add missing soc things

m0duspwnens
2022-09-27 09:53:48 -04:00
parent e032a9f449
commit 42b03ca6df
2 changed files with 79 additions and 6 deletions


@@ -20,4 +20,6 @@
{% do SOCDEFAULTS.soc.server.modules.statickeyauth.update({'anonymousCidr': GLOBALS.docker_range, 'apiKey': pillar.sensoroni.sensoronikey}) %} {% do SOCDEFAULTS.soc.server.modules.statickeyauth.update({'anonymousCidr': GLOBALS.docker_range, 'apiKey': pillar.sensoroni.sensoronikey}) %}
{% do SOCDEFAULTS.soc.client.case.update({'analyzerNodeId': GLOBALS.minion_id}) %}
{% set SOCDEFAULTS = SOCDEFAULTS.soc %} {% set SOCDEFAULTS = SOCDEFAULTS.soc %}
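Review bot: The new `update({'analyzerNodeId': GLOBALS.minion_id})` line is the only place the analyzer node gets a value, and nothing in the hunk says why the rendering minion's own id is the right default or whether a pillar value is meant to win over it; a one-line Jinja comment would save the next reader a trip through the defaults file, e.g. `{# analyzerNodeId: default case analyzers to this minion; confirm pillar overrides are merged after this update #}`. Note also that the line below immediately rebinds SOCDEFAULTS to its `.soc` subtree, so any further `.soc.client...` update added after it would silently miss. The enclosing template continues outside the hunk.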


@@ -10,7 +10,7 @@ soc:
- name: actionCorrelate - name: actionCorrelate
description: actionCorrelateHelp description: actionCorrelateHelp
icon: fab fa-searchengin icon: fab fa-searchengin
target: target: ''
links: links:
- '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset'
- '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset'
@@ -22,13 +22,14 @@ soc:
- name: actionPcap - name: actionPcap
description: actionPcapHelp description: actionPcapHelp
icon: fa-stream icon: fa-stream
target: target: ''
links: links:
- '/joblookup?esid={:soc_id}&time={:@timestamp}' - '/joblookup?esid={:soc_id}&time={:@timestamp}'
- '/joblookup?ncid={:network.community_id}&time={:@timestamp}' - '/joblookup?ncid={:network.community_id}&time={:@timestamp}'
categories: categories:
- hunt - hunt
- alerts - alerts
- dashboards
- name: actionCyberChef - name: actionCyberChef
description: actionCyberChefHelp description: actionCyberChefHelp
icon: fas fa-bread-slice icon: fas fa-bread-slice
@@ -143,6 +144,7 @@ soc:
link: /navigator/ link: /navigator/
hunt: hunt:
advanced: true advanced: true
aggregationActionsEnabled: true
groupItemsPerPage: 10 groupItemsPerPage: 10
groupFetchLimit: 10 groupFetchLimit: 10
eventItemsPerPage: 10 eventItemsPerPage: 10
@@ -699,7 +701,7 @@ soc:
- process.executable - process.executable
- process.pid - process.pid
- winlog.computer_name - winlog.computer_name
queryBaseFilter: queryBaseFilter: ''
queryToggleFilters: queryToggleFilters:
- name: caseExcludeToggle - name: caseExcludeToggle
filter: 'NOT _index:"*:so-case*"' filter: 'NOT _index:"*:so-case*"'
@@ -708,198 +710,263 @@ soc:
- name: Default Query - name: Default Query
description: Show all events grouped by the origin host description: Show all events grouped by the origin host
query: '* | groupby observer.name' query: '* | groupby observer.name'
showSubtitle: true
- name: Log Type - name: Log Type
description: Show all events grouped by module and dataset description: Show all events grouped by module and dataset
query: '* | groupby event.module event.dataset' query: '* | groupby event.module event.dataset'
showSubtitle: true
- name: SOC Auth - name: SOC Auth
description: Users authenticated to SOC grouped by IP address and identity description: Users authenticated to SOC grouped by IP address and identity
query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip identity_id' query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip identity_id'
showSubtitle: true
- name: Elastalerts - name: Elastalerts
description: '' description: ''
query: '_type:elastalert | groupby rule.name' query: '_type:elastalert | groupby rule.name'
showSubtitle: true
- name: Alerts - name: Alerts
description: Show all alerts grouped by alert source description: Show all alerts grouped by alert source
query: 'event.dataset: alert | groupby event.module' query: 'event.dataset: alert | groupby event.module'
showSubtitle: true
- name: NIDS Alerts - name: NIDS Alerts
description: Show all NIDS alerts grouped by alert description: Show all NIDS alerts grouped by alert
query: 'event.category: network AND event.dataset: alert | groupby rule.category rule.gid rule.uuid rule.name' query: 'event.category: network AND event.dataset: alert | groupby rule.category rule.gid rule.uuid rule.name'
showSubtitle: true
- name: Osquery - Live Query - name: Osquery - Live Query
description: Show all Osquery Live Query results description: Show all Osquery Live Query results
query: 'event.dataset: osquery_manager.result | groupby action_data.id action_data.query | groupby host.hostname' query: 'event.dataset: osquery_manager.result | groupby action_data.id action_data.query | groupby host.hostname'
showSubtitle: true
- name: Wazuh/OSSEC Alerts - name: Wazuh/OSSEC Alerts
description: Show all Wazuh alerts at Level 5 or higher grouped by category description: Show all Wazuh alerts at Level 5 or higher grouped by category
query: 'event.module:ossec AND event.dataset:alert AND rule.level:>4 | groupby rule.category rule.name' query: 'event.module:ossec AND event.dataset:alert AND rule.level:>4 | groupby rule.category rule.name'
showSubtitle: true
- name: Wazuh/OSSEC Alerts - name: Wazuh/OSSEC Alerts
description: Show all Wazuh alerts at Level 4 or lower grouped by category description: Show all Wazuh alerts at Level 4 or lower grouped by category
query: 'event.module:ossec AND event.dataset:alert AND rule.level:<5 | groupby rule.category rule.name' query: 'event.module:ossec AND event.dataset:alert AND rule.level:<5 | groupby rule.category rule.name'
showSubtitle: true
- name: Wazuh/OSSEC Users and Commands - name: Wazuh/OSSEC Users and Commands
description: Show all Wazuh alerts grouped by username and command line description: Show all Wazuh alerts grouped by username and command line
query: 'event.module:ossec AND event.dataset:alert | groupby user.escalated.keyword process.command_line' query: 'event.module:ossec AND event.dataset:alert | groupby user.escalated.keyword process.command_line'
showSubtitle: true
- name: Wazuh/OSSEC Processes - name: Wazuh/OSSEC Processes
description: Show all Wazuh alerts grouped by process name description: Show all Wazuh alerts grouped by process name
query: 'event.module:ossec AND event.dataset:alert | groupby process.name' query: 'event.module:ossec AND event.dataset:alert | groupby process.name'
showSubtitle: true
- name: Sysmon Events - name: Sysmon Events
description: Show all Sysmon logs grouped by event type description: Show all Sysmon logs grouped by event type
query: 'event.module:sysmon | groupby event.dataset' query: 'event.module:sysmon | groupby event.dataset'
showSubtitle: true
- name: Sysmon Usernames - name: Sysmon Usernames
description: Show all Sysmon logs grouped by username description: Show all Sysmon logs grouped by username
query: 'event.module:sysmon | groupby event.dataset, user.name.keyword' query: 'event.module:sysmon | groupby event.dataset, user.name.keyword'
showSubtitle: true
- name: Strelka - name: Strelka
description: Show all Strelka logs grouped by file type description: Show all Strelka logs grouped by file type
query: 'event.module:strelka | groupby file.mime_type' query: 'event.module:strelka | groupby file.mime_type'
showSubtitle: true
- name: Zeek Notice - name: Zeek Notice
description: Show notices from Zeek description: Show notices from Zeek
query: 'event.dataset:notice | groupby notice.note notice.message' query: 'event.dataset:notice | groupby notice.note notice.message'
showSubtitle: true
- name: Connections - name: Connections
description: Connections grouped by IP and Port description: Connections grouped by IP and Port
query: 'event.dataset:conn | groupby source.ip destination.ip network.protocol destination.port' query: 'event.dataset:conn | groupby source.ip destination.ip network.protocol destination.port'
showSubtitle: true
- name: Connections - name: Connections
description: Connections grouped by Service description: Connections grouped by Service
query: 'event.dataset:conn | groupby network.protocol destination.port' query: 'event.dataset:conn | groupby network.protocol destination.port'
showSubtitle: true
- name: Connections - name: Connections
description: Connections grouped by destination country description: Connections grouped by destination country
query: 'event.dataset:conn | groupby destination.geo.country_name' query: 'event.dataset:conn | groupby destination.geo.country_name'
showSubtitle: true
- name: Connections - name: Connections
description: Connections grouped by source country description: Connections grouped by source country
query: 'event.dataset:conn | groupby source.geo.country_name' query: 'event.dataset:conn | groupby source.geo.country_name'
showSubtitle: true
- name: DCE_RPC - name: DCE_RPC
description: DCE_RPC grouped by operation description: DCE_RPC grouped by operation
query: 'event.dataset:dce_rpc | groupby dce_rpc.operation' query: 'event.dataset:dce_rpc | groupby dce_rpc.operation'
showSubtitle: true
- name: DHCP - name: DHCP
description: DHCP leases description: DHCP leases
query: 'event.dataset:dhcp | groupby host.hostname client.address' query: 'event.dataset:dhcp | groupby host.hostname client.address'
showSubtitle: true
- name: DHCP - name: DHCP
description: DHCP grouped by message type description: DHCP grouped by message type
query: 'event.dataset:dhcp | groupby dhcp.message_types' query: 'event.dataset:dhcp | groupby dhcp.message_types'
showSubtitle: true
- name: DNP3 - name: DNP3
description: DNP3 grouped by reply description: DNP3 grouped by reply
query: 'event.dataset:dnp3 | groupby dnp3.fc_reply' query: 'event.dataset:dnp3 | groupby dnp3.fc_reply'
showSubtitle: true
- name: DNS - name: DNS
description: DNS queries grouped by port description: DNS queries grouped by port
query: 'event.dataset:dns | groupby dns.query.name destination.port' query: 'event.dataset:dns | groupby dns.query.name destination.port'
showSubtitle: true
- name: DNS - name: DNS
description: DNS queries grouped by type description: DNS queries grouped by type
query: 'event.dataset:dns | groupby dns.query.type_name destination.port' query: 'event.dataset:dns | groupby dns.query.type_name destination.port'
showSubtitle: true
- name: DNS - name: DNS
description: DNS queries grouped by response code description: DNS queries grouped by response code
query: 'event.dataset:dns | groupby dns.response.code_name destination.port' query: 'event.dataset:dns | groupby dns.response.code_name destination.port'
showSubtitle: true
- name: DNS - name: DNS
description: DNS highest registered domain description: DNS highest registered domain
query: 'event.dataset:dns | groupby dns.highest_registered_domain.keyword destination.port' query: 'event.dataset:dns | groupby dns.highest_registered_domain.keyword destination.port'
showSubtitle: true
- name: DNS - name: DNS
description: DNS grouped by parent domain description: DNS grouped by parent domain
query: 'event.dataset:dns | groupby dns.parent_domain.keyword destination.port' query: 'event.dataset:dns | groupby dns.parent_domain.keyword destination.port'
showSubtitle: true
- name: DPD - name: DPD
description: Dynamic Protocol Detection errors description: Dynamic Protocol Detection errors
query: 'event.dataset:dpd | groupby error.reason' query: 'event.dataset:dpd | groupby error.reason'
showSubtitle: true
- name: Files - name: Files
description: Files grouped by mimetype description: Files grouped by mimetype
query: 'event.dataset:file | groupby file.mime_type source.ip' query: 'event.dataset:file | groupby file.mime_type source.ip'
showSubtitle: true
- name: Files - name: Files
description: Files grouped by source description: Files grouped by source
query: 'event.dataset:file | groupby file.source source.ip' query: 'event.dataset:file | groupby file.source source.ip'
showSubtitle: true
- name: FTP - name: FTP
description: FTP grouped by command and argument description: FTP grouped by command and argument
query: 'event.dataset:ftp | groupby ftp.command ftp.argument' query: 'event.dataset:ftp | groupby ftp.command ftp.argument'
showSubtitle: true
- name: FTP - name: FTP
description: FTP grouped by username and argument description: FTP grouped by username and argument
query: 'event.dataset:ftp | groupby ftp.user ftp.argument' query: 'event.dataset:ftp | groupby ftp.user ftp.argument'
showSubtitle: true
- name: HTTP - name: HTTP
description: HTTP grouped by destination port description: HTTP grouped by destination port
query: 'event.dataset:http | groupby destination.port' query: 'event.dataset:http | groupby destination.port'
showSubtitle: true
- name: HTTP - name: HTTP
description: HTTP grouped by status code and message description: HTTP grouped by status code and message
query: 'event.dataset:http | groupby http.status_code http.status_message' query: 'event.dataset:http | groupby http.status_code http.status_message'
showSubtitle: true
- name: HTTP - name: HTTP
description: HTTP grouped by method and user agent description: HTTP grouped by method and user agent
query: 'event.dataset:http | groupby http.method http.useragent' query: 'event.dataset:http | groupby http.method http.useragent'
showSubtitle: true
- name: HTTP - name: HTTP
description: HTTP grouped by virtual host description: HTTP grouped by virtual host
query: 'event.dataset:http | groupby http.virtual_host' query: 'event.dataset:http | groupby http.virtual_host'
showSubtitle: true
- name: HTTP - name: HTTP
description: HTTP with exe downloads description: HTTP with exe downloads
query: 'event.dataset:http AND (file.resp_mime_types:dosexec OR file.resp_mime_types:executable) | groupby http.virtual_host' query: 'event.dataset:http AND (file.resp_mime_types:dosexec OR file.resp_mime_types:executable) | groupby http.virtual_host'
showSubtitle: true
- name: Intel - name: Intel
description: Intel framework hits grouped by indicator description: Intel framework hits grouped by indicator
query: 'event.dataset:intel | groupby intel.indicator.keyword' query: 'event.dataset:intel | groupby intel.indicator.keyword'
showSubtitle: true
- name: IRC - name: IRC
description: IRC grouped by command description: IRC grouped by command
query: 'event.dataset:irc | groupby irc.command.type' query: 'event.dataset:irc | groupby irc.command.type'
showSubtitle: true
- name: KERBEROS - name: KERBEROS
description: KERBEROS grouped by service description: KERBEROS grouped by service
query: 'event.dataset:kerberos | groupby kerberos.service' query: 'event.dataset:kerberos | groupby kerberos.service'
showSubtitle: true
- name: MODBUS - name: MODBUS
description: MODBUS grouped by function description: MODBUS grouped by function
query: 'event.dataset:modbus | groupby modbus.function' query: 'event.dataset:modbus | groupby modbus.function'
showSubtitle: true
- name: MYSQL - name: MYSQL
description: MYSQL grouped by command description: MYSQL grouped by command
query: 'event.dataset:mysql | groupby mysql.command' query: 'event.dataset:mysql | groupby mysql.command'
showSubtitle: true
- name: NOTICE - name: NOTICE
description: Zeek notice logs grouped by note and message description: Zeek notice logs grouped by note and message
query: 'event.dataset:notice | groupby notice.note notice.message' query: 'event.dataset:notice | groupby notice.note notice.message'
showSubtitle: true
- name: NTLM - name: NTLM
description: NTLM grouped by computer name description: NTLM grouped by computer name
query: 'event.dataset:ntlm | groupby ntlm.server.dns.name' query: 'event.dataset:ntlm | groupby ntlm.server.dns.name'
showSubtitle: true
- name: PE - name: PE
description: PE files list description: PE files list
query: 'event.dataset:pe | groupby file.machine file.os file.subsystem' query: 'event.dataset:pe | groupby file.machine file.os file.subsystem'
showSubtitle: true
- name: RADIUS - name: RADIUS
description: RADIUS grouped by username description: RADIUS grouped by username
query: 'event.dataset:radius | groupby user.name.keyword' query: 'event.dataset:radius | groupby user.name.keyword'
showSubtitle: true
- name: RDP - name: RDP
description: RDP grouped by client name description: RDP grouped by client name
query: 'event.dataset:rdp | groupby client.name' query: 'event.dataset:rdp | groupby client.name'
showSubtitle: true
- name: RFB - name: RFB
description: RFB grouped by desktop name description: RFB grouped by desktop name
query: 'event.dataset:rfb | groupby rfb.desktop.name.keyword' query: 'event.dataset:rfb | groupby rfb.desktop.name.keyword'
showSubtitle: true
- name: Signatures - name: Signatures
description: Zeek signatures grouped by signature id description: Zeek signatures grouped by signature id
query: 'event.dataset:signatures | groupby signature_id' query: 'event.dataset:signatures | groupby signature_id'
showSubtitle: true
- name: SIP - name: SIP
description: SIP grouped by user agent description: SIP grouped by user agent
query: 'event.dataset:sip | groupby client.user_agent' query: 'event.dataset:sip | groupby client.user_agent'
showSubtitle: true
- name: SMB_Files - name: SMB_Files
description: SMB files grouped by action description: SMB files grouped by action
query: 'event.dataset:smb_files | groupby file.action' query: 'event.dataset:smb_files | groupby file.action'
showSubtitle: true
- name: SMB_Mapping - name: SMB_Mapping
description: SMB mapping grouped by path description: SMB mapping grouped by path
query: 'event.dataset:smb_mapping | groupby smb.path' query: 'event.dataset:smb_mapping | groupby smb.path'
showSubtitle: true
- name: SMTP - name: SMTP
description: SMTP grouped by subject description: SMTP grouped by subject
query: 'event.dataset:smtp | groupby smtp.subject' query: 'event.dataset:smtp | groupby smtp.subject'
showSubtitle: true
- name: SNMP - name: SNMP
description: SNMP grouped by version and string description: SNMP grouped by version and string
query: 'event.dataset:snmp | groupby snmp.community snmp.version' query: 'event.dataset:snmp | groupby snmp.community snmp.version'
showSubtitle: true
- name: Software - name: Software
description: List of software seen on the network description: List of software seen on the network
query: 'event.dataset:software | groupby software.type software.name' query: 'event.dataset:software | groupby software.type software.name'
showSubtitle: true
- name: SSH - name: SSH
description: SSH grouped by version and client description: SSH grouped by version and client
query: 'event.dataset:ssh | groupby ssh.version ssh.client' query: 'event.dataset:ssh | groupby ssh.version ssh.client'
showSubtitle: true
- name: SSL - name: SSL
description: SSL grouped by version and server name description: SSL grouped by version and server name
query: 'event.dataset:ssl | groupby ssl.version ssl.server_name' query: 'event.dataset:ssl | groupby ssl.version ssl.server_name'
showSubtitle: true
- name: SYSLOG - name: SYSLOG
description: 'SYSLOG grouped by severity and facility ' description: 'SYSLOG grouped by severity and facility '
query: 'event.dataset:syslog | groupby syslog.severity_label syslog.facility_label' query: 'event.dataset:syslog | groupby syslog.severity_label syslog.facility_label'
showSubtitle: true
- name: Tunnel - name: Tunnel
description: Tunnels grouped by type and action description: Tunnels grouped by type and action
query: 'event.dataset:tunnel | groupby tunnel.type event.action' query: 'event.dataset:tunnel | groupby tunnel.type event.action'
showSubtitle: true
- name: Weird - name: Weird
description: Zeek weird log grouped by name description: Zeek weird log grouped by name
query: 'event.dataset:weird | groupby weird.name' query: 'event.dataset:weird | groupby weird.name'
showSubtitle: true
- name: x509 - name: x509
description: x.509 grouped by key length and name description: x.509 grouped by key length and name
query: 'event.dataset:x509 | groupby x509.certificate.key.length x509.san_dns' query: 'event.dataset:x509 | groupby x509.certificate.key.length x509.san_dns'
showSubtitle: true
- name: x509 - name: x509
description: x.509 grouped by name and issuer description: x.509 grouped by name and issuer
query: 'event.dataset:x509 | groupby x509.san_dns x509.certificate.issuer' query: 'event.dataset:x509 | groupby x509.san_dns x509.certificate.issuer'
showSubtitle: true
- name: x509 - name: x509
description: x.509 grouped by name and subject description: x.509 grouped by name and subject
query: 'event.dataset:x509 | groupby x509.san_dns x509.certificate.subject' query: 'event.dataset:x509 | groupby x509.san_dns x509.certificate.subject'
showSubtitle: true
- name: Firewall - name: Firewall
description: Firewall events grouped by action description: Firewall events grouped by action
query: 'event.dataset:firewall | groupby rule.action' query: 'event.dataset:firewall | groupby rule.action'
showSubtitle: true
dashboards: dashboards:
advanced: true advanced: true
groupItemsPerPage: 10 groupItemsPerPage: 10
@@ -1459,7 +1526,7 @@ soc:
- process.executable - process.executable
- process.pid - process.pid
- winlog.computer_name - winlog.computer_name
queryBaseFilter: queryBaseFilter: ''
queryToggleFilters: queryToggleFilters:
- name: caseExcludeToggle - name: caseExcludeToggle
filter: 'NOT _index:"*:so-case*"' filter: 'NOT _index:"*:so-case*"'
@@ -1607,7 +1674,8 @@ soc:
ackEnabled: true ackEnabled: true
escalateEnabled: true escalateEnabled: true
escalateRelatedEventsEnabled: true escalateRelatedEventsEnabled: true
eventfields: aggregationActionsEnabled: true
eventFields:
default: default:
- soc_timestamp - soc_timestamp
- rule.name - rule.name
@@ -1664,6 +1732,7 @@ soc:
query: '*' query: '*'
cases: cases:
advanced: false advanced: false
aggregationActionsEnabled: false
groupItemsPerPage: 50 groupItemsPerPage: 50
groupFetchLimit: 100 groupFetchLimit: 100
eventItemsPerPage: 50 eventItemsPerPage: 50
@@ -1698,6 +1767,7 @@ soc:
- name: Templates - name: Templates
query: 'so_case.category:template' query: 'so_case.category:template'
case: case:
analyzerNodeId:
mostRecentlyUsedLimit: 5 mostRecentlyUsedLimit: 5
renderAbbreviatedCount: 30 renderAbbreviatedCount: 30
presets: presets:
@@ -1752,8 +1822,9 @@ soc:
customEnabled: true customEnabled: true
tlp: tlp:
labels: labels:
- white - clear
- green - green
- amber - amber
- amber+strict
- red - red
customEnabled: false customEnabled: false
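Review bot: The hunk at `@@ -1698,6 +1767,7 @@` adds `analyzerNodeId:` with no value, which YAML parses as null, while this same commit normalizes the comparable empty keys (`target`, `queryBaseFilter`) to an explicit `''`; for consistency, and so a consumer that reads the defaults file without the Salt template rendering first sees a string rather than null, it should be `analyzerNodeId: ''`. The value appears to be filled in only by the template in the first file (`update({'analyzerNodeId': GLOBALS.minion_id})`), so a comment such as `# populated from the minion id by soc defaults template` would make that dependency visible. Separately, in the last hunk the tlp label `white` is replaced by `clear` and `amber+strict` is added; existing cases already tagged `white` will presumably no longer match a configured label, which is worth a line in the commit description if a data migration or UI fallback is expected. The alerts hunk's rename of `eventfields` to `eventFields` looks like a fix for a silently ignored key and deserves a mention in the description as well.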