From aa7c39d31224a757b9241a0b0088404578031f5c Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 22 Nov 2022 10:08:39 -0500 Subject: [PATCH 01/26] Add dashboards for stun, tds, and wireguard --- salt/soc/files/soc/dashboards.queries.json | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/salt/soc/files/soc/dashboards.queries.json b/salt/soc/files/soc/dashboards.queries.json index 55d269a8b..d8dbc7c57 100644 --- a/salt/soc/files/soc/dashboards.queries.json +++ b/salt/soc/files/soc/dashboards.queries.json @@ -47,5 +47,8 @@ { "name": "Tunnel", "description": "Tunnels seen by Zeek", "query": "event.dataset:tunnel | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "Weird", "description": "Weird network traffic seen by Zeek", "query": "event.dataset:weird | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port "}, { "name": "x509", "description": "x.509 certificates seen by Zeek", "query": "event.dataset:x509 | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer"}, - { "name": "Firewall", "description": "Firewall logs", "query": "event.dataset:firewall | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port"} + { "name": "Firewall", "description": "Firewall logs", "query": "event.dataset:firewall | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "STUN", "description": "Session Traversal Utilities for NAT", "query": "event.dataset:stun* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "TDS", "description": "Tabular Data Stream", "query": "event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupby tds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "Wireguard", "description": "Wireguard", "query": "event.dataset:wireguard | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"} ] From 595f615ed961527ca275188d36da4ab6e71be51a Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 22 Nov 2022 10:22:55 -0500 Subject: [PATCH 02/26] Add ICS dashboard --- salt/soc/files/soc/dashboards.queries.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/soc/files/soc/dashboards.queries.json b/salt/soc/files/soc/dashboards.queries.json index d8dbc7c57..4edaff1d5 100644 --- a/salt/soc/files/soc/dashboards.queries.json +++ b/salt/soc/files/soc/dashboards.queries.json @@ -48,7 +48,8 @@ { "name": "Weird", "description": "Weird network traffic seen by Zeek", "query": "event.dataset:weird | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port "}, { "name": "x509", "description": "x.509 certificates seen by Zeek", "query": "event.dataset:x509 | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer"}, { "name": "Firewall", "description": "Firewall logs", "query": "event.dataset:firewall | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "ICS", "description": "Industrial Control Systems", "query": "tags:ics | groupby event.dataset | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "STUN", "description": "Session Traversal Utilities for NAT", "query": "event.dataset:stun* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "TDS", "description": "Tabular Data Stream", "query": "event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupby tds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "Wireguard", "description": "Wireguard", "query": "event.dataset:wireguard | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"} + { "name": "WireGuard", "description": "WireGuard VPN", "query": "event.dataset:wireguard | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"} ] From 2a805ac1a64cb9fe05e4886bcdac8d160aa2336d Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 22 Nov 2022 10:29:55 -0500 Subject: [PATCH 03/26] Add tds entries to hunt.eventfields.json --- salt/soc/files/soc/hunt.eventfields.json | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json index 0c7959b70..d19f2904a 100644 --- a/salt/soc/files/soc/hunt.eventfields.json +++ b/salt/soc/files/soc/hunt.eventfields.json @@ -56,6 +56,10 @@ "::process_creation": ["soc_timestamp","process.command_line", "process.pid", "process.parent.executable", "process.working_directory"], "::registry_create_delete": ["soc_timestamp", "winlog.event_data.TargetObject", "process.executable", "process.pid", "winlog.computer_name"], "::dns_query": ["soc_timestamp", "dns.query.name", "dns.answers.name", "process.executable", "winlog.computer_name"], - "::file_create_stream_hash": ["soc_timestamp", "file.target", "hash.md5", "hash.sha256", "process.executable", "process.pid", "winlog.computer_name"] + "::file_create_stream_hash": ["soc_timestamp", "file.target", "hash.md5", "hash.sha256", "process.executable", "process.pid", "winlog.computer_name"], + "::tds": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid", "tds.command", "event.dataset" ], + "::tds_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid", "tds.procedure_name", "event.dataset" ], + "::tds_sql_batch": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid", "tds.header_type", "event.dataset" ] + } From 51cc04793332fcf8aa2c6444c5378867f072d753 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 22 Nov 2022 10:40:22 -0500 Subject: [PATCH 04/26] add cip to hunt.eventfields.json --- salt/soc/files/soc/hunt.eventfields.json | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json index d19f2904a..a9709a6a6 100644 --- a/salt/soc/files/soc/hunt.eventfields.json +++ b/salt/soc/files/soc/hunt.eventfields.json @@ -59,7 +59,9 @@ "::file_create_stream_hash": ["soc_timestamp", "file.target", "hash.md5", "hash.sha256", "process.executable", "process.pid", "winlog.computer_name"], "::tds": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid", "tds.command", "event.dataset" ], "::tds_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid", "tds.procedure_name", "event.dataset" ], + "::cip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid", "cip.service", "cip.status_code", "event.dataset" ], "::tds_sql_batch": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid", "tds.header_type", "event.dataset" ] + } From b522c9eea4301c5803daa51bab4b010721e73eb6 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 22 Nov 2022 10:43:01 -0500 Subject: [PATCH 05/26] reorder fields in hunt.eventfields.json --- salt/soc/files/soc/hunt.eventfields.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json index a9709a6a6..2e77780d3 100644 --- a/salt/soc/files/soc/hunt.eventfields.json +++ b/salt/soc/files/soc/hunt.eventfields.json @@ -57,10 +57,10 @@ "::registry_create_delete": ["soc_timestamp", "winlog.event_data.TargetObject", "process.executable", "process.pid", "winlog.computer_name"], "::dns_query": ["soc_timestamp", "dns.query.name", "dns.answers.name", "process.executable", "winlog.computer_name"], "::file_create_stream_hash": ["soc_timestamp", "file.target", "hash.md5", "hash.sha256", "process.executable", "process.pid", "winlog.computer_name"], - "::tds": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid", "tds.command", "event.dataset" ], - "::tds_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid", "tds.procedure_name", "event.dataset" ], - "::cip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid", "cip.service", "cip.status_code", "event.dataset" ], - "::tds_sql_batch": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid", "tds.header_type", "event.dataset" ] + "::tds": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.command", "log.id.uid", "event.dataset" ], + "::tds_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.procedure_name", "log.id.uid", "event.dataset" ], + "::cip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.service", "cip.status_code", "log.id.uid", "event.dataset" ], + "::tds_sql_batch": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.header_type", "log.id.uid", "event.dataset" ] From 264ae2b9ac492b0695a6de1bc2d7dbc3c2bbba15 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 22 Nov 2022 10:45:20 -0500 Subject: [PATCH 06/26] add enip to hunt.eventfields.json --- salt/soc/files/soc/hunt.eventfields.json | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json index 2e77780d3..80726bd21 100644 --- a/salt/soc/files/soc/hunt.eventfields.json +++ b/salt/soc/files/soc/hunt.eventfields.json @@ -60,6 +60,7 @@ "::tds": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.command", "log.id.uid", "event.dataset" ], "::tds_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.procedure_name", "log.id.uid", "event.dataset" ], "::cip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.service", "cip.status_code", "log.id.uid", "event.dataset" ], + "::enip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "enip.command", "enip.status_code", "log.id.uid", "event.dataset" ], "::tds_sql_batch": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.header_type", "log.id.uid", "event.dataset" ] From ae582caa5510208139de0fd7b4f035d640faad4a Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 22 Nov 2022 10:48:33 -0500 Subject: [PATCH 07/26] Add modbus_detailed to hunt.eventfields.json --- salt/soc/files/soc/hunt.eventfields.json | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json index 80726bd21..15ffe00d1 100644 --- a/salt/soc/files/soc/hunt.eventfields.json +++ b/salt/soc/files/soc/hunt.eventfields.json @@ -61,6 +61,7 @@ "::tds_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.procedure_name", "log.id.uid", "event.dataset" ], "::cip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.service", "cip.status_code", "log.id.uid", "event.dataset" ], "::enip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "enip.command", "enip.status_code", "log.id.uid", "event.dataset" ], + "::modbus_detailed": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "modbus.function", "log.id.uid" ], "::tds_sql_batch": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.header_type", "log.id.uid", "event.dataset" ] From 84d333e9157275628254cca080ed04f10dc7b95f Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 22 Nov 2022 10:51:06 -0500 Subject: [PATCH 08/26] add s7comm to hunt.eventfields.json --- salt/soc/files/soc/hunt.eventfields.json | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json index 15ffe00d1..d87fcebca 100644 --- a/salt/soc/files/soc/hunt.eventfields.json +++ b/salt/soc/files/soc/hunt.eventfields.json @@ -62,6 +62,7 @@ "::cip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.service", "cip.status_code", "log.id.uid", "event.dataset" ], "::enip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "enip.command", "enip.status_code", "log.id.uid", "event.dataset" ], "::modbus_detailed": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "modbus.function", "log.id.uid" ], + "::s7comm": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "s7.ros.control.name", "s7.function.name", "log.id.uid" ], "::tds_sql_batch": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.header_type", "log.id.uid", "event.dataset" ] From 80e50fa7b4c133dd294f64aa73c7398d879c3479 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 22 Nov 2022 10:53:48 -0500 Subject: [PATCH 09/26] add ecat_arp_info to hunt.eventfields.json --- salt/soc/files/soc/hunt.eventfields.json | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json index d87fcebca..dd48861a8 100644 --- a/salt/soc/files/soc/hunt.eventfields.json +++ b/salt/soc/files/soc/hunt.eventfields.json @@ -63,6 +63,7 @@ "::enip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "enip.command", "enip.status_code", "log.id.uid", "event.dataset" ], "::modbus_detailed": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "modbus.function", "log.id.uid" ], "::s7comm": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "s7.ros.control.name", "s7.function.name", "log.id.uid" ], + "::ecat_arp_info": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ecat.arp.type", "log.id.uid" ], "::tds_sql_batch": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.header_type", "log.id.uid", "event.dataset" ] From 07a53db09a68315714eb10d3165018c51faceb6d Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 22 Nov 2022 10:55:39 -0500 Subject: [PATCH 10/26] add cip_identity to hunt.evenfields.json --- salt/soc/files/soc/hunt.eventfields.json | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json index dd48861a8..761c16f9d 100644 --- a/salt/soc/files/soc/hunt.eventfields.json +++ b/salt/soc/files/soc/hunt.eventfields.json @@ -63,6 +63,7 @@ "::enip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "enip.command", "enip.status_code", "log.id.uid", "event.dataset" ], "::modbus_detailed": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "modbus.function", "log.id.uid" ], "::s7comm": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "s7.ros.control.name", "s7.function.name", "log.id.uid" ], + "::cip_identity": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.device.type.name", "cip.vendor.name", "log.id.uid" ], "::ecat_arp_info": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ecat.arp.type", "log.id.uid" ], "::tds_sql_batch": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.header_type", "log.id.uid", "event.dataset" ] From 73c282595d7de56293deb60035549ce1e0d9ac09 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 22 Nov 2022 10:57:06 -0500 Subject: [PATCH 11/26] update dnp3 in hunt.eventfields.json --- salt/soc/files/soc/hunt.eventfields.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json index 761c16f9d..c1c83d668 100644 --- a/salt/soc/files/soc/hunt.eventfields.json +++ b/salt/soc/files/soc/hunt.eventfields.json @@ -4,7 +4,7 @@ "::conn": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.transport", "network.protocol", "log.id.uid", "network.community_id" ], "::dce_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "dce_rpc.endpoint", "dce_rpc.named_pipe", "dce_rpc.operation", "log.id.uid" ], "::dhcp": ["soc_timestamp", "client.address", "server.address", "host.domain", "host.hostname", "dhcp.message_types", "log.id.uid" ], - "::dnp3": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "dnp3.fc_reply", "log.id.uid" ], + "::dnp3": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "dnp3.fc_request", "dnp3.fc_reply", "log.id.uid" ], "::dns": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.transport", "dns.query.name", "dns.query.type_name", "dns.response.code_name", "log.id.uid", "network.community_id" ], "::dpd": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.protocol", "observer.analyser", "error.reason", "log.id.uid" ], "::file": ["soc_timestamp", "source.ip", "destination.ip", "file.name", "file.mime_type", "file.source", "file.bytes.total", "log.id.fuid", "log.id.uid" ], From bbcefea4172ac41c75746530cf5cef9838be24c6 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 22 Nov 2022 10:58:42 -0500 Subject: [PATCH 12/26] add s7comm_plus to hunt.eventfields.json --- salt/soc/files/soc/hunt.eventfields.json | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json index c1c83d668..d11d9fee9 100644 --- a/salt/soc/files/soc/hunt.eventfields.json +++ b/salt/soc/files/soc/hunt.eventfields.json @@ -63,6 +63,7 @@ "::enip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "enip.command", "enip.status_code", "log.id.uid", "event.dataset" ], "::modbus_detailed": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "modbus.function", "log.id.uid" ], "::s7comm": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "s7.ros.control.name", "s7.function.name", "log.id.uid" ], + "::s7comm_plus": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "s7.opcode.name", "s7.version", "log.id.uid" ], "::cip_identity": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.device.type.name", "cip.vendor.name", "log.id.uid" ], "::ecat_arp_info": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ecat.arp.type", "log.id.uid" ], "::tds_sql_batch": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.header_type", "log.id.uid", "event.dataset" ] From 073f5ed78911d4c7e0a95a6ed45ef6054a280124 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 22 Nov 2022 11:02:21 -0500 Subject: [PATCH 13/26] add dnp3_objects to hunt.eventfields.json --- salt/soc/files/soc/hunt.eventfields.json | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json index d11d9fee9..13364f98a 100644 --- a/salt/soc/files/soc/hunt.eventfields.json +++ b/salt/soc/files/soc/hunt.eventfields.json @@ -5,6 +5,7 @@ "::dce_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "dce_rpc.endpoint", "dce_rpc.named_pipe", "dce_rpc.operation", "log.id.uid" ], "::dhcp": ["soc_timestamp", "client.address", "server.address", "host.domain", "host.hostname", "dhcp.message_types", "log.id.uid" ], "::dnp3": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "dnp3.fc_request", "dnp3.fc_reply", "log.id.uid" ], + "::dnp3_objects": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "dnp3.function_code", "dnp3.object_type", "log.id.uid" ], "::dns": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.transport", "dns.query.name", "dns.query.type_name", "dns.response.code_name", "log.id.uid", "network.community_id" ], "::dpd": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.protocol", "observer.analyser", "error.reason", "log.id.uid" ], "::file": ["soc_timestamp", "source.ip", "destination.ip", "file.name", "file.mime_type", "file.source", "file.bytes.total", "log.id.fuid", "log.id.uid" ], From af626fe3a122bfe57fbac35defb060c72f77f609 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 22 Nov 2022 11:03:45 -0500 Subject: [PATCH 14/26] add bacnet to hunt.eventfields.json --- salt/soc/files/soc/hunt.eventfields.json | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json index 13364f98a..4afbf413e 100644 --- a/salt/soc/files/soc/hunt.eventfields.json +++ b/salt/soc/files/soc/hunt.eventfields.json @@ -67,6 +67,7 @@ "::s7comm_plus": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "s7.opcode.name", "s7.version", "log.id.uid" ], "::cip_identity": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.device.type.name", "cip.vendor.name", "log.id.uid" ], "::ecat_arp_info": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ecat.arp.type", "log.id.uid" ], + "::bacnet": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.bclv.function", "bacnet.result.code", "log.id.uid" ], "::tds_sql_batch": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.header_type", "log.id.uid", "event.dataset" ] From 1ad7a0db59b88a943e5e0dd343b69aedc8d86423 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 22 Nov 2022 11:05:26 -0500 Subject: [PATCH 15/26] add bacnet_property to hunt.eventfields.json --- salt/soc/files/soc/hunt.eventfields.json | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json index 4afbf413e..75e880599 100644 --- a/salt/soc/files/soc/hunt.eventfields.json +++ b/salt/soc/files/soc/hunt.eventfields.json @@ -68,6 +68,7 @@ "::cip_identity": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.device.type.name", "cip.vendor.name", "log.id.uid" ], "::ecat_arp_info": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ecat.arp.type", "log.id.uid" ], "::bacnet": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.bclv.function", "bacnet.result.code", "log.id.uid" ], + "::bacnet_property": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.property", "bacnet.pdu.service", "log.id.uid" ], "::tds_sql_batch": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.header_type", "log.id.uid", "event.dataset" ] From db58a355624df38aa9eedad1c8f420126d6aba50 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 22 Nov 2022 11:07:03 -0500 Subject: [PATCH 16/26] add profinet to hunt.eventfields.json --- salt/soc/files/soc/hunt.eventfields.json | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json index 75e880599..58c5e6a9f 100644 --- a/salt/soc/files/soc/hunt.eventfields.json +++ b/salt/soc/files/soc/hunt.eventfields.json @@ -69,6 +69,7 @@ "::ecat_arp_info": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ecat.arp.type", "log.id.uid" ], "::bacnet": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.bclv.function", "bacnet.result.code", "log.id.uid" ], "::bacnet_property": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.property", "bacnet.pdu.service", "log.id.uid" ], + "::profinet": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "profinet.index", "profinet.operation_type", "log.id.uid" ], "::tds_sql_batch": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.header_type", "log.id.uid", "event.dataset" ] From 10ac789fbf005b4fdc4c205dd286d54da801e76b Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 22 Nov 2022 11:08:24 -0500 Subject: [PATCH 17/26] add profinet_dce_rpc to hunt.eventfields.json --- salt/soc/files/soc/hunt.eventfields.json | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json index 58c5e6a9f..ad93ea491 100644 --- a/salt/soc/files/soc/hunt.eventfields.json +++ b/salt/soc/files/soc/hunt.eventfields.json @@ -70,6 +70,7 @@ "::bacnet": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.bclv.function", "bacnet.result.code", "log.id.uid" ], "::bacnet_property": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.property", "bacnet.pdu.service", "log.id.uid" ], "::profinet": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "profinet.index", "profinet.operation_type", "log.id.uid" ], + "::profinet_dce_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "profinet.operation", "log.id.uid" ], "::tds_sql_batch": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.header_type", "log.id.uid", "event.dataset" ] From 24ee38369f129a663dcf10974425e3bcb1a81d4f Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 22 Nov 2022 12:49:33 -0500 Subject: [PATCH 18/26] add cotp to hunt.eventfields.json --- salt/soc/files/soc/hunt.eventfields.json | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json index ad93ea491..ee924a54e 100644 --- a/salt/soc/files/soc/hunt.eventfields.json +++ b/salt/soc/files/soc/hunt.eventfields.json @@ -71,6 +71,7 @@ "::bacnet_property": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.property", "bacnet.pdu.service", "log.id.uid" ], "::profinet": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "profinet.index", "profinet.operation_type", "log.id.uid" ], "::profinet_dce_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "profinet.operation", "log.id.uid" ], + "::cotp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cotp.pdu.name", "log.id.uid" ], "::tds_sql_batch": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tds.header_type", "log.id.uid", "event.dataset" ] From 724b26228c05ecfbd5af9ea19b78596f1927be3f Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 22 Nov 2022 13:09:27 -0500 Subject: [PATCH 19/26] add ecat_log_address to hunt.eventfields.json --- salt/soc/files/soc/hunt.eventfields.json | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json index ee924a54e..fbfa997a5 100644 --- a/salt/soc/files/soc/hunt.eventfields.json +++ b/salt/soc/files/soc/hunt.eventfields.json @@ -67,6 +67,7 @@ "::s7comm_plus": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "s7.opcode.name", "s7.version", "log.id.uid" ], "::cip_identity": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.device.type.name", "cip.vendor.name", "log.id.uid" ], "::ecat_arp_info": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ecat.arp.type", "log.id.uid" ], + "::ecat_log_address": ["soc_timestamp", "source.mac", "destination.mac", "ecat.command", "log.id.uid" ], "::bacnet": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.bclv.function", "bacnet.result.code", "log.id.uid" ], "::bacnet_property": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.property", "bacnet.pdu.service", "log.id.uid" ], "::profinet": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "profinet.index", "profinet.operation_type", "log.id.uid" ], From 9cd6273bebad4788a8e9cbf72a57c33ccb883ff6 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 22 Nov 2022 13:10:46 -0500 Subject: [PATCH 20/26] update ecat_log_address in hunt.eventfields.json --- salt/soc/files/soc/hunt.eventfields.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json index fbfa997a5..02520469b 100644 --- a/salt/soc/files/soc/hunt.eventfields.json +++ b/salt/soc/files/soc/hunt.eventfields.json @@ -67,7 +67,7 @@ "::s7comm_plus": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "s7.opcode.name", "s7.version", "log.id.uid" ], "::cip_identity": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.device.type.name", "cip.vendor.name", "log.id.uid" ], "::ecat_arp_info": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ecat.arp.type", "log.id.uid" ], - "::ecat_log_address": ["soc_timestamp", "source.mac", "destination.mac", "ecat.command", "log.id.uid" ], + "::ecat_log_address": ["soc_timestamp", "source.mac", "destination.mac", "ecat.command" ], "::bacnet": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.bclv.function", "bacnet.result.code", "log.id.uid" ], "::bacnet_property": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.property", "bacnet.pdu.service", "log.id.uid" ], "::profinet": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "profinet.index", "profinet.operation_type", "log.id.uid" ], From 8a9a13865c8da6b733e92f9763902ad459348eb7 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 22 Nov 2022 13:12:24 -0500 Subject: [PATCH 21/26] add ecat_registers to hunt.eventfields.json --- salt/soc/files/soc/hunt.eventfields.json | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json index 02520469b..e1c7e48a8 100644 --- a/salt/soc/files/soc/hunt.eventfields.json +++ b/salt/soc/files/soc/hunt.eventfields.json @@ -68,6 +68,7 @@ "::cip_identity": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.device.type.name", "cip.vendor.name", "log.id.uid" ], "::ecat_arp_info": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ecat.arp.type", "log.id.uid" ], "::ecat_log_address": ["soc_timestamp", "source.mac", "destination.mac", "ecat.command" ], + "::ecat_registers": ["soc_timestamp", "source.mac", "destination.mac", "ecat.command", "ecat.register.type" ], "::bacnet": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.bclv.function", "bacnet.result.code", "log.id.uid" ], "::bacnet_property": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.property", "bacnet.pdu.service", "log.id.uid" ], "::profinet": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "profinet.index", "profinet.operation_type", "log.id.uid" ], From 5a107c63b8d838cfc9bc052d3f3d6f3086c5114d Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 22 Nov 2022 13:16:47 -0500 Subject: [PATCH 22/26] add source.mac and destination.mac to dashboards.queries.json --- salt/soc/files/soc/dashboards.queries.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/files/soc/dashboards.queries.json b/salt/soc/files/soc/dashboards.queries.json index 4edaff1d5..ed1e38dd9 100644 --- a/salt/soc/files/soc/dashboards.queries.json +++ b/salt/soc/files/soc/dashboards.queries.json @@ -48,7 +48,7 @@ { "name": "Weird", "description": "Weird network traffic seen by Zeek", "query": "event.dataset:weird | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port "}, { "name": "x509", "description": "x.509 certificates seen by Zeek", "query": "event.dataset:x509 | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer"}, { "name": "Firewall", "description": "Firewall logs", "query": "event.dataset:firewall | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "ICS", "description": "Industrial Control Systems", "query": "tags:ics | groupby event.dataset | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"}, + { "name": "ICS", "description": "Industrial Control Systems", "query": "tags:ics | groupby event.dataset | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby source.mac | groupby destination.mac"}, { "name": "STUN", "description": "Session Traversal Utilities for NAT", "query": "event.dataset:stun* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "TDS", "description": "Tabular Data Stream", "query": "event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupby tds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "WireGuard", "description": "WireGuard VPN", "query": "event.dataset:wireguard | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"} From 4e5106c863ac560aadabaa0df986f58ac4c7f519 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 22 Nov 2022 13:21:33 -0500 Subject: [PATCH 23/26] update ecat_arp_info in hunt.eventfields.json --- salt/soc/files/soc/hunt.eventfields.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json index e1c7e48a8..37f35db5b 100644 --- a/salt/soc/files/soc/hunt.eventfields.json +++ b/salt/soc/files/soc/hunt.eventfields.json @@ -66,7 +66,7 @@ "::s7comm": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "s7.ros.control.name", "s7.function.name", "log.id.uid" ], "::s7comm_plus": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "s7.opcode.name", "s7.version", "log.id.uid" ], "::cip_identity": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.device.type.name", "cip.vendor.name", "log.id.uid" ], - "::ecat_arp_info": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ecat.arp.type", "log.id.uid" ], + "::ecat_arp_info": ["soc_timestamp", "source.ip", "destination.ip", "source.mac", "destination.mac", "ecat.arp.type", "log.id.uid" ], "::ecat_log_address": ["soc_timestamp", "source.mac", "destination.mac", "ecat.command" ], "::ecat_registers": ["soc_timestamp", "source.mac", "destination.mac", "ecat.command", "ecat.register.type" ], "::bacnet": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.bclv.function", "bacnet.result.code", "log.id.uid" ], From e0cd55082059523b82303328b7e8caab107e291a Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 22 Nov 2022 13:23:45 -0500 Subject: [PATCH 24/26] update ecat_arp_info in hunt.eventfields.json --- salt/soc/files/soc/hunt.eventfields.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json index 37f35db5b..28bbf3cfd 100644 --- a/salt/soc/files/soc/hunt.eventfields.json +++ b/salt/soc/files/soc/hunt.eventfields.json @@ -66,7 +66,7 @@ "::s7comm": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "s7.ros.control.name", "s7.function.name", "log.id.uid" ], "::s7comm_plus": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "s7.opcode.name", "s7.version", "log.id.uid" ], "::cip_identity": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.device.type.name", "cip.vendor.name", "log.id.uid" ], - "::ecat_arp_info": ["soc_timestamp", "source.ip", "destination.ip", "source.mac", "destination.mac", "ecat.arp.type", "log.id.uid" ], + "::ecat_arp_info": ["soc_timestamp", "source.ip", "destination.ip", "source.mac", "destination.mac", "ecat.arp.type" ], "::ecat_log_address": ["soc_timestamp", "source.mac", "destination.mac", "ecat.command" ], "::ecat_registers": ["soc_timestamp", "source.mac", "destination.mac", "ecat.command", "ecat.register.type" ], "::bacnet": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.bclv.function", "bacnet.result.code", "log.id.uid" ], From f40ccb7effcd4e074571a25d2da5fc877f235064 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 22 Nov 2022 13:27:26 -0500 Subject: [PATCH 25/26] add bacnet_discovery to hunt.eventfields.json --- salt/soc/files/soc/hunt.eventfields.json | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json index 28bbf3cfd..b7b0c7242 100644 --- a/salt/soc/files/soc/hunt.eventfields.json +++ b/salt/soc/files/soc/hunt.eventfields.json @@ -70,6 +70,7 @@ "::ecat_log_address": ["soc_timestamp", "source.mac", "destination.mac", "ecat.command" ], "::ecat_registers": ["soc_timestamp", "source.mac", "destination.mac", "ecat.command", "ecat.register.type" ], "::bacnet": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.bclv.function", "bacnet.result.code", "log.id.uid" ], + "::bacnet_discovery": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.vendor", "bacnet.pdu.service", "log.id.uid" ], "::bacnet_property": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.property", "bacnet.pdu.service", "log.id.uid" ], "::profinet": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "profinet.index", "profinet.operation_type", "log.id.uid" ], "::profinet_dce_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "profinet.operation", "log.id.uid" ], From 7caf827b777930eac182ed4ab76240c38284e9fe Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 22 Nov 2022 13:33:06 -0500 Subject: [PATCH 26/26] add ecat_aoe_info to hunt.eventfields.json --- salt/soc/files/soc/hunt.eventfields.json | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json index b7b0c7242..e43fedd4f 100644 --- a/salt/soc/files/soc/hunt.eventfields.json +++ b/salt/soc/files/soc/hunt.eventfields.json @@ -67,6 +67,7 @@ "::s7comm_plus": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "s7.opcode.name", "s7.version", "log.id.uid" ], "::cip_identity": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cip.device.type.name", "cip.vendor.name", "log.id.uid" ], "::ecat_arp_info": ["soc_timestamp", "source.ip", "destination.ip", "source.mac", "destination.mac", "ecat.arp.type" ], + "::ecat_aoe_info": ["soc_timestamp", "source.mac", "source.port", "destination.mac", "destination.port", "ecat.command" ], "::ecat_log_address": ["soc_timestamp", "source.mac", "destination.mac", "ecat.command" ], "::ecat_registers": ["soc_timestamp", "source.mac", "destination.mac", "ecat.command", "ecat.register.type" ], "::bacnet": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "bacnet.bclv.function", "bacnet.result.code", "log.id.uid" ],