Release Notes

2.4.30 Hotfix [20231204] Changes

  • FIX: Choosing Desktop or IDH from ISO GRUB menu results in failure #11865
  • FIX: Ensure airgap rule updates are being copied to the proper location #11932
  • FIX: outdated import-evtx-logs pipeline versions #11889
  • FIX: x509.pem_managed errors

2.4.30 Hotfix [20231121] Changes

  • FIX: Salt minion service disabled highstate in upgrade to 2.4.30 #11851

2.4.30 Hotfix [20231117] Changes

  • FIX: Elastic Defend Integration Policy Downgrade #11810
  • FIX: Update SSL cert to avoid Google Chrome error (2.4) #11824

2.4.30 [20231113] Changes

  • FEATURE: Additional Supported Integrations #11513
  • FEATURE: Allow for BPF comments in SOC #11738
  • FEATURE: OpenID Connect (OIDC) support
  • FEATURE: so-elastic-fleet-reset #11697
  • FEATURE: Sublime Platform Integration #11579
  • FIX: Add -watch to soctopus saltstate for file SOCtopus.conf. Makes the container restart at highstate if the file is updated. #11700
  • FIX: Allow ICMP to allow a node to respond to ping #11495
  • FIX: Allow standalone install type to work with 16GB of ram #11699
  • FIX: Allow adding data_warm to the nodes list in ES
  • FIX: Data not returned from mine for network.ip_addrs #11502
  • FIX: Delete all obsolete scripts and unused code (also check so-setup, so-functions)
  • FIX: Fail so-setup if Elastic Fleet Setup encounters an error #11696
  • FIX: Global BPF prevents new sensor from applying highstate #11610
  • FIX: Improve error handling of Elasticsearch pipeline and template load scripts #11728
  • FIX: Logs not parsed correctly when shipped from Fleet Node #11698
  • FIX: Only heavy nodes should be treated as remote Elastic clusters in SOC #11553
  • FIX: Reduce ISO size #11510
  • FIX: Set days for warm for all so-* indices
  • FIX: Show container download status during soup #11550
  • FIX: Sigma DNS mapping #11498
  • FIX: Suricata 7 pkt_src field needs to be parsed #11566
  • FIX: The values for specific nodes in zeek.config.local.load are being populated incorrectly #11472
  • UPGRADE: NetworkMiner 2.8.1 #11457
  • UPGRADE: Salt 3006.3 #11529
  • UPGRADE: SOC dependency Axios to 1.6.1 #11763
  • UPGRADE: Sophos Integration #11548
  • UPGRADE: Upgrade Elastic to 8.10.4
  • UPGRADE: Upgrade InfluxDB to 2.7.1 and Telegraf to 1.28.2
  • UPGRADE: Upgrade Suricata to 7.0.2
  • UPGRADE: Zeek 6.0.2

2.4.20 Hotfix [20231012] Changes

  • FIX: Elastic Defend Integration Policy Corrupted #11527

2.4.20 [20231006] Changes

  • FEATURE: Add ingest parser for pfSense OpenVPN logs #7656
  • FEATURE: Add new so-log-check tool to scan SO logging for anomalies
  • FEATURE: Enable Analyzers to be managed through SOC #11211
  • FEATURE: Grid screen improvements; support for desktop nodes
  • FEATURE: Provide global replica value for index templates #10998
  • FEATURE: SOC Grid Members should prompt for confirmation before actually deleting #11223
  • FIX: Adding custom action to SOC causes the Endgame action to be replicated #11210
  • FIX: Add Transform Role #11309
  • FIX: CentOS stream 9 installation #11168
  • FIX: Clean component template directory #11331
  • FIX: Desktop via network install fails #10975
  • FIX: Disable conn stats from being generated by default #11410
  • FIX: Docker custom_bind_mounts not working for some containers #11122
  • FIX: Duplicate cronjobs for filecheck #11400
  • FIX: Elastic Agent - Installation “Not Accessible” Message #11191
  • FIX: Elastic Fleet key and cert errors on heavynode #11026
  • FIX: Exclude Zeek console log ingestion #11082
  • FIX: Features pillar not showing all enabled features #11130
  • FIX: Fleet plugin logs ERROR during kibana restart #10955
  • FIX: Force nginx to run as user nobody #11402
  • FIX: Heavy nodes are missing ElasticFleet integration policies #11189
  • FIX: Heavy Nodes are not properly added to the soc.json #11192
  • FIX: Improve consistency in cert storage across OS families #11162
  • FIX: Improve default settings to avoid Elasticsearch hitting watermark #11305
  • FIX: Kibana Elastic Agent Dashboard 404 #11018
  • FIX: Maintain minion log in INFO level, add logrotate #10921
  • FIX: Make sure a data stream is created for syslog #11209
  • FIX: Make sure Elastic packages are loaded when changed #11428
  • FIX: Minimum system requirements checks during setup #11324
  • FIX: Minion log appears to show timezone bouncing #10922
  • FIX: osquery not working on macOS
  • FIX: Pre-load Integration Templates #11146
  • FIX: Prevent repeated creation of unused Docker volumes #9941
  • FIX: Remove default component templates to prevent conflicts #11260
  • FIX: Remove OSSEC and add Playbook mappings for the SOC Alerts Event Table #11015
  • FIX: Remove telegraf beats EPS script #11412
  • FIX: Rename some SOC log fields to more unique field names #11429
  • FIX: Reposync and yara rules should not run in airgap #11427
  • FIX: SOC Config pcap doc links should point to steno docs #11302
  • FIX: SOC Config sensoroni doc links should point to correct docs #11362
  • FIX: SOC doesn’t return user to login page after session expires #11438
  • FIX: SOC fails to parse incomplete Elastic error response #11435
  • FIX: SOC Grid Import inconsistency with larger files #11143
  • FIX: Some packages are installed/removed and upgraded/downgraded every 15 min #11458
  • FIX: so-import-evtx incorrect dates #11332
  • FIX: so-salt-minion-check not rendering as jinja #11390
  • FIX: Stop zeek from trying to email reports #11407
  • FIX: Strelka ingest pipeline should properly index entropy 0 values and float values in the same field
  • FIX: Suricata filter and extraction rules are not properly updated #11229
  • FIX: Update firewall docs for custom port and host groups #11053
  • FIX: Update IDH Opencanary Modules to indicate they only apply to IDH nodes #10170
  • UPGRADE: Kratos to v1.0.0
  • UPGRADE: Suricata 6.0.14 #11319
  • UPGRADE: Zeek 5.0.10 #11301

2.4.10 Hotfix [20230821] Changes

  • FIX: Component templates not updated when packages are updated #11065
  • FIX: Importing both PCAP and EVTX files fails #11030
  • FIX: Logstash container missing on distributed receiver #11099
  • FIX: pipeline with id logs-system.syslog-1.6.4 does not exist #11038
  • FIX: Suricata permissions on Heavy Nodes are incorrect #11031

2.4.10 [20230815] Changes

  • FEATURE: Auto-Upgrade Node Agents #10949
  • FEATURE: Customize desktop environment #10957
  • FIX: Custom actions, queries, tools can cause SOC restart to fail #11022
  • FIX: Elastic Agents won’t upgrade without Internet connection #10981
  • FIX: Elastic Integrations not upgrading during SOUP #10984
  • FIX: Elastic index settings annotations need to be synchronized with those specified in defaults #10999
  • FIX: File extraction not working after switching from Zeek metadata to Suricata metadata #10973
  • FIX: Fleet - url_base not working in cert CN #11003
  • FIX: Improve wording for Firewall entries under Grid Administration Quick Links #10990
  • FIX: Influx reporting No Results for Zeek Capture Loss #10956
  • FIX: Suricata should not assume the interface will always be bond0 #10954
  • FIX: Sysmon Events Table Field Rendering #10985
  • FIX: so-desktop-install needs to change from Rocky to Oracle #10962
  • FIX: soup may fail while trying to query Fleet server #10974

2.4.5 RC2 [20230807] Changes

  • FEATURE: Add NetworkMiner to Security Onion Desktop #10865
  • FEATURE: Add value from record in Hunt, etc., as an observable to an existing or new case #7992
  • FEATURE: Enable CommunityID for Elastic Defend Logs #10811
  • FEATURE: Heavy Node Support #10671
  • FEATURE: so-import-evtx - timeshift #10743
  • FEATURE: soup should rotate its log file #10951
  • FIX: Dashboards with multiple groupby charts always filter by the first chart’s, first groupby field #10856
  • FIX: Disable offload on monitor NICs #10900
  • FIX: EQL Field Mappings #10783
  • FIX: Elastic Fleet Improvements #10846
  • FIX: Firewall state custom host group assignments for single portgroup entry #10917
  • FIX: IDH node #10882
  • FIX: IPTables Persistence #10884
  • FIX: Install Error: so-yara-download failed #10880
  • FIX: Install screen - Firewall #10945
  • FIX: List settings updated with blank values should be stored as empty lists #10936
  • FIX: Login page shows error banner briefly on initial page load #10911
  • FIX: RAID status on Grid page #10935
  • FIX: SOC Auth dashboard #10878
  • FIX: Security Onion Desktop state should default to Gnome Classic #10958
  • FIX: sensor MTU setting in SOC Config should be read only #10883
  • FIX: so-status taking several seconds to complete #10909
  • FIX: soup #10902
  • FIX: syslog not working #10896
  • FIX: verbiage and links in soc_sensor.yaml #10906
  • UPGRADE: Elastic 8.8.2 #10864

2.4.4 RC1 [20230728] Changes

  • FEATURE: Add DNS lookup action to SOC #8655
  • FEATURE: Add Oracle Linux Support #10844
  • FEATURE: Add pivots for relational operators on numbers #8024
  • FEATURE: Add relative Timeframe and Refresh Interval as URL Parameters to Hunt #3352
  • FEATURE: Cases - Add ability to enable dynamic observable extraction #7972
  • FEATURE: Oracle Linux ISO #10845
  • FEATURE: Security Onion Desktop #10862
  • FIX: Add retry to Elastic Agent installer #10488
  • FIX: Case status code 404 error #10759
  • FIX: Intermittent pcap retrieval #10750
  • FIX: Navigator Errors #10742
  • FIX: Remove .security subfield #10745
  • UPGRADE: CyberChef 10.5.2 #10781
  • UPGRADE: so-registry docker image #10727

2.4.3 Beta 4 [20230711] Changes

  • FEATURE: Add link to Downloads page for convenient access to firewall settings #10702
  • FEATURE: Add more SOC Config quick links #10563
  • FEATURE: Add time zone selection to Grid page #8629
  • FEATURE: Add webauthn support to SOC #10608
  • FEATURE: Allow import of PCAP and EVTX via SOC UI #10413
  • FEATURE: Elastic Fleet - Automatically Update Logstash Outputs #10746
  • FEATURE: Elastic Fleet Server URL - Custom Domain #10744
  • FEATURE: Supported Integrations #10590
  • FEATURE: so-import-evtx #10673
  • FIX: Strelka rule path #10715
  • FIX: 2.4 ISO image won’t install on Virtualbox #10534
  • FIX: Account for Suricata XFF function in parsing and ingestion #8643
  • FIX: Add more Zeek logs to excluded list #10569
  • FIX: Analyzer requests and whoisit updates #10524
  • FIX: Change Playbook index to data stream and update event.severity_label #10523
  • FIX: Cleanup log-rotate.conf #10545
  • FIX: Curator should ignore empty list #10512
  • FIX: Don’t override default integration ingest node pipelines #10542
  • FIX: Ensure operations on records with “Missing” fields use correct search #8025
  • FIX: Ensure packages aren’t installed from default Rocky repos #10630
  • FIX: Exclude System logs from Hunt/Dashboard Queries. #10122
  • FIX: Finish SSL cert integration into SOC config UI #10533
  • FIX: Improve SOC login error message for disabled users #8908
  • FIX: Increase net.core.wmem_default value #10602
  • FIX: InfluxDB NSM Disk Usage visualization #10520
  • FIX: Integration logs not parsed correctly #10672
  • FIX: Logstash soc.fields.query warning #10528
  • FIX: Node description config setting should only apply at the node level #10562
  • FIX: Remove default excluded rules from YARA repo #10718
  • FIX: Review Kibana Dashboards #10664
  • FIX: Rework dataset name and add tags based on suffix #10526
  • FIX: Rework field to account for missing classifiers #10420
  • FIX: SOC Config NTP quick link #10519
  • FIX: Scheduled jobs trying to run during setup #10468
  • FIX: Set Elastic Fleet certs to use url_base #10510
  • FIX: Setup re-runs when SSH’ing into a successfully installed minion node #10498
  • FIX: Strelka rule exclusions #10716
  • FIX: Suricata DHCP logs not ingesting #10565
  • FIX: Suricata dataset values for certain types of metadata #10551
  • FIX: Update README.md #10554
  • FIX: Update cheat sheet for 2.4 #10532
  • UPGRADE: CyberChef 10.4.0 #10581
  • UPGRADE: Suricata 6.0.13 #10594

2.4.2 Beta 3 [20230531] Changes

  • FEATURE: Add additional alerts for Influxdb #10388
  • FEATURE: Add link to SOC error messages that takes user to hunt and auto-searches for recent SOC-related errors. #10283
  • FEATURE: Add Protected checkbox on Attachment upload form #10203
  • FEATURE: Add support for Apple Silicon Elastic Agent Installer #10473
  • FEATURE: Add support for EQL to Playbook #10471
  • FEATURE: Allow for any docker container to have extra hosts and custom binds #10301
  • FEATURE: Allow users to switch between airgap and non airgap. #10470
  • FEATURE: Dedicated Elastic Fleet Node #10474
  • FEATURE: Enable Elastic Defend Integration on Endpoints Policy #10475
  • FEATURE: Integrate Elastic Artifact Repo #10053
  • FEATURE: Integrate Elastic Package Registry #10472
  • FEATURE: ISO image #10476
  • FEATURE: Link the Grid Interface with Docker container log files #10149
  • FEATURE: Prompt user to verify the manager node's IP address if a DNS record is found during setup. #10334
  • FEATURE: Quicklinks to common configs #10395
  • FEATURE: SOC config UI should process each line individually with regex when multiline: True is set #10243
  • FEATURE: Support authentication rate limiting #10308
  • FIX: AWS Instances with forced IMDSv2 enabled fail to detect running in AWS #10205
  • FIX: Cluster delete script should use different disk space logic when /nsm is shared among services #10418
  • FIX: Correct SOC Annotations for idstools in Grid Configuration. #10208
  • FIX: Correct SOC Annotations of Zeek in Grid Configuration. #10211
  • FIX: Hunt Quick Drilldown #10377
  • FIX: If mdengine is changed to Suricata, Zeek is still shown in so-status #10232
  • FIX: Improve SOC configuration handling of lists #10219
  • FIX: Improve soup’s local file modification logic #8972
  • FIX: In distributed deployment, Dashboards/Kibana only show data from the first sensor added. #10231
  • FIX: Influxdb Elasticsearch cells showing duplicate data. #10336
  • FIX: Kibana: Ensure _id fields beginning with a hyphen work properly when pivoting to SOC from Kibana #10305
  • FIX: Logstash WARN logstash.outputs.elasticsearch on searchnode #10291
  • FIX: Prepare SOUP for 2.4 #10056
  • FIX: Prevent duplicate observables from being automatically created when attaching events to a case. #10123
  • FIX: Review 2.4 file permissions and other local security changes #9110
  • FIX: Setting CPU affinity or number of threads for Suricata not being applied. #10240
  • FIX: Simplify cloud detection #10261
  • FIX: Some SOC Config settings are only visible when Advanced is enabled #10429
  • FIX: Strelka YARA Compilation #10271
  • FIX: Suricata ignores the threads setting and is always set to 1 #10230
  • FIX: Unable to disable PCAP via web configuration #10229
  • FIX: Use pillar values to allow Zeek log ingestion selection from the UI #10322
  • FIX: Zeek local policies are not being updated when changed in Current Grid value. #10209
  • FIX: Zeek not ignoring lb_procs when Zeek pins configured #10215
  • UPGRADE: Elastic 8.7.1 #10269
  • UPGRADE: Kratos to 0.13.0 #10309
  • UPGRADE: SOC external dependencies #10268
  • UPGRADE: Suricata 6.0.12 #10311
  • UPGRADE: Zeek 5.0.9 #10374

2.4.1 Beta 2 [20230424] Changes

  • FIX: Add Dedicated Fleet Node #10054
  • FIX: Don’t create curl.config on Forward Nodes #10057
  • FIX: Force case attachments to be downloaded #10186
  • FIX: Improve Elasticsearch index deletion - so-elastic-clear #10109
  • FIX: Improve Elasticsearch index deletion - so-elastic-cluster-delete-delete #10110
  • FIX: Make sure Setup image downloads populate the screen and the log #10052
  • FIX: Overview Customization link #10173
  • FIX: Prevent Jinja syntax from being entered into config values via UI/API #10187
  • FIX: Prevent Zeek from using a large amount of memory #10190
  • FIX: Remove legacy Kibana dashboards #8555
  • FIX: Remove template load from search nodes in distrib #10060
  • FIX: SOC only displaying data for users assigned the superuser role #10068
  • FIX: Sort grid members lists #10185
  • FIX: Suricata DNS A and CNAME parsing #10117
  • FIX: Using SOC Configuration to change mdengine from ZEEK to SURICATA fails #10189
  • FIX: Zeek @local and @local-sigs need to strip the @ for config but replace in local.zeek #10050
  • FIX: Zeek is not honoring lbprocs #10062
  • UPGRADE: Elastic 8.7.0 #10059
  • UPGRADE: Suricata 6.0.11 #10067
  • UPGRADE: Zeek 5.0.8 #10107