Release Notes
Known Issues
If you notice an Elasticsearch status of Pending in the Grid interface, you can view affected indices by running the following command from the CLI on the manager node:
sudo so-elasticsearch-query _cat/shards | grep UN
The output of the query lists the affected indices. Older metrics indices for Elastic Endpoint logs may have been created with a replica, and on a single-node Elastic cluster that replica shard has no other node to be allocated to, so it remains unassigned.
To resolve the issue, run the following command for each affected index (replacing $index with the actual index name):
sudo so-elasticsearch-query $index/_settings -d '{"number_of_replicas":0}' -XPUT
After running the command, the index should no longer use replicas and the status should change from “Pending” to “OK” once all indices have been successfully modified.
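A small POSIX shell script that automates the check and the fix described above, added here as an example and not part of the Security Onion documentation. It parses a constructed sample of `_cat/shards` output (not real cluster data), lists the indices that have unassigned shards, and prints the per-index `so-elasticsearch-query` command so the plan can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example: find indices with UNASSIGNED shards in `_cat/shards` output
# and build the replica-removal command from the Known Issues section.
# Not part of the Security Onion project's own tooling.

# Constructed sample of `sudo so-elasticsearch-query _cat/shards` output
# (columns: index shard prirep state docs store ip node). Unassigned
# shards have no docs/store/ip/node columns, as in a real listing.
SAMPLE_SHARDS='so-logs-2024.03.20 0 p STARTED 1200 1.1mb 10.0.0.5 so-manager
.ds-metrics-endpoint.metadata-default-2024.01.01-000001 0 p STARTED 300 200kb 10.0.0.5 so-manager
.ds-metrics-endpoint.metadata-default-2024.01.01-000001 0 r UNASSIGNED
.ds-metrics-endpoint.policy-default-2024.01.01-000001 0 p STARTED 50 40kb 10.0.0.5 so-manager
.ds-metrics-endpoint.policy-default-2024.01.01-000001 0 r UNASSIGNED
.ds-metrics-endpoint.metadata-default-2024.01.01-000001 1 r UNASSIGNED'

# Print each index name that has at least one UNASSIGNED shard, once.
# Matching the state column ($4) exactly, instead of `grep UN`, avoids
# false hits on index names that merely contain the letters "UN".
affected_indices() {
    printf '%s\n' "$1" | awk '$4 == "UNASSIGNED" { print $1 }' | sort -u
}

# Number of distinct indices that still need the fix (quick health check).
affected_count() {
    affected_indices "$1" | wc -l | tr -d ' '
}

# Render the fix command from the Known Issues section for one index.
replica_fix_cmd() {
    printf "sudo so-elasticsearch-query %s/_settings -d '{\"number_of_replicas\":0}' -XPUT\n" "$1"
}

# Emit one fix command per affected index. Review the output, then pipe it
# to `sh` on the manager node to apply the change for real.
plan_fix() {
    affected_indices "$1" | while IFS= read -r idx; do
        replica_fix_cmd "$idx"
    done
}

# Dry run against the constructed sample. For a live cluster, replace the
# sample with: SHARDS="$(sudo so-elasticsearch-query _cat/shards)"
plan_fix "$SAMPLE_SHARDS"
```

Re-run `affected_count` after applying the commands; it should return 0 once every affected index has been modified.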
2.4.60 [20240320] Changes
FEATURE: Add Suricata classification.config for editing #12391
FEATURE: Add Suricata support for full PCAP #12571
FEATURE: Add default columns for endpoint.events datasets #12425
FEATURE: Add new SOC action for Process Info #12421
FEATURE: Add new endpoint dashboards #12428
FEATURE: Additional Supported Integrations #5
FEATURE: Improve Grid page Reboot indicators #12546
FEATURE: Initial implementation of the new Detections system (currently disabled)
FIX: Accept Uppercase emails #12559
FIX: Change the default setting for steno diskfreepercentage on standalone installations to 21 #12541
FIX: Download only newest packages for network installs
FIX: EA packages are not downloadable once STIGs have been applied
FIX: Endpoint diagnostic template pattern #12433
FIX: Exclude templates from global overrides when necessary #12382
FIX: Improve the accuracy of the stenoloss script #12477
FIX: Receiver node Redis queue fills up using Managersearch without a Searchnode #12535
FIX: Support Oinkcode values containing leading 0’s #12506
FIX: Update SOC annotations for Stenographer PCAP #12539
FIX: Update correlate quick action with new icon #12387
FIX: Update ks.cfg for appliances
FIX: error.message mapping for system.syslog #12518
FIX: so-saltstack-update should use the proper repo in 2.4 #12570
UPGRADE: CyberChef 10.8.2 #12454
UPGRADE: Kratos to 1.1.0 #12479
UPGRADE: Suricata 7.0.4 #12609
2.4.50 [20240220] Changes
FEATURE: Add Suricata PCAP module to Sensoroni (currently disabled) #12255
FEATURE: Add new SOC action to show process ancestry #12345
FEATURE: Add new dashboards for community_id and firewall auth #12323
FEATURE: Additional Supported Integrations #4
FEATURE: Allow user to create custom Elasticsearch pipelines without copying them over via SSH
FEATURE: Allow user to create custom Logstash pipelines without copying them over via SSH
FEATURE: Dedicated Fleet node should have an nginx entry and cert that works for /artifacts #11346
FEATURE: Determine if Elastic is on its own mount point if so adjust size for watermark #12364
FEATURE: Improve Correlate and Hunt actions on SOC Actions menu #12315
FEATURE: RITA Logs #12226
FEATURE: Support PCAP pivots for ICMP packets in SOC
FIX: suricata.ike ingest pipeline does not exist #12174
FIX: Add stenographer logging #12282
FIX: Change field groupby button to new groupby #12228
FIX: Correct SOC error messages related to malformed queries #12269
FIX: Endpoint diagnostic collection index created with replicas #12256
FIX: Expose node Reboot status as its own state; other grid/feature improvements
FIX: Network Transport for suricata alerts should be lowercase #12217
FIX: Strelka scan.pe.flags mapping #12251
FIX: Sync the event.dataset values between the Windows Sysmon and ElasticAgent defend logs
FIX: Syntax error running elastic fleet scripts during highstate
FIX: User count logic providing inconsistent results #12258
UPGRADE: CyberChef 10.6.0 #12310
UPGRADE: Salt 3006.6 #12304
UPGRADE: Strelka 0.24.01.18 #12229
UPGRADE: Suricata 7.0.3 #12327
UPGRADE: Zeek 6.0.3 #12225
2.4.40 [20240116] Changes
FEATURE: Add geoip support to Suricata #11901
FEATURE: Additional Supported Integrations #2 #11958
FEATURE: Additional Supported Integrations #3 #12056
FEATURE: Add server reboot notification to SOC #11852
FEATURE: Allow an easy way to disable incoming events to a manager #12033
FEATURE: Carve out the cert_chain_fps value from SSL traffic #11806
FEATURE: Echotrail, Elasticsearch, MalwareBazaar, and ThreatFox Analyzers #12014
FEATURE: Grid page status/metric enhancements #11971
FEATURE: Manipulate event table columns #12145
FEATURE: Sublime Platform Analyzer #11883
FIX: Add force option to integrations #12017
FIX: Adding extra_hosts for SOC, Elasticsearch and Logstash Docker containers fails #12015
FIX: Begin kickstart consolidation
FIX: Corrupt job files should not cause SOC to exit during startup #12082
FIX: Disable Elastic Agent Downloads for Import and Eval mode
FIX: Docker service sometimes not started or enabled on remote nodes during setup #12101
FIX: Documentation links under SOC - Administration - Configuration need updating #11828
FIX: FIM Integration #11847
FIX: Ignore Zeek analyzer log #11892
FIX: Improve salt-relay response integrity
FIX: ISO image should default to 1GB /boot partition #12002
FIX: Logstash pipeline to point to self instead of manager #12038
FIX: Make sure optional integration pillar values are merged with defaults #12163
FIX: Playbook Navigator Layer #11380
FIX: Remove Curator
FIX: Remove sudo entry for so-setup after setup completes
FIX: Rerunning setup should uninstall local Elastic Agent #12030
FIX: Show more readable column names for default Case list screen #12162
FIX: SOC Hunt HTTP EXE query #11784
FIX: so-elastic-fleet-reset non-destructive #12142
FIX: so-playbook-reset #11790
FIX: Update clear scripts #11991
FIX: Update dashboard and hunt query for firewall logs #12021
FIX: Update NIDS rule.reference in common.nids pipeline #11846
UPGRADE: Salt 3006.5 #12143
UPGRADE: SOC dependencies to latest versions #12041
UPGRADE: Strelka 0.23.12.01 #11770
2.4.30 Hotfix [20231228] Changes
FIX: Appliance kickstart files are not copying Elastic Agent tarballs #12081
2.4.30 Hotfix [20231219] Changes
FIX: Update appliance kickstart scripts to fix issue with package copy #12044
2.4.30 Hotfix [20231204] Changes
2.4.30 Hotfix [20231121] Changes
FIX: Salt minion service disabled highstate in upgrade to 2.4.30 #11851
2.4.30 Hotfix [20231117] Changes
2.4.30 [20231113] Changes
FEATURE: Additional Supported Integrations #11513
FEATURE: Allow for BPF comments in SOC #11738
FEATURE: OpenID Connect (OIDC) support
FEATURE: so-elastic-fleet-reset #11697
FEATURE: Sublime Platform Integration #11579
FIX: Add -watch to soctopus saltstate for file SOCtopus.conf. Makes container restart @ highstate if file is updated. #11700
FIX: Allow ICMP to allow a node to respond to ping #11495
FIX: Allow standalone install type to work with 16GB of ram #11699
FIX: Allow the setting up of data_warm to the nodes list in ES
FIX: Data not returned from mine for network.ip_addrs #11502
FIX: Delete all obsolete scripts and unused code (also check so-setup, so-functions)
FIX: Fail so-setup if Elastic Fleet Setup encounters an error #11696
FIX: Global BPF prevents new sensor from applying highstate #11610
FIX: Improve error handling of Elasticsearch pipeline and template load scripts #11728
FIX: Logs not parsed correctly when shipped from Fleet Node #11698
FIX: Only heavy nodes should be treated as remote Elastic clusters in SOC #11553
FIX: Reduce ISO size #11510
FIX: Set days for warm for all so-* indices
FIX: Show container download status during soup #11550
FIX: Sigma DNS mapping #11498
FIX: Suricata 7 pkt_src field needs to be parsed #11566
FIX: The values for specific nodes in zeek.config.local.load are being populated incorrectly #11472
UPGRADE: NetworkMiner 2.8.1 #11457
UPGRADE: Salt 3006.3 #11529
UPGRADE: SOC dependency Axios to 1.6.1 #11763
UPGRADE: Sophos Integration #11548
UPGRADE: Upgrade Elastic to 8.10.4
UPGRADE: Upgrade InfluxDB to 2.7.1 and Telegraf to 1.28.2
UPGRADE: Upgrade Suricata to 7.0.2
UPGRADE: Zeek 6.0.2
2.4.20 Hotfix [20231012] Changes
FIX: Elastic Defend Integration Policy Corrupted #11527
2.4.20 [20231006] Changes
FEATURE: Add ingest parser for pfSense OpenVPN logs #7656
FEATURE: Add new so-log-check tool to scan SO logging for anomalies
FEATURE: Enable Analyzers to be managed through SOC #11211
FEATURE: Grid screen improvements; support for desktop nodes
FEATURE: Provide global replica value for index templates #10998
FEATURE: SOC Grid Members should prompt for confirmation before actually deleting #11223
FIX: Adding custom action to SOC causes the Endgame action to be replicated #11210
FIX: Add Transform Role #11309
FIX: CentOS stream 9 installation #11168
FIX: Clean component template directory #11331
FIX: Desktop via network install fails #10975
FIX: Disable conn stats from being generated by default #11410
FIX: Docker custom_bind_mounts not working for some containers #11122
FIX: Duplicate cronjobs for filecheck #11400
FIX: Elastic Agent - Installation “Not Accessible” Message #11191
FIX: Elastic Fleet key and cert errors on heavynode #11026
FIX: Exclude Zeek console log ingestion #11082
FIX: Features pillar not showing all enabled features #11130
FIX: Fleet plugin logs ERROR during kibana restart #10955
FIX: Force nginx to run as user nobody #11402
FIX: Heavy nodes are missing ElasticFleet integration policies #11189
FIX: Heavy Nodes are not properly added to the soc.json #11192
FIX: Improve consistency in cert storage across OS families #11162
FIX: Improve default settings to avoid Elasticsearch hitting watermark #11305
FIX: Kibana Elastic Agent Dashboard 404 #11018
FIX: Maintain minion log in INFO level, add logrotate #10921
FIX: Make sure a data stream is created for syslog #11209
FIX: Make sure Elastic packages are loaded when changed #11428
FIX: Minimum system requirements checks during setup #11324
FIX: Minion log appears to show timezone bouncing #10922
FIX: osquery not working on macOS
FIX: Pre-load Integration Templates #11146
FIX: Prevent repeated creation of unused Docker volumes #9941
FIX: Remove default component templates to prevent conflicts #11260
FIX: Remove OSSEC and add Playbook mappings for the SOC Alerts Event Table #11015
FIX: Remove telegraf beats EPS script #11412
FIX: Rename some SOC log fields to more unique field names #11429
FIX: Reposync and yara rules should not run in airgap #11427
FIX: SOC Config pcap doc links should point to steno docs #11302
FIX: SOC Config sensoroni doc links should point to correct docs #11362
FIX: SOC doesn’t return user to login page after session expires #11438
FIX: SOC fails to parse incomplete Elastic error response #11435
FIX: SOC Grid Import inconsistency with larger files #11143
FIX: Some packages are installed/removed and upgraded/downgraded every 15min #11458
FIX: so-import-evtx incorrect dates #11332
FIX: so-salt-minion-check not rendering as jinja #11390
FIX: Stop zeek from trying to email reports #11407
FIX: Strelka ingest pipeline should properly index entropy 0 values and float values in the same field
FIX: Suricata filter and extraction rules are not properly updated #11229
FIX: Update firewall docs for custom port and host groups #11053
FIX: Update IDH Opencanary Modules to indicate they only apply to IDH nodes #10170
UPGRADE: Kratos to v1.0.0
UPGRADE: Suricata 6.0.14 #11319
UPGRADE: Zeek 5.0.10 #11301
2.4.10 Hotfix [20230821] Changes
FIX: Component templates not updated when packages are updated #11065
FIX: Importing both PCAP and EVTX files fails #11030
FIX: Logstash container missing on distributed receiver #11099
FIX: pipeline with id logs-system.syslog-1.6.4 does not exist #11038
FIX: Suricata permissions on Heavy Nodes are incorrect #11031
2.4.10 [20230815] Changes
FEATURE: Auto-Upgrade Node Agents #10949
FEATURE: Customize desktop environment #10957
FIX: Custom actions, queries, tools can cause SOC restart to fail #11022
FIX: Elastic Agents won’t upgrade without Internet connection #10981
FIX: Elastic Integrations not upgrading during SOUP #10984
FIX: Elastic index settings annotations need to be synchronized with those specified in defaults #10999
FIX: File extraction not working after switching from Zeek metadata to Suricata metadata #10973
FIX: Fleet - url_base not working in cert CN #11003
FIX: Improve wording for Firewall entries under Grid Administration Quick Links #10990
FIX: Influx reporting No Results for Zeek Capture Loss #10956
FIX: Suricata should not assume the interface will always be bond0 #10954
FIX: Sysmon Events Table Field Rendering #10985
FIX: so-desktop-install needs to change from Rocky to Oracle #10962
FIX: soup may fail while trying to query Fleet server #10974
2.4.5 RC2 [20230807] Changes
FEATURE: Add NetworkMiner to Security Onion Desktop #10865
FEATURE: Add value from record in Hunt, etc. as an observable to an existing or new case #7992
FEATURE: Enable CommunityID for Elastic Defend Logs #10811
FEATURE: Heavy Node Support #10671
FEATURE: so-import-evtx - timeshift #10743
FEATURE: soup should rotate its log file #10951
FIX: Dashboards with multiple groupby charts always filter by the first chart’s, first groupby field #10856
FIX: Disable offload on monitor NICs #10900
FIX: EQL Field Mappings #10783
FIX: Elastic Fleet Improvements #10846
FIX: Firewall state custom host group assignments for single portgroup entry #10917
FIX: IDH node #10882
FIX: IPTables Persistence #10884
FIX: Install Error: so-yara-download failed #10880
FIX: Install screen - Firewall #10945
FIX: List settings updated with blank values should be stored as empty lists #10936
FIX: Login page shows error banner briefly on initial page load #10911
FIX: RAID status on Grid page #10935
FIX: SOC Auth dashboard #10878
FIX: Security Onion Desktop state should default to Gnome Classic #10958
FIX: sensor MTU setting in SOC Config should be read only #10883
FIX: so-status taking several seconds to complete #10909
FIX: soup #10902
FIX: syslog not working #10896
FIX: verbiage and links in soc_sensor.yaml #10906
UPGRADE: Elastic 8.8.2 #10864
2.4.4 RC1 [20230728] Changes
FEATURE: Add DNS lookup action to SOC #8655
FEATURE: Add Oracle Linux Support #10844
FEATURE: Add pivots for relational operators on numbers #8024
FEATURE: Add relative Timeframe and Refresh Interval as URL Parameters to Hunt #3352
FEATURE: Cases - Add ability to enable dynamic observable extraction #7972
FEATURE: Oracle Linux ISO #10845
FEATURE: Security Onion Desktop #10862
FIX: Add retry to Elastic Agent installer #10488
FIX: Case status code 404 error #10759
FIX: Intermittent pcap retrieval #10750
FIX: Navigator Errors #10742
FIX: Remove .security subfield #10745
UPGRADE: CyberChef 10.5.2 #10781
UPGRADE: so-registry docker image #10727
2.4.3 Beta 4 [20230711] Changes
FEATURE: Add link to Downloads page for convenient access to firewall settings #10702
FEATURE: Add more SOC Config quick links #10563
FEATURE: Add time zone selection to Grid page #8629
FEATURE: Add webauthn support to SOC #10608
FEATURE: Allow import of PCAP and EVTX via SOC UI #10413
FEATURE: Elastic Fleet - Automatically Update Logstash Outputs #10746
FEATURE: Elastic Fleet Server URL - Custom Domain #10744
FEATURE: Supported Integrations #10590
FEATURE: so-import-evtx #10673
FIX: Strelka rule path #10715
FIX: 2.4 ISO image won’t install on Virtualbox #10534
FIX: Account for Suricata XFF function in parsing and ingestion #8643
FIX: Add more Zeek logs to excluded list #10569
FIX: Analyzer requests and whoisit updates #10524
FIX: Change Playbook index to data stream and update event.severity_label #10523
FIX: Cleanup log-rotate.conf #10545
FIX: Curator should ignore empty list #10512
FIX: Don’t override default integration ingest node pipelines #10542
FIX: Ensure operations on records with “Missing” fields use correct search #8025
FIX: Ensure packages aren’t installed from default Rocky repos #10630
FIX: Exclude System logs from Hunt/Dashboard Queries. #10122
FIX: Finish SSL cert integration into SOC config UI #10533
FIX: Improve SOC login error message for disabled users #8908
FIX: Increase net.core.wmem_default value #10602
FIX: InfluxDB NSM Disk Usage visualization #10520
FIX: Integration logs not parsed correctly #10672
FIX: Logstash soc.fields.query warning #10528
FIX: Node description config setting should only apply at the node level #10562
FIX: Remove default excluded rules from YARA repo #10718
FIX: Review Kibana Dashboards #10664
FIX: Rework dataset name and add tags based on suffix #10526
FIX: Rework field to account for missing classifiers #10420
FIX: SOC Config NTP quick link #10519
FIX: Scheduled jobs trying to run during setup #10468
FIX: Set Elastic Fleet certs to use url_base #10510
FIX: Setup re-runs when SSH’ing into a successfully installed minion node #10498
FIX: Strelka rule exclusions #10716
FIX: Suricata DHCP logs not ingesting #10565
FIX: Suricata dataset values for certain types of metadata #10551
FIX: Update README.md #10554
FIX: Update cheat sheet for 2.4 #10532
UPGRADE: CyberChef 10.4.0 #10581
UPGRADE: Suricata 6.0.13 #10594
2.4.2 Beta 3 [20230531] Changes
FEATURE: Add additional alerts for Influxdb #10388
FEATURE: Add link to SOC error messages that takes user to hunt and auto-searches for recent SOC-related errors. #10283
FEATURE: Add Protected checkbox on Attachment upload form #10203
FEATURE: Add support for Apple Silicon Elastic Agent Installer #10473
FEATURE: Add support for EQL to Playbook #10471
FEATURE: Allow for any docker container to have extra hosts and custom binds #10301
FEATURE: Allow users to switch between airgap and non airgap. #10470
FEATURE: Dedicated Elastic Fleet Node #10474
FEATURE: Enable Elastic Defend Integration on Endpoints Policy #10475
FEATURE: Integrate Elastic Artifact Repo #10053
FEATURE: Integrate Elastic Package Registry #10472
FEATURE: ISO image #10476
FEATURE: Link the Grid Interface with Docker container log files #10149
FEATURE: Prompt user to verify the manager node's IP address if a DNS record is found during setup. #10334
FEATURE: Quicklinks to common configs #10395
FEATURE: SOC config UI should process each line individually with regex when multiline: True is set #10243
FEATURE: Support authentication rate limiting #10308
FIX: AWS Instances with forced IMDSv2 enabled fail to detect running in AWS #10205
FIX: Cluster delete script should use different disk space logic when /nsm is shared among services #10418
FIX: Correct SOC Annotations for idstools in Grid Configuration. #10208
FIX: Correct SOC Annotations of Zeek in Grid Configuration. #10211
FIX: Hunt Quick Drilldown #10377
FIX: If mdengine is changed to Suricata, Zeek is still shown in so-status #10232
FIX: Improve SOC configuration handling of lists #10219
FIX: Improve soup’s local file modification logic #8972
FIX: In distributed deployment, Dashboards/Kibana only show data from the first sensor added. #10231
FIX: Influxdb Elasticsearch cells showing duplicate data. #10336
FIX: Kibana: Ensure _id fields beginning with a hyphen work properly when pivoting to SOC from Kibana #10305
FIX: Logstash WARN logstash.outputs.elasticsearch on searchnode #10291
FIX: Prepare SOUP for 2.4 #10056
FIX: Prevent duplicate observables from being automatically created when attaching events to a case. #10123
FIX: Review 2.4 file permissions and other local security changes #9110
FIX: Setting CPU affinity or number of threads for Suricata not being applied. #10240
FIX: Simplify cloud detection #10261
FIX: Some SOC Config settings are only visible when Advanced is enabled #10429
FIX: Strelka YARA Compilation #10271
FIX: Suricata ignores the threads and always is set to 1 #10230
FIX: Unable to disable PCAP via web configuration #10229
FIX: Use pillar values to allow Zeek log ingestion selection from the UI #10322
FIX: Zeek local policies are not being updated when changed in Current Grid value. #10209
FIX: Zeek not ignoring lb_procs when Zeek pins configured #10215
UPGRADE: Elastic 8.7.1 #10269
UPGRADE: Kratos to 0.13.0 #10309
UPGRADE: SOC external dependencies #10268
UPGRADE: Suricata 6.0.12 #10311
UPGRADE: Zeek 5.0.9 #10374
2.4.1 Beta 2 [20230424] Changes
FIX: Add Dedicated Fleet Node #10054
FIX: Don’t create curl.config on Forward Nodes #10057
FIX: Force case attachments to be downloaded #10186
FIX: Improve Elasticsearch index deletion - so-elastic-clear #10109
FIX: Improve Elasticsearch index deletion - so-elastic-cluster-delete-delete #10110
FIX: Make sure Setup image downloads populate the screen and the log #10052
FIX: Overview Customization link #10173
FIX: Prevent Jinja syntax from being entered into config values via UI/API #10187
FIX: Prevent Zeek from using a large amount of memory #10190
FIX: Remove legacy Kibana dashboards #8555
FIX: Remove template load from search nodes in distrib #10060
FIX: SOC only displaying data for users assigned the superuser role #10068
FIX: Sort grid members lists #10185
FIX: Suricata DNS A and CNAME parsing #10117
FIX: Using SOC Configuration to change mdengine from ZEEK to SURICATA fails #10189
FIX: Zeek @local and @local-sigs need to strip the @ for config but replace in local.zeek #10050
FIX: Zeek is not honoring lbprocs #10062
UPGRADE: Elastic 8.7.0 #10059
UPGRADE: Suricata 6.0.11 #10067
UPGRADE: Zeek 5.0.8 #10107
2.4.0 Beta 1 [20230328] Changes
https://blog.securityonion.net/2023/03/security-onion-24-beta-release-now.html