From 6c2437f8ef2f9edadf2d2d774b7b8c717bc8b90e Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Tue, 2 Apr 2024 09:55:56 -0400
Subject: [PATCH] FEATURE: Add Events table columns for event.module playbook #12703
---
 salt/soc/defaults.yaml | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 2d5881ffa..a78ea88e1 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1200,6 +1200,17 @@ soc:
 - soc_timestamp
 - event.dataset
 - message
+ ':playbook:':
+ - soc_timestamp
+ - rule.name
+ - event.severity_label
+ - event_data.event.dataset
+ - event_data.source.ip
+ - event_data.source.port
+ - event_data.destination.host
+ - event_data.destination.port
+ - event_data.process.executable
+ - event_data.process.pid
 server:
 bindAddress: 0.0.0.0:9822
 baseUrl: /
@@ -1876,11 +1887,13 @@ soc:
 - soc_timestamp
 - rule.name
 - event.severity_label
- event_data.event.module
- event_data.event.category
+ - event_data.event.dataset
+ - event_data.source.ip
+ - event_data.source.port
+ - event_data.destination.host
+ - event_data.destination.port
 - event_data.process.executable
 - event_data.process.pid
- event_data.winlog.computer_name
 queryBaseFilter: tags:alert
 queryToggleFilters:
 - name: acknowledged
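Review bot: The new `':playbook:'` column list shows `event_data.process.executable` and `event_data.process.pid` but no column identifying the host the process ran on, so an analyst cannot tie a PID in the Events table to an endpoint without opening the event. The second hunk (new line 1887 onward) has the same gap and also appears to remove `event_data.winlog.computer_name`, the only host column that list had. Consider adding whichever host field these playbook events actually populate to both lists; an ECS-style `event_data.host.name` is one candidate, but that needs confirming against real events. The enclosing mapping starts outside the hunk, so the key naming convention for `':playbook:'` could not be checked from here.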
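Review bot: The list ending at `event_data.process.pid` in this hunk is now a line-for-line copy of the `':playbook:'` list added in the first hunk, and nothing in the file tells a maintainer that the two are meant to match. A short comment above this list, for example `# Same columns as the ':playbook:' list earlier in this file; update both together.`, would keep the two from drifting apart. The list's parent key is outside the hunk, so which view it configures is inferred only from the trailing `queryBaseFilter: tags:alert` context.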