From b8baca417bc6a50a5149b1f538dba6e9eb26ffb4 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 23 Feb 2024 14:03:04 -0500 Subject: [PATCH 01/11] add endpoint_x_events_x_process to defaults.yaml --- salt/soc/defaults.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 2c15fe996..d672d1dad 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -995,6 +995,14 @@ soc: - tds.header_type - log.id.uid - event.dataset + ':endpoint:endpoint_x_events_x_process': + - soc_timestamp + - event.dataset + - host.name + - user.name + - process.parent.name + - process.name + - process.working_directory server: bindAddress: 0.0.0.0:9822 baseUrl: / From 573d565976b267b304ce6c03b5ca8a9041b4ad70 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 23 Feb 2024 15:03:44 -0500 Subject: [PATCH 02/11] convert _x_ to . for soc ui to config --- salt/soc/merged.map.jinja | 2 ++ salt/soc/soc_soc.yaml | 5 +++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja index 33c0070ad..55d8d2600 100644 --- a/salt/soc/merged.map.jinja +++ b/salt/soc/merged.map.jinja @@ -66,6 +66,8 @@ {% do SOCMERGED.config.server.client.alerts.update({'actions': standard_actions}) %} {% do SOCMERGED.config.server.client.cases.update({'actions': standard_actions}) %} +{# replace the _x_ with . for soc ui to config conversion #} +{% do SOCMERGED.config.eventFields.update({':endpoint:endpoint.events.process': SOCMERGED.config.eventFields.pop(':endpoint:endpoint_x_events_x_process') }) %} {% set standard_eventFields = SOCMERGED.config.pop('eventFields') %} {% do SOCMERGED.config.server.client.hunt.update({'eventFields': standard_eventFields}) %} {% do SOCMERGED.config.server.client.dashboards.update({'eventFields': standard_eventFields}) %} diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index fdfb09733..13e50a0cb 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -55,10 +55,11 @@ soc: global: True forcedType: "[]{}" eventFields: - default: - description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. This 'default' entry is used for all events that do not match an existing mapping defined in the list to the left. + default: &eventFields + description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left. global: True advanced: True + ':endpoint:endpoint_x_events_x_process': *eventFields server: srvKey: description: Unique key for protecting the integrity of user submitted data via the web browser. From 7da0ccf5a628d71e75eef7fda547004ca693fec4 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 23 Feb 2024 15:35:53 -0500 Subject: [PATCH 03/11] add more endpoint.events.x entries to merged.map.jinja --- salt/soc/merged.map.jinja | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja index 55d8d2600..c0ea836e5 100644 --- a/salt/soc/merged.map.jinja +++ b/salt/soc/merged.map.jinja @@ -67,7 +67,13 @@ {% do SOCMERGED.config.server.client.cases.update({'actions': standard_actions}) %} {# replace the _x_ with . for soc ui to config conversion #} +{% do SOCMERGED.config.eventFields.update({':endpoint:endpoint.events.api': SOCMERGED.config.eventFields.pop(':endpoint:endpoint_x_events_x_api') }) %} +{% do SOCMERGED.config.eventFields.update({':endpoint:endpoint.events.file': SOCMERGED.config.eventFields.pop(':endpoint:endpoint_x_events_x_file') }) %} +{% do SOCMERGED.config.eventFields.update({':endpoint:endpoint.events.library': SOCMERGED.config.eventFields.pop(':endpoint:endpoint_x_events_x_library') }) %} +{% do SOCMERGED.config.eventFields.update({':endpoint:endpoint.events.network': SOCMERGED.config.eventFields.pop(':endpoint:endpoint_x_events_x_network') }) %} {% do SOCMERGED.config.eventFields.update({':endpoint:endpoint.events.process': SOCMERGED.config.eventFields.pop(':endpoint:endpoint_x_events_x_process') }) %} +{% do SOCMERGED.config.eventFields.update({':endpoint:endpoint.events.registry': SOCMERGED.config.eventFields.pop(':endpoint:endpoint_x_events_x_registry') }) %} +{% do SOCMERGED.config.eventFields.update({':endpoint:endpoint.events.security': SOCMERGED.config.eventFields.pop(':endpoint:endpoint_x_events_x_security') }) %} {% set standard_eventFields = SOCMERGED.config.pop('eventFields') %} {% do SOCMERGED.config.server.client.hunt.update({'eventFields': standard_eventFields}) %} {% do SOCMERGED.config.server.client.dashboards.update({'eventFields': standard_eventFields}) %} From b7ef1e8af121862174fd72b0a75125fbf1341ec1 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 23 Feb 2024 15:38:53 -0500 Subject: [PATCH 04/11] add more endpoint.events.x fields to soc_soc.yaml --- salt/soc/soc_soc.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 13e50a0cb..f59d6117b 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -59,7 +59,13 @@ soc: description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left. global: True advanced: True + ':endpoint:endpoint_x_events_x_api': *eventFields + ':endpoint:endpoint_x_events_x_file': *eventFields + ':endpoint:endpoint_x_events_x_library': *eventFields + ':endpoint:endpoint_x_events_x_network': *eventFields ':endpoint:endpoint_x_events_x_process': *eventFields + ':endpoint:endpoint_x_events_x_registry': *eventFields + ':endpoint:endpoint_x_events_x_security': *eventFields server: srvKey: description: Unique key for protecting the integrity of user submitted data via the web browser. From 58f4fb87d08813ab41eea5b24e6b2a4a2326d5ff Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 23 Feb 2024 17:06:29 -0500 Subject: [PATCH 05/11] fix new eventFields in soc_soc.yaml --- salt/soc/soc_soc.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index f59d6117b..a9d36c70c 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -59,13 +59,13 @@ soc: description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left. global: True advanced: True - ':endpoint:endpoint_x_events_x_api': *eventFields - ':endpoint:endpoint_x_events_x_file': *eventFields - ':endpoint:endpoint_x_events_x_library': *eventFields - ':endpoint:endpoint_x_events_x_network': *eventFields - ':endpoint:endpoint_x_events_x_process': *eventFields - ':endpoint:endpoint_x_events_x_registry': *eventFields - ':endpoint:endpoint_x_events_x_security': *eventFields + ':endpoint:events_x_api': *eventFields + ':endpoint:events_x_file': *eventFields + ':endpoint:events_x_library': *eventFields + ':endpoint:events_x_network': *eventFields + ':endpoint:events_x_process': *eventFields + ':endpoint:events_x_registry': *eventFields + ':endpoint:events_x_security': *eventFields server: srvKey: description: Unique key for protecting the integrity of user submitted data via the web browser. From daf96d79342959155d2fccb7313c8e5a9b393f60 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 23 Feb 2024 17:07:48 -0500 Subject: [PATCH 06/11] fix new eventFields in merged.map.jinja --- salt/soc/merged.map.jinja | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja index c0ea836e5..65091158e 100644 --- a/salt/soc/merged.map.jinja +++ b/salt/soc/merged.map.jinja @@ -67,13 +67,13 @@ {% do SOCMERGED.config.server.client.cases.update({'actions': standard_actions}) %} {# replace the _x_ with . for soc ui to config conversion #} -{% do SOCMERGED.config.eventFields.update({':endpoint:endpoint.events.api': SOCMERGED.config.eventFields.pop(':endpoint:endpoint_x_events_x_api') }) %} -{% do SOCMERGED.config.eventFields.update({':endpoint:endpoint.events.file': SOCMERGED.config.eventFields.pop(':endpoint:endpoint_x_events_x_file') }) %} -{% do SOCMERGED.config.eventFields.update({':endpoint:endpoint.events.library': SOCMERGED.config.eventFields.pop(':endpoint:endpoint_x_events_x_library') }) %} -{% do SOCMERGED.config.eventFields.update({':endpoint:endpoint.events.network': SOCMERGED.config.eventFields.pop(':endpoint:endpoint_x_events_x_network') }) %} -{% do SOCMERGED.config.eventFields.update({':endpoint:endpoint.events.process': SOCMERGED.config.eventFields.pop(':endpoint:endpoint_x_events_x_process') }) %} -{% do SOCMERGED.config.eventFields.update({':endpoint:endpoint.events.registry': SOCMERGED.config.eventFields.pop(':endpoint:endpoint_x_events_x_registry') }) %} -{% do SOCMERGED.config.eventFields.update({':endpoint:endpoint.events.security': SOCMERGED.config.eventFields.pop(':endpoint:endpoint_x_events_x_security') }) %} +{% do SOCMERGED.config.eventFields.update({':endpoint:events.api': SOCMERGED.config.eventFields.pop(':endpoint:events_x_api') }) %} +{% do SOCMERGED.config.eventFields.update({':endpoint:events.file': SOCMERGED.config.eventFields.pop(':endpoint:events_x_file') }) %} +{% do SOCMERGED.config.eventFields.update({':endpoint:events.library': SOCMERGED.config.eventFields.pop(':endpoint:events_x_library') }) %} +{% do SOCMERGED.config.eventFields.update({':endpoint:events.network': SOCMERGED.config.eventFields.pop(':endpoint:events_x_network') }) %} +{% do SOCMERGED.config.eventFields.update({':endpoint:events.process': SOCMERGED.config.eventFields.pop(':endpoint:events_x_process') }) %} +{% do SOCMERGED.config.eventFields.update({':endpoint:events.registry': SOCMERGED.config.eventFields.pop(':endpoint:events_x_registry') }) %} +{% do SOCMERGED.config.eventFields.update({':endpoint:events.security': SOCMERGED.config.eventFields.pop(':endpoint:events_x_security') }) %} {% set standard_eventFields = SOCMERGED.config.pop('eventFields') %} {% do SOCMERGED.config.server.client.hunt.update({'eventFields': standard_eventFields}) %} {% do SOCMERGED.config.server.client.dashboards.update({'eventFields': standard_eventFields}) %} From d6cb8ab92823b95d0d35cee157549b52a91d2c97 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 23 Feb 2024 17:09:40 -0500 Subject: [PATCH 07/11] update events_x_process in defaults.yaml --- salt/soc/defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index d672d1dad..7204027fc 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -995,7 +995,7 @@ soc: - tds.header_type - log.id.uid - event.dataset - ':endpoint:endpoint_x_events_x_process': + ':endpoint:events_x_process': - soc_timestamp - event.dataset - host.name From ca249312baddc9c3d6b7321f104ccc58da447acb Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Mon, 26 Feb 2024 09:38:14 -0500 Subject: [PATCH 08/11] FEATURE: Add new SOC action for Process Info #12421 --- salt/soc/defaults.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 7204027fc..20f9c284f 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -65,12 +65,18 @@ soc: target: _blank links: - 'https://{:sublime.url}/messages/{:sublime.message_group_id}' + - name: actionProcessInfo + description: actionProcessInfoHelp + icon: fa-person-running + target: '' + links: + - '/#/hunt?q=(process.entity_id:"{:process.entity_id}") | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.name | groupby host.name user.name | groupby source.ip source.port destination.ip destination.port | groupby dns.question.name | groupby dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path' - name: actionProcessAncestors description: actionProcessAncestorsHelp icon: fa-people-roof target: '' links: - - '/#/hunt?q=(process.entity_id:"{:process.entity_id}" OR process.entity_id:"{:process.Ext.ancestry|processAncestors}") | groupby process.parent.name | groupby -sankey process.parent.name process.name | groupby process.name | groupby event.module event.dataset | table soc_timestamp event.dataset host.name user.name process.parent.name process.name process.working_directory' + - '/#/hunt?q=(process.entity_id:"{:process.entity_id}" OR process.entity_id:"{:process.Ext.ancestry|processAncestors}") | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.parent.name | groupby -sankey process.parent.name process.name | groupby process.name | groupby host.name user.name | groupby source.ip source.port destination.ip destination.port | groupby dns.question.name | groupby dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path' eventFields: default: - soc_timestamp From 4df21148fc4b7117b6a69b2914d961855d3f12e7 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Mon, 26 Feb 2024 09:40:51 -0500 Subject: [PATCH 09/11] FEATURE: Add default columns for endpoint.events datasets #12425 --- salt/soc/defaults.yaml | 57 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 56 insertions(+), 1 deletion(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 20f9c284f..b5fe0e626 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1001,14 +1001,69 @@ soc: - tds.header_type - log.id.uid - event.dataset + ':endpoint:events_x_api': + - soc_timestamp + - host.name + - user.name + - process.name + - process.Ext.api.name + - process.thread.Ext.call_stack_final_user_module.path + - event.dataset + ':endpoint:events_x_file': + - soc_timestamp + - host.name + - user.name + - process.name + - event.action + - file.path + - event.dataset + ':endpoint:events_x_library': + - soc_timestamp + - host.name + - user.name + - process.name + - event.action + - dll.path + - dll.code_signature.status + - dll.code_signature.subject_name + - event.dataset + ':endpoint:events_x_network': + - soc_timestamp + - host.name + - user.name + - process.name + - event.action + - source.ip + - source.port + - destination.ip + - destination.port + - network.community_id + - event.dataset ':endpoint:events_x_process': - soc_timestamp - - event.dataset - host.name - user.name - process.parent.name - process.name + - event.action - process.working_directory + - event.dataset + ':endpoint:events_x_registry': + - soc_timestamp + - host.name + - user.name + - process.name + - event.action + - registry.path + - event.dataset + ':endpoint:events_x_security': + - soc_timestamp + - host.name + - user.name + - process.executable + - event.action + - event.outcome + - event.dataset server: bindAddress: 0.0.0.0:9822 baseUrl: / From c8a95a87069a996543672c50485280394e45226d Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Mon, 26 Feb 2024 09:59:07 -0500 Subject: [PATCH 10/11] FEATURE: Add new endpoint dashboards #12428 --- salt/soc/defaults.yaml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index b5fe0e626..c1b3ebabb 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1502,13 +1502,22 @@ soc: query: 'event.category: network AND _exists_:process.executable AND (_exists_:dns.question.name OR _exists_:dns.answers.data) | groupby -sankey host.name dns.question.name | groupby event.dataset event.type | groupby host.name | groupby process.executable | groupby dns.question.name | groupby dns.answers.data' - name: Host Process Activity description: Process activity captured on an endpoint - query: 'event.category:process | groupby -sankey host.name user.name* | groupby event.dataset event.action | groupby host.name | groupby user.name | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable | table soc_timestamp event.dataset host.name user.name process.parent.name process.name process.working_directory' + query: 'event.category:process | groupby -sankey host.name user.name* | groupby event.dataset event.action | groupby host.name | groupby user.name | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable' - name: Host File Activity description: File activity captured on an endpoint query: 'event.category: file AND _exists_:process.executable | groupby -sankey host.name process.executable | groupby host.name | groupby event.dataset event.action event.type | groupby file.name | groupby process.executable' - name: Host Network & Process Mappings description: Network activity mapped to originating processes query: 'event.category: network AND _exists_:process.executable | groupby -sankey event.action host.name | groupby -sankey host.name user.name | groupby event.dataset* event.type* event.action* | groupby host.name | groupby user.name | groupby dns.question.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby process.name | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: Host API Events + description: API (Application Programming Interface) events from endpoints + query: 'event.dataset:endpoint.events.api | groupby host.name | groupby -sankey host.name user.name | groupby user.name | groupby process.name | groupby process.Ext.api.name' + - name: Host Library Events + description: Library events from endpoints + query: 'event.dataset:endpoint.events.library | groupby host.name | groupby -sankey host.name user.name | groupby user.name | groupby process.name | groupby event.action | groupby dll.path | groupby dll.code_signature.status | groupby dll.code_signature.subject_name' + - name: Host Security Events + description: Security events from endpoints + query: 'event.dataset:endpoint.events.security | groupby host.name | groupby -sankey host.name user.name | groupby user.name | groupby process.executable | groupby event.action | groupby event.outcome' - name: Strelka description: Strelka file analysis query: 'event.module:strelka | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.name' From f8424f3dad29bed27f0d02006cb3af14f5f76e39 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Mon, 26 Feb 2024 11:22:09 -0500 Subject: [PATCH 11/11] Update defaults.yaml --- salt/soc/defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index c1b3ebabb..d86262fe7 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1502,7 +1502,7 @@ soc: query: 'event.category: network AND _exists_:process.executable AND (_exists_:dns.question.name OR _exists_:dns.answers.data) | groupby -sankey host.name dns.question.name | groupby event.dataset event.type | groupby host.name | groupby process.executable | groupby dns.question.name | groupby dns.answers.data' - name: Host Process Activity description: Process activity captured on an endpoint - query: 'event.category:process | groupby -sankey host.name user.name* | groupby event.dataset event.action | groupby host.name | groupby user.name | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable' + query: 'event.category:process | groupby -sankey host.name user.name* | groupby event.dataset event.action | groupby host.name | groupby user.name | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable | table soc_timestamp host.name user.name process.parent.name process.name event.action process.working_directory event.dataset' - name: Host File Activity description: File activity captured on an endpoint query: 'event.category: file AND _exists_:process.executable | groupby -sankey host.name process.executable | groupby host.name | groupby event.dataset event.action event.type | groupby file.name | groupby process.executable'