CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Remove keyword

Browse Source
This commit is contained in:
Wes
2023-07-19 13:52:15 +00:00
parent a59eda319e
commit 1848a835f5
1 changed files with 8 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
salt/soc/defaults.yaml
View File

@@ -1159,7 +1159,7 @@ soc:
showSubtitle: true
- name: Sysmon Usernames
description: Show all Sysmon logs grouped by username
query: 'event.dataset: windows.sysmon_operational | groupby event.action, user.name.keyword'
query: 'event.dataset: windows.sysmon_operational | groupby event.action, user.name'
showSubtitle: true
- name: Strelka
description: Show all Strelka logs grouped by file type
@@ -1215,11 +1215,11 @@ soc:
showSubtitle: true
- name: DNS
description: DNS highest registered domain
query: 'tags:dns | groupby dns.highest_registered_domain.keyword destination.port'
query: 'tags:dns | groupby dns.highest_registered_domain destination.port'
showSubtitle: true
- name: DNS
description: DNS grouped by parent domain
query: 'tags:dns | groupby dns.parent_domain.keyword destination.port'
query: 'tags:dns | groupby dns.parent_domain destination.port'
showSubtitle: true
- name: DPD
description: Dynamic Protocol Detection errors
@@ -1263,7 +1263,7 @@ soc:
showSubtitle: true
- name: Intel
description: Intel framework hits grouped by indicator
query: 'tags:intel | groupby intel.indicator.keyword'
query: 'tags:intel | groupby intel.indicator'
showSubtitle: true
- name: IRC
description: IRC grouped by command
@@ -1295,7 +1295,7 @@ soc:
showSubtitle: true
- name: RADIUS
description: RADIUS grouped by username
query: 'tags:radius | groupby user.name.keyword'
query: 'tags:radius | groupby user.name'
showSubtitle: true
- name: RDP
description: RDP grouped by client name
@@ -1303,7 +1303,7 @@ soc:
showSubtitle: true
- name: RFB
description: RFB grouped by desktop name
query: 'tags:rfb | groupby rfb.desktop.name.keyword'
query: 'tags:rfb | groupby rfb.desktop.name'
showSubtitle: true
- name: Signatures
description: Zeek signatures grouped by signature id
@@ -1477,13 +1477,13 @@ soc:
query: 'tags:pe | groupby file.machine | groupby -sankey file.machine file.os | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit'
- name: RADIUS
description: RADIUS (Remote Authentication Dial-In User Service) network metadata
query: 'tags:radius | groupby -sankey user.name.keyword destination.ip | groupby user.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
query: 'tags:radius | groupby -sankey user.name destination.ip | groupby user.name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: RDP
description: RDP (Remote Desktop Protocol) network metadata
query: 'tags:rdp | groupby client.name | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: RFB
description: RFB (Remote Frame Buffer) network metadata
query: 'tags:rfb | groupby rfb.desktop.name.keyword | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
query: 'tags:rfb | groupby rfb.desktop.name | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: Signatures
description: Zeek signatures
query: 'event.dataset:zeek.signatures | groupby signature_id'