Merge pull request #14186 from Security-Onion-Solutions/reyesj2/es-upgrade-policies

reyesj2 · web-flow · commit c42891ec6a99 · 2025-02-04T09:04:00.000-06:00
Reyesj2/es upgrade policies
diff --git a/salt/elasticsearch/files/ingest/global@custom b/salt/elasticsearch/files/ingest/global@custom
@@ -8,7 +8,9 @@
   "processors": [
     { "set":        { "ignore_failure": true,  "field": "event.module", "value": "elastic_agent" } },
     { "split":      { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "module_temp"  } },
+    { "split":      { "if": "ctx.data_stream?.dataset.contains('.')", "field":"data_stream.dataset", "separator":"\\.", "target_field":"datastream_dataset_temp", "ignore_missing":true } },
     { "set":        { "if": "ctx.module_temp != null", "override": true, "field": "event.module", "value": "{{module_temp.0}}" } },
+    { "set":        { "if": "ctx.datastream_dataset_temp[0] == 'network_traffic'", "field":"event.module", "value":"{{ datastream_dataset_temp.0 }}", "ignore_failure":true, "description":"Fix EA network packet capture" } },
     { "gsub":       { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "pattern": "^[^.]*.", "replacement": "", "target_field": "dataset_tag_temp" } },
     { "append":     { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp}}", "allow_duplicates": false  } },
     { "set":        { "if": "ctx.network?.direction == 'egress'", "override": true, "field": "network.initiated", "value": "true" } },
@@ -22,6 +24,6 @@
     { "set":        { "if": "ctx.event?.module == 'fim'", "override": true, "field": "event.module", "value": "file_integrity" } },
     { "rename":        { "if": "ctx.winlog?.provider_name == 'Microsoft-Windows-Windows Defender'", "ignore_missing": true, "field": "winlog.event_data.Threat Name", "target_field": "winlog.event_data.threat_name" } },
     { "set":        { "if": "ctx?.metadata?.kafka != null" , "field": "kafka.id", "value": "{{metadata.kafka.partition}}{{metadata.kafka.offset}}{{metadata.kafka.timestamp}}", "ignore_failure": true } },
-    { "remove":     { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp" ], "ignore_missing": true, "ignore_failure": true } } 
+    { "remove":     { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp", "datastream_dataset_temp" ], "ignore_missing": true, "ignore_failure": true } }
   ]
 }
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
@@ -534,14 +534,16 @@ post_to_2.4.120() {
   # Manually rollover suricata alerts index to ensure data_stream.dataset expected mapping is set to 'suricata'
   rollover_index "logs-suricata.alerts-so"
 
-  # Sync the newly generated index templates for elasticfleet integrations
-  salt-call state.apply elasticsearch queue=True
-
   POSTVERSION=2.4.120
 }
 
 post_to_2.4.130() {
-  echo "Nothing to apply"
+  # Integrations policies need to be updated
+  rm -f /opt/so/state/eaintegrations.txt
+
+  # Sync the newly generated index templates for elasticfleet integrations
+  salt-call state.apply elasticsearch queue=True
+
   POSTVERSION=2.4.130
 }
 
@@ -725,7 +727,7 @@ up_to_2.4.90() {
 
 up_to_2.4.100() {
   echo "Nothing to do for 2.4.100"
-  
+
   INSTALLEDVERSION=2.4.100
 }
 
