From 490278a4c398ea90cd60d5913ad9d0c46f98f39b Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 1 Oct 2020 17:49:17 -0400
Subject: [PATCH] Add alert events filed
---
salt/soc/files/soc/alerts.eventfields.default.json | 4 ++++
salt/soc/files/soc/soc.json | 6 ++----
2 files changed, 6 insertions(+), 4 deletions(-)
create mode 100644 salt/soc/files/soc/alerts.eventfields.default.json
diff --git a/salt/soc/files/soc/alerts.eventfields.default.json b/salt/soc/files/soc/alerts.eventfields.default.json
new file mode 100644
index 000000000..36fb15afe
--- /dev/null
+++ b/salt/soc/files/soc/alerts.eventfields.default.json
@@ -0,0 +1,4 @@
+{
+ "default": ["soc_timestamp", "rule.name", "event.severity_label", "source.ip", "source.port", "destination.ip", "destination.port", "rule.gid", "rule.uuid", "rule.category", "rule.rev"],
+ ":ossec:": ["soc_timestamp", "rule.name", "event.severity_label", "source.ip", "source.port", "destination.ip", "destination.port", "rule.level", "rule.category", "process.name", "user.name", "user.escalated", "location", "process.name" ]
+}
\ No newline at end of file
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index 1f35dfbab..99b556cbe 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -4,6 +4,7 @@
 {%- set FEATURES = salt['pillar.get']('elastic:features', False) %}
 {%- import_json "soc/files/soc/alerts.queries.default.json" as alerts_queries %}
 {%- import_json "soc/files/soc/alerts.actions.default.json" as alerts_actions %}
+{%- import_json "soc/files/soc/alerts.eventfields.default.json" as alerts_eventfields %}
 {%- import_json "soc/files/soc/hunt.queries.default.json" as hunt_queries %}
 {%- import_json "soc/files/soc/hunt.actions.default.json" as hunt_actions %}
 {%- import_json "soc/files/soc/hunt.eventfields.default.json" as hunt_eventfields %}
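Review bot: `"process.name"` is listed twice in the `:ossec:` array of the new alerts.eventfields.default.json (once after `"rule.category"` and again as the last entry), so the column will presumably either render twice or be silently deduplicated depending on the consumer. The duplicate was carried over from the lines removed from soc.json, and moving the list into its own file is the natural moment to drop the trailing `"process.name"` so the array ends with `"location" ]`. The file also ends without a newline, as the `\ No newline at end of file` marker shows; terminating it keeps later diffs of this file clean.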
@@ -62,10 +63,7 @@
 "relativeTimeValue": 24,
 "relativeTimeUnit": 30,
 "mostRecentlyUsedLimit": 5,
- "eventFields": {
- "default": ["soc_timestamp", "rule.name", "event.severity_label", "source.ip", "source.port", "destination.ip", "destination.port", "rule.gid", "rule.uuid", "rule.category", "rule.rev"],
- ":ossec:": ["soc_timestamp", "rule.name", "event.severity_label", "source.ip", "source.port", "destination.ip", "destination.port", "rule.level", "rule.category", "process.name", "user.name", "user.escalated", "location", "process.name" ]
- },
+ "eventFields": {{ alerts_eventfields }},
 "queryBaseFilter": "event.dataset:alert",
 "queryToggleFilters": [
 { "name": "acknowledged", "filter": "event.acknowledged:true", "enabled": false, "exclusive": true },
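Review bot: The replacement line interpolates the mapping loaded by `import_json` with a bare `{{ alerts_eventfields }}`; unless Salt's renderer serializes it, a Python mapping rendered this way comes out as its repr (single-quoted keys), which is not valid JSON for the `eventFields` value the removed lines spelled out literally. If the other `import_json` values in this file go through a serializing filter, this one should match, e.g. `"eventFields": {{ alerts_eventfields | tojson }},`; please confirm against how `hunt_eventfields` is interpolated elsewhere in soc.json, which is outside this hunk. The enclosing JSON object begins and ends outside the hunk.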