diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index af739a3ef..ef2535eb3 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -14,16 +14,136 @@
 "kratos": {
 "hostUrl": "http://{{ MASTERIP }}:4434/"
 },
- "securityonion": {
- "elasticsearchHost": "http://{{ MASTERIP }}:9200",
- "elasticsearchUsername": "",
- "elasticsearchPassword": "",
- "elasticsearchVerifyCert": false
+ "elastic": {
+ "hostUrl": "http://{{ MASTERIP }}:9200",
+ "username": "",
+ "password": "",
+ "verifyCert": false
 },
 "statickeyauth": {
 "anonymousCidr": "172.17.0.0/24",
 "apiKey": "{{ SENSORONIKEY }}"
 }
+ },
+ "client": {
+ "hunt": {
+ "groupFetchLimit": 10,
+ "eventFetchLimit": 100,
+ "dateRangeMinutes": 1440,
+ "mostRecentlyUsedLimit": 5,
+ "eventFields": {
+ "default": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid" ],
+ "bro_conn": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "protocol", "service", "log.id.uid" ],
+ "bro_dce_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "endpoint", "named_pipe", "operation", "log.id.uid" ],
+ "bro_dhcp": ["soc_timestamp", "source.ip", "destination.ip", "domain_name", "hostname", "message_types", "log.id.uid" ],
+ "bro_dnp3": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "fc_reply", "log.id.uid" ],
+ "bro_dns": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "protocol", "query", "query_type_name", "rcode_name", "log.id.uid" ],
+ "bro_dpd": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid" ],
+ "bro_files": ["soc_timestamp", "source.ip", "destination.ip", "log.id.flog.id.uid", "mimetype", "source", "log.id.uid" ],
+ "bro_ftp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ftp_argument", "ftp_command", "reply_code", "log.id.uid", "username" ],
+ "bro_http": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "method", "virtual_host", "status_code", "status_message", "log.id.uid" ],
+ "bro_intel": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "indicator", "indicator_type", "seen_where", "log.id.uid" ],
+ "bro_irc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "irc_command", "log.id.uid", "value" ],
+ "bro_kerberos": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "client", "service", "request_type", "log.id.uid" ],
+ "bro_modbus": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "function", "log.id.uid" ],
+ "bro_mysql": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "mysql_argument", "mysql_command", "mysql_success", "response", "log.id.uid" ],
+ "bro_notice": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "note", "msg", "log.id.uid" ],
+ "bro_ntlm": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "hostname", "ntlm_success", "server_dns_computer_name", "server_nb_computer_name", "server_tree_name", "log.id.uid" ],
+ "bro_pe": ["soc_timestamp", "is_64bit", "is_exe", "machine", "os", "subsystem", "log.id.flog.id.uid" ],
+ "bro_radius": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid", "username", "framed_addr", "reply_msg", "result" ],
+ "bro_rdp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "client_build", "client_name", "cookie", "encryption_level", "encryption_method", "keyboard_layout", "result", "security_protocol", "log.id.uid" ],
+ "bro_rfb": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "authentication_method", "auth", "share_flag", "desktop_name", "log.id.uid" ],
+ "bro_signatures" : ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "note", "signature_id", "event_message", "sub_message", "signature_count", "host_count", "log.id.uid" ],
+ "bro_sip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "method", "uri", "request_from", "request_to", "response_from", "response_to", "call_id", "subject", "user_agent", "status_code", "log.id.uid" ],
+ "bro_smb_files" : ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.flog.id.uid", "action", "path", "name", "size", "prev_name", "log.id.uid" ],
+ "bro_smb_mapping" : ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "path", "service", "share_type", "log.id.uid" ],
+ "bro_smtp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "helo", "mail_from", "recipient_to", "from", "to", "cc", "reply_to", "subject", "useragent", "log.id.uid" ],
+ "bro_snmp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "community", "version", "log.id.uid" ],
+ "bro_socks": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid" ],
+ "bro_software": ["soc_timestamp", "source.ip", "name", "software_type" ],
+ "bro_ssh": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "version", "hassh", "direction", "client", "server", "log.id.uid" ],
+ "bro_ssl": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "cipher", "curve", "server_name", "log.id.uid", "validation_status", "version" ],
+ "bro_syslog": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "facility", "protocol", "severity", "syslog-priority", "log.id.uid" ],
+ "bro_tunnels": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tunnel_type", "action", "log.id.uid" ],
+ "bro_weird": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "name", "log.id.uid" ],
+ "bro_x509": ["soc_timestamp", "certificate_common_name", "certificate_country_code", "certificate_key_length", "issuer_organization", "log.id.id" ],
+ "cron" : ["soc_timestamp", "message" ],
+ "anacron": ["soc_timestamp", "message" ],
+ "bluetoothd": ["soc_timestamp", "message" ],
+ "firewall": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "protocol", "direction", "interface", "action", "reason" ],
+ "ntpd" : ["soc_timestamp", "message" ],
+ "ossec": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "alert_level", "classification", "description", "username", "escalated_user", "location", "process" ],
+ "pulseaudio": ["soc_timestamp", "message" ],
+ "snort": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "sid", "alert", "category", "classification", "severity" ],
+ "su" : ["soc_timestamp", "message" ],
+ "sudo" : ["soc_timestamp", "message" ],
+ "systemd": ["soc_timestamp", "message" ],
+ "sysmon": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "computer_name", "event_id", "parent_image_path", "source_name", "task", "username" ],
+ "wineventlog": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "computer_name", "event_id", "log_name", "source_name", "task" ]
+ },
+ "queries": [
+ { "name": "Default Query", "description": "Show all events grouped by the origin host", "query": "* | groupby syslog-host_from"},
+ { "name": "", "description": "", "query": "_type:elastalert | groupby rule_name"},
+ { "name": "", "description": "", "query": "event_type:ossec AND alert | groupby classification,description"},
+ { "name": "", "description": "", "query": "event_type:ossec AND alert | groupby command"},
+ { "name": "", "description": "", "query": "event_type:ossec AND alert | groupby process"},
+ { "name": "", "description": "", "query": "event_type:ossec AND alert | groupby username"},
+ { "name": "", "description": "", "query": "event_type:snort | groupby category,classification,alert"},
+ { "name": "", "description": "", "query": "event_type:sysmon | groupby event_id"},
+ { "name": "", "description": "", "query": "event_type:sysmon | groupby username"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:notice | groupby note,msg"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:conn | groupby source.ip,destination.ip,protocol,destination.port"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:conn | groupby service,destination.port"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:conn | groupby destination_geo.country_name"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:conn | groupby source_geo.country_name"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:dce_rpc | groupby operation"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:dhcp | groupby hostname,domain_name,destination.ip"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:dhcp | groupby message_types"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:dnp3 | groupby fc_reply"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:dns | groupby query,destination.port"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:dns | groupby query_type_name,destination.port"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:dns | groupby highest_registered_domain"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:dns | groupby parent_domain"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:files | groupby mimetype,source"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:ftp | groupby ftp_argument"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:ftp | groupby ftp_command"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:ftp | groupby username"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:http | groupby destination.port"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:http | groupby method"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:http | groupby status_code"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:http | groupby status_message"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:http | groupby useragent"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:http | groupby virtual_host"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:http AND resp_mime_types:dosexec | groupby virtual_host"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:intel | groupby indicator"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:irc | groupby irc_command"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:kerberos | groupby service"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:modbus | groupby function"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:mysql | groupby mysql_command"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:notice | groupby note"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:notice | groupby msg"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:ntlm | groupby server_dns_computer_name"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:pe | groupby machine,os,subsystem"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:radius | groupby username"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:rdp | groupby client_name"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:rfb | groupby desktop_name"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:signatures | groupby signature_id"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:sip | groupby user_agent"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:smb_files | groupby action"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:smb_mapping | groupby path"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:smtp | groupby subject"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:snmp | groupby community,version"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:software | groupby software_type,name"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:ssh | groupby version"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:ssl | groupby version,server_name"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:syslog | groupby severity,facility"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:tunnels | groupby action"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:weird | groupby name"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:x509 | groupby certificate_country_code"},
+ { "name": "", "description": "", "query": "event.type:zeek AND event.dataset:x509 | groupby certificate_key_length"},
+ { "name": "", "description": "", "query": "event_type:firewall | groupby action"}
+ ]
+ }
 }
 }
 }
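Review bot: The field name `log.id.flog.id.uid` in the `bro_files`, `bro_pe` and `bro_smb_files` entries of `eventFields` looks like a search-and-replace artifact (a `uid` → `log.id.uid` substitution applied to a name that already ended in `fuid`), so that column would never resolve to a document field; the intended value is presumably `"log.id.fuid"`, which should be confirmed against the index mapping before it is changed. The `queries` list also mixes `event_type:` (ossec, snort, sysmon, firewall) with `event.type:` (zeek) selectors, which may be deliberate while the field migration is in progress but is easy to mistake for a typo, so a short note in the Salt state describing which sources are still on the old field would help. Separately, the renamed `elastic` block keeps `"verifyCert": false`, a plain `http://` hostUrl and blank `username`/`password`; because this file is a Salt template, the values rendered for non-evaluation installs should be checked so that certificate verification and authentication are not silently left off wherever the Elasticsearch connection leaves the host.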
diff --git a/setup/so-setup b/setup/so-setup
index 2bdc8c881..4d8fa796b 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -62,7 +62,7 @@ if [ "$install_type" = 'EVAL' ]; then
 is_master=true
 is_sensor=true
 is_eval=true
-elif [ "$install_type" = 'PROD' ]; then
+elif [ "$install_type" = 'STANDALONE' ]; then
 is_master=true
 is_distmaster=true
 is_node=true