diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 9ef987d0a..98c58ed4e 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1159,7 +1159,7 @@ soc:
 showSubtitle: true
 - name: Sysmon Usernames
 description: Show all Sysmon logs grouped by username
-query: 'event.dataset: windows.sysmon_operational | groupby event.action, user.name.keyword'
+query: 'event.dataset: windows.sysmon_operational | groupby event.action, user.name'
 showSubtitle: true
 - name: Strelka
 description: Show all Strelka logs grouped by file type
@@ -1215,11 +1215,11 @@ soc:
 showSubtitle: true
 - name: DNS
 description: DNS highest registered domain
-query: 'tags:dns | groupby dns.highest_registered_domain.keyword destination.port'
+query: 'tags:dns | groupby dns.highest_registered_domain destination.port'
 showSubtitle: true
 - name: DNS
 description: DNS grouped by parent domain
-query: 'tags:dns | groupby dns.parent_domain.keyword destination.port'
+query: 'tags:dns | groupby dns.parent_domain destination.port'
 showSubtitle: true
 - name: DPD
 description: Dynamic Protocol Detection errors
@@ -1263,7 +1263,7 @@ soc:
 showSubtitle: true
 - name: Intel
 description: Intel framework hits grouped by indicator
-query: 'tags:intel | groupby intel.indicator.keyword'
+query: 'tags:intel | groupby intel.indicator'
 showSubtitle: true
 - name: IRC
 description: IRC grouped by command
@@ -1295,7 +1295,7 @@ soc:
 showSubtitle: true
 - name: RADIUS
 description: RADIUS grouped by username
-query: 'tags:radius | groupby user.name.keyword'
+query: 'tags:radius | groupby user.name'
 showSubtitle: true
 - name: RDP
 description: RDP grouped by client name
@@ -1303,7 +1303,7 @@ soc:
 showSubtitle: true
 - name: RFB
 description: RFB grouped by desktop name
-query: 'tags:rfb | groupby rfb.desktop.name.keyword'
+query: 'tags:rfb | groupby rfb.desktop.name'
 showSubtitle: true
 - name: Signatures
 description: Zeek signatures grouped by signature id
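Review bot: Dropping the `.keyword` suffix from the groupby fields in the Sysmon Usernames query (hunk at 1159) is only correct if `user.name`, `dns.highest_registered_domain`, `dns.parent_domain`, `intel.indicator` and `rfb.desktop.name` are now mapped as aggregatable keyword fields in every index these dashboards query; the commit does not show that mapping change, so this is presumably paired with an index template update that should be cross-referenced. The same point applies to the hunks at 1215, 1263, 1295, 1303 and 1477. If any pre-existing indices keep an older text mapping, a terms aggregation on the bare field will fail or silently return partial results on those indices, which matters most for the username and intel-indicator hunts that analysts rely on during an investigation, so the rollout should include a reindex or an explicit note that old data is excluded. A short comment above the first affected entry, such as `# groupby fields are bare (no .keyword): requires the keyword mappings from the matching index template version`, would record that dependency for the next person editing these queries. The Sysmon query also keeps a comma between `event.action, user.name` while every other groupby here is space-separated; if the query parser treats both forms identically this is only a consistency nit, otherwise it is worth normalizing to `groupby event.action user.name`.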
@@ -1477,13 +1477,13 @@ soc:
 query: 'tags:pe | groupby file.machine | groupby -sankey file.machine file.os | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit'
 - name: RADIUS
 description: RADIUS (Remote Authentication Dial-In User Service) network metadata
-query: 'tags:radius | groupby -sankey user.name.keyword destination.ip | groupby user.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
+query: 'tags:radius | groupby -sankey user.name destination.ip | groupby user.name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
 - name: RDP
 description: RDP (Remote Desktop Protocol) network metadata
 query: 'tags:rdp | groupby client.name | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
 - name: RFB
 description: RFB (Remote Frame Buffer) network metadata
-query: 'tags:rfb | groupby rfb.desktop.name.keyword | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
+query: 'tags:rfb | groupby rfb.desktop.name | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
 - name: Signatures
 description: Zeek signatures
 query: 'event.dataset:zeek.signatures | groupby signature_id'