diff --git a/salt/elasticsearch/files/ingest/zeek.tds b/salt/elasticsearch/files/ingest/zeek.tds
index f9922f52c..43c2cad18 100644
--- a/salt/elasticsearch/files/ingest/zeek.tds
+++ b/salt/elasticsearch/files/ingest/zeek.tds
@@ -1,9 +1,9 @@
 {
 "description" : "zeek.tds",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.command", "target_field": "tds.command", "ignore_missing": true } },
- { "pipeline": { "name": "zeek.common" } }
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.command", "target_field": "tds.command", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.tds_rpc b/salt/elasticsearch/files/ingest/zeek.tds_rpc
index 379a1efe5..75a73c6ba 100644
--- a/salt/elasticsearch/files/ingest/zeek.tds_rpc
+++ b/salt/elasticsearch/files/ingest/zeek.tds_rpc
@@ -1,10 +1,10 @@
 {
 "description" : "zeek.tds_rpc",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.procedure_name", "target_field": "tds.procedure_name", "ignore_missing": true } },
- { "rename": { "field": "message2.parameters", "target_field": "tds.parameters", "ignore_missing": true } },
- { "pipeline": { "name": "zeek.common" } }
+ { "rename": { "field": "message2.procedure_name", "target_field": "tds.procedure_name", "ignore_missing": true } },
+ { "rename": { "field": "message2.parameters", "target_field": "tds.parameters", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.tds_sql_batch b/salt/elasticsearch/files/ingest/zeek.tds_sql_batch
index 00174feb6..560cd1ef3 100644
--- a/salt/elasticsearch/files/ingest/zeek.tds_sql_batch
+++ b/salt/elasticsearch/files/ingest/zeek.tds_sql_batch
@@ -1,10 +1,10 @@
 {
 "description" : "zeek.tds_sql_batch",
 "processors" : [
- { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.header_type", "target_field": "tds.header_type", "ignore_missing": true } },
- { "rename": { "field": "message2.query", "target_field": "tds.query", "ignore_missing": true } },
- { "pipeline": { "name": "zeek.common" } }
+ { "rename": { "field": "message2.header_type", "target_field": "tds.header_type", "ignore_missing": true } },
+ { "rename": { "field": "message2.query", "target_field": "tds.query", "ignore_missing": true } },
+ { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/soc/files/soc/dashboards.queries.json b/salt/soc/files/soc/dashboards.queries.json
index 5a6f490d0..6458d8806 100644
--- a/salt/soc/files/soc/dashboards.queries.json
+++ b/salt/soc/files/soc/dashboards.queries.json
@@ -43,7 +43,7 @@
 { "name": "SSL", "description": "SSL/TLS network metadata", "query": "event.dataset:ssl | groupby ssl.version | groupby ssl.validation_status | groupby ssl.server_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "STUN", "description": "STUN (Session Traversal Utilities for NAT) network metadata", "query": "event.dataset:stun* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "Syslog", "description": "Syslog logs", "query": "event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby network.protocol | groupby source.ip | groupby destination.ip | groupby destination.port"},
- { "name": "TDS", "description": "TDS (Tabular Data Stream) network metadata", "query": "event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupby tds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port"},
+ { "name": "TDS", "description": "TDS (Tabular Data Stream) network metadata", "query": "event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupby tds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby tds.query"},
 { "name": "Tunnel", "description": "Tunnels seen by Zeek", "query": "event.dataset:tunnel | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port"},
 { "name": "Weird", "description": "Weird network traffic seen by Zeek", "query": "event.dataset:weird | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port 
"},
 { "name": "WireGuard", "description": "WireGuard VPN network metadata", "query": "event.dataset:wireguard | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
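Review bot: The new `groupby tds.query` on the TDS line is appended after `groupby destination.port`, while every other query in this hunk keeps its dataset-specific groups together and ends with the `source.ip | destination.ip | destination.port` triple, so the TDS dashboard will render its SQL panel after the network panels instead of beside `tds.command`/`tds.header_type`/`tds.procedure_name`. For a consistent layout the group belongs with the other tds.* groups: `"query": "event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupby tds.procedure_name | groupby tds.query | groupby source.ip | groupby destination.ip | groupby destination.port"`. `tds.query` is populated by the `zeek.tds_sql_batch` pipeline's rename of `message2.query` in this same commit; as it presumably holds raw SQL batch text it is likely high-cardinality, so the panel may serve better for spotting unusual statements than for aggregate counts, which is worth confirming against real data. The enclosing queries array starts and ends outside the hunk.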