From b7e1aa366e1a8468c9524cd6394e37cb78d91ae2 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 18 Oct 2024 10:58:49 -0400 Subject: [PATCH 1/5] update Zeek to mention that extracted files are then processed by Strelka --- zeek.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/zeek.rst b/zeek.rst index 0d2d1dbb..678a20fd 100644 --- a/zeek.rst +++ b/zeek.rst @@ -124,6 +124,11 @@ We also include MITRE BZAR scripts and you can read more about them at https://g As you can see, Zeek log data can provide a wealth of information to the analyst, all easily accessible through :ref:`dashboards`, :ref:`hunt`, or :ref:`kibana`. +File Extraction +--------------- + +By default, Zeek will extract files from network traffic and :ref:`strelka` will then analyze those extracted files. + VLAN Tags --------- From 5cfa0d0f54f0527453bf13d703fb9af8ec2505da Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 18 Oct 2024 11:48:49 -0400 Subject: [PATCH 2/5] update elasticsearch --- elasticsearch.rst | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/elasticsearch.rst b/elasticsearch.rst index 8ceece1b..2a2b5ac2 100644 --- a/elasticsearch.rst +++ b/elasticsearch.rst 
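Review bot: the new File Extraction section in zeek.rst tells the reader that extraction is on by default but gives nothing to act on: which files get extracted, where they are written, how long they are kept, and which setting turns extraction off or narrows it are all absent, so an analyst whose sensor disk is filling with carved files, or who needs to disable extraction for a sensitive segment, learns nothing from this paragraph. Suggest following `By default, Zeek will extract files from network traffic and :ref:`strelka` will then analyze those extracted files.` with a sentence naming the configuration location for the extraction setting (with a `:ref:` cross-reference in the style the rest of the page uses) and a note on retention of the extracted files, rather than leaving the section as a single sentence.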
@@ -259,6 +259,33 @@ Elasticsearch 8 no longer includes GeoIP databases by default. We include GeoIP Once the config is added, click the green check mark to save the configuration. +Health +------ + +To check Elasticsearch health, go to the :ref:`grid` interface and check the Elasticsearch Status field. If it shows anything other than OK, then run the following command from the CLI on the manager node to check for additional clues: + +:: + + sudo so-elasticsearch-query _cluster/health?pretty + +Status Pending +-------------- + +If the :ref:`grid` interface shows Elasticsearch Status as ``Pending``, check for unassigned shards by running the following command from the CLI on the manager node: + +:: + + sudo so-elasticsearch-query _cat/shards | grep UN + +The result of the query should display affected indices. Older metrics indices for Elastic Endpoint logs may have been assigned a replica, so if you are running a single-node Elastic cluster there will be nowhere for the replica to exist. +To resolve the issue, run the following command for each affected index (replacing ``$index`` with the actual index name): + +:: + + sudo so-elasticsearch-query $index/_settings -d '{"number_of_replicas":0}' -XPUT + +After running the command, the index should no longer use replicas and the status should change from "Pending" to "OK" once all indices have been successfully modified. + Diagnostic Logging ------------------ From f52ac61731d3dd1de495919c2acc5e2186484d95 Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 18 Oct 2024 12:12:23 -0400 Subject: [PATCH 3/5] Update release-notes.rst --- release-notes.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/release-notes.rst b/release-notes.rst index 03d3ca65..97d86a5b 100644 --- a/release-notes.rst +++ b/release-notes.rst 
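Review bot: in the Status Pending procedure, `sudo so-elasticsearch-query _cat/shards | grep UN` filters on the bare substring `UN`, so any index name containing those letters will also be listed even when its shards are assigned; match the full state instead (`grep UNASSIGNED`), and consider requesting the reason column, `_cat/shards?h=index,shard,prirep,state,unassigned.reason`, so the reader can see why the shard is unassigned before changing anything. The fix itself, `sudo so-elasticsearch-query $index/_settings -d '{"number_of_replicas":0}' -XPUT`, is only correct for the single-node case the paragraph describes; on a multi-node cluster an unassigned replica usually means a node is down, a disk watermark was hit, or allocation filtering is in play, and dropping replicas there discards redundancy without fixing the cause. Suggest stating explicitly that this applies to single-node deployments and pointing multi-node readers at `_cluster/allocation/explain` first. Finally, setting replicas to 0 on the existing indices does not stop the next rollover from creating a new index with a replica again if the replica count comes from the index template; the text should say whether the template has been corrected, or the Pending status will recur.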
@@ -12,6 +12,12 @@ Field conflicts can be identified by navigating to ``Kibana -> Management -> Dat For example, you may have a conflict for ``source.ip``, where it was previously correctly mapped as field type of ``ip``, but the index mappings were inadvertently changed and ``source.ip`` is now mapped as a field type of ``keyword`` in the ``logs-system.security`` and ``logs-system.syslog`` data streams. The mappings have been fixed, but the data streams need to be rolled over to pick up the correct mappings, and the affected index containing ``source.ip`` mapped as a field type of ``keyword`` needs to be deleted to resolve the conflict. +Conflicts for the following fields can be ignored for now, as they will be fixed in a future version: + +- metadata.input.beats.host ipkeyword, ip +- recordedfuture.evidence_details flattened, object +- version keyword, object + You can issue the following commands from the CLI to resolve the conflict. First, become root: From 708aa9b0693edc155a75d402c63e44447d1b5cbe Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 18 Oct 2024 12:13:52 -0400 Subject: [PATCH 4/5] Update release-notes.rst --- release-notes.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/release-notes.rst b/release-notes.rst index 97d86a5b..4534fdc9 100644 --- a/release-notes.rst +++ b/release-notes.rst @@ -14,9 +14,9 @@ For example, you may have a conflict for ``source.ip``, where it was previously Conflicts for the following fields can be ignored for now, as they will be fixed in a future version: -- metadata.input.beats.host ipkeyword, ip -- recordedfuture.evidence_details flattened, object -- version keyword, object +- metadata.input.beats.host.ip +- recordedfuture.evidence_details +- version keyword You can issue the following commands from the CLI to resolve the conflict. From 30346bce82a9dcb72381731153a6fa293340c76d Mon Sep 17 00:00:00 2001 
From: weslambert Date: Fri, 18 Oct 2024 12:14:07 -0400 Subject: [PATCH 5/5] Update release-notes.rst --- release-notes.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release-notes.rst b/release-notes.rst index 4534fdc9..0b9d2e06 100644 --- a/release-notes.rst +++ b/release-notes.rst @@ -16,7 +16,7 @@ Conflicts for the following fields can be ignored for now, as they will be fixed - metadata.input.beats.host.ip - recordedfuture.evidence_details -- version keyword +- version You can issue the following commands from the CLI to resolve the conflict.
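Review bot: across the three release-notes.rst commits the list of ignorable conflicts loses the information a reader needs to recognise them. The first version carried the conflicting types, garbled by a missing line break (`- metadata.input.beats.host ipkeyword, ip` reads as `metadata.input.beats.host.ip` with `keyword` vs `ip`; `recordedfuture.evidence_details` with `flattened` vs `object`; `version` with `keyword` vs `object`), and the two follow-up commits removed the types entirely instead of fixing the layout. The preceding paragraph explains the `source.ip` conflict precisely by naming both mapped types, so the list should do the same, in the page's own double-backtick literal style, e.g. `- ``metadata.input.beats.host.ip`` (``ip``, ``keyword``)`; otherwise a reader comparing against the Kibana field-conflict view cannot tell whether the conflict they see is one of these or a new one. "Will be fixed in a future version" should also name the version or link the tracking issue if one exists, so the entry can be removed when it stops being true. As a style point, three commits to shape one bullet list would be cleaner squashed into one.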