Playbook creates wrong "SO Elasticsearch query" for DNS queries

[StefanSa]

Version

2.4.10

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

12

RAM

128GB

Storage for /

100GB

Storage for /nsm

2TB

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hi the
Playbook contains and creates incorrect "SO Elasticsearch Query" at sigma dns queries.

Example:

detection:
  selection:
    QueryName|contains:
    - tor2web.org
    - tor2web.com
    - torlink.co

results in this SO Elasticsearch query:
dns.question.name .... but should be dns.query.name

in /opt/so/conf/elasticsearch/ingest/zeek.dns the zeek field is also mapped to dns.query.name

With this error, all DNS SO Elasticsearch query fails.

Can this please be fixed soon
Stefan

Guidelines

• I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

[StefanSa]

Hi there,
I understand that the real problem is here.
But how to solve this ?

https://github.com/Security-Onion-Solutions/securityonion-image/blob/PlaybookMappings/so-soctopus/so-soctopus/playbook/securityonion-baseline.yml#L384

[defensivedepth]

I have created an issue to track a fix for this: #11498

[StefanSa]

hi @defensivedepth
Thank you for your reply.
Question, would it not be useful if said file in the case securityonion-baseline.yml would be accessible to the user as a configuration file.
The user could adjust the mapping himself if needed and would save you some tickets.

[defensivedepth]

Yes, this is something we are considering.

[defensivedepth]

@StefanSa Can you confirm that you are using 2.3 or 2.4?

[StefanSa]

@defensivedepth Josh
v2.4.20