2.4.100 #110

Merged
merged 29 commits into from
Aug 29, 2024
Commits
29 commits
64dbe15
update vmware with note about elastic agent and time sync
dougburks Jul 30, 2024
f96a889
add wazuh to faq
dougburks Jul 30, 2024
4a5e037
add filebeat to faq
dougburks Jul 30, 2024
750ebb3
link to securityonion.com/pro
dougburks Jul 30, 2024
e13c31d
make wording consistent in nids
dougburks Jul 30, 2024
dc7d25f
add list of ICS/SCADA protocols to zeek page
dougburks Jul 30, 2024
f37e91e
remove references to 'you' in configuration page. Describe Require TO…
jertel Jul 30, 2024
63bcf89
minor grammar updates
jertel Jul 31, 2024
3d4091d
remove extended setting
jertel Jul 31, 2024
3387289
update youtube links
dougburks Aug 7, 2024
cf0ca5a
update faq
dougburks Aug 7, 2024
4918f99
update SOC Configuration advanced setting
dougburks Aug 9, 2024
244932c
update hunt
dougburks Aug 10, 2024
8465aa2
update hunt
dougburks Aug 10, 2024
a939efb
update soup
dougburks Aug 12, 2024
0432301
update duplicate settings
dougburks Aug 13, 2024
2e08337
update Include, Exclude, and Only options in Alerts and Dashboards
dougburks Aug 21, 2024
114e7a8
update for notifications
jertel Aug 21, 2024
55d01d8
update for notifications
jertel Aug 21, 2024
bce06d4
fix typo
dougburks Aug 21, 2024
f8ccb11
update detections
dougburks Aug 22, 2024
968ffca
add tenable_io to third-party-integrations
dougburks Aug 22, 2024
0bb7a4b
update screenshots for 2.4.100
dougburks Aug 26, 2024
8b30b87
update elastic-agent
dougburks Aug 27, 2024
cc4ffa6
additional notification docs
jertel Aug 28, 2024
824291f
additional notification docs
jertel Aug 28, 2024
2de349a
additional notification docs
jertel Aug 28, 2024
6298223
additional notification docs
jertel Aug 28, 2024
6924919
update rel notes for 2.4.100
jertel Aug 29, 2024
20 changes: 11 additions & 9 deletions administration.rst
Expand Up @@ -46,9 +46,9 @@ The Configuration page allows you to configure various components of your grid.
.. image:: images/87_config.png
:target: _images/87_config.png

The most common configuration options are shown in the quick links on the right side. On the left side, you can click on a component in the tree view to drill into it and show all available settings for that component. You can then click on a setting to show the current setting or modify it if necessary. If you make a mistake, you can easily revert back to the default value. If a blue question mark appears on the setting page, you can click it to go to the documentation for that component.
The most common configuration options are shown in the quick links on the right side. On the left side, click on a component in the tree view to drill into it and show all available settings for that component. You can then click on a setting to show the current setting or modify it if necessary. If you make a mistake, you can easily revert back to the default value. If a blue question mark appears on the setting page, click it to go to the documentation for that component.

If you're not sure of which component a particular setting may belong to, you can use the Filter at the top of the list to look for a particular setting. To the right of the Filter field are buttons that do the following:
If unsure of which component a particular setting may belong to, use the Filter at the top of the list to look for a particular setting. To the right of the Filter field are buttons that do the following:

- apply the search filter
- expand all settings
Expand All @@ -58,16 +58,18 @@ If you're not sure of which component a particular setting may belong to, you ca

.. note::

If you see a key that includes ``_x_``, it is a placeholder value used to represent a period (``.``).
Keys that include ``_x_`` indicate a placeholder value used to represent a period (``.``).

Some settings can be applied across the entire grid or to specific nodes. If you apply a setting to a specific node, it will override the grid setting.
Some settings can be applied across the entire grid or to specific nodes. Applying a setting to a specific node will override the grid setting.

.. _administration-advanced-settings:

Advanced Settings
~~~~~~~~~~~~~~~~~

By default, the Configuration page only shows the most widely used settings. If you want to see all settings, you can go to the Options bar at the top of the page and then click the toggle labeled ``Show all configurable settings, including advanced settings``.
By default, the Configuration page excludes settings that are not intended to be adjusted by most grid administrators. These advanced settings can cause loss of data and other issues if adjusted incorrectly. To see the advanced settings, go to the Options bar at the top of the page and then click the toggle labeled ``Show advanced settings``.

Enabling advanced settings will result in longer load times when viewing the Configuration screen.

.. warning::

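Review bot: The reworded note now says the key itself is the placeholder ("Keys that include ``_x_`` indicate a placeholder value used to represent a period"), but it is the ``_x_`` token inside the key that stands in for a period; suggest "In setting keys, ``_x_`` is a placeholder that represents a period (``.``)." Separately, the new "Enabling advanced settings will result in longer load times" sentence would be clearer as a ``.. note::`` beside the data-loss caveat, and it should say the cost applies every time the Configuration screen is opened while the toggle is on, since readers otherwise assume it is a one-off.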
Expand All @@ -79,19 +81,19 @@ By default, the Configuration page only shows the most widely used settings. If
Duplicate Settings
~~~~~~~~~~~~~~~~~~

Starting in Security Onion 2.4.70, some settings can be duplicated to more easily create new settings. If a setting is eligible for duplication, then it will have a DUPLICATE button on the right side of the page, provided the Advanced Option is enabled at the top of the screen. Creating a duplicate setting is a TWO-STEP process.
Starting in Security Onion 2.4.70, some settings can be duplicated to more easily create new settings. If a setting is eligible for duplication, then it will have a DUPLICATE button on the right side of the page, provided the ``Show advanced settings`` option is enabled at the top of the screen. Creating a duplicate setting is a TWO-STEP process.

1. Click the DUPLICATE button and provide a name for the new setting, then click the CREATE SETTING button.
1. Click the ``DUPLICATE`` button, provide a name for the new setting, and then click the ``CREATE SETTING`` button.
2. The new setting will automatically be shown in the Configuration screen. At this point it is not yet saved to the server. The setting's value must be modified explicitly to persist this new setting. Once the value has been modified, click the green checkmark button to save it.

.. note::

Duplicated settings do not retain their original setting's full behavior. For example, if the original setting only allowed for CIDR values, this new setting will not have the same protections on later views in the Configuration screen. Further, duplicated settings are marked as advanced settings. In order to see the new setting at a later time the Advanced Option toggle must be enabled under the Configuration Options at the top of the Configuration screen.
Duplicated settings do not retain their original setting's full behavior. For example, if the original setting only allowed for CIDR values, this new setting will not have the same protections on later views in the Configuration screen. Further, duplicated settings are marked as advanced settings. In order to see the new setting at a later time the ``Show advanced settings`` option must be enabled under the Configuration Options at the top of the Configuration screen. Finally, please note that duplicated settings cannot be removed or renamed via the SOC user interface.

License Key
-----------

.. image:: images/91_licensekey.png
:target: _images/91_licensekey.png

Starting in Security Onion 2.4.70, you will have the option of adding a license key for :ref:`pro`.
Starting in Security Onion 2.4.70 a new option will be available to add a license key for :ref:`pro`.
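Review bot: The License Key sentence needs a comma after "2.4.70" and is now in future tense for an already-released version; suggest "Starting in Security Onion 2.4.70, a license key for :ref:`pro` can be added here." The added caveat that duplicated settings cannot be removed or renamed via the SOC user interface is the most important line in this hunk for an administrator, so consider promoting it from the ``.. note::`` to its own ``.. warning::`` placed before step 1, where it is read before the irreversible action rather than after.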
6 changes: 3 additions & 3 deletions alerts.rst
Expand Up @@ -89,17 +89,17 @@ Clicking a value in the page brings up a context menu that allows you to refine
Include
~~~~~~~

Clicking the ``Include`` option will add the selected value to your existing search to only show search results that include that value.
Clicking the ``Include`` option will add the selected field:value pair to your existing search with an ``AND``. This will only show search results that include that value in that field.

Exclude
~~~~~~~

Clicking the ``Exclude`` option will exclude the selected value from your existing search results.
Clicking the ``Exclude`` option will add the selected field:value pair to your existing search with an ``AND NOT``. This will only show search results that do not include that value in that field.

Only
~~~~

Clicking the ``Only`` option will start a new search for the selected value and retain any existing groupby terms.
Clicking the ``Only`` option will start a new search for the selected value in any field. It will remove any existing filters but retain any existing groupby terms.

Drilldown
~~~~~~~~~
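Review bot: In the new ``Include`` and ``Exclude`` text, ``field:value`` is left unformatted while ``AND`` and ``AND NOT`` are in double backticks; format it as ``field:value`` for consistency. For ``Only``, "start a new search for the selected value in any field" and "remove any existing filters" describe the query terms but not the time range; stating whether the current time range is kept would answer the first question an analyst has when a pivot resets the query.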
2 changes: 1 addition & 1 deletion cases.rst
Expand Up @@ -191,7 +191,7 @@ To configure an analyzer, navigate to :ref:`administration` --> Configuration --
.. image:: images/config-item-sensoroni.png
:target: _images/config-item-sensoroni.png

At the top of the page, click the ``Options`` menu and then enable the ``Show all configurable settings, including advanced settings.`` option. Then navigate to sensoroni --> analyzers.
At the top of the page, click the ``Options`` menu and then enable the ``Show advanced settings`` option. Then navigate to sensoroni --> analyzers.

Developing Analyzers
~~~~~~~~~~~~~~~~~~~~
6 changes: 3 additions & 3 deletions dashboards.rst
Expand Up @@ -110,17 +110,17 @@ Clicking a value in the page brings up a context menu that allows you to refine
Include
~~~~~~~

Clicking the ``Include`` option will add the selected value to your existing search to only show search results that include that value.
Clicking the ``Include`` option will add the selected field:value pair to your existing search with an ``AND``. This will only show search results that include that value in that field.

Exclude
~~~~~~~

Clicking the ``Exclude`` option will exclude the selected value from your existing search results.
Clicking the ``Exclude`` option will add the selected field:value pair to your existing search with an ``AND NOT``. This will only show search results that do not include that value in that field.

Only
~~~~

Clicking the ``Only`` option will start a new search for the selected value and retain any existing groupby terms.
Clicking the ``Only`` option will start a new search for the selected value in any field. It will remove any existing filters but retain any existing groupby terms.

Group By
~~~~~~~~
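Review bot: These three descriptions are now identical, word for word, to the Include/Exclude/Only text added to alerts.rst in this same PR; consider moving them to one shared snippet pulled into both pages with ``.. include::`` so the two copies cannot drift the next time the query semantics change.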
6 changes: 4 additions & 2 deletions detections.rst
Expand Up @@ -14,7 +14,7 @@ Starting in Security Onion 2.4.70, :ref:`soc` includes our Detections interface

.. note::

Check out our Detections sneak peek video at https://youtu.be/oxR4q53N6OI!
Check out our Detections video at https://youtu.be/DelAmqtU2hg!

Rule Engine Status
------------------
Expand All @@ -33,7 +33,9 @@ Here is the list of possible status messages and what they mean:
- **Rule Mismatch**: An integrity check process detected a mismatch between the deployed rules and the enabled rules. The SOC log will note the specific mismatched rules. One possible reason for this is if you had previously added custom rules to /opt/so/saltstack/local/salt/idstools/rules/local.rules. If this is the case, you can remove the rules from that file and then re-add them using the Detections interface. Another possible reason is if you have changed the default metadata engine setting from :ref:`zeek` to :ref:`suricata`. When using :ref:`suricata` as the metadata engine, there are some metadata rules that are enabled which cause the mismatch. This issue will be resolved in a future release.
- **OK**: No known issues with the rule engine.

Clicking the status text will navigate to :ref:`hunt` and attempt to find related logs.
.. tip::

Clicking the status text will navigate to :ref:`hunt` and attempt to find related logs. If the status is reporting some kind of failure, then you might want to use :ref:`hunt` to hone in on things like ``integrity check failed`` or other errors.

As part of the sync process, Detections checks for duplicates. If duplicates are found, Detections will log information about the duplicate.

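Review bot: "hone in on" in the new tip should be "home in on". Since the tip tells the reader to search :ref:`hunt` for ``integrity check failed``, it should also name where to look: the Rule Mismatch bullet above says the details land in the SOC log, so pointing the reader at that log source saves them guessing which index to query.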
2 changes: 1 addition & 1 deletion elastalert.rst
Expand Up @@ -38,7 +38,7 @@ Elastalert diagnostic logs are in ``/opt/so/log/elastalert/`` and may also appea

sudo docker logs so-elastalert

ElastAlert 2 stores rule status information, such as number of hits, times each rule last ran, etc to :ref:`elasticsearch` indices. This data can helpful in assisting with troubleshooting custom rules. Searching in :ref:`dashboards`, :ref:`hunt`, or :ref:`kibana`. :ref:`soc` does not automatically include the ``elastalert`` indices by default. To include them adjust the appropriate configuration setting. Find it in the Administration --> Configuration screen by filtering for ``elastic.index`` and selecting Options (at the top) and toggle on "Show all configurable settings". Add ``*:elastalert*`` to the ``index`` setting. The new setting value should resemble the following:
ElastAlert 2 stores rule status information, such as number of hits, times each rule last ran, etc to :ref:`elasticsearch` indices. This data can helpful in assisting with troubleshooting custom rules. Searching in :ref:`dashboards`, :ref:`hunt`, or :ref:`kibana`. :ref:`soc` does not automatically include the ``elastalert`` indices by default. If you would like to include them, you can adjust the appropriate configuration setting. In :ref:`soc`, navigate to :ref:`administration` --> Configuration. At the top of the page, click the ``Options`` menu and then enable the ``Show advanced settings`` option. Then filter for ``elastic.index`` to locate the setting. On the right side of the screen, add ``*:elastalert*`` to the existing ``index`` setting. The updated setting should resemble the following:

::

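Review bot: The rewritten paragraph still carries two pre-existing defects that should be fixed while the line is being touched: "This data can helpful" is missing "be", and "Searching in :ref:`dashboards`, :ref:`hunt`, or :ref:`kibana`." is a sentence fragment. Suggest folding them together: "This data can be helpful when troubleshooting custom rules and can be searched in :ref:`dashboards`, :ref:`hunt`, or :ref:`kibana`." The new step-by-step navigation (Options menu, ``Show advanced settings``, filter for ``elastic.index``) is an improvement over the old inline instructions.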
12 changes: 11 additions & 1 deletion elastic-agent.rst
Expand Up @@ -25,7 +25,7 @@ Once there, select the ``elastic_agent_endpoint`` option.

.. note::

If you'd like to see this in action, check out our Youtube video at https://youtu.be/cGmQMsFuAvw.
Check out our Elastic Agent video at https://youtu.be/cGmQMsFuAvw!

Linux
~~~~~
Expand Down Expand Up @@ -70,6 +70,16 @@ Integrations

You can read more about integrations in the :ref:`elastic-fleet` section and at https://docs.elastic.co/integrations.

Reinstalling
------------

If for some reason you need to uninstall and reinstall the Elastic Agent on one of your Security Onion grid members, you can do so as follows:

::

sudo elastic-agent uninstall
sudo salt-call state.apply elasticfleet.install_agent_grid

More Information
----------------

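Review bot: ``elastic-agent uninstall`` prompts for confirmation unless it is run with ``-f`` / ``--force``, so the two-line procedure as written stops and waits for input; either mention the prompt or show the non-interactive form. The section should also say that both commands run on the grid member being reinstalled (the ``salt-call`` form runs locally, not from the manager) and how to confirm success, for example the agent re-enrolling and showing as healthy in Elastic Fleet.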
2 changes: 1 addition & 1 deletion elastic-fleet.rst
Expand Up @@ -175,7 +175,7 @@ First, go to :ref:`administration` --> Configuration --> elasticfleet.
.. image:: images/config-item-elasticfleet.png
:target: _images/config-item-elasticfleet.png

At the top of the page, click the ``Options`` menu and then enable the ``Show all configurable settings, including advanced settings.`` option. Then, navigate to elasticfleet --> config --> server --> custom_fqdn and set your custom FQDN. Within 15 minutes, the grid will apply these new settings and you should see the new FQDNs show up in Elastic Fleet settings. New agent installers will also be regenerated to use this new setting.
At the top of the page, click the ``Options`` menu and then enable the ``Show advanced settings`` option. Then, navigate to elasticfleet --> config --> server --> custom_fqdn and set your custom FQDN. Within 15 minutes, the grid will apply these new settings and you should see the new FQDNs show up in Elastic Fleet settings. New agent installers will also be regenerated to use this new setting.

More Information
----------------
21 changes: 12 additions & 9 deletions elasticsearch.rst
Expand Up @@ -84,7 +84,7 @@ so-elasticsearch-indices-delete

``so-elasticsearch-indices-delete`` manages size-based deletion of Elasticsearch indices based on the value of the ``elasticsearch.retention.retention_pct`` setting. This setting is checked against the total disk space available for ``/nsm/elasticsearch`` across all nodes in the Elasticsearch cluster. If your indices are using more than ``retention_pct``, then ``so-elasticsearch-indices-delete`` will delete old indices until available disk space is back under ``retention_pct``. The default value for this setting is ``50`` percent so that standalone deployments have sufficient space for not only Elasticsearch but also full packet capture and other logs. For distributed deployments with dedicated search nodes where Elasticsearch is main consumer of disk space, you may want to increase this default value.

To modify the ``retention_pct`` value, first navigate to :ref:`administration` --> Configuration. At the top of the page, click the ``Options`` menu and then enable the ``Show all configurable settings, including advanced settings.`` option. Then navigate to elasticsearch --> retention --> retention_pct. Once you make the change and save it, the new setting will take effect at the next 15 minute interval. If you would like to make the change immediately, you can click the ``SYNCHRONIZE GRID`` button under the ``Options`` menu at the top of the page.
To modify the ``retention_pct`` value, first navigate to :ref:`administration` --> Configuration. At the top of the page, click the ``Options`` menu and then enable the ``Show advanced settings`` option. Then navigate to elasticsearch --> retention --> retention_pct. Once you make the change and save it, the new setting will take effect at the next 15 minute interval. If you would like to make the change immediately, you can click the ``SYNCHRONIZE GRID`` button under the ``Options`` menu at the top of the page.

ILM
~~~
Expand All @@ -102,7 +102,7 @@ ILM settings can be found by navigating to :ref:`administration` --> Configurati

To edit the global policy that applies to ALL indices, navigate to global_overrides --> policy --> phases and there you will see the cold, delete, hot, and warm ILM phases.

To edit the policy for an individual index, first click the ``Options`` menu at the top of the page and then enable the ``Show all configurable settings, including advanced settings.`` option. Then navigate to $index --> policy --> phases. There you will see the cold, delete, hot, and warm ILM phases for that particular index.
To edit the policy for an individual index, first click the ``Options`` menu at the top of the page and then enable the ``Show advanced settings`` option. Then navigate to $index --> policy --> phases. There you will see the cold, delete, hot, and warm ILM phases for that particular index.

It's important to note that settings like ``min_age`` are calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and delete ``min_age`` set to 30 then there will be 30 days from index creation to rollover and then an additional 30 days before deletion.

Expand Down Expand Up @@ -147,7 +147,7 @@ If you want to set certain search nodes to the ``data_hot``, ``data_warm``, or `

Elasticsearch node roles is an advanced setting and you should be careful to avoid disruption to your cluster!

To see and modify Elasticsearch node roles, first navigate to :ref:`administration` --> Configuration, click the ``Options`` menu at the top of the page, and enable the ``Show all configurable settings, including advanced settings.`` option. Then navigate to elasticsearch --> so_roles and select the desired role. Finally, navigate to config --> node --> roles and the list of roles should appear on the right side of the page.
To see and modify Elasticsearch node roles, first navigate to :ref:`administration` --> Configuration, click the ``Options`` menu at the top of the page, and enable the ``Show advanced settings`` option. Then navigate to elasticsearch --> so_roles and select the desired role. Finally, navigate to config --> node --> roles and the list of roles should appear on the right side of the page.

Templates
---------
Expand Down Expand Up @@ -246,15 +246,18 @@ If you want to clear all Elasticsearch data including documents and indices, you
GeoIP
-----

Elasticsearch 8 no longer includes GeoIP databases by default. We include GeoIP databases for Elasticsearch so that all users will have GeoIP functionality. If your search nodes have Internet access and can reach geoip.elastic.co and storage.googleapis.com, then you can opt-in to database updates if you want more recent information. To do this, add the following to your Elasticsearch :ref:`salt` config:
Elasticsearch 8 no longer includes GeoIP databases by default. We include GeoIP databases for Elasticsearch so that all users will have GeoIP functionality. If your search nodes have Internet access and can reach geoip.elastic.co and storage.googleapis.com, then you can opt-in to database updates if you want more recent information. In :ref:`soc`, navigate to :ref:`administration` --> Configuration. At the top of the page, click the ``Options`` menu and then enable the ``Show advanced settings`` option. Then navigate to elasticsearch --> advanced and add the following config on the right side of the screen.

::

config:
ingest:
geoip:
downloader:
enabled: true
elasticsearch:
config:
ingest:
geoip:
downloader:
enabled: true

Once the config is added, click the green check mark to save the configuration.

Diagnostic Logging
------------------
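Review bot: The old snippet started at ``config:`` and the new one wraps it in a top-level ``elasticsearch:`` key, while the instructions now say to paste it into elasticsearch --> advanced; please confirm which nesting that setting expects, because a reader pasting the wrapped form into a field already scoped under ``elasticsearch`` would get a doubly nested key if the editor does not strip the outer one. In this rendering the YAML indentation is not visible, so also check that the built page shows ``ingest``, ``geoip``, ``downloader`` and ``enabled`` nested under ``config`` rather than flush left. Finally, "Once the config is added, click the green check mark" could note that, as with ``retention_pct`` earlier on this page, the change takes effect at the next 15 minute interval unless ``SYNCHRONIZE GRID`` is used.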