remove fleetdm and wazuh
dougburks committed Sep 7, 2022
1 parent 99063a0 commit 2f0ec71
Showing 26 changed files with 26 additions and 498 deletions.
2 changes: 1 addition & 1 deletion about.rst
@@ -5,7 +5,7 @@ About

Security Onion
--------------
Security Onion is a free and open Linux distribution for threat hunting, enterprise security monitoring, and log management. It includes our own tools for :ref:`alerts`, :ref:`dashboards`, :ref:`hunt`, :ref:`pcap`, and :ref:`cases` as well as other tools such as :ref:`playbook`, :ref:`fleet`, :ref:`osquery`, :ref:`cyberchef`, :ref:`elasticsearch`, :ref:`logstash`, :ref:`kibana`, :ref:`suricata`, :ref:`zeek`, and :ref:`wazuh`. Security Onion has been downloaded over 2 million times and is being used by security teams around the world to monitor and defend their enterprises. Our easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!
Security Onion is a free and open Linux distribution for threat hunting, enterprise security monitoring, and log management. It includes our own tools for :ref:`alerts`, :ref:`dashboards`, :ref:`hunt`, :ref:`pcap`, and :ref:`cases` as well as other tools such as :ref:`playbook`, :ref:`osquery`, :ref:`cyberchef`, :ref:`elasticsearch`, :ref:`logstash`, :ref:`kibana`, :ref:`suricata`, and :ref:`zeek`. Security Onion has been downloaded over 2 million times and is being used by security teams around the world to monitor and defend their enterprises. Our easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!

Security Onion Solutions, LLC
-----------------------------
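Review bot: the rewritten sentence keeps :ref:`osquery` in the tool list while host.rst in this same commit drops osquery from the agent choices (its intro now offers only beats or syslog). Decide whether osquery remains a supported endpoint option and make about.rst, introduction.rst, faq.rst and host.rst say the same thing.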
2 changes: 1 addition & 1 deletion adding-accounts.rst
@@ -17,7 +17,7 @@ For more information, please see ``man adduser``.
SOC
---

If you need to add a new account to :ref:`soc` and :ref:`fleet`, you can use the ``so-user-add`` command and specify the user's email address. For example, to add a new account for ``[email protected]``:
If you need to add a new account to :ref:`soc`, you can use the ``so-user-add`` command and specify the user's email address. For example, to add a new account for ``[email protected]``:

::

17 changes: 3 additions & 14 deletions architecture.rst
@@ -82,7 +82,6 @@ The manager node runs the following components:
- :ref:`curator`
- :ref:`elastalert`
- :ref:`redis`
- :ref:`wazuh`

Search Node
~~~~~~~~~~~
@@ -96,7 +95,6 @@ Search Nodes run the following components:
- :ref:`elasticsearch`
- :ref:`logstash`
- :ref:`curator`
- :ref:`wazuh`

Manager Search
~~~~~~~~~~~~~~
@@ -112,7 +110,6 @@ A manager search node runs the following components:
- :ref:`curator`
- :ref:`elastalert`
- :ref:`redis`
- :ref:`wazuh`

Forward Node
~~~~~~~~~~~~
@@ -124,7 +121,6 @@ Forward nodes run the following components:
- :ref:`zeek`
- :ref:`suricata`
- :ref:`stenographer`
- :ref:`wazuh`

Heavy Node
~~~~~~~~~~
@@ -143,18 +139,11 @@ Heavy Nodes run the following components:
- :ref:`zeek`
- :ref:`suricata`
- :ref:`stenographer`
- :ref:`wazuh`

Fleet Standalone Node
~~~~~~~~~~~~~~~~~~~~~
Elastic Fleet Standalone Node
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A :ref:`fleet` Standalone Node is ideal when there are a large amount of osquery endpoints deployed. It reduces the amount of overhead on the manager node by transferring the workload associated with managing osquery endpoints to a dedicated system. It is also useful for off-network osquery endpoints that do not have remote access to the Manager node as it can be deployed to the DMZ and TCP/8090 made accessible to your off-network osquery endpoints.

If the Manager Node was originally setup with :ref:`fleet`, your grid will automatically switch over to using the :ref:`fleet` Standalone Node instead as a grid can only have one :ref:`fleet` instance active at a time.

:ref:`fleet` Standalone Nodes run the following components:

- :ref:`fleet`
An Elastic Fleet Standalone Node is ideal when there are a large amount of Elastic endpoints deployed. It reduces the amount of overhead on the manager node by transferring the workload associated with managing endpoints to a dedicated system. It is also useful for off-network osquery endpoints that do not have remote access to the Manager node as it can be deployed to the DMZ and TCP/8090 made accessible to your off-network osquery endpoints.

Receiver Node
~~~~~~~~~~~~~
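Review bot: the new "Elastic Fleet Standalone Node" section is the only node type left without a "runs the following components" list, and it drops the note about a grid only having one Fleet instance active at a time without saying whether that still holds. The retained sentence also still says "off-network osquery endpoints" and "TCP/8090 made accessible", which were the fleetdm specifics from the old text; verify the port and the agent type against Elastic Fleet or rewrite that sentence. Minor: "a large amount of Elastic endpoints" should be "a large number of Elastic endpoints".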
2 changes: 1 addition & 1 deletion dashboards.rst
@@ -52,7 +52,7 @@ Dashboards will try to detect your local time zone via your browser. You can man

Query Bar
---------
The easiest way to get started is to click the query drop down box and select one of the pre-defined dashboards. These pre-defined dashboards cover most of the major data types that you would expect to see in a Security Onion deployment: NIDS alerts from :ref:`suricata`, HIDS alerts from :ref:`wazuh`, protocol metadata logs from :ref:`zeek` or :ref:`suricata`, endpoint logs, and firewall logs.
The easiest way to get started is to click the query drop down box and select one of the pre-defined dashboards. These pre-defined dashboards cover most of the major data types that you would expect to see in a Security Onion deployment: NIDS alerts from :ref:`suricata`, protocol metadata logs from :ref:`zeek` or :ref:`suricata`, endpoint logs, and firewall logs.

.. image:: images/dashboards-query.png
:target: _images/dashboards-query.png
4 changes: 0 additions & 4 deletions directory.rst
@@ -34,7 +34,3 @@ The vast majority of data is stored in ``/nsm/``.
/nsm/pcap
---------
:ref:`stenographer` stores full packet capture in ``/nsm/pcap/``.

/nsm/wazuh
-------------
All :ref:`wazuh` files are stored in ``/nsm/wazuh/``. For convenience, we have placed symlinks for :ref:`wazuh` config at ``/opt/so/conf/wazuh/`` (linked to ``/nsm/wazuh/etc``) and :ref:`wazuh` rules at ``/opt/so/rules/hids/`` (``local_rules.xml`` links to ``/nsm/wazuh/etc/rules/local_rules.xml`` and ``ruleset`` links to ``/nsm/wazuh/ruleset``).
2 changes: 1 addition & 1 deletion disabling-accounts.rst
@@ -17,7 +17,7 @@ For more information, please see ``man passwd`` and ``man usermod``.
SOC
---

If you need to disable an account in :ref:`soc` and :ref:`fleet`, you can use the ``so-user-disable`` command and specify the user's email address. For example, to disable the account for ``[email protected]``:
If you need to disable an account in :ref:`soc`, you can use the ``so-user-disable`` command and specify the user's email address. For example, to disable the account for ``[email protected]``:

::

6 changes: 0 additions & 6 deletions docker.rst
@@ -98,12 +98,6 @@ If you have VMware Tools installed and you suspend and then resume, the Docker i
Dependencies
------------

Fleet
~~~~~
| ``so-fleet`` - REQ - Fleet Web App
| ``so-mysql`` - REQ - Fleet state data
| ``so-redis`` - REQ - Required for live querying
Playbook
~~~~~~~~
| ``so-playbook`` - REQ - Playbook Web App
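Review bot: removing the Fleet block also removes the ``so-redis`` entry, but architecture.rst in this same commit still lists :ref:`redis` as a manager, manager search and (per ingest.rst) pipeline component. If ``so-redis`` is not documented elsewhere in docker.rst's dependency list, keep an entry for it (e.g. under Logstash) rather than dropping it with Fleet.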
7 changes: 1 addition & 6 deletions email.rst
@@ -3,7 +3,7 @@
Email Configuration
===================

Some applications rely on having a mail server in the OS itself and other applications (like :ref:`wazuh`) have their own mail configuration and so they don't rely on a mail server in the OS itself.
Some applications rely on having a mail server in the OS itself and other applications have their own mail configuration and so they don't rely on a mail server in the OS itself.

Operating System
----------------
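Review bot: with the Wazuh example removed, "other applications have their own mail configuration" no longer names any application, so the reader cannot tell which tools the sentence means. Either name one that is still documented on this page (Elastalert, if its email setup is indeed independent of the OS mailer) or shorten the sentence to the part about the OS mail server.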
@@ -14,8 +14,3 @@ Elastalert
----------

Follow the steps on the `Elastalert <ElastAlert#email---internal>`__ page.

Wazuh
-----

Follow the steps in the :ref:`wazuh` section.
2 changes: 1 addition & 1 deletion faq.rst
@@ -126,7 +126,7 @@ Security Onion records full packet capture to disk via :ref:`stenographer`.
How is my data kept secure?
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Standard network connections to or from Security Onion are encrypted. This includes SSH, HTTPS, :ref:`elasticsearch` network queries, and :ref:`salt` minion traffic. Endpoint agent traffic is encrypted where supported. This includes :ref:`wazuh` agents and :ref:`osquery` agents. Elastic :ref:`beats` agents support encryption with additional configuration. SOC user account passwords are hashed via bcrypt in Kratos and you can read more about that at https://github.com/ory/kratos.
Standard network connections to or from Security Onion are encrypted. This includes SSH, HTTPS, :ref:`elasticsearch` network queries, and :ref:`salt` minion traffic. Endpoint agent traffic is encrypted where supported. This includes :ref:`osquery` agents. Elastic :ref:`beats` agents support encryption with additional configuration. SOC user account passwords are hashed via bcrypt in Kratos and you can read more about that at https://github.com/ory/kratos.

`back to top <#top>`__

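Review bot: "Endpoint agent traffic is encrypted where supported. This includes :ref:`osquery` agents." is now a one-item list, and host.rst in this commit no longer offers osquery as an agent choice. If osquery agents are still supported, the sentence is fine; if the Elastic agent replaces them, the encryption claim should be restated for that agent, since this FAQ is what users will cite for how agent traffic is protected.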
1 change: 0 additions & 1 deletion firewall.rst
@@ -30,7 +30,6 @@ When configuring network firewalls for Internet-connected deployments (non-:ref:
- Ubuntu PPAs (OS Updates - Ubuntu only)
- download.docker.com (Docker packages - Ubuntu only)
- repo.saltstack.com (Salt packages - Ubuntu only)
- packages.wazuh.com (Wazuh packages - Ubuntu only)

In the case of a distributed deployment, you can configure your nodes to pull everything from the manager so that only the manager requires Internet access.

69 changes: 0 additions & 69 deletions fleet.rst

This file was deleted.
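Review bot: deleting fleet.rst removes the Sphinx label that every :ref:`fleet` in the docs resolves to, so any reference not cleaned up in this commit will fail the build. The visible hunks remove the refs in about.rst, adding-accounts.rst, disabling-accounts.rst, architecture.rst and host.rst, but ingest.rst still carries a "Fleet Standalone" section and "Fleet" pipeline stages, and the toctree that listed fleet is not shown here; grep the tree for ``fleet`` before merging.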

5 changes: 1 addition & 4 deletions host.rst
@@ -3,10 +3,8 @@
Host Visibility
===============

When you logged into :ref:`soc`, you may have seen some host logs from :ref:`wazuh`. Security Onion can also consume many other kinds of host logs as well. You can send logs to Security Onion via your choice of either :ref:`osquery`, :ref:`beats`, :ref:`wazuh`, or :ref:`syslog`:
Security Onion can consume many kinds of host logs. You can send logs to Security Onion via your choice of either :ref:`beats` or :ref:`syslog`:

- Choose :ref:`osquery` if you want some live response actions and maybe light log transport. A good example here is a roaming laptop where log volume is low and you might want to send its logs to a dedicated :ref:`fleet` node in the DMZ.
- Choose :ref:`wazuh` if you want HIDS functionality and log transport.
- Choose :ref:`beats` for dedicated log transport. Examples would be high volume domain controllers or Windows Event Collectors.
- Choose :ref:`syslog` if you can't install an agent but the device supports sending standard syslog. Examples include firewalls, switches, routers, and other network devices.

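Review bot: the intro now says logs can be sent "via your choice of either :ref:`beats` or :ref:`syslog`", but the toctree a few lines further down in this same file still lists ``osquery`` ahead of ``beats``, and about.rst, introduction.rst and faq.rst in this commit still present osquery as an endpoint agent. Either restore an osquery bullet here (without the Fleet node reference) or drop osquery from the toctree and the other pages so the docs agree on the supported agents.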
@@ -17,7 +15,6 @@ For Windows endpoints, you can optionally augment the standard Windows logging w

osquery
beats
wazuh
syslog
sysmon
autoruns
16 changes: 8 additions & 8 deletions ingest.rst
@@ -13,15 +13,15 @@ Import
Eval
----
| Core Pipeline: Filebeat [EVAL Node] --> ES Ingest [EVAL Node]
| Logs: Zeek, Suricata, Wazuh, Osquery/Fleet
| Logs: Zeek, Suricata, Osquery/Fleet
|
| Osquery Shipper Pipeline: Osquery [Endpoint] --> Fleet [EVAL Node] --> ES Ingest via Core Pipeline
| Logs: WEL, Osquery, syslog
Standalone
----------
| Core Pipeline: Filebeat [SA Node] --> Logstash [SA Node] --> Redis [SA Node] <--> Logstash [SA Node] --> ES Ingest [SA Node]
| Logs: Zeek, Suricata, Wazuh, Osquery/Fleet, syslog
| Logs: Zeek, Suricata, Osquery/Fleet, syslog
|
| WinLogbeat: Winlogbeat [Windows Endpoint]--> Logstash [SA Node] --> Redis [SA Node] <--> Logstash [SA Node] --> ES Ingest [SA Node]
| Logs: WEL, Sysmon
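Review bot: this hunk removes Wazuh from the Eval and Standalone log lists but leaves "Osquery/Fleet" as a log source and the entire "Osquery Shipper Pipeline: Osquery [Endpoint] --> Fleet [EVAL Node] --> ES Ingest via Core Pipeline" stanza, which describes the fleetdm component this commit removes. Either rewrite these for whatever replaces that pipeline or remove them the same way the Wazuh entries were removed.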
@@ -34,33 +34,33 @@ Fleet Standalone
Manager (separate search nodes)
-------------------------------
| Core Pipeline: Filebeat [Fleet | Forward] --> Logstash [Manager] --> Redis [Manager]
| Logs: Zeek, Suricata, Wazuh, Osquery/Fleet, syslog
| Logs: Zeek, Suricata, Osquery/Fleet, syslog
|
| WinLogbeat: Winlogbeat [Windows Endpoint]--> Logstash [Manager] --> Redis [Manager]
| Logs: WEL
Manager Search
--------------
| Core Pipeline: Filebeat [Fleet | Forward] --> Logstash [MS] --> Redis [MS] <--> Logstash [MS] --> ES Ingest [MS]
| Logs: Zeek, Suricata, Wazuh, Osquery/Fleet, syslog
| Logs: Zeek, Suricata, Osquery/Fleet, syslog
|
| Pipeline: Filebeat [MS] --> Logstash [MS] --> ES Ingest [MS]
| Logs: Local Wazuh, Osquery/Fleet
| Logs: Local Osquery/Fleet
|
| WinLogbeat: Winlogbeat [Windows Endpoint]--> Logstash [MS] --> ES Ingest [MS]
| Logs: WEL
Heavy
-----
| Pipeline: Filebeat [Heavy Node] --> Logstash [Heavy] --> Redis [Heavy] <--> Logstash [Heavy] --> ES Ingest [Heavy]
| Logs: Zeek, Suricata, Wazuh, Osquery/Fleet, syslog
| Logs: Zeek, Suricata, Osquery/Fleet, syslog
Search
------
| Pipeline: Redis [Manager] --> Logstash [Search] --> ES Ingest [Search]
| Logs: Zeek, Suricata, Wazuh, Osquery/Fleet, syslog
| Logs: Zeek, Suricata, Osquery/Fleet, syslog
Forward
-------
| Pipeline: Filebeat [Forward] --> Logstash [M | MS] --> ES Ingest [S | MS]
| Logs: Zeek, Suricata, Wazuh, syslog
| Logs: Zeek, Suricata, syslog
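Review bot: the Manager and Manager Search pipelines still read "Filebeat [Fleet | Forward]", the Manager Search local pipeline now reads "Logs: Local Osquery/Fleet", and the hunk header shows the "Fleet Standalone" section above this hunk is untouched. All of these refer to the fleetdm node type that architecture.rst replaces with an Elastic Fleet Standalone Node in this same commit; update the node names and log sources here in the same change so ingest.rst does not describe a node that no longer exists.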
4 changes: 2 additions & 2 deletions introduction.rst
@@ -45,7 +45,7 @@ We also have an :ref:`idh` node that allows you to build a node that mimics serv
Enterprise Security Monitoring
------------------------------

In addition to network visibility, Security Onion provides endpoint visibility via agents like :ref:`beats`, :ref:`osquery`, and :ref:`wazuh`.
In addition to network visibility, Security Onion provides endpoint visibility via agents like :ref:`beats` and :ref:`osquery`.

For devices like firewalls and routers that don't support the installation of agents, Security Onion can consume standard :ref:`syslog`.

@@ -57,7 +57,7 @@ With all of the data sources mentioned above, there is an incredible amount of d
Security Onion Console (SOC)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

:ref:`soc` is the first thing you see when you log into Security Onion. It includes our :ref:`alerts` interface which allows you to see all of your NIDS alerts from :ref:`suricata` and HIDS alerts from :ref:`wazuh`.
:ref:`soc` is the first thing you see when you log into Security Onion. It includes our :ref:`alerts` interface which allows you to see all of your NIDS alerts from :ref:`suricata`.

.. image:: images/alerts.png
:target: _images/alerts.png
Expand Down
2 changes: 1 addition & 1 deletion kibana.rst
@@ -20,7 +20,7 @@ Once you log into Kibana, you should start on the ``Security Onion - Home`` dash
.. image:: images/kibana.png
:target: _images/kibana.png

Notice the visualization in the upper left is labeled ``Security Onion - Navigation``. This navigation panel contains links to other dashboards and will change depending on what dashboard you're currently looking at. For example, when you're on the ``Security Onion - Home`` dashboard and click the ``Alert`` link, you will go to the ``Security Onion - Alerts`` dashboard and the Navigation panel will then contain links to more specific alert dashboards for :ref:`playbook`, :ref:`suricata`, and :ref:`wazuh`. When you're done looking at alerts, you can click the ``Home`` link in the navigation panel to go back to the main ``Security Onion - Home`` dashboard.
Notice the visualization in the upper left is labeled ``Security Onion - Navigation``. This navigation panel contains links to other dashboards and will change depending on what dashboard you're currently looking at. For example, when you're on the ``Security Onion - Home`` dashboard and click the ``Alert`` link, you will go to the ``Security Onion - Alerts`` dashboard and the Navigation panel will then contain links to more specific alert dashboards for :ref:`playbook` and :ref:`suricata`. When you're done looking at alerts, you can click the ``Home`` link in the navigation panel to go back to the main ``Security Onion - Home`` dashboard.

If you ever need to reload dashboards, you can run the following command on your manager:

5 changes: 0 additions & 5 deletions local-rules.rst
@@ -46,11 +46,6 @@ For example:

- You can then run ``curl http://testmynids.org/uid/index.html`` on the node to generate traffic which should cause this rule to alert (and the original rule that it was copied from, if it is enabled).

HIDS
----

You can add :ref:`wazuh` HIDS rules in ``/opt/so/rules/hids/local_rules.xml``.

YARA
----

7 changes: 1 addition & 6 deletions managing-alerts.rst
@@ -11,7 +11,7 @@ Security Onion generates a lot of valuable information for you the second you pl

Alerting Engines & Severity
---------------------------
There are three alerting engines within Security Onion: :ref:`suricata`, :ref:`wazuh` and :ref:`playbook` (Sigma). Though each engine uses its own severity level system, Security Onion converts that to a standardized alert severity:
There are two alerting engines within Security Onion: :ref:`suricata` and :ref:`playbook` (Sigma). Though each engine uses its own severity level system, Security Onion converts that to a standardized alert severity:

``event.severity``: ``4`` ==> ``event.severity_label``: ``critical``

@@ -23,11 +23,6 @@ There are three alerting engines within Security Onion: :ref:`suricata`, :ref:`w

All alerts are viewable in :ref:`alerts`, :ref:`dashboards`, :ref:`hunt`, and :ref:`kibana`.

Wazuh HIDS Alerts
-----------------

If you want to tune Wazuh HIDS alerts, please see the :ref:`wazuh` section.

NIDS Testing
------------
