macOS

  • FIX: Pre-load Integration Templates #11146

  • FIX: Prevent repeated creation of unused Docker volumes #9941

  • FIX: Remove default component templates to prevent conflicts #11260

  • FIX: Remove OSSEC and add Playbook mappings for the SOC Alerts Event Table #11015

  • FIX: Remove telegraf beats EPS script #11412

  • FIX: Rename some SOC log fields to more unique field names #11429

  • FIX: Reposync and yara rules shot not run in airgap #11427

  • FIX: SOC Config pcap doc links should point to steno docs #11302

  • FIX: SOC Config sensoroni doc links should point to correct docs #11362

  • FIX: SOC doesn’t return user to login page after session expires #11438

  • FIX: SOC fails to parse incomplete Elastic error response #11435

  • FIX: SOC Grid Import inconsistency with larger files #11143

  • FIX: Some packages are installed/removed and upgraded/downgraded every 15min #11458

  • FIX: so-import-evtx incorrect dates #11332

  • FIX: so-salt-minion-check not rendering as jinja #11390

  • FIX: Stop zeek from trying to email reports #11407

  • FIX: Strelka ingest pipeline should properly index entropy 0 values and float values in the same field

  • FIX: Suricata filter and extraction rules are not properly updated #11229

  • FIX: Update firewall docs for custom port and host groups #11053

  • FIX: Update IDH Opencanary Modules to indicate they only apply to IDH nodes #10170

  • UPGRADE: Kratos to v1.0.0

  • UPGRADE: Suricata 6.0.14 #11319

  • UPGRADE: Zeek 5.0.10 #11301

2.4.10 Hotfix [20230821] Changes

  • FIX: Component templates not updated when packages are updated #11065

  • FIX: Importing both PCAP and EVTX files fails #11030

  • FIX: Logstash container missing on distributed receiver #11099

  • FIX: pipeline with id logs-system.syslog-1.6.4 does not exist #11038

  • FIX: Suricata permissions on Heavy Nodes are incorrect #11031

2.4.10 [20230815] Changes

  • FEATURE: Auto-Upgrade Node Agents #10949

  • FEATURE: Customize desktop environment #10957

  • FIX: Custom actions, queries, tools can cause SOC restart to fail #11022

  • FIX: Elastic Agents won’t upgrade without Internet connection #10981

  • FIX: Elastic Integrations not upgrading during SOUP #10984

  • FIX: Elastic index settings annotations need synchronized with those specified in defaults #10999

  • FIX: File extraction not working after switching from Zeek metadata to Suricata metadata #10973

  • FIX: Fleet - url_base not working in cert CN #11003

  • FIX: Improve wording for Firewall entries under Grid Administration Quick Links #10990

  • FIX: Influx reporting No Results for Zeek Capture Loss #10956

  • FIX: Suricata should not assume the interface will always be bond0 #10954

  • FIX: Sysmon Events Table Field Rendering #10985

  • FIX: so-desktop-install needs to change from Rocky to Oracle #10962

  • FIX: soup may fail while trying to query Fleet server #10974

2.4.5 RC2 [20230807] Changes

  • FEATURE: Add NetworkMiner to Security Onion Desktop #10865

  • FEATURE: Add value from record in Hunt, etc as an observable to an existing or new case #7992

  • FEATURE: Enable CommunityID for Elastic Defend Logs #10811

  • FEATURE: Heavy Node Support #10671

  • FEATURE: so-import-evtx - timeshift #10743

  • FEATURE: soup should rotate its log file #10951

  • FIX: Dashboards with multiple groupby charts always filter by the first chart’s, first groupby field #10856

  • FIX: Disable offload on monitor NICs #10900

  • FIX: EQL Field Mappings #10783

  • FIX: Elastic Fleet Improvements #10846

  • FIX: Firewall state custom host group assignments for single portgroup entry #10917

  • FIX: IDH node #10882

  • FIX: IPTables Persistence #10884

  • FIX: Install Error: so-yara-download failed #10880

  • FIX: Install screen - Firewall #10945

  • FIX: List settings updated with blank values should be stored as empty lists #10936

  • FIX: Login page shows error banner briefly on initial page load #10911

  • FIX: RAID status on Grid page #10935

  • FIX: SOC Auth dashboard #10878

  • FIX: Security Onion Desktop state should default to Gnome Classic #10958

  • FIX: sensor MTU setting in SOC Config should be read only #10883

  • FIX: so-status taking several seconds to complete #10909

  • FIX: soup #10902

  • FIX: syslog not working #10896

  • FIX: verbiage and links in soc_sensor.yaml #10906

  • UPGRADE: Elastic 8.8.2 #10864

2.4.4 RC1 [20230728] Changes

  • FEATURE: Add DNS lookup action to SOC #8655

  • FEATURE: Add Oracle Linux Support #10844

  • FEATURE: Add pivots for relational operators on numbers #8024

  • FEATURE: Add relative Timeframe and Refresh Interval as URL Parameters to Hunt #3352

  • FEATURE: Cases - Add ability to enable dynamic observable extraction #7972

  • FEATURE: Oracle Linux ISO #10845

  • FEATURE: Security Onion Desktop #10862

  • FIX: Add retry to Elastic Agent installer #10488

  • FIX: Case status code 404 error #10759

  • FIX: Intermittent pcap retrieval #10750

  • FIX: Navigator Errors #10742

  • FIX: Remove .security subfield #10745

  • UPGRADE: CyberChef 10.5.2 #10781

  • UPGRADE: so-registry docker image #10727

2.4.3 Beta 4 [20230711] Changes

  • FEATURE: Add link to Downloads page for convenient access to firewall settings #10702

  • FEATURE: Add more SOC Config quick links #10563

  • FEATURE: Add time zone selection to Grid page #8629

  • FEATURE: Add webauthn support to SOC #10608

  • FEATURE: Allow import of PCAP and EVTX via SOC UI #10413

  • FEATURE: Elastic Fleet - Automatically Update Logstash Outputs #10746

  • FEATURE: Elastic Fleet Server URL - Custom Domain #10744

  • FEATURE: Supported Integrations #10590

  • FEATURE: so-import-evtx #10673

  • FIX: Strelka rule path #10715

  • FIX: 2.4 ISO image won’t install on Virtualbox #10534

  • FIX: Account for Suricata XFF function in parsing and ingestion #8643

  • FIX: Add more Zeek logs to excluded list #10569

  • FIX: Analyzer requests and whoisit updates #10524

  • FIX: Change Playbook index to data stream and update event.severity_label #10523

  • FIX: Cleanup log-rotate.conf #10545

  • FIX: Curator should ignore empty list #10512

  • FIX: Don’t override default integration ingest node pipelines #10542

  • FIX: Ensure operations on records with “Missing” fields use correct search #8025

  • FIX: Ensure packages aren’t installed from default Rocky repos #10630

  • FIX: Exclude System logs from Hunt/Dashboard Queries. #10122

  • FIX: Finish SSL cert integration into SOC config UI #10533

  • FIX: Improve SOC login error message for disabled users #8908

  • FIX: Increase net.core.wmem_default value #10602

  • FIX: InfluxDB NSM Disk Usage visualization #10520

  • FIX: Integration logs not parsed correctly #10672

  • FIX: Logstash soc.fields.query warning #10528

  • FIX: Node description config setting should only apply at the node level #10562

  • FIX: Remove default excluded rules from YARA repo #10718

  • FIX: Review Kibana Dashboards #10664

  • FIX: Rework dataset name and add tags based on suffix #10526

  • FIX: Rework field to account for missing classifiers #10420

  • FIX: SOC Config NTP quick link #10519

  • FIX: Scheduled jobs trying to run during setup #10468

  • FIX: Set Elastic Fleet certs to use url_base #10510

  • FIX: Setup re-runs when SSH’ing into a successfully installed minion node #10498

  • FIX: Strelka rule exclusions #10716

  • FIX: Suricata DHCP logs not ingesting #10565

  • FIX: Suricata dataset values for certain types of metadata #10551

  • FIX: Update README.md #10554

  • FIX: Update cheat sheet for 2.4 #10532

  • UPGRADE: CyberChef 10.4.0 #10581

  • UPGRADE: Suricata 6.0.13 #10594

2.4.2 Beta 3 [20230531] Changes

  • FEATURE: Add additional alerts for Influxdb #10388

  • FEATURE: Add link to SOC error messages that takes user to hunt and auto-searches for recent SOC-related errors. #10283

  • FEATURE: Add Protected checkbox on Attachment upload form #10203

  • FEATURE: Add support for Apple Silicon Elastic Agent Installer #10473

  • FEATURE: Add support for EQL to Playbook #10471

  • FEATURE: Allow for any docker container to have extra hosts and custom binds #10301

  • FEATURE: Allow users to switch between airgap and non airgap. #10470

  • FEATURE: Dedicated Elastic Fleet Node #10474

  • FEATURE: Enable Elastic Defend Integration on Endpoints Policy #10475

  • FEATURE: Integrate Elastic Artifact Repo #10053

  • FEATURE: Integrate Elastic Package Registry #10472

  • FEATURE: ISO image #10476

  • FEATURE: Link the Grid Interface with Docker container log files #10149

  • FEATURE: Prompt user to verify the manager nodes IP address if a DNS record if found during setup. #10334

  • FEATURE: Quicklinks to common configs #10395

  • FEATURE: SOC config UI should process each line individually with regex when multiline: True is set #10243

  • FEATURE: Support authentication rate limiting #10308

  • FIX: AWS Instances with forced IMDSv2 enabled fail to detect running in AWS #10205

  • FIX: Cluster delete script should use different disk space logic when /nsm is shared among services #10418

  • FIX: Correct SOC Annotations for idstools in Grid Configuration. #10208

  • FIX: Correct SOC Annotations of Zeek in Grid Configuration. #10211

  • FIX: Hunt Quick Drilldown #10377

  • FIX: If mdengine is changed to Suricata, Zeek is still shown in so-status #10232

  • FIX: Improve SOC configuration handling of lists #10219

  • FIX: Improve soup’s local file modification logic #8972

  • FIX: In distributed deployment, Dashboards/Kibana only show data from the first sensor added. #10231

  • FIX: Influxdb Elasticsearch cells showing duplicate data. #10336

  • FIX: Kibana: Ensure _id fields beginning with a hyphen work properly when pivoting to SOC from Kibana #10305

  • FIX: Logstash WARN logstash.outputs.elasticsearch on searchnode #10291

  • FIX: Prepare SOUP for 2.4 #10056

  • FIX: Prevent duplicate observables from being automatically created when attaching events to a case. #10123

  • FIX: Review 2.4 file permissions and other local security changes #9110

  • FIX: Setting CPU affinity or number of threads for Suricata not being applied. #10240

  • FIX: Simplify cloud detection #10261

  • FIX: Some SOC Config settings are only visible when Advanced is enabled #10429

  • FIX: Strelka YARA Compilation #10271

  • FIX: Suricata ignores the threads and always is set to 1 #10230

  • FIX: Unable to disable PCAP via web configuration #10229

  • FIX: Use pillar values to allow Zeek log ingestion selection from the UI #10322

  • FIX: Zeek local policies are not being updated when changed in Current Grid value. #10209

  • FIX: Zeek not ignoring lb_procs when Zeek pins configured #10215

  • UPGRADE: Elastic 8.7.1 #10269

  • UPGRADE: Kratos to 0.13.0 #10309

  • UPGRADE: SOC external dependencies #10268

  • UPGRADE: Suricata 6.0.12 #10311

  • UPGRADE: Zeek 5.0.9 #10374

2.4.1 Beta 2 [20230424] Changes

  • FIX: Add Dedicated Fleet Node #10054

  • FIX: Don’t create curl.config on Forward Nodes #10057

  • FIX: Force case attachments to be downloaded #10186

  • FIX: Improve Elasticsearch index deletion - so-elastic-clear #10109

  • FIX: Improve Elasticsearch index deletion - so-elastic-cluster-delete-delete #10110

  • FIX: Make sure Setup image downloads populate the screen and the log #10052

  • FIX: Overview Customization link #10173

  • FIX: Prevent Jinja syntax from being entered into config values via UI/API #10187

  • FIX: Prevent Zeek from using a large amount of memory #10190

  • FIX: Remove legacy Kibana dashboards #8555

  • FIX: Remove template load from search nodes in distrib #10060

  • FIX: SOC only displaying data for users assigned the superuser role #10068

  • FIX: Sort grid members lists #10185

  • FIX: Suricata DNS A and CNAME parsing #10117

  • FIX: Using SOC Configuration to change mdengine from ZEEK to SURICATA fails #10189

  • FIX: Zeek @local and @local-sigs need to strip the @ for config but replace in local.zeek #10050

  • FIX: Zeek is not honoring lbprocs #10062

  • UPGRADE: Elastic 8.7.0 #10059

  • UPGRADE: Suricata 6.0.11 #10067

  • UPGRADE: Zeek 5.0.8 #10107

2.4.0 Beta 1 [20230328] Changes

https://blog.securityonion.net/2023/03/security-onion-24-beta-release-now.html