Update soc.json with default search info

2025-12-06 09:12:45 +01:00 · 2020-05-12 13:57:40 -04:00
parent d1eac195d8
commit 0b7568e08f
2 changed files with 63 additions and 63 deletions
--- a/salt/elasticsearch/files/ingest/common
+++ b/salt/elasticsearch/files/ingest/common
@@ -4,7 +4,7 @@
    { 	
 	"geoip":  { 
 		"field": "destination.ip",
-		"target_field": "geo",
+		"target_field": "destination.geo",
 		"database_file": "GeoLite2-City.mmdb",
 		"ignore_missing": true, 
 		"properties": ["ip", "country_iso_code", "country_name", "continent_name", "region_iso_code", "region_name", "city_name", "timezone", "location"]
@@ -13,7 +13,7 @@
    { 
 	"geoip":  {
 		"field": "source.ip",
-		"target_field": "geo",
+		"target_field": "source.geo",
 		"database_file": "GeoLite2-City.mmdb",
 		"ignore_missing": true,
 		"properties": ["ip", "country_iso_code", "country_name", "continent_name", "region_iso_code", "region_name", "city_name", "timezone", "location"]
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -82,66 +82,66 @@
          "wineventlog": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "computer_name", "event_id", "log_name", "source_name", "task" ]
        },
        "queries": [
-          { "name": "Default Query", "description": "Show all events grouped by the origin host", "query": "* | groupby syslog-host_from"},
+          { "name": "Default Query", "description": "Show all events grouped by the origin host", "query": "* | groupby observer.name.keyword"},
-          { "name": "", "description": "", "query": "_type:elastalert | groupby rule_name"},
+          { "name": "Elastalerts", "description": "", "query": "_type:elastalert | groupby rule.name.keyword"},
-          { "name": "", "description": "", "query": "event_type:ossec AND alert | groupby classification,description"},
+          { "name": "Alerts", "description": "Show all alerts grouped by alert source", "query": "event.dataset.keyword: alert | groupby event.module.keyword"},
-          { "name": "", "description": "", "query": "event_type:ossec AND alert | groupby command"},
+          { "name": "NIDS Alerts", "description": "Show all NIDS alerts grouped by alert name", "query": "event.category: network AND event.dataset: alert | groupby rule.name.keyword"},
-          { "name": "", "description": "", "query": "event_type:ossec AND alert | groupby process"},
+          { "name": "OSSEC Alerts", "description": "", "query": "event_type:ossec AND alert | groupby rule.category.keyword"},
-          { "name": "", "description": "", "query": "event_type:ossec AND alert | groupby username"},
+          { "name": "OSSEC Commands", "description": "", "query": "event_type:ossec AND alert | groupby process.command_line.keyword"},
-          { "name": "", "description": "", "query": "event_type:snort | groupby category,classification,alert"},
+          { "name": "OSSEC Processes", "description": "", "query": "event_type:ossec AND alert | groupby process.name.keyword"},
-          { "name": "", "description": "", "query": "event_type:sysmon | groupby event_id"},
+          { "name": "OSSEC Users", "description": "", "query": "event_type:ossec AND alert | groupby user.name.keyword"},
-          { "name": "", "description": "", "query": "event_type:sysmon | groupby username"},
+          { "name": "SYSMON", "description": "", "query": "event_type:sysmon | groupby event_id"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:notice | groupby note,msg"},
+          { "name": "SYSMON", "description": "", "query": "event_type:sysmon | groupby username"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:conn | groupby source.ip,destination.ip,protocol,destination.port"},
+          { "name": "Zeek Notice", "description": "Show notices from Zeek", "query": "event.module.keyword:zeek AND event.dataset:notice | groupby notice.note.keyword,notice.message.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:conn | groupby service,destination.port"},
+          { "name": "Connections", "description": "Connections grouped by IP and Port", "query": "event.module.keyword:zeek AND event.dataset:conn | groupby source.ip.keyword,destination.ip.keyword,network.protocol.keyword,destination.port"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:conn | groupby destination_geo.country_name"},
+          { "name": "Connections", "description": "Connections grouped by Service", "query": "event.module.keyword:zeek AND event.dataset:conn | groupby network.protocol.keyword,destination.port"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:conn | groupby source_geo.country_name"},
+          { "name": "Connections", "description": "Connections grouped by destination Geo", "query": "event.module.keyword:zeek AND event.dataset:conn | groupby destination_geo.country_name"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:dce_rpc | groupby operation"},
+          { "name": "Connections", "description": "Connections grouped by source Geo", "query": "event.module.keyword:zeek AND event.dataset:conn | groupby source.geo.country_name.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:dhcp | groupby hostname,domain_name,destination.ip"},
+          { "name": "DCE_RPC", "description": "DCE_RPC grouped by operation", "query": "event.module.keyword:zeek AND event.dataset:dce_rpc | groupby operation.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:dhcp | groupby message_types"},
+          { "name": "DHCP", "description": "DHCP leases", "query": "event.module.keyword:zeek AND event.dataset:dhcp | groupby host.hostname.keyword,host.domain.keyword,destination.ip.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:dnp3 | groupby fc_reply"},
+          { "name": "DHCP", "description": "DHCP grouped by message type", "query": "event.module.keyword:zeek AND event.dataset:dhcp | groupby message_types.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:dns | groupby query,destination.port"},
+          { "name": "DNP3", "description": "DNP3 grouped by reply", "query": "event.module.keyword:zeek AND event.dataset:dnp3 | groupby dnp3.fc_reply.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:dns | groupby query_type_name,destination.port"},
+          { "name": "DNS", "description": "DNS queries grouped by port ", "query": "event.module.keyword:zeek AND event.dataset:dns | groupby dns.query.name.keyword,destination.port"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:dns | groupby highest_registered_domain"},
+          { "name": "DNS", "description": "DNS queries grouped by type", "query": "event.module.keyword:zeek AND event.dataset:dns | groupby dns.query.type_name.keyword,destination.port"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:dns | groupby parent_domain"},
+          { "name": "DNS", "description": "DNS highest registered domain", "query": "event.module.keyword:zeek AND event.dataset:dns | groupby highest_registered_domain"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:files | groupby mimetype,source"},
+          { "name": "DNS", "description": "DNS grouped by parent domain", "query": "event.module.keyword:zeek AND event.dataset:dns | groupby parent_domain"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:ftp | groupby ftp_argument"},
+          { "name": "Files", "description": "Files grouped by mimetype", "query": "event.module.keyword:zeek AND event.dataset:files | groupby file.mime_type.keyword source.ip.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:ftp | groupby ftp_command"},
+          { "name": "FTP", "description": "FTP grouped by argument", "query": "event.module.keyword:zeek AND event.dataset:ftp | groupby ftp_argument"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:ftp | groupby username"},
+          { "name": "FTP", "description": "FTP grouped by command", "query": "event.module.keyword:zeek AND event.dataset:ftp | groupby ftp.command.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:http | groupby destination.port"},
+          { "name": "FTP", "description": "FTP grouped by username", "query": "event.module.keyword:zeek AND event.dataset:ftp | groupby ftp.user.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:http | groupby method"},
+          { "name": "HTTP", "description": "HTTP grouped by destination port", "query": "event.module.keyword:zeek AND event.dataset:http | groupby destination.port"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:http | groupby status_code"},
+          { "name": "HTTP", "description": "HTTP grouped by method", "query": "event.module.keyword:zeek AND event.dataset:http | groupby http.method.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:http | groupby status_message"},
+          { "name": "HTTP", "description": "HTTP grouped by status code", "query": "event.module.keyword:zeek AND event.dataset:http | groupby http.status_code"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:http | groupby useragent"},
+          { "name": "HTTP", "description": "HTTP grouped by status message", "query": "event.module.keyword:zeek AND event.dataset:http | groupby http.status_message.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:http | groupby virtual_host"},
+          { "name": "HTTP", "description": "HTTP grouped by user agent", "query": "event.module.keyword:zeek AND event.dataset:http | groupby http.useragent.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:http AND resp_mime_types:dosexec | groupby virtual_host"},
+          { "name": "HTTP", "description": "HTTP grouped by virtual host", "query": "event.module.keyword:zeek AND event.dataset:http | groupby http.virtual_host.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:intel | groupby indicator"},
+          { "name": "HTTP", "description": "HTTP with exe downloads", "query": "event.module.keyword:zeek AND event.dataset:http AND resp_mime_types:dosexec | groupby http.virtual_host.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:irc | groupby irc_command"},
+          { "name": "Intel", "description": "Intel framework hits grouped by indicator", "query": "event.module.keyword:zeek AND event.dataset:intel | groupby intel.indicator.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:kerberos | groupby service"},
+          { "name": "IRC", "description": "IRC grouped by command", "query": "event.module.keyword:zeek AND event.dataset:irc | groupby irc.command.type.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:modbus | groupby function"},
+          { "name": "KERBEROS", "description": "KERBEROS grouped by service", "query": "event.module.keyword:zeek AND event.dataset:kerberos | groupby kerberos.service.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:mysql | groupby mysql_command"},
+          { "name": "MODBUS", "description": "MODBUS grouped by function", "query": "event.module.keyword:zeek AND event.dataset:modbus | groupby modbus.function.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:notice | groupby note"},
+          { "name": "MYSQL", "description": "MYSQL grouped by command", "query": "event.module.keyword:zeek AND event.dataset:mysql | groupby mysql.command.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:notice | groupby msg"},
+          { "name": "NOTICE", "description": "Zeek notice logs grouped by note", "query": "event.module.keyword:zeek AND event.dataset:notice | groupby notice.note.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:ntlm | groupby server_dns_computer_name"},
+          { "name": "NOTICE", "description": "Zeek notice logs grouped by message", "query": "event.module.keyword:zeek AND event.dataset:notice | groupby notice.message.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:pe | groupby machine,os,subsystem"},
+          { "name": "NTLM", "description": "NTLM grouped by computer name", "query": "event.module.keyword:zeek AND event.dataset:ntlm | groupby ntlm.server.dns.name.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:radius | groupby username"},
+          { "name": "PE", "description": "PE files list", "query": "event.module.keyword:zeek AND event.dataset:pe | groupby file.machine.keyword,file.os.keyword,file.subsystem.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:rdp | groupby client_name"},
+          { "name": "RADIUS", "description": "RADIUS grouped by username", "query": "event.module.keyword:zeek AND event.dataset:radius | groupby user.name.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:rfb | groupby desktop_name"},
+          { "name": "RDP", "description": "RDP grouped by client name", "query": "event.module.keyword:zeek AND event.dataset:rdp | groupby client.name.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:signatures | groupby signature_id"},
+          { "name": "RFB", "description": "RFB grouped by desktop name", "query": "event.module.keyword:zeek AND event.dataset:rfb | groupby rfp.desktop.name.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:sip | groupby user_agent"},
+          { "name": "Signatures", "description": "Zeek signatures grouped by signature id", "query": "event.module.keyword:zeek AND event.dataset:signatures | groupby signature_id"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:smb_files | groupby action"},
+          { "name": "SIP", "description": "SIP grouped by user agent", "query": "event.module.keyword:zeek AND event.dataset:sip | groupby client.user_agent.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:smb_mapping | groupby path"},
+          { "name": "SMB_Files", "description": "SMB files grouped by action", "query": "event.module.keyword:zeek AND event.dataset:smb_files | groupby file.action.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:smtp | groupby subject"},
+          { "name": "SMB_Mapping", "description": "SMB mapping grouped by path", "query": "event.module.keyword:zeek AND event.dataset:smb_mapping | groupby file.path.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:snmp | groupby community,version"},
+          { "name": "SMTP", "description": "SMTP grouped by subject", "query": "event.module.keyword:zeek AND event.dataset:smtp | groupby smtp.subject.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:software | groupby software_type,name"},
+          { "name": "SNMP", "description": "SNMP grouped by version and string", "query": "event.module.keyword:zeek AND event.dataset:snmp | groupby snmp.community.keyword,snmp.version.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:ssh | groupby version"},
+          { "name": "Software", "description": "List of software seen on the network", "query": "event.module.keyword:zeek AND event.dataset:software | groupby software.type.keyword,software.name.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:ssl | groupby version,server_name"},
+          { "name": "SSH", "description": "SSH grouped by version", "query": "event.module.keyword:zeek AND event.dataset:ssh | groupby ssh.version.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:syslog | groupby severity,facility"},
+          { "name": "SSL", "description": "SSL grouped by version and server name", "query": "event.module.keyword:zeek AND event.dataset:ssl | groupby ssl.version.keyword,ssl.server_name.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:tunnels | groupby action"},
+          { "name": "SYSLOG", "description": "SYSLOG grouped by severity and facility ", "query": "event.module.keyword:zeek AND event.dataset:syslog | groupby syslog.severity.keyword,syslog.facility.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:weird | groupby name"},
+          { "name": "Tunnels", "description": "Tunnels grouped by action", "query": "event.module.keyword:zeek AND event.dataset:tunnels | groupby event.action.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:x509 | groupby certificate_country_code"},
+          { "name": "Weird", "description": "Zeek weird log grouped by name", "query": "event.module.keyword:zeek AND event.dataset:weird | groupby weird.name.keyword"},
-          { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:x509 | groupby certificate_key_length"},
+          { "name": "x509", "description": "x.509 grouped by key length", "query": "event.module.keyword:zeek AND event.dataset:x509 | groupby x509.certificate.key.length"},
-          { "name": "", "description": "", "query": "event_type:firewall | groupby action"}
+          { "name": "Firewall", "description": "Firewall events grouped by action", "query": "event_type:firewall | groupby action"}
        ]
      }
    }