diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 65765c8b8..aefe6d00f 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1,5 +1,52 @@ soc: logFilename: /opt/sensoroni/logs/sensoroni-server.log + actions: + - name: actionHunt + description: actionHuntHelp + icon: fa-crosshairs + target: + links: + - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' + - name: actionCorrelate + description: actionCorrelateHelp + icon: fab fa-searchengin + target: + links: + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' + - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' + - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' + - name: actionPcap + description: actionPcapHelp + icon: fa-stream + target: + links: + - '/joblookup?esid={:soc_id}&time={:@timestamp}' + - '/joblookup?ncid={:network.community_id}&time={:@timestamp}' + categories: + - hunt + - alerts + - name: actionCyberChef + description: actionCyberChefHelp + icon: fas fa-bread-slice + target: _blank + links: + - '/cyberchef/#input={value|base64}' + - name: actionGoogle + description: actionGoogleHelp + icon: fab fa-google + target: _blank + links: + - 'https://www.google.com/search?q={value}' + - name: actionVirusTotal + description: actionVirusTotalHelp + icon: fa-external-link-alt + target: _blank + links: + - 'https://www.virustotal.com/gui/search/{value}' server: bindAddress: 0.0.0.0:9822 baseUrl: / @@ -800,101 +847,661 @@ soc: - name: Firewall description: Firewall events grouped by action query: 'event.dataset:firewall | groupby rule.action' - actions: - - name: actionHunt - description: actionHuntHelp - icon: fa-crosshairs - target: - links: - - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' - - name: actionCorrelate - description: actionCorrelateHelp - icon: fab fa-searchengin - target: - links: - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' - - name: actionPcap - description: actionPcapHelp - icon: fa-stream - target: - links: - - '/joblookup?esid={:soc_id}&time={:@timestamp}' - - '/joblookup?ncid={:network.community_id}&time={:@timestamp}' - categories: - - hunt - - alerts - - name: actionCyberChef - description: actionCyberChefHelp - icon: fas fa-bread-slice - target: _blank - links: - - '/cyberchef/#input={value|base64}' - - name: actionGoogle - description: actionGoogleHelp - icon: fab fa-google - target: _blank - links: - - 'https://www.google.com/search?q={value}' - - name: actionVirusTotal - description: actionVirusTotalHelp - icon: fa-external-link-alt - target: _blank - links: - - 'https://www.virustotal.com/gui/search/{value}' + dashboards: + advanced: true + groupItemsPerPage: 10 + groupFetchLimit: 10 + eventItemsPerPage: 10 + eventFetchLimit: 100 + relativeTimeValue: 24 + relativeTimeUnit: 30 + mostRecentlyUsedLimit: 0 + ackEnabled: false + escalateEnabled: true + escalateRelatedEventsEnabled: true + aggregationActionsEnabled: false + eventFields: + default: + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - log.id.uid + - network.community_id + - event.dataset + ':kratos:audit': + - soc_timestamp + - http_request.headers.x-real-ip + - identity_id + - http_request.headers.user-agent + '::conn': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.transport + - network.protocol + - log.id.uid + - network.community_id + '::dce_rpc': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - dce_rpc.endpoint + - dce_rpc.named_pipe + - dce_rpc.operation + - log.id.uid + '::dhcp': + - soc_timestamp + - client.address + - server.address + - host.domain + - host.hostname + - dhcp.message_types + - log.id.uid + '::dnp3': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - dnp3.fc_reply + - log.id.uid + '::dns': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.transport + - dns.query.name + - dns.query.type_name + - dns.response.code_name + - log.id.uid + - network.community_id + '::dpd': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.protocol + - observer.analyser + - error.reason + - log.id.uid + '::file': + - soc_timestamp + - source.ip + - destination.ip + - file.name + - file.mime_type + - file.source + - file.bytes.total + - log.id.fuid + - log.id.uid + '::ftp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ftp.user + - ftp.command + - ftp.argument + - ftp.reply_code + - file.size + - log.id.uid + '::http': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - http.method + - http.virtual_host + - http.status_code + - http.status_message + - http.request.body.length + - http.response.body.length + - log.id.uid + - network.community_id + '::intel': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - intel.indicator + - intel.indicator_type + - intel.seen_where + - log.id.uid + '::irc': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - irc.username + - irc.nickname + - irc.command.type + - irc.command.value + - irc.command.info + - log.id.uid + '::kerberos': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - kerberos.client + - kerberos.service + - kerberos.request_type + - log.id.uid + '::modbus': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - modbus.function + - log.id.uid + '::mysql': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - mysql.command + - mysql.argument + - mysql.success + - mysql.response + - log.id.uid + '::notice': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - notice.note + - notice.message + - log.id.fuid + - log.id.uid + - network.community_id + '::ntlm': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ntlm.name + - ntlm.success + - ntlm.server.dns.name + - ntlm.server.nb.name + - ntlm.server.tree.name + - log.id.uid + '::pe': + - soc_timestamp + - file.is_64bit + - file.is_exe + - file.machine + - file.os + - file.subsystem + - log.id.fuid + '::radius': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - log.id.uid + - username + - radius.framed_address + - radius.reply_message + - radius.result + '::rdp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rdp.client_build + - client_name + - rdp.cookie + - rdp.encryption_level + - rdp.encryption_method + - rdp.keyboard_layout + - rdp.result + - rdp.security_protocol + - log.id.uid + '::rfb': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rfb.authentication.method + - rfb.authentication.success + - rfb.share_flag + - rfb.desktop.name + - log.id.uid + '::signatures': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - note + - signature_id + - event_message + - sub_message + - signature_count + - host.count + - log.id.uid + '::sip': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - sip.method + - sip.uri + - sip.request.from + - sip.request.to + - sip.response.from + - sip.response.to + - sip.call_id + - sip.subject + - sip.user_agent + - sip.status_code + - log.id.uid + '::smb_files': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - log.id.fuid + - file.action + - file.path + - file.name + - file.size + - file.prev_name + - log.id.uid + '::smb_mapping': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - smb.path + - smb.service + - smb.share_type + - log.id.uid + '::smtp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - smtp.from + - smtp.recipient_to + - smtp.subject + - smtp.useragent + - log.id.uid + - network.community_id + '::snmp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - snmp.community + - snmp.version + - log.id.uid + '::socks': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - socks.name + - socks.request.host + - socks.request.port + - socks.status + - log.id.uid + '::software': + - soc_timestamp + - source.ip + - software.name + - software.type + '::ssh': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ssh.version + - ssh.hassh_version + - ssh.direction + - ssh.client + - ssh.server + - log.id.uid + '::ssl': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ssl.server_name + - ssl.certificate.subject + - ssl.validation_status + - ssl.version + - log.id.uid + ':zeek:syslog': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - syslog.facility + - network.protocol + - syslog.severity + - log.id.uid + '::tunnels': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - tunnel_type + - action + - log.id.uid + '::weird': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - weird.name + - log.id.uid + '::x509': + - soc_timestamp + - x509.certificate.subject + - x509.certificate.key.type + - x509.certificate.key.length + - x509.certificate.issuer + - log.id.fuid + '::firewall': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.transport + - network.direction + - interface.name + - rule.action + - rule.reason + - network.community_id + ':osquery:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - source.hostname + - event.dataset + - process.executable + - user.name + ':ossec:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rule.name + - rule.level + - rule.category + - process.name + - user.name + - user.escalated + - location + ':strelka:file': + - soc_timestamp + - file.name + - file.size + - hash.md5 + - file.source + - file.mime_type + - log.id.fuid + ':suricata:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rule.name + - rule.category + - event.severity_label + - log.id.uid + - network.community_id + ':sysmon:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - source.hostname + - event.dataset + - process.executable + - user.name + ':windows_eventlog:': + - soc_timestamp + - user.name + ':elasticsearch:': + - soc_timestamp + - agent.name + - message + - log.level + - metadata.version + - metadata.pipeline + - event.dataset + ':kibana:': + - soc_timestamp + - host.name + - message + - kibana.log.meta.req.headers.x-real-ip + - event.dataset + '::rootcheck': + - soc_timestamp + - host.name + - metadata.ip_address + - log.full + - event.dataset + - event.module + '::ossec': + - soc_timestamp + - host.name + - metadata.ip_address + - log.full + - event.dataset + - event.module + '::syscollector': + - soc_timestamp + - host.name + - metadata.ip_address + - wazuh.data.type + - log.full + - event.dataset + - event.module + ':syslog:syslog': + - soc_timestamp + - host.name + - metadata.ip_address + - real_message + - syslog.priority + - syslog.application + ':aws:': + - soc_timestamp + - aws.cloudtrail.event_category + - aws.cloudtrail.event_type + - event.provider + - event.action + - event.outcome + - cloud.region + - user.name + - source.ip + - source.geo.region_iso_code + ':squid:': + - soc_timestamp + - url.original + - destination.ip + - destination.geo.country_iso_code + - user.name + - source.ip + queryBaseFilter: + queryToggleFilters: + - name: caseExcludeToggle, + filter: 'NOT _index:"*:so-case*"' + enabled: true + queries: + - name: Overview + description: Overview of all events + query: '* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module | groupby event.dataset | groupby event.module | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: SOC Auth + description: Show all SOC authentication logs + query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent' + - name: Elastalerts + description: Elastalert logs + query: '_index: "*:elastalert*" | groupby rule_name | groupby alert_info.type' + - name: Alerts + description: Show all alerts + query: 'event.dataset: alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: NIDS Alerts + description: NIDS alerts + query: 'event.category: network AND event.dataset: alert | groupby rule.category | groupby rule.gid | groupby rule.uuid | groupby rule.name | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: Wazuh/OSSEC + description: Wazuh/OSSEC HIDS alerts and logs + query: 'event.module:ossec | groupby rule.category | groupby rule.uuid | groupby rule.name | groupby agent.id | groupby agent.name | groupby log.full' + - name: Sysmon + description: Sysmon logs + query: 'event.module:sysmon | groupby event.dataset | groupby user.name | groupby process.executable | groupby process.command_line | groupby process.parent.command_line' + - name: Strelka + description: Strelka logs + query: 'event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source' + - name: Zeek Notice + description: Zeek Notice logs + query: 'event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: Connections + description: Connection logs + query: 'event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes' + - name: DCE_RPC + description: DCE_RPC logs + query: 'event.dataset:dce_rpc | groupby dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: DHCP + description: Dynamic Host Configuration Protocol leases + query: 'event.dataset:dhcp | groupby host.hostname | groupby host.domain | groupby dhcp.message_types | groupby client.address | groupby server.address' + - name: DNP3 + description: DNP3 logs + query: 'event.dataset:dnp3 | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby dnp3.iin | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: DNS + description: Domain Name System queries + query: 'event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: DPD + description: Dynamic Protocol Detection errors + query: 'event.dataset:dpd | groupby error.reason | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol' + - name: Files + description: Files seen in network traffic + query: 'event.dataset:file | groupby file.mime_type | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip' + - name: FTP + description: File Transfer Protocol logs + query: 'event.dataset:ftp | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: HTTP + description: Hyper Text Transport Protocol logs + query: 'event.dataset:http | groupby http.method | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: Intel + description: Zeek Intel framework hits + query: 'event.dataset:intel | groupby intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: IRC + description: Internet Relay Chat logs + query: 'event.dataset:irc | groupby irc.command.type | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: Kerberos + description: Kerberos logs + query: 'event.dataset:kerberos | groupby kerberos.service | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: MODBUS + description: MODBUS logs + query: 'event.dataset:modbus | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: MYSQL + description: MYSQL logs + query: 'event.dataset:mysql | groupby mysql.command | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: NOTICE + description: Zeek notice logs + query: 'event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: NTLM + description: NTLM logs + query: 'event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: Osquery Live Queries + description: Osquery Live Query results + query: 'event.dataset:live_query | groupby host.hostname' + - name: PE + description: PE files list + query: 'event.dataset:pe | groupby file.machine | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit' + - name: RADIUS + description: RADIUS logs + query: 'event.dataset:radius | groupby user.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: RDP + description: RDP logs + query: 'event.dataset:rdp | groupby client.name | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: RFB + description: RFB logs + query: 'event.dataset:rfb | groupby rfb.desktop.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: Signatures + description: Zeek signatures + query: 'event.dataset:signatures | groupby signature_id' + - name: SIP + description: SIP logs + query: 'event.dataset:sip | groupby client.user_agent | groupby sip.method | groupby sip.uri | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: SMB_Files + description: SMB files + query: 'event.dataset:smb_files | groupby file.action | groupby file.path | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: SMB_Mapping + description: SMB mapping logs + query: 'event.dataset:smb_mapping | groupby smb.share_type | groupby smb.path | groupby smb.service | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: SMTP + description: SMTP logs + query: 'event.dataset:smtp | groupby smtp.from | groupby smtp.recipient_to | groupby smtp.subject | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: SNMP + description: SNMP logs + query: 'event.dataset:snmp | groupby snmp.community | groupby snmp.version | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: Software + description: List of software seen on the network by Zeek + query: 'event.dataset:software | groupby software.type | groupby software.name | groupby source.ip' + - name: SSH + description: SSH connections seen by Zeek + query: 'event.dataset:ssh | groupby ssh.client | groupby ssh.server | groupby ssh.direction | groupby ssh.version | groupby ssh.hassh_version | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: SSL + description: SSL logs + query: 'event.dataset:ssl | groupby ssl.version | groupby ssl.validation_status | groupby ssl.server_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: SYSLOG + description: SYSLOG logs + query: 'event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby network.protocol | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: Tunnel + description: Tunnels seen by Zeek + query: 'event.dataset:tunnel | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: Weird + description: Weird network traffic seen by Zeek + query: 'event.dataset:weird | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port ' + - name: x509 + description: x.509 certificates seen by Zeek + query: 'event.dataset:x509 | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer' + - name: Firewall + description: Firewall logs + query: 'event.dataset:firewall | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port' job: - actions: - - name: actionHunt - description: actionHuntHelp - icon: fa-crosshairs - target: - links: - - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' - - name: actionCorrelate - description: actionCorrelateHelp - icon: fab fa-searchengin - target: - links: - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' - - name: actionPcap - description: actionPcapHelp - icon: fa-stream - target: - links: - - '/joblookup?esid={:soc_id}&time={:@timestamp}' - - '/joblookup?ncid={:network.community_id}&time={:@timestamp}' - categories: - - hunt - - alerts - - name: actionCyberChef - description: actionCyberChefHelp - icon: fas fa-bread-slice - target: _blank - links: - - '/cyberchef/#input={value|base64}' - - name: actionGoogle - description: actionGoogleHelp - icon: fab fa-google - target: _blank - links: - - 'https://www.google.com/search?q={value}' - - name: actionVirusTotal - description: actionVirusTotalHelp - icon: fa-external-link-alt - target: _blank - links: - - 'https://www.virustotal.com/gui/search/{value}' alerts: advanced: false groupItemsPerPage: 50 @@ -935,18 +1542,18 @@ soc: - user.escalated - location - process.name - queryBaseFilter: event.dataset:alert - queryToggleFilters: - - name: acknowledged - filter: event.acknowledged:true - enabled: false - exclusive: true - - name: escalated - filter: event.escalated:true - enabled: false - exclusive: true - enablesToggles: - - acknowledged + queryBaseFilter: event.dataset:alert + queryToggleFilters: + - name: acknowledged + filter: event.acknowledged:true + enabled: false + exclusive: true + - name: escalated + filter: event.escalated:true + enabled: false + exclusive: true + enablesToggles: + - acknowledged queries: - name: 'Group By Name, Module' query: '* | groupby rule.name event.module event.severity_label' @@ -962,54 +1569,6 @@ soc: query: '* | groupby destination.port rule.name event.severity_label' - name: Ungroup query: '*' - actions: - - name: actionHunt - description: actionHuntHelp - icon: fa-crosshairs - target: - links: - - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' - - name: actionCorrelate - description: actionCorrelateHelp - icon: fab fa-searchengin - target: - links: - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' - - name: actionPcap - description: actionPcapHelp - icon: fa-stream - target: - links: - - '/joblookup?esid={:soc_id}&time={:@timestamp}' - - '/joblookup?ncid={:network.community_id}&time={:@timestamp}' - categories: - - hunt - - alerts - - name: actionCyberChef - description: actionCyberChefHelp - icon: fas fa-bread-slice - target: _blank - links: - - '/cyberchef/#input={value|base64}' - - name: actionGoogle - description: actionGoogleHelp - icon: fab fa-google - target: _blank - links: - - 'https://www.google.com/search?q={value}' - - name: actionVirusTotal - description: actionVirusTotalHelp - icon: fa-external-link-alt - target: _blank - links: - - 'https://www.virustotal.com/gui/search/{value}' - cases: advanced: false groupItemsPerPage: 50 @@ -1045,53 +1604,6 @@ soc: query: 'so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}' - name: Templates query: 'so_case.category:template' - actions: - - name: actionHunt - description: actionHuntHelp - icon: fa-crosshairs - target: - links: - - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' - - name: actionCorrelate - description: actionCorrelateHelp - icon: fab fa-searchengin - target: - links: - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' - - name: actionPcap - description: actionPcapHelp - icon: fa-stream - target: - links: - - '/joblookup?esid={:soc_id}&time={:@timestamp}' - - '/joblookup?ncid={:network.community_id}&time={:@timestamp}' - categories: - - hunt - - alerts - - name: actionCyberChef - description: actionCyberChefHelp - icon: fas fa-bread-slice - target: _blank - links: - - '/cyberchef/#input={value|base64}' - - name: actionGoogle - description: actionGoogleHelp - icon: fab fa-google - target: _blank - links: - - 'https://www.google.com/search?q={value}' - - name: actionVirusTotal - description: actionVirusTotalHelp - icon: fa-external-link-alt - target: _blank - links: - - 'https://www.virustotal.com/gui/search/{value}' case: mostRecentlyUsedLimit: 5 renderAbbreviatedCount: 30 diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja index 93c7d0e01..878ea72e6 100644 --- a/salt/soc/merged.map.jinja +++ b/salt/soc/merged.map.jinja @@ -27,7 +27,7 @@ 'docsUrl': '/docs/', 'cheatsheetUrl': '/docs/cheatsheet.pdf', 'releaseNotesUrl': '/docs/#release-notes' - }) + }) %} {% endif %} @@ -41,16 +41,22 @@ {% do SOCMERGED.server.client.inactiveTools.append('toolGrafana') %} {% endif %} + +{% set standard_actions = SOCMERGED.pop('actions') %} {% if pillar.global.endgamehost is defined %} -{% set endgame_dict = { - "name": "Endgame", - "description": "Endgame Endpoint Investigation and Response", - "icon": "fa-external-link-alt", +{% set endgame_dict = { + "name": "Endgame", + "description": "Endgame Endpoint Investigation and Response", + "icon": "fa-external-link-alt", "target": "_blank", - "links": ["https://{{ pillar.global.endgamehost }}/endpoints/{:agent.id}"] + "links": ["https://" ~ pillar.global.endgamehost ~ "/endpoints/{:agent.id}"] } %} -{% for action in SOCMERGED.server.client.job.actions %} -{% do SOCMERGED.server.client.job.actions.update(action, endgame_dict)%} -{% endfor %} +{% do standard_actions.append(endgame_dict) %} {% endif %} + +{% do SOCMERGED.server.client.hunt.update({'actions': standard_actions}) %} +{% do SOCMERGED.server.client.dashboards.update({'actions': standard_actions}) %} +{% do SOCMERGED.server.client.update({'job': {'actions': standard_actions}}) %} +{% do SOCMERGED.server.client.alerts.update({'actions': standard_actions}) %} +{% do SOCMERGED.server.client.cases.update({'actions': standard_actions}) %}