Merge pull request #121 from Security-Onion-Solutions/dev
Update from dev
dougburks authored Oct 18, 2024
2 parents c7eef0f + 30346bc commit 03dd1e6
Showing 3 changed files with 38 additions and 0 deletions.
27 changes: 27 additions & 0 deletions elasticsearch.rst
@@ -259,6 +259,33 @@ Elasticsearch 8 no longer includes GeoIP databases by default. We include GeoIP

Once the config is added, click the green check mark to save the configuration.

Health
------

To check Elasticsearch health, go to the :ref:`grid` interface and check the Elasticsearch Status field. If it shows anything other than OK, then run the following command from the CLI on the manager node to check for additional clues:

::

sudo so-elasticsearch-query _cluster/health?pretty

Status Pending
--------------

If the :ref:`grid` interface shows Elasticsearch Status as ``Pending``, check for unassigned shards by running the following command from the CLI on the manager node:

::

sudo so-elasticsearch-query _cat/shards | grep UN

The result of the query should display affected indices. Older metrics indices for Elastic Endpoint logs may have been assigned a replica, so if you are running a single-node Elastic cluster there will be nowhere for the replica to exist.
To resolve the issue, run the following command for each affected index (replacing ``$index`` with the actual index name):

::

sudo so-elasticsearch-query $index/_settings -d '{"number_of_replicas":0}' -XPUT

After running the command, the index should no longer use replicas and the status should change from "Pending" to "OK" once all indices have been successfully modified.

Diagnostic Logging
------------------

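Review bot: the ``number_of_replicas`` fix in the Status Pending section should be explicitly scoped to single-node clusters. The text mentions that case only in passing ("if you are running a single-node Elastic cluster") and then tells the reader to run ``sudo so-elasticsearch-query $index/_settings -d '{"number_of_replicas":0}' -XPUT`` for every index that ``grep UN`` returns. On a multi-node cluster an unassigned replica usually points at a node or allocation problem rather than a missing second node, and dropping the replica permanently removes that index's redundancy; suggest stating that the command applies only when a single node is all there is, and otherwise pointing the reader at ``_cluster/allocation/explain`` to find the actual cause before changing index settings.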
6 changes: 6 additions & 0 deletions release-notes.rst
@@ -12,6 +12,12 @@ Field conflicts can be identified by navigating to ``Kibana -> Management -> Dat

For example, you may have a conflict for ``source.ip``, where it was previously correctly mapped as field type of ``ip``, but the index mappings were inadvertently changed and ``source.ip`` is now mapped as a field type of ``keyword`` in the ``logs-system.security`` and ``logs-system.syslog`` data streams. The mappings have been fixed, but the data streams need to be rolled over to pick up the correct mappings, and the affected index containing ``source.ip`` mapped as a field type of ``keyword`` needs to be deleted to resolve the conflict.

Conflicts for the following fields can be ignored for now, as they will be fixed in a future version:

- metadata.input.beats.host.ip
- recordedfuture.evidence_details
- version

You can issue the following commands from the CLI to resolve the conflict.

First, become root:
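Review bot: the paragraph that says the affected index "needs to be deleted to resolve the conflict" should also say that deleting the index deletes the events stored in it, and whether those events should first be reindexed into the rolled-over data stream or can simply be discarded; a reader applying these release notes on a production deployment will want that stated before the commands that follow "First, become root:". The ignore list is also a little thin: ``version`` on its own is ambiguous as a field name, and the three entries would be easier to act on with the version or tracking issue in which the fix is expected.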
5 changes: 5 additions & 0 deletions zeek.rst
@@ -124,6 +124,11 @@ We also include MITRE BZAR scripts and you can read more about them at https://g

As you can see, Zeek log data can provide a wealth of information to the analyst, all easily accessible through :ref:`dashboards`, :ref:`hunt`, or :ref:`kibana`.

File Extraction
---------------

By default, Zeek will extract files from network traffic and :ref:`strelka` will then analyze those extracted files.

VLAN Tags
---------

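Review bot: the new File Extraction section is a single sentence and does not say which file types Zeek extracts, where the extracted files are written, or how to tune or disable extraction, which is what a reader looking up this heading will want; suggest expanding it, or at minimum pointing to the :ref:`strelka` page if those details live there. A line on the disk-space implication would also help, since extracting files from all monitored traffic by default is a storage consideration on busy sensors.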
