From 4df21148fc4b7117b6a69b2914d961855d3f12e7 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Mon, 26 Feb 2024 09:40:51 -0500 Subject: [PATCH] FEATURE: Add default columns for endpoint.events datasets #12425 --- salt/soc/defaults.yaml | 57 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 56 insertions(+), 1 deletion(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 20f9c284f..b5fe0e626 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1001,14 +1001,69 @@ soc: - tds.header_type - log.id.uid - event.dataset + ':endpoint:events_x_api': + - soc_timestamp + - host.name + - user.name + - process.name + - process.Ext.api.name + - process.thread.Ext.call_stack_final_user_module.path + - event.dataset + ':endpoint:events_x_file': + - soc_timestamp + - host.name + - user.name + - process.name + - event.action + - file.path + - event.dataset + ':endpoint:events_x_library': + - soc_timestamp + - host.name + - user.name + - process.name + - event.action + - dll.path + - dll.code_signature.status + - dll.code_signature.subject_name + - event.dataset + ':endpoint:events_x_network': + - soc_timestamp + - host.name + - user.name + - process.name + - event.action + - source.ip + - source.port + - destination.ip + - destination.port + - network.community_id + - event.dataset ':endpoint:events_x_process': - soc_timestamp - - event.dataset - host.name - user.name - process.parent.name - process.name + - event.action - process.working_directory + - event.dataset + ':endpoint:events_x_registry': + - soc_timestamp + - host.name + - user.name + - process.name + - event.action + - registry.path + - event.dataset + ':endpoint:events_x_security': + - soc_timestamp + - host.name + - user.name + - process.executable + - event.action + - event.outcome + - event.dataset server: bindAddress: 0.0.0.0:9822 baseUrl: /