Tags: RedWifiTeam/Malcolm
Add documentation for using a third-party reverse proxy to handle certificate issuance (see cisagov#15)
Merge pull request cisagov#188 from cisagov/v524_merge

v5.2.4 development

- New features
  - idaholab#74 (automatically generate Zeek intelligence indicators from STIX/TAXII)
- Improvements
  - group MAC addresses and OUI (vendors) into `related.mac` and `related.oui` for easier searching across all fields
  - improvements to default anomaly detectors
- Bug fixes
  - Fix idaholab#75 (OpenSearch Dashboards loads slowly without network connectivity)
  - Fix idaholab#76 (directory creation race condition starting up zeek on sensor which may cause zeekctl to fail)
Merge pull request cisagov#187 from cisagov/v523_merge

* Version bumps
  * Arkime [v3.3.1](https://github.com/arkime/arkime/blob/54fb9cb1ee007aa51bda0712e466fca525e1db71/CHANGELOG#L25-L30)
  * Zeek [v4.2.0](https://github.com/zeek/zeek/releases/tag/v4.2.0)
* Improvements
  * Added script and better documentation for putting Malcolm in "read-only" mode
  * Improved `Files` dashboard
* Bug fixes
  * Fixed an issue where Logstash wasn't parsing the `ftime` from `files.log` correctly (a field added by the Spicy ZIP analyzer)
  * Fixed idaholab#73 (path for tcpdump changed) for Hedgehog Linux
  * Fixed idaholab#72 (better file directory/name parsing and normalization in Logstash)
Merge pull request cisagov#186 from cisagov/v522_merge

Fleshed out the Malcolm API and a fix to how Zeek intel. files are managed on Hedgehog Linux.

* Added more capabilities to the API
  * added `/document/` API
  * added `filter` ability to `/agg/` and `/document/` API
  * added more documentation and examples
* For Zeek intel. files, changed location from `/opt/zeek/share/zeek/site/intel` to `/opt/sensor/sensor_ctl/zeek/intel` so that they aren't lost on reboot
Merge pull request cisagov#185 from cisagov/v520_merge

v5.2.0 release development

* New features
  * Zeek Intelligence Framework (see idaholab#20)
    * To quote Zeek's Intelligence Framework documentation, "The goals of Zeek's Intelligence Framework are to consume intelligence data, make it available for matching, and provide infrastructure to improve performance and memory utilization. Data in the Intelligence Framework is an atomic piece of intelligence such as an IP address or an e-mail address. This atomic data will be packed with metadata such as a freeform source field, a freeform descriptive field, and a URL which might lead to more information about the specific item." Zeek intelligence indicator types include IP addresses, URLs, file names, hashes, email addresses, and more.
    * Malcolm doesn't come bundled with intelligence files from any particular feed, but they can be easily included into your local instance. On startup, Malcolm's `malcolmnetsec/zeek` docker container enumerates the subdirectories under `./zeek/intel` (which is bind mounted into the container's runtime) and configures Zeek so that those intelligence files will be automatically included in its local policy. Subdirectories under `./zeek/intel` which contain their own `__load__.zeek` file will be `@load`-ed as-is, while subdirectories containing "loose" intelligence files will be loaded automatically with a `redef Intel::read_files` directive.
  * New [**OPCUA Binary** protocol parser](https://github.com/cisagov/icsnpp-opcua-binary) for Zeek and corresponding dashboard.
* Improvements
  * set `ecs.provider` to `arkime` for logs from Arkime's `capture` to make categorizing logs by source easier
  * API
    * allow bucketing multiple fields from `/agg/` API
    * added `/fields/` API to list fields
    * added documentation
  * ECS normalization to [`related.hosts`](https://www.elastic.co/guide/en/ecs/current/ecs-related.html#field-related-hosts) field for all applicable protocols
  * updated documentation, screenshots and slides
  * spreadsheet mapping STIX v1.2 fields to Zeek fields and Malcolm normalized fields
  * updated MITRE ATT&CK mappings for Capa hits
  * added a pseudo-read-only NGINX configuration
* Version bumps
  * Arkime to [v3.3.0](https://github.com/arkime/arkime/blob/496ec1e5cd89d79e22ab1a0cddb9a7a2f301cd14/CHANGELOG#L25-L50)
  * OpenSearch to [v1.2.4](https://github.com/opensearch-project/opensearch-build/blob/main/release-notes/opensearch-release-notes-1.2.4.md)
  * Capa to [v3.1.0](https://github.com/mandiant/capa/releases/tag/v3.1.0)
  * [cve-2021-44228 Log4Shell detector plugin](https://github.com/corelight/cve-2021-44228) for Zeek to v0.5.3 (see corelight/cve-2021-44228#46)
* Bug Fixes
  * fix idaholab#71 (type mismatch for network.vlan.id between Malcolm and Arkime definitions) which prevented vlan traffic from indexing correctly from Arkime's `capture` with Malcolm's field template
  * fix for ethernet/IP traffic which could lead to Zeek runaway memory allocation until crash: "Fixed bug with Request Paths containing Port Segments" (cisagov/icsnpp-enip@4696a43)