From 1b5c1fecd4544082204ff89f375543929f8e4c8f Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 6 Dec 2022 17:28:30 +0000 Subject: [PATCH] Revert SOC default 'alerts' event fields and specify additional event fields for ICS/SCADA events --- salt/soc/defaults.yaml | 1345 ++++++++++++---------------------------- 1 file changed, 404 insertions(+), 941 deletions(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 73fd4efdf..ba7100382 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -707,6 +707,384 @@ soc: - process.executable - process.pid - winlog.computer_name + ' ::bacnet': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - bacnet.bclv.function + - bacnet.result.code + - log.id.uid + ' ::bacnet_discovery': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - bacnet.vendor + - bacnet.pdu.service + - log.id.uid + ' ::bacnet_property': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - bacnet.property + - bacnet.pdu.service + - log.id.uid + ' ::bsap_ip_header': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - bsap.message.type + - bsap.number.messages + - log.id.uid + ' ::bsap_ip_rdb': + - soc_timestamp + - bsap.application.function + - bsap.application.sub.function + - bsap.vector.variables + - log.id.uid + ' ::bsap_serial_header': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - bsap.source.function + - bsap.destination.function + - bsap.message.type + - log.id.uid + ' ::bsap_serial_rdb': + - soc_timestamp + - bsap.rdb.function + - bsap.vector.variables + - log.id.uid + ' ::cip': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - cip.service + - cip.status_code + - log.id.uid + - event.dataset + ' ::cip_identity': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - cip.device.type.name + - cip.vendor.name + - log.id.uid + ' ::cip_io': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - cip.connection.id + - cip.io.data + - log.id.uid + ' ::cotp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - cotp.pdu.name + - log.id.uid + ' ::ecat_arp_info': + - soc_timestamp + - source.ip + - destination.ip + - source.mac + - destination.mac + - ecat.arp.type + ' ::ecat_aoe_info': + - soc_timestamp + - source.mac + - source.port + - destination.mac + - destination.port + - ecat.command + ' ::ecat_coe_info': + - soc_timestamp + - ecat.message.number + - ecat.message.type + - ecat.request.response.type + - ecat.index + - ecat.sub.index + ' ::ecat_dev_info': + - soc_timestamp + - ecat.device.type + - ecat.features + - ecat.ram.size + - ecat.revision + - ecat.slave.address + ' ::ecat_log_address': + - soc_timestamp + - source.mac + - destination.mac + - ecat.command + ' ::ecat_registers': + - soc_timestamp + - source.mac + - destination.mac + - ecat.command + - ecat.register.type + ' ::enip': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - enip.command + - enip.status_code + - log.id.uid + - event.dataset + ' ::modbus_detailed': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - modbus.function + - log.id.uid + ' ::opcua_binary': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.identifier_string + - opcua.message_type + - log.id.uid + ' ::opcua_binary_activate_session': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.link_id + - opcua.identifier_string + - opcua.user_name + - log.id.uid + ' ::opcua_binary_activate_session_diagnostic_info': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.activate_session_diag_info_link_id + - opcua.diag_info_link_id + - log.id.uid + ' ::opcua_binary_activate_session_locale_id': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.local_id + - opcua.locale_link_id + - log.id.uid + ' ::opcua_binary_browse': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.link_id + - opcua.service_type + - log.id.uid + ' ::opcua_binary_browse_description': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - log.id.uid + ' ::opcua_binary_browse_response_references': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.node_class + - opcua.display_name_text + - log.id.uid + ' ::opcua_binary_browse_result': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.response_link_id + - log.id.uid + ' ::opcua_binary_create_session': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.link_id + - log.id.uid + ' ::opcua_binary_create_session_endpoints': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.endpoint_link_id + - opcua.endpoint_url + - log.id.uid + ' ::opcua_binary_create_session_user_token': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.user_token_link_id + - log.id.uid + ' ::opcua_binary_create_subscription': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.link_id + - log.id.uid + ' ::opcua_binary_get_endpoints': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.endpoint_url + - opcua.link_id + - log.id.uid + ' ::opcua_binary_get_endpoints_description': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.endpoint_description_link_id + - opcua.endpoint_uri + - log.id.uid + ' ::opcua_binary_get_endpoints_user_token': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.user_token_link_id + - opcua.user_token_type + - log.id.uid + ' ::opcua_binary_read': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.link_id + - opcua.read_results_link_id + - log.id.uid + ' ::opcua_binary_status_code_detail': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - opcua.info_type_string + - opcua.source_string + - log.id.uid + ' ::profinet': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - profinet.index + - profinet.operation_type + - log.id.uid + ' ::profinet_dce_rpc': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - profinet.operation + - log.id.uid + ' ::s7comm': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - s7.ros.control.name + - s7.function.name + - log.id.uid + ' ::s7comm_plus': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - s7.opcode.name + - s7.version + - log.id.uid + ' ::s7comm_read_szl': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - s7.szl_id_name + - s7.return_code_name + - log.id.uid + ' ::s7comm_upload_download': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - s7.ros.control.name + - s7.function_code + - log.id.uid + ' ::tds': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - tds.command + - log.id.uid + - event.dataset + ' ::tds_rpc': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - tds.procedure_name + - log.id.uid + - event.dataset + ' ::tds_sql_batch': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - tds.header_type + - log.id.uid + - event.dataset queryBaseFilter: '' queryToggleFilters: - name: caseExcludeToggle @@ -1746,947 +2124,32 @@ soc: aggregationActionsEnabled: true eventFields: default: - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - log.id.uid - - network.community_id - - event.dataset - ' :kratos:audit': - - soc_timestamp - - http_request.headers.x-real-ip - - identity_id - - http_request.headers.user-agent - ' ::conn': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - network.transport - - network.protocol - - log.id.uid - - network.community_id - ' ::dce_rpc': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - dce_rpc.endpoint - - dce_rpc.named_pipe - - dce_rpc.operation - - log.id.uid - ' ::dhcp': - - soc_timestamp - - client.address - - server.address - - host.domain - - host.hostname - - dhcp.message_types - - log.id.uid - ' ::dnp3': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - dnp3.fc_request - - dnp3.fc_reply - - log.id.uid - ' ::dnp3_control': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - dnp3.function_code - - dnp3.block_type - - log.id.uid - ' ::dnp3_objects': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - dnp3.function_code - - dnp3.object_type - - log.id.uid - ' ::dns': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - network.transport - - dns.query.name - - dns.query.type_name - - dns.response.code_name - - log.id.uid - - network.community_id - ' ::dpd': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - network.protocol - - observer.analyser - - error.reason - - log.id.uid - ' ::file': - - soc_timestamp - - source.ip - - destination.ip - - file.name - - file.mime_type - - file.source - - file.bytes.total - - log.id.fuid - - log.id.uid - ' ::ftp': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - ftp.user - - ftp.command - - ftp.argument - - ftp.reply_code - - file.size - - log.id.uid - ' ::http': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - http.method - - http.virtual_host - - http.status_code - - http.status_message - - http.request.body.length - - http.response.body.length - - log.id.uid - - network.community_id - ' ::intel': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - intel.indicator - - intel.indicator_type - - intel.seen_where - - log.id.uid - ' ::irc': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - irc.username - - irc.nickname - - irc.command.type - - irc.command.value - - irc.command.info - - log.id.uid - ' ::kerberos': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - kerberos.client - - kerberos.service - - kerberos.request_type - - log.id.uid - ' ::modbus': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - modbus.function - - log.id.uid - ' ::mysql': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - mysql.command - - mysql.argument - - mysql.success - - mysql.response - - log.id.uid - ' ::notice': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - notice.note - - notice.message - - log.id.fuid - - log.id.uid - - network.community_id - ' ::ntlm': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - ntlm.name - - ntlm.success - - ntlm.server.dns.name - - ntlm.server.nb.name - - ntlm.server.tree.name - - log.id.uid - ' ::pe': - - soc_timestamp - - file.is_64bit - - file.is_exe - - file.machine - - file.os - - file.subsystem - - log.id.fuid - ' ::radius': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - log.id.uid - - username - - radius.framed_address - - radius.reply_message - - radius.result - ' ::rdp': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - rdp.client_build - - client_name - - rdp.cookie - - rdp.encryption_level - - rdp.encryption_method - - rdp.keyboard_layout - - rdp.result - - rdp.security_protocol - - log.id.uid - ' ::rfb': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - rfb.authentication.method - - rfb.authentication.success - - rfb.share_flag - - rfb.desktop.name - - log.id.uid - ' ::signatures': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - note - - signature_id - - event_message - - sub_message - - signature_count - - host.count - - log.id.uid - ' ::sip': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - sip.method - - sip.uri - - sip.request.from - - sip.request.to - - sip.response.from - - sip.response.to - - sip.call_id - - sip.subject - - sip.user_agent - - sip.status_code - - log.id.uid - ' ::smb_files': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - log.id.fuid - - file.action - - file.path - - file.name - - file.size - - file.prev_name - - log.id.uid - ' ::smb_mapping': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - smb.path - - smb.service - - smb.share_type - - log.id.uid - ' ::smtp': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - smtp.from - - smtp.recipient_to - - smtp.subject - - smtp.useragent - - log.id.uid - - network.community_id - ' ::snmp': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - snmp.community - - snmp.version - - log.id.uid - ' ::socks': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - socks.name - - socks.request.host - - socks.request.port - - socks.status - - log.id.uid - ' ::software': - - soc_timestamp - - source.ip - - software.name - - software.type - ' ::ssh': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - ssh.version - - ssh.hassh_version - - ssh.direction - - ssh.client - - ssh.server - - log.id.uid - ' ::ssl': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - ssl.server_name - - ssl.certificate.subject - - ssl.validation_status - - ssl.version - - log.id.uid - ' :zeek:syslog': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - syslog.facility - - network.protocol - - syslog.severity - - log.id.uid - ' ::tunnels': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - tunnel_type - - action - - log.id.uid - ' ::weird': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - weird.name - - log.id.uid - ' ::x509': - - soc_timestamp - - x509.certificate.subject - - x509.certificate.key.type - - x509.certificate.key.length - - x509.certificate.issuer - - log.id.fuid - ' ::firewall': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - network.transport - - network.direction - - interface.name - - rule.action - - rule.reason - - network.community_id - ' :osquery:': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - source.hostname - - event.dataset - - process.executable - - user.name - ' :ossec:': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - rule.name - - rule.level - - rule.category - - process.name - - user.name - - user.escalated - - location - ' :strelka:file': - - soc_timestamp - - file.name - - file.size - - hash.md5 - - file.source - - file.mime_type - - log.id.fuid - ' :suricata:': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - rule.name - - rule.category - - event.severity_label - - log.id.uid - - network.community_id - ' :sysmon:': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - source.hostname - - event.dataset - - process.executable - - user.name - ' :windows_eventlog:': - - soc_timestamp - - user.name - ' :elasticsearch:': - - soc_timestamp - - agent.name - - message - - log.level - - metadata.version - - metadata.pipeline - - event.dataset - ' :kibana:': - - soc_timestamp - - host.name - - message - - kibana.log.meta.req.headers.x-real-ip - - event.dataset - ' ::rootcheck': - - soc_timestamp - - host.name - - metadata.ip_address - - log.full - - event.dataset - - event.module - ' ::ossec': - - soc_timestamp - - host.name - - metadata.ip_address - - log.full - - event.dataset - - event.module - ' ::syscollector': - - soc_timestamp - - host.name - - metadata.ip_address - - wazuh.data.type - - log.full - - event.dataset - - event.module - ' :syslog:syslog': - - soc_timestamp - - host.name - - metadata.ip_address - - real_message - - syslog.priority - - syslog.application - ' :aws:': - - soc_timestamp - - aws.cloudtrail.event_category - - aws.cloudtrail.event_type - - event.provider - - event.action - - event.outcome - - cloud.region - - user.name - - source.ip - - source.geo.region_iso_code - ' :squid:': - - soc_timestamp - - url.original - - destination.ip - - destination.geo.country_iso_code - - user.name - - source.ip - ' ::process_terminated': - - soc_timestamp - - process.executable - - process.pid - - winlog.computer_name - ' ::file_create': - - soc_timestamp - - file.target - - process.executable - - process.pid - - winlog.computer_name - ' ::registry_value_set': - - soc_timestamp - - winlog.event_data.TargetObject - - process.executable - - process.pid - - winlog.computer_name - ' ::process_creation': - - soc_timestamp - - process.command_line - - process.pid - - process.parent.executable - - process.working_directory - ' ::registry_create_delete': - - soc_timestamp - - winlog.event_data.TargetObject - - process.executable - - process.pid - - winlog.computer_name - ' ::dns_query': - - soc_timestamp - - dns.query.name - - dns.answers.name - - process.executable - - winlog.computer_name - ' ::file_create_stream_hash': - - soc_timestamp - - file.target - - hash.md5 - - hash.sha256 - - process.executable - - process.pid - - winlog.computer_name - ' ::bacnet': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - bacnet.bclv.function - - bacnet.result.code - - log.id.uid - ' ::bacnet_discovery': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - bacnet.vendor - - bacnet.pdu.service - - log.id.uid - ' ::bacnet_property': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - bacnet.property - - bacnet.pdu.service - - log.id.uid - ' ::bsap_ip_header': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - bsap.message.type - - bsap.number.messages - - log.id.uid - ' ::bsap_ip_rdb': - - soc_timestamp - - bsap.application.function - - bsap.application.sub.function - - bsap.vector.variables - - log.id.uid - ' ::bsap_serial_header': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - bsap.source.function - - bsap.destination.function - - bsap.message.type - - log.id.uid - ' ::bsap_serial_rdb': - - soc_timestamp - - bsap.rdb.function - - bsap.vector.variables - - log.id.uid - ' ::cip': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - cip.service - - cip.status_code - - log.id.uid - - event.dataset - ' ::cip_identity': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - cip.device.type.name - - cip.vendor.name - - log.id.uid - ' ::cip_io': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - cip.connection.id - - cip.io.data - - log.id.uid - ' ::cotp': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - cotp.pdu.name - - log.id.uid - ' ::ecat_arp_info': - - soc_timestamp - - source.ip - - destination.ip - - source.mac - - destination.mac - - ecat.arp.type - ' ::ecat_aoe_info': - - soc_timestamp - - source.mac - - source.port - - destination.mac - - destination.port - - ecat.command - ' ::ecat_coe_info': - - soc_timestamp - - ecat.message.number - - ecat.message.type - - ecat.request.response.type - - ecat.index - - ecat.sub.index - ' ::ecat_dev_info': - - soc_timestamp - - ecat.device.type - - ecat.features - - ecat.ram.size - - ecat.revision - - ecat.slave.address - ' ::ecat_log_address': - - soc_timestamp - - source.mac - - destination.mac - - ecat.command - ' ::ecat_registers': - - soc_timestamp - - source.mac - - destination.mac - - ecat.command - - ecat.register.type - ' ::enip': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - enip.command - - enip.status_code - - log.id.uid - - event.dataset - ' ::modbus_detailed': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - modbus.function - - log.id.uid - ' ::opcua_binary': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.identifier_string - - opcua.message_type - - log.id.uid - ' ::opcua_binary_activate_session': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.link_id - - opcua.identifier_string - - opcua.user_name - - log.id.uid - ' ::opcua_binary_activate_session_diagnostic_info': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.activate_session_diag_info_link_id - - opcua.diag_info_link_id - - log.id.uid - ' ::opcua_binary_activate_session_locale_id': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.local_id - - opcua.locale_link_id - - log.id.uid - ' ::opcua_binary_browse': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.link_id - - opcua.service_type - - log.id.uid - ' ::opcua_binary_browse_description': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - log.id.uid - ' ::opcua_binary_browse_response_references': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.node_class - - opcua.display_name_text - - log.id.uid - ' ::opcua_binary_browse_result': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.response_link_id - - log.id.uid - ' ::opcua_binary_create_session': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.link_id - - log.id.uid - ' ::opcua_binary_create_session_endpoints': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.endpoint_link_id - - opcua.endpoint_url - - log.id.uid - ' ::opcua_binary_create_session_user_token': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.user_token_link_id - - log.id.uid - ' ::opcua_binary_create_subscription': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.link_id - - log.id.uid - ' ::opcua_binary_get_endpoints': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.endpoint_url - - opcua.link_id - - log.id.uid - ' ::opcua_binary_get_endpoints_description': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.endpoint_description_link_id - - opcua.endpoint_uri - - log.id.uid - ' ::opcua_binary_get_endpoints_user_token': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.user_token_link_id - - opcua.user_token_type - - log.id.uid - ' ::opcua_binary_read': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.link_id - - opcua.read_results_link_id - - log.id.uid - ' ::opcua_binary_status_code_detail': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - opcua.info_type_string - - opcua.source_string - - log.id.uid - ' ::profinet': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - profinet.index - - profinet.operation_type - - log.id.uid - ' ::profinet_dce_rpc': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - profinet.operation - - log.id.uid - ' ::s7comm': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - s7.ros.control.name - - s7.function.name - - log.id.uid - ' ::s7comm_plus': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - s7.opcode.name - - s7.version - - log.id.uid - ' ::s7comm_read_szl': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - s7.szl_id_name - - s7.return_code_name - - log.id.uid - ' ::s7comm_upload_download': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - s7.ros.control.name - - s7.function_code - - log.id.uid - ' ::tds': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - tds.command - - log.id.uid - - event.dataset - ' ::tds_rpc': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - tds.procedure_name - - log.id.uid - - event.dataset - ' ::tds_sql_batch': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - tds.header_type - - log.id.uid - - event.dataset + - soc_timestamp + - rule.name + - event.severity_label + - source.ip + - source.port + - destination.ip + - destination.port + - rule.gid + - rule.uuid + - rule.category + - rule.rev + ':ossec:': + - soc_timestamp + - rule.name + - event.severity_label + - source.ip + - source.port + - destination.ip + - destination.port + - rule.level + - rule.category + - process.name + - user.name + - user.escalated + - location + - process.name queryBaseFilter: event.dataset:alert queryToggleFilters: - name: acknowledged