Release Notes

Known Issues

If you notice an Elasticsearch status of Pending in the Grid interface, you can view affected indices by running the following command from the CLI on the manager node:

sudo so-elasticsearch-query _cat/shards | grep UN

The result of the query should display affected indices. Older metrics indices for Elastic Endpoint logs may have been assigned a replica, so if you are running a single-node Elastic cluster there will be nowhere for the replica to exist.

To resolve the issue, run the following command for each affected index (replacing $index with the actual index name):

sudo so-elasticsearch-query $index/_settings -d '{"number_of_replicas":0}' -XPUT

After running the command, the index should no longer use replicas and the status should change from “Pending” to “OK” once all indices have been successfully modified.

2.4.60 [20240320] Changes

FEATURE: Add Suricata classification.config for editing #12391
FEATURE: Add Suricata support for full PCAP #12571
FEATURE: Add default columns for endpoint.events datasets #12425
FEATURE: Add new SOC action for Process Info #12421
FEATURE: Add new endpoint dashboards #12428
FEATURE: Additional Supported Integrations #5
FEATURE: Improve Grid page Reboot indicators #12546
FEATURE: Initial implementation of the new Detections system (currently disabled)
FIX: Accept Uppercase emails #12559
FIX: Change the default setting for steno diskfreepercentage on standalone installations to 21 #12541
FIX: Download only newest packages for network installs
FIX: EA packages are not downloadable once STIGs have been applied
FIX: Endpoint diagnostic template pattern #12433
FIX: Exclude templates from global overrides when necessary #12382
FIX: Improve the accuracy of the stenoloss script #12477
FIX: Receiver node Redis queue fills up using Managersearch without a Searchnode #12535
FIX: Support Oinkcode values containing leading 0’s #12506
FIX: Update SOC annotations for Stenographer PCAP #12539
FIX: Update correlate quick action with new icon #12387
FIX: Update ks.cfg for appliances
FIX: error.message mapping for system.syslog #12518
FIX: so-saltstack-update should use the proper repo in 2.4 #12570
UPGRADE: CyberChef 10.8.2 #12454
UPGRADE: Kratos to 1.1.0 #12479
UPGRADE: Suricata 7.0.4 #12609

2.4.50 [20240220] Changes

FEATURE: Add Suricata PCAP module to Sensoroni (currently disabled) #12255
FEATURE: Add new SOC action to show process ancestry #12345
FEATURE: Add new dashboards for community_id and firewall auth #12323
FEATURE: Additional Supported Integrations #4
FEATURE: Allow user to create custom elastic search pipelines without copying them over via ssh
FEATURE: Allow user to create custom logstash pipelines without copying them over via ssh
FEATURE: Dedicated Fleet node should have an nginx entry and cert that works for /artifacts #11346
FEATURE: Determine if Elastic is on its own mount point if so adjust size for watermark #12364
FEATURE: Improve Correlate and Hunt actions on SOC Actions menu #12315
FEATURE: RITA Logs #12226
FEATURE: Support PCAP pivots for ICMP packets in SOC
FIX: suricata.ike ingest pipeline does not exist #12174
FIX: Add stenographer logging #12282
FIX: Change field groupby button to new groupby #12228
FIX: Correct SOC error messages related to malformed queries #12269
FIX: Endpoint diagnostic collection index created with replicas #12256
FIX: Expose node Reboot status as its own state; other grid/feature improvements
FIX: Network Transport for suricata alerts should be lowercase #12217
FIX: Strelka scan.pe.flags mapping #12251
FIX: Sync the event.dataset values between the Windows Sysmon and ElasticAgent defend logs
FIX: Syntax error running elastic fleet scripts during highstate
FIX: User count logic providing inconsistent results #12258
UPGRADE: CyberChef 10.6.0 #12310
UPGRADE: Salt 3006.6 #12304
UPGRADE: Strelka 0.24.01.18 #12229
UPGRADE: Suricata 7.0.3 #12327
UPGRADE: Zeek 6.0.3 #12225

2.4.40 [20240116] Changes

FEATURE: Add geoip support to Suricata #11901
FEATURE: Additional Supported Integrations #2 #11958
FEATURE: Additional Supported Integrations #3 #12056
FEATURE: Add server reboot notification to SOC #11852
FEATURE: Allow an easy way to disable incoming events to a manager #12033
FEATURE: Carve out the cert_chain_fps value from SSL traffic #11806
FEATURE: Echotrail, Elasticsearch, MalwareBazaar, and ThreatFox Analyzers #12014
FEATURE: Grid page status/metric enhancements #11971
FEATURE: Manipulate event table columns #12145
FEATURE: Sublime Platform Analyzer #11883
FIX: Add force option to integrations #12017
FIX: Adding extra_hosts for SOC, Elasticsearch and Logstash Docker containers fails #12015
FIX: Begin kickstart consolidation
FIX: Corrupt job files should not cause SOC to exit during startup #12082
FIX: Disable Elastic Agent Downloads for Import and Eval mode
FIX: Docker service sometimes not started or enabled on remote nodes during setup #12101
FIX: Documentation links under SOC - Administration - Configuration need updating #11828
FIX: FIM Integration #11847
FIX: Ignore Zeek analyzer log #11892
FIX: Improve salt-relay reponse integrity
FIX: ISO image should default to 1GB /boot partition #12002
FIX: Logstash pipeline to point to self instead of manager #12038
FIX: Make sure optional integration pillar values are merged with defaults #12163
FIX: Playbook Navigator Layer #11380
FIX: Remove Curator
FIX: Remove sudo entry for so-setup after setup completes
FIX: Rerunning setup should uninstall local Elastic Agent #12030
FIX: Show more readable column names for default Case list screen #12162
FIX: SOC Hunt HTTP EXE query #11784
FIX: so-elastic-fleet-reset non-destructive #12142
FIX: so-playbook-reset #11790
FIX: Update clear scripts #11991
FIX: Update dashboard and hunt query for firewall logs #12021
FIX: Update NIDS rule.reference in common.nids pipeline #11846
UPGRADE: Salt 3006.5 #12143
UPGRADE: SOC dependencies to latest versions #12041
UPGRADE: Strelka 0.23.12.01 #11770

2.4.30 Hotfix [20231228] Changes

FIX: Appliance kickstart files are not copying Elastic Agent tarballs #12081

2.4.30 Hotfix [20231219] Changes

FIX: Update appliance kickstart scripts to fix issue with package copy #12044

2.4.30 Hotfix [20231204] Changes

FIX: Choosing Desktop or IDH from ISO GRUB menu results in failure #11865
FIX: Ensure airgap rule updates are being copied to the proper location #11932
FIX: outdated import-evtx-logs pipeline versions #11889
FIX: x509.pem_managed errors

2.4.30 Hotfix [20231121] Changes

FIX: Salt minion service disabled highstate in upgrade to 2.4.30 #11851

2.4.30 Hotfix [20231117] Changes

FIX: Elastic Defend Integration Policy Downgrade #11810
FIX: Update SSL cert to avoid Google Chrome error (2.4) #11824

2.4.30 [20231113] Changes

FEATURE: Additional Supported Integrations #11513
FEATURE: Allow for BPF comments in SOC #11738
FEATURE: OpenID Connect (OIDC) support
FEATURE: so-elastic-fleet-reset #11697
FEATURE: Sublime Platform Integration #11579
FIX: Add -watch to soctopus saltstate for file SOCtopus.conf. Makes container restart @ highstate if file is updated. #11700
FIX: Allow ICMP to allow a node to respond to ping #11495
FIX: Allow standalone install type to work with 16GB of ram #11699
FIX: Allow the setting up of data_warm to the nodes list in ES
FIX: Data not returned from mine for network.ip_addrs #11502
FIX: Delete all obsolete scripts and unused code (also check so-setup, so-functions)
FIX: Fail so-setup if Elastic Fleet Setup encounters an error #11696
FIX: Global BPF prevents new sensor from applying highstate #11610
FIX: Improve error handling of Elasticsearch pipeline and template load scripts #11728
FIX: Logs not parsed correctly when shipped from Fleet Node #11698
FIX: Only heavy nodes should be treated as remote Elastic clusters in SOC #11553
FIX: Reduce ISO size #11510
FIX: Set days for warm for all so-* indices
FIX: Show container download status during soup #11550
FIX: Sigma DNS mapping #11498
FIX: Suricata 7 pkt_src field needs to be parsed #11566
FIX: The values for specific nodes in zeek.config.local.load are being populated incorrectly #11472
UPGRADE: NetworkMiner 2.8.1 #11457
UPGRADE: Salt 3006.3 #11529
UPGRADE: SOC dependency Axios to 1.6.1 #11763
UPGRADE: Sophos Integration #11548
UPGRADE: Upgrade Elastic to 8.10.4
UPGRADE: Upgrade InfluxDB to 2.7.1 and Telegraf to 1.28.2
UPGRADE: Upgrade Suricata to 7.0.2
UPGRADE: Zeek 6.0.2

2.4.20 Hotfix [20231012] Changes

FIX: Elastic Defend Integration Policy Corrupted #11527

2.4.20 [20231006] Changes

FEATURE: Add ingest parser for pfSense OpenVPN logs #7656
FEATURE: Add new so-log-check tool to scan SO logging for anomalies
FEATURE: Enable Analyzers to be managed through SOC #11211
FEATURE: Grid screen improvements; support for desktop nodes
FEATURE: Provide global replica value for index templates #10998
FEATURE: SOC Grid Members should prompt for confirmation before actually deleting #11223
FIX: Adding custom action to SOC causes the Endgame action to be replicated #11210
FIX: Add Transform Role #11309
FIX: CentOS stream 9 installation #11168
FIX: Clean component template directory #11331
FIX: Desktop via network install fails #10975
FIX: Disable conn stats from being generated by default #11410
FIX: Docker custom_bind_mounts not working for some containers #11122
FIX: Duplicate cronjobs for filecheck #11400
FIX: Elastic Agent - Installation “Not Accessible” Message #11191
FIX: Elastic Fleet key and cert errors on heavynode #11026
FIX: Exclude Zeek console log ingestion #11082
FIX: Features pillar not showing all enabled features #11130
FIX: Fleet plugin logs ERROR during kibana restart #10955
FIX: Force nginx to run as user nobody #11402
FIX: Heavy nodes are missing ElasticFleet integration policies #11189
FIX: Heavy Nodes are not properly added to the soc.json #11192
FIX: Improve consistency in cert storage across OS families #11162
FIX: Improve default settings to avoid Elasticsearch hitting watermark #11305
FIX: Kibana Elastic Agent Dashboard 404 #11018
FIX: Maintain minion log in INFO level, add logrotate #10921
FIX: Make sure a data stream is created for syslog #11209
FIX: Make sure Elastic packages are loaded when changed #11428
FIX: Minimum system requirements checks during setup #11324
FIX: Minion log appears to show timezone bouncing #10922
FIX: osquery not working on macOS
FIX: Pre-load Integration Templates #11146
FIX: Prevent repeated creation of unused Docker volumes #9941
FIX: Remove default component templates to prevent conflicts #11260
FIX: Remove OSSEC and add Playbook mappings for the SOC Alerts Event Table #11015
FIX: Remove telegraf beats EPS script #11412
FIX: Rename some SOC log fields to more unique field names #11429
FIX: Reposync and yara rules shot not run in airgap #11427
FIX: SOC Config pcap doc links should point to steno docs #11302
FIX: SOC Config sensoroni doc links should point to correct docs #11362
FIX: SOC doesn’t return user to login page after session expires #11438
FIX: SOC fails to parse incomplete Elastic error response #11435
FIX: SOC Grid Import inconsistency with larger files #11143
FIX: Some packages are installed/removed and upgraded/downgraded every 15min #11458
FIX: so-import-evtx incorrect dates #11332
FIX: so-salt-minion-check not rendering as jinja #11390
FIX: Stop zeek from trying to email reports #11407
FIX: Strelka ingest pipeline should properly index entropy 0 values and float values in the same field
FIX: Suricata filter and extraction rules are not properly updated #11229
FIX: Update firewall docs for custom port and host groups #11053
FIX: Update IDH Opencanary Modules to indicate they only apply to IDH nodes #10170
UPGRADE: Kratos to v1.0.0
UPGRADE: Suricata 6.0.14 #11319
UPGRADE: Zeek 5.0.10 #11301

2.4.10 Hotfix [20230821] Changes

FIX: Component templates not updated when packages are updated #11065
FIX: Importing both PCAP and EVTX files fails #11030
FIX: Logstash container missing on distributed receiver #11099
FIX: pipeline with id logs-system.syslog-1.6.4 does not exist #11038
FIX: Suricata permissions on Heavy Nodes are incorrect #11031

2.4.10 [20230815] Changes

FEATURE: Auto-Upgrade Node Agents #10949
FEATURE: Customize desktop environment #10957
FIX: Custom actions, queries, tools can cause SOC restart to fail #11022
FIX: Elastic Agents won’t upgrade without Internet connection #10981
FIX: Elastic Integrations not upgrading during SOUP #10984
FIX: Elastic index settings annotations need synchronized with those specified in defaults #10999
FIX: File extraction not working after switching from Zeek metadata to Suricata metadata #10973
FIX: Fleet - url_base not working in cert CN #11003
FIX: Improve wording for Firewall entries under Grid Administration Quick Links #10990
FIX: Influx reporting No Results for Zeek Capture Loss #10956
FIX: Suricata should not assume the interface will always be bond0 #10954
FIX: Sysmon Events Table Field Rendering #10985
FIX: so-desktop-install needs to change from Rocky to Oracle #10962
FIX: soup may fail while trying to query Fleet server #10974

2.4.5 RC2 [20230807] Changes

FEATURE: Add NetworkMiner to Security Onion Desktop #10865
FEATURE: Add value from record in Hunt, etc as an observable to an existing or new case #7992
FEATURE: Enable CommunityID for Elastic Defend Logs #10811
FEATURE: Heavy Node Support #10671
FEATURE: so-import-evtx - timeshift #10743
FEATURE: soup should rotate its log file #10951
FIX: Dashboards with multiple groupby charts always filter by the first chart’s, first groupby field #10856
FIX: Disable offload on monitor NICs #10900
FIX: EQL Field Mappings #10783
FIX: Elastic Fleet Improvements #10846
FIX: Firewall state custom host group assignments for single portgroup entry #10917
FIX: IDH node #10882
FIX: IPTables Persistence #10884
FIX: Install Error: so-yara-download failed #10880
FIX: Install screen - Firewall #10945
FIX: List settings updated with blank values should be stored as empty lists #10936
FIX: Login page shows error banner briefly on initial page load #10911
FIX: RAID status on Grid page #10935
FIX: SOC Auth dashboard #10878
FIX: Security Onion Desktop state should default to Gnome Classic #10958
FIX: sensor MTU setting in SOC Config should be read only #10883
FIX: so-status taking several seconds to complete #10909
FIX: soup #10902
FIX: syslog not working #10896
FIX: verbiage and links in soc_sensor.yaml #10906
UPGRADE: Elastic 8.8.2 #10864

2.4.4 RC1 [20230728] Changes

FEATURE: Add DNS lookup action to SOC #8655
FEATURE: Add Oracle Linux Support #10844
FEATURE: Add pivots for relational operators on numbers #8024
FEATURE: Add relative Timeframe and Refresh Interval as URL Parameters to Hunt #3352
FEATURE: Cases - Add ability to enable dynamic observable extraction #7972
FEATURE: Oracle Linux ISO #10845
FEATURE: Security Onion Desktop #10862
FIX: Add retry to Elastic Agent installer #10488
FIX: Case status code 404 error #10759
FIX: Intermittent pcap retrieval #10750
FIX: Navigator Errors #10742
FIX: Remove .security subfield #10745
UPGRADE: CyberChef 10.5.2 #10781
UPGRADE: so-registry docker image #10727

2.4.3 Beta 4 [20230711] Changes

FEATURE: Add link to Downloads page for convenient access to firewall settings #10702
FEATURE: Add more SOC Config quick links #10563
FEATURE: Add time zone selection to Grid page #8629
FEATURE: Add webauthn support to SOC #10608
FEATURE: Allow import of PCAP and EVTX via SOC UI #10413
FEATURE: Elastic Fleet - Automatically Update Logstash Outputs #10746
FEATURE: Elastic Fleet Server URL - Custom Domain #10744
FEATURE: Supported Integrations #10590
FEATURE: so-import-evtx #10673
FIX: Strelka rule path #10715
FIX: 2.4 ISO image won’t install on Virtualbox #10534
FIX: Account for Suricata XFF function in parsing and ingestion #8643
FIX: Add more Zeek logs to excluded list #10569
FIX: Analyzer requests and whoisit updates #10524
FIX: Change Playbook index to data stream and update event.severity_label #10523
FIX: Cleanup log-rotate.conf #10545
FIX: Curator should ignore empty list #10512
FIX: Don’t override default integration ingest node pipelines #10542
FIX: Ensure operations on records with “Missing” fields use correct search #8025
FIX: Ensure packages aren’t installed from default Rocky repos #10630
FIX: Exclude System logs from Hunt/Dashboard Queries. #10122
FIX: Finish SSL cert integration into SOC config UI #10533
FIX: Improve SOC login error message for disabled users #8908
FIX: Increase net.core.wmem_default value #10602
FIX: InfluxDB NSM Disk Usage visualization #10520
FIX: Integration logs not parsed correctly #10672
FIX: Logstash soc.fields.query warning #10528
FIX: Node description config setting should only apply at the node level #10562
FIX: Remove default excluded rules from YARA repo #10718
FIX: Review Kibana Dashboards #10664
FIX: Rework dataset name and add tags based on suffix #10526
FIX: Rework field to account for missing classifiers #10420
FIX: SOC Config NTP quick link #10519
FIX: Scheduled jobs trying to run during setup #10468
FIX: Set Elastic Fleet certs to use url_base #10510
FIX: Setup re-runs when SSH’ing into a successfully installed minion node #10498
FIX: Strelka rule exclusions #10716
FIX: Suricata DHCP logs not ingesting #10565
FIX: Suricata dataset values for certain types of metadata #10551
FIX: Update README.md #10554
FIX: Update cheat sheet for 2.4 #10532
UPGRADE: CyberChef 10.4.0 #10581
UPGRADE: Suricata 6.0.13 #10594

2.4.2 Beta 3 [20230531] Changes

FEATURE: Add additional alerts for Influxdb #10388
FEATURE: Add link to SOC error messages that takes user to hunt and auto-searches for recent SOC-related errors. #10283
FEATURE: Add Protected checkbox on Attachment upload form #10203
FEATURE: Add support for Apple Silicon Elastic Agent Installer #10473
FEATURE: Add support for EQL to Playbook #10471
FEATURE: Allow for any docker container to have extra hosts and custom binds #10301
FEATURE: Allow users to switch between airgap and non airgap. #10470
FEATURE: Dedicated Elastic Fleet Node #10474
FEATURE: Enable Elastic Defend Integration on Endpoints Policy #10475
FEATURE: Integrate Elastic Artifact Repo #10053
FEATURE: Integrate Elastic Package Registry #10472
FEATURE: ISO image #10476
FEATURE: Link the Grid Interface with Docker container log files #10149
FEATURE: Prompt user to verify the manager nodes IP address if a DNS record if found during setup. #10334
FEATURE: Quicklinks to common configs #10395
FEATURE: SOC config UI should process each line individually with regex when multiline: True is set #10243
FEATURE: Support authentication rate limiting #10308
FIX: AWS Instances with forced IMDSv2 enabled fail to detect running in AWS #10205
FIX: Cluster delete script should use different disk space logic when /nsm is shared among services #10418
FIX: Correct SOC Annotations for idstools in Grid Configuration. #10208
FIX: Correct SOC Annotations of Zeek in Grid Configuration. #10211
FIX: Hunt Quick Drilldown #10377
FIX: If mdengine is changed to Suricata, Zeek is still shown in so-status #10232
FIX: Improve SOC configuration handling of lists #10219
FIX: Improve soup’s local file modification logic #8972
FIX: In distributed deployment, Dashboards/Kibana only show data from the first sensor added. #10231
FIX: Influxdb Elasticsearch cells showing duplicate data. #10336
FIX: Kibana: Ensure _id fields beginning with a hyphen work properly when pivoting to SOC from Kibana #10305
FIX: Logstash WARN logstash.outputs.elasticsearch on searchnode #10291
FIX: Prepare SOUP for 2.4 #10056
FIX: Prevent duplicate observables from being automatically created when attaching events to a case. #10123
FIX: Review 2.4 file permissions and other local security changes #9110
FIX: Setting CPU affinity or number of threads for Suricata not being applied. #10240
FIX: Simplify cloud detection #10261
FIX: Some SOC Config settings are only visible when Advanced is enabled #10429
FIX: Strelka YARA Compilation #10271
FIX: Suricata ignores the threads and always is set to 1 #10230
FIX: Unable to disable PCAP via web configuration #10229
FIX: Use pillar values to allow Zeek log ingestion selection from the UI #10322
FIX: Zeek local policies are not being updated when changed in Current Grid value. #10209
FIX: Zeek not ignoring lb_procs when Zeek pins configured #10215
UPGRADE: Elastic 8.7.1 #10269
UPGRADE: Kratos to 0.13.0 #10309
UPGRADE: SOC external dependencies #10268
UPGRADE: Suricata 6.0.12 #10311
UPGRADE: Zeek 5.0.9 #10374

2.4.1 Beta 2 [20230424] Changes

FIX: Add Dedicated Fleet Node #10054
FIX: Don’t create curl.config on Forward Nodes #10057
FIX: Force case attachments to be downloaded #10186
FIX: Improve Elasticsearch index deletion - so-elastic-clear #10109
FIX: Improve Elasticsearch index deletion - so-elastic-cluster-delete-delete #10110
FIX: Make sure Setup image downloads populate the screen and the log #10052
FIX: Overview Customization link #10173
FIX: Prevent Jinja syntax from being entered into config values via UI/API #10187
FIX: Prevent Zeek from using a large amount of memory #10190
FIX: Remove legacy Kibana dashboards #8555
FIX: Remove template load from search nodes in distrib #10060
FIX: SOC only displaying data for users assigned the superuser role #10068
FIX: Sort grid members lists #10185
FIX: Suricata DNS A and CNAME parsing #10117
FIX: Using SOC Configuration to change mdengine from ZEEK to SURICATA fails #10189
FIX: Zeek @local and @local-sigs need to strip the @ for config but replace in local.zeek #10050
FIX: Zeek is not honoring lbprocs #10062
UPGRADE: Elastic 8.7.0 #10059
UPGRADE: Suricata 6.0.11 #10067
UPGRADE: Zeek 5.0.8 #10107

2.4.0 Beta 1 [20230328] Changes

https://blog.securityonion.net/2023/03/security-onion-24-beta-release-now.html