fix soc dashboards and things
@@ -1,5 +1,52 @@
|
||||
soc:
|
||||
logFilename: /opt/sensoroni/logs/sensoroni-server.log
|
||||
actions:
|
||||
- name: actionHunt
|
||||
description: actionHuntHelp
|
||||
icon: fa-crosshairs
|
||||
target:
|
||||
links:
|
||||
- '/#/hunt?q="{value|escape}" | groupby event.module event.dataset'
|
||||
- name: actionCorrelate
|
||||
description: actionCorrelateHelp
|
||||
icon: fab fa-searchengin
|
||||
target:
|
||||
links:
|
||||
- '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset'
|
||||
- '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset'
|
||||
- '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset'
|
||||
- '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset'
|
||||
- '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset'
|
||||
- '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset'
|
||||
- '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset'
|
||||
- name: actionPcap
|
||||
description: actionPcapHelp
|
||||
icon: fa-stream
|
||||
target:
|
||||
links:
|
||||
- '/joblookup?esid={:soc_id}&time={:@timestamp}'
|
||||
- '/joblookup?ncid={:network.community_id}&time={:@timestamp}'
|
||||
categories:
|
||||
- hunt
|
||||
- alerts
|
||||
- name: actionCyberChef
|
||||
description: actionCyberChefHelp
|
||||
icon: fas fa-bread-slice
|
||||
target: _blank
|
||||
links:
|
||||
- '/cyberchef/#input={value|base64}'
|
||||
- name: actionGoogle
|
||||
description: actionGoogleHelp
|
||||
icon: fab fa-google
|
||||
target: _blank
|
||||
links:
|
||||
- 'https://www.google.com/search?q={value}'
|
||||
- name: actionVirusTotal
|
||||
description: actionVirusTotalHelp
|
||||
icon: fa-external-link-alt
|
||||
target: _blank
|
||||
links:
|
||||
- 'https://www.virustotal.com/gui/search/{value}'
|
||||
server:
|
||||
bindAddress: 0.0.0.0:9822
|
||||
baseUrl: /
|
||||
@@ -800,101 +847,661 @@ soc:
|
||||
- name: Firewall
|
||||
description: Firewall events grouped by action
|
||||
query: 'event.dataset:firewall | groupby rule.action'
|
||||
actions:
|
||||
- name: actionHunt
|
||||
description: actionHuntHelp
|
||||
icon: fa-crosshairs
|
||||
target:
|
||||
links:
|
||||
- '/#/hunt?q="{value|escape}" | groupby event.module event.dataset'
|
||||
- name: actionCorrelate
|
||||
description: actionCorrelateHelp
|
||||
icon: fab fa-searchengin
|
||||
target:
|
||||
links:
|
||||
- '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset'
|
||||
- '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset'
|
||||
- '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset'
|
||||
- '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset'
|
||||
- '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset'
|
||||
- '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset'
|
||||
- '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset'
|
||||
- name: actionPcap
|
||||
description: actionPcapHelp
|
||||
icon: fa-stream
|
||||
target:
|
||||
links:
|
||||
- '/joblookup?esid={:soc_id}&time={:@timestamp}'
|
||||
- '/joblookup?ncid={:network.community_id}&time={:@timestamp}'
|
||||
categories:
|
||||
- hunt
|
||||
- alerts
|
||||
- name: actionCyberChef
|
||||
description: actionCyberChefHelp
|
||||
icon: fas fa-bread-slice
|
||||
target: _blank
|
||||
links:
|
||||
- '/cyberchef/#input={value|base64}'
|
||||
- name: actionGoogle
|
||||
description: actionGoogleHelp
|
||||
icon: fab fa-google
|
||||
target: _blank
|
||||
links:
|
||||
- 'https://www.google.com/search?q={value}'
|
||||
- name: actionVirusTotal
|
||||
description: actionVirusTotalHelp
|
||||
icon: fa-external-link-alt
|
||||
target: _blank
|
||||
links:
|
||||
- 'https://www.virustotal.com/gui/search/{value}'
|
||||
dashboards:
|
||||
advanced: true
|
||||
groupItemsPerPage: 10
|
||||
groupFetchLimit: 10
|
||||
eventItemsPerPage: 10
|
||||
eventFetchLimit: 100
|
||||
relativeTimeValue: 24
|
||||
relativeTimeUnit: 30
|
||||
mostRecentlyUsedLimit: 0
|
||||
ackEnabled: false
|
||||
escalateEnabled: true
|
||||
escalateRelatedEventsEnabled: true
|
||||
aggregationActionsEnabled: false
|
||||
eventFields:
|
||||
default:
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- log.id.uid
|
||||
- network.community_id
|
||||
- event.dataset
|
||||
':kratos:audit':
|
||||
- soc_timestamp
|
||||
- http_request.headers.x-real-ip
|
||||
- identity_id
|
||||
- http_request.headers.user-agent
|
||||
'::conn':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- network.transport
|
||||
- network.protocol
|
||||
- log.id.uid
|
||||
- network.community_id
|
||||
'::dce_rpc':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- dce_rpc.endpoint
|
||||
- dce_rpc.named_pipe
|
||||
- dce_rpc.operation
|
||||
- log.id.uid
|
||||
'::dhcp':
|
||||
- soc_timestamp
|
||||
- client.address
|
||||
- server.address
|
||||
- host.domain
|
||||
- host.hostname
|
||||
- dhcp.message_types
|
||||
- log.id.uid
|
||||
'::dnp3':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- dnp3.fc_reply
|
||||
- log.id.uid
|
||||
'::dns':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- network.transport
|
||||
- dns.query.name
|
||||
- dns.query.type_name
|
||||
- dns.response.code_name
|
||||
- log.id.uid
|
||||
- network.community_id
|
||||
'::dpd':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- network.protocol
|
||||
- observer.analyser
|
||||
- error.reason
|
||||
- log.id.uid
|
||||
'::file':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- destination.ip
|
||||
- file.name
|
||||
- file.mime_type
|
||||
- file.source
|
||||
- file.bytes.total
|
||||
- log.id.fuid
|
||||
- log.id.uid
|
||||
'::ftp':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- ftp.user
|
||||
- ftp.command
|
||||
- ftp.argument
|
||||
- ftp.reply_code
|
||||
- file.size
|
||||
- log.id.uid
|
||||
'::http':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- http.method
|
||||
- http.virtual_host
|
||||
- http.status_code
|
||||
- http.status_message
|
||||
- http.request.body.length
|
||||
- http.response.body.length
|
||||
- log.id.uid
|
||||
- network.community_id
|
||||
'::intel':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- intel.indicator
|
||||
- intel.indicator_type
|
||||
- intel.seen_where
|
||||
- log.id.uid
|
||||
'::irc':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- irc.username
|
||||
- irc.nickname
|
||||
- irc.command.type
|
||||
- irc.command.value
|
||||
- irc.command.info
|
||||
- log.id.uid
|
||||
'::kerberos':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- kerberos.client
|
||||
- kerberos.service
|
||||
- kerberos.request_type
|
||||
- log.id.uid
|
||||
'::modbus':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- modbus.function
|
||||
- log.id.uid
|
||||
'::mysql':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- mysql.command
|
||||
- mysql.argument
|
||||
- mysql.success
|
||||
- mysql.response
|
||||
- log.id.uid
|
||||
'::notice':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- notice.note
|
||||
- notice.message
|
||||
- log.id.fuid
|
||||
- log.id.uid
|
||||
- network.community_id
|
||||
'::ntlm':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- ntlm.name
|
||||
- ntlm.success
|
||||
- ntlm.server.dns.name
|
||||
- ntlm.server.nb.name
|
||||
- ntlm.server.tree.name
|
||||
- log.id.uid
|
||||
'::pe':
|
||||
- soc_timestamp
|
||||
- file.is_64bit
|
||||
- file.is_exe
|
||||
- file.machine
|
||||
- file.os
|
||||
- file.subsystem
|
||||
- log.id.fuid
|
||||
'::radius':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- log.id.uid
|
||||
- username
|
||||
- radius.framed_address
|
||||
- radius.reply_message
|
||||
- radius.result
|
||||
'::rdp':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- rdp.client_build
|
||||
- client_name
|
||||
- rdp.cookie
|
||||
- rdp.encryption_level
|
||||
- rdp.encryption_method
|
||||
- rdp.keyboard_layout
|
||||
- rdp.result
|
||||
- rdp.security_protocol
|
||||
- log.id.uid
|
||||
'::rfb':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- rfb.authentication.method
|
||||
- rfb.authentication.success
|
||||
- rfb.share_flag
|
||||
- rfb.desktop.name
|
||||
- log.id.uid
|
||||
'::signatures':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- note
|
||||
- signature_id
|
||||
- event_message
|
||||
- sub_message
|
||||
- signature_count
|
||||
- host.count
|
||||
- log.id.uid
|
||||
'::sip':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- sip.method
|
||||
- sip.uri
|
||||
- sip.request.from
|
||||
- sip.request.to
|
||||
- sip.response.from
|
||||
- sip.response.to
|
||||
- sip.call_id
|
||||
- sip.subject
|
||||
- sip.user_agent
|
||||
- sip.status_code
|
||||
- log.id.uid
|
||||
'::smb_files':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- log.id.fuid
|
||||
- file.action
|
||||
- file.path
|
||||
- file.name
|
||||
- file.size
|
||||
- file.prev_name
|
||||
- log.id.uid
|
||||
'::smb_mapping':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- smb.path
|
||||
- smb.service
|
||||
- smb.share_type
|
||||
- log.id.uid
|
||||
'::smtp':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- smtp.from
|
||||
- smtp.recipient_to
|
||||
- smtp.subject
|
||||
- smtp.useragent
|
||||
- log.id.uid
|
||||
- network.community_id
|
||||
'::snmp':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- snmp.community
|
||||
- snmp.version
|
||||
- log.id.uid
|
||||
'::socks':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- socks.name
|
||||
- socks.request.host
|
||||
- socks.request.port
|
||||
- socks.status
|
||||
- log.id.uid
|
||||
'::software':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- software.name
|
||||
- software.type
|
||||
'::ssh':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- ssh.version
|
||||
- ssh.hassh_version
|
||||
- ssh.direction
|
||||
- ssh.client
|
||||
- ssh.server
|
||||
- log.id.uid
|
||||
'::ssl':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- ssl.server_name
|
||||
- ssl.certificate.subject
|
||||
- ssl.validation_status
|
||||
- ssl.version
|
||||
- log.id.uid
|
||||
':zeek:syslog':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- syslog.facility
|
||||
- network.protocol
|
||||
- syslog.severity
|
||||
- log.id.uid
|
||||
'::tunnels':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- tunnel_type
|
||||
- action
|
||||
- log.id.uid
|
||||
'::weird':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- weird.name
|
||||
- log.id.uid
|
||||
'::x509':
|
||||
- soc_timestamp
|
||||
- x509.certificate.subject
|
||||
- x509.certificate.key.type
|
||||
- x509.certificate.key.length
|
||||
- x509.certificate.issuer
|
||||
- log.id.fuid
|
||||
'::firewall':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- network.transport
|
||||
- network.direction
|
||||
- interface.name
|
||||
- rule.action
|
||||
- rule.reason
|
||||
- network.community_id
|
||||
':osquery:':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- source.hostname
|
||||
- event.dataset
|
||||
- process.executable
|
||||
- user.name
|
||||
':ossec:':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- rule.name
|
||||
- rule.level
|
||||
- rule.category
|
||||
- process.name
|
||||
- user.name
|
||||
- user.escalated
|
||||
- location
|
||||
':strelka:file':
|
||||
- soc_timestamp
|
||||
- file.name
|
||||
- file.size
|
||||
- hash.md5
|
||||
- file.source
|
||||
- file.mime_type
|
||||
- log.id.fuid
|
||||
':suricata:':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- rule.name
|
||||
- rule.category
|
||||
- event.severity_label
|
||||
- log.id.uid
|
||||
- network.community_id
|
||||
':sysmon:':
|
||||
- soc_timestamp
|
||||
- source.ip
|
||||
- source.port
|
||||
- destination.ip
|
||||
- destination.port
|
||||
- source.hostname
|
||||
- event.dataset
|
||||
- process.executable
|
||||
- user.name
|
||||
':windows_eventlog:':
|
||||
- soc_timestamp
|
||||
- user.name
|
||||
':elasticsearch:':
|
||||
- soc_timestamp
|
||||
- agent.name
|
||||
- message
|
||||
- log.level
|
||||
- metadata.version
|
||||
- metadata.pipeline
|
||||
- event.dataset
|
||||
':kibana:':
|
||||
- soc_timestamp
|
||||
- host.name
|
||||
- message
|
||||
- kibana.log.meta.req.headers.x-real-ip
|
||||
- event.dataset
|
||||
'::rootcheck':
|
||||
- soc_timestamp
|
||||
- host.name
|
||||
- metadata.ip_address
|
||||
- log.full
|
||||
- event.dataset
|
||||
- event.module
|
||||
'::ossec':
|
||||
- soc_timestamp
|
||||
- host.name
|
||||
- metadata.ip_address
|
||||
- log.full
|
||||
- event.dataset
|
||||
- event.module
|
||||
'::syscollector':
|
||||
- soc_timestamp
|
||||
- host.name
|
||||
- metadata.ip_address
|
||||
- wazuh.data.type
|
||||
- log.full
|
||||
- event.dataset
|
||||
- event.module
|
||||
':syslog:syslog':
|
||||
- soc_timestamp
|
||||
- host.name
|
||||
- metadata.ip_address
|
||||
- real_message
|
||||
- syslog.priority
|
||||
- syslog.application
|
||||
':aws:':
|
||||
- soc_timestamp
|
||||
- aws.cloudtrail.event_category
|
||||
- aws.cloudtrail.event_type
|
||||
- event.provider
|
||||
- event.action
|
||||
- event.outcome
|
||||
- cloud.region
|
||||
- user.name
|
||||
- source.ip
|
||||
- source.geo.region_iso_code
|
||||
':squid:':
|
||||
- soc_timestamp
|
||||
- url.original
|
||||
- destination.ip
|
||||
- destination.geo.country_iso_code
|
||||
- user.name
|
||||
- source.ip
|
||||
queryBaseFilter:
|
||||
queryToggleFilters:
|
||||
- name: caseExcludeToggle,
|
||||
filter: 'NOT _index:"*:so-case*"'
|
||||
enabled: true
|
||||
queries:
|
||||
- name: Overview
|
||||
description: Overview of all events
|
||||
query: '* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module | groupby event.dataset | groupby event.module | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: SOC Auth
|
||||
description: Show all SOC authentication logs
|
||||
query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent'
|
||||
- name: Elastalerts
|
||||
description: Elastalert logs
|
||||
query: '_index: "*:elastalert*" | groupby rule_name | groupby alert_info.type'
|
||||
- name: Alerts
|
||||
description: Show all alerts
|
||||
query: 'event.dataset: alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: NIDS Alerts
|
||||
description: NIDS alerts
|
||||
query: 'event.category: network AND event.dataset: alert | groupby rule.category | groupby rule.gid | groupby rule.uuid | groupby rule.name | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: Wazuh/OSSEC
|
||||
description: Wazuh/OSSEC HIDS alerts and logs
|
||||
query: 'event.module:ossec | groupby rule.category | groupby rule.uuid | groupby rule.name | groupby agent.id | groupby agent.name | groupby log.full'
|
||||
- name: Sysmon
|
||||
description: Sysmon logs
|
||||
query: 'event.module:sysmon | groupby event.dataset | groupby user.name | groupby process.executable | groupby process.command_line | groupby process.parent.command_line'
|
||||
- name: Strelka
|
||||
description: Strelka logs
|
||||
query: 'event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source'
|
||||
- name: Zeek Notice
|
||||
description: Zeek Notice logs
|
||||
query: 'event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: Connections
|
||||
description: Connection logs
|
||||
query: 'event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes'
|
||||
- name: DCE_RPC
|
||||
description: DCE_RPC logs
|
||||
query: 'event.dataset:dce_rpc | groupby dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: DHCP
|
||||
description: Dynamic Host Configuration Protocol leases
|
||||
query: 'event.dataset:dhcp | groupby host.hostname | groupby host.domain | groupby dhcp.message_types | groupby client.address | groupby server.address'
|
||||
- name: DNP3
|
||||
description: DNP3 logs
|
||||
query: 'event.dataset:dnp3 | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby dnp3.iin | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: DNS
|
||||
description: Domain Name System queries
|
||||
query: 'event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: DPD
|
||||
description: Dynamic Protocol Detection errors
|
||||
query: 'event.dataset:dpd | groupby error.reason | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol'
|
||||
- name: Files
|
||||
description: Files seen in network traffic
|
||||
query: 'event.dataset:file | groupby file.mime_type | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip'
|
||||
- name: FTP
|
||||
description: File Transfer Protocol logs
|
||||
query: 'event.dataset:ftp | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: HTTP
|
||||
description: Hyper Text Transport Protocol logs
|
||||
query: 'event.dataset:http | groupby http.method | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: Intel
|
||||
description: Zeek Intel framework hits
|
||||
query: 'event.dataset:intel | groupby intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: IRC
|
||||
description: Internet Relay Chat logs
|
||||
query: 'event.dataset:irc | groupby irc.command.type | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: Kerberos
|
||||
description: Kerberos logs
|
||||
query: 'event.dataset:kerberos | groupby kerberos.service | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: MODBUS
|
||||
description: MODBUS logs
|
||||
query: 'event.dataset:modbus | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: MYSQL
|
||||
description: MYSQL logs
|
||||
query: 'event.dataset:mysql | groupby mysql.command | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: NOTICE
|
||||
description: Zeek notice logs
|
||||
query: 'event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: NTLM
|
||||
description: NTLM logs
|
||||
query: 'event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: Osquery Live Queries
|
||||
description: Osquery Live Query results
|
||||
query: 'event.dataset:live_query | groupby host.hostname'
|
||||
- name: PE
|
||||
description: PE files list
|
||||
query: 'event.dataset:pe | groupby file.machine | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit'
|
||||
- name: RADIUS
|
||||
description: RADIUS logs
|
||||
query: 'event.dataset:radius | groupby user.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: RDP
|
||||
description: RDP logs
|
||||
query: 'event.dataset:rdp | groupby client.name | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: RFB
|
||||
description: RFB logs
|
||||
query: 'event.dataset:rfb | groupby rfb.desktop.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: Signatures
|
||||
description: Zeek signatures
|
||||
query: 'event.dataset:signatures | groupby signature_id'
|
||||
- name: SIP
|
||||
description: SIP logs
|
||||
query: 'event.dataset:sip | groupby client.user_agent | groupby sip.method | groupby sip.uri | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: SMB_Files
|
||||
description: SMB files
|
||||
query: 'event.dataset:smb_files | groupby file.action | groupby file.path | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: SMB_Mapping
|
||||
description: SMB mapping logs
|
||||
query: 'event.dataset:smb_mapping | groupby smb.share_type | groupby smb.path | groupby smb.service | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: SMTP
|
||||
description: SMTP logs
|
||||
query: 'event.dataset:smtp | groupby smtp.from | groupby smtp.recipient_to | groupby smtp.subject | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: SNMP
|
||||
description: SNMP logs
|
||||
query: 'event.dataset:snmp | groupby snmp.community | groupby snmp.version | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: Software
|
||||
description: List of software seen on the network by Zeek
|
||||
query: 'event.dataset:software | groupby software.type | groupby software.name | groupby source.ip'
|
||||
- name: SSH
|
||||
description: SSH connections seen by Zeek
|
||||
query: 'event.dataset:ssh | groupby ssh.client | groupby ssh.server | groupby ssh.direction | groupby ssh.version | groupby ssh.hassh_version | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: SSL
|
||||
description: SSL logs
|
||||
query: 'event.dataset:ssl | groupby ssl.version | groupby ssl.validation_status | groupby ssl.server_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: SYSLOG
|
||||
description: SYSLOG logs
|
||||
query: 'event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby network.protocol | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: Tunnel
|
||||
description: Tunnels seen by Zeek
|
||||
query: 'event.dataset:tunnel | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
- name: Weird
|
||||
description: Weird network traffic seen by Zeek
|
||||
query: 'event.dataset:weird | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port '
|
||||
- name: x509
|
||||
description: x.509 certificates seen by Zeek
|
||||
query: 'event.dataset:x509 | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer'
|
||||
- name: Firewall
|
||||
description: Firewall logs
|
||||
query: 'event.dataset:firewall | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port'
|
||||
job:
|
||||
actions:
|
||||
- name: actionHunt
|
||||
description: actionHuntHelp
|
||||
icon: fa-crosshairs
|
||||
target:
|
||||
links:
|
||||
- '/#/hunt?q="{value|escape}" | groupby event.module event.dataset'
|
||||
- name: actionCorrelate
|
||||
description: actionCorrelateHelp
|
||||
icon: fab fa-searchengin
|
||||
target:
|
||||
links:
|
||||
- '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset'
|
||||
- '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset'
|
||||
- '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset'
|
||||
- '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset'
|
||||
- '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset'
|
||||
- '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset'
|
||||
- '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset'
|
||||
- name: actionPcap
|
||||
description: actionPcapHelp
|
||||
icon: fa-stream
|
||||
target:
|
||||
links:
|
||||
- '/joblookup?esid={:soc_id}&time={:@timestamp}'
|
||||
- '/joblookup?ncid={:network.community_id}&time={:@timestamp}'
|
||||
categories:
|
||||
- hunt
|
||||
- alerts
|
||||
- name: actionCyberChef
|
||||
description: actionCyberChefHelp
|
||||
icon: fas fa-bread-slice
|
||||
target: _blank
|
||||
links:
|
||||
- '/cyberchef/#input={value|base64}'
|
||||
- name: actionGoogle
|
||||
description: actionGoogleHelp
|
||||
icon: fab fa-google
|
||||
target: _blank
|
||||
links:
|
||||
- 'https://www.google.com/search?q={value}'
|
||||
- name: actionVirusTotal
|
||||
description: actionVirusTotalHelp
|
||||
icon: fa-external-link-alt
|
||||
target: _blank
|
||||
links:
|
||||
- 'https://www.virustotal.com/gui/search/{value}'
|
||||
alerts:
|
||||
advanced: false
|
||||
groupItemsPerPage: 50
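Review bot: `- name: caseExcludeToggle,` carries a trailing comma, so the toggle's name becomes the literal string `caseExcludeToggle,` and will not match whatever key the UI resolves it against (the other names such as `actionHunt`/`actionHuntHelp` look like translation keys); drop the comma: `- name: caseExcludeToggle`. The Tunnel dashboard queries `event.dataset:tunnel` and groups by `tunnel.type`/`event.action`, while the matching eventFields entry is keyed `'::tunnels'` and lists `tunnel_type`/`action` — one side is wrong and the column list will not apply to that dataset. The Google and VirusTotal actions are now part of the shared action list for every view and send the clicked `{value}` to a third party without the `|escape` the hunt link applies; whether the placeholder is URL-encoded before substitution cannot be confirmed from this file, so a comment above those two entries would help operators, e.g. `# NOTE: external lookup - the raw field value leaves the SOC; remove or gate if indicators are sensitive`. `Zeek Notice` and `NOTICE` are two dashboards with the same `event.dataset:notice` query and groupbys; one of them is redundant.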
|
||||
@@ -962,54 +1569,6 @@ soc:
|
||||
query: '* | groupby destination.port rule.name event.severity_label'
|
||||
- name: Ungroup
|
||||
query: '*'
|
||||
actions:
|
||||
- name: actionHunt
|
||||
description: actionHuntHelp
|
||||
icon: fa-crosshairs
|
||||
target:
|
||||
links:
|
||||
- '/#/hunt?q="{value|escape}" | groupby event.module event.dataset'
|
||||
- name: actionCorrelate
|
||||
description: actionCorrelateHelp
|
||||
icon: fab fa-searchengin
|
||||
target:
|
||||
links:
|
||||
- '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset'
|
||||
- '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset'
|
||||
- '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset'
|
||||
- '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset'
|
||||
- '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset'
|
||||
- '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset'
|
||||
- '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset'
|
||||
- name: actionPcap
|
||||
description: actionPcapHelp
|
||||
icon: fa-stream
|
||||
target:
|
||||
links:
|
||||
- '/joblookup?esid={:soc_id}&time={:@timestamp}'
|
||||
- '/joblookup?ncid={:network.community_id}&time={:@timestamp}'
|
||||
categories:
|
||||
- hunt
|
||||
- alerts
|
||||
- name: actionCyberChef
|
||||
description: actionCyberChefHelp
|
||||
icon: fas fa-bread-slice
|
||||
target: _blank
|
||||
links:
|
||||
- '/cyberchef/#input={value|base64}'
|
||||
- name: actionGoogle
|
||||
description: actionGoogleHelp
|
||||
icon: fab fa-google
|
||||
target: _blank
|
||||
links:
|
||||
- 'https://www.google.com/search?q={value}'
|
||||
- name: actionVirusTotal
|
||||
description: actionVirusTotalHelp
|
||||
icon: fa-external-link-alt
|
||||
target: _blank
|
||||
links:
|
||||
- 'https://www.virustotal.com/gui/search/{value}'
|
||||
|
||||
cases:
|
||||
advanced: false
|
||||
groupItemsPerPage: 50
|
||||
@@ -1045,53 +1604,6 @@ soc:
|
||||
query: 'so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}'
|
||||
- name: Templates
|
||||
query: 'so_case.category:template'
|
||||
actions:
|
||||
- name: actionHunt
|
||||
description: actionHuntHelp
|
||||
icon: fa-crosshairs
|
||||
target:
|
||||
links:
|
||||
- '/#/hunt?q="{value|escape}" | groupby event.module event.dataset'
|
||||
- name: actionCorrelate
|
||||
description: actionCorrelateHelp
|
||||
icon: fab fa-searchengin
|
||||
target:
|
||||
links:
|
||||
- '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset'
|
||||
- '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset'
|
||||
- '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset'
|
||||
- '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset'
|
||||
- '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset'
|
||||
- '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset'
|
||||
- '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset'
|
||||
- name: actionPcap
|
||||
description: actionPcapHelp
|
||||
icon: fa-stream
|
||||
target:
|
||||
links:
|
||||
- '/joblookup?esid={:soc_id}&time={:@timestamp}'
|
||||
- '/joblookup?ncid={:network.community_id}&time={:@timestamp}'
|
||||
categories:
|
||||
- hunt
|
||||
- alerts
|
||||
- name: actionCyberChef
|
||||
description: actionCyberChefHelp
|
||||
icon: fas fa-bread-slice
|
||||
target: _blank
|
||||
links:
|
||||
- '/cyberchef/#input={value|base64}'
|
||||
- name: actionGoogle
|
||||
description: actionGoogleHelp
|
||||
icon: fab fa-google
|
||||
target: _blank
|
||||
links:
|
||||
- 'https://www.google.com/search?q={value}'
|
||||
- name: actionVirusTotal
|
||||
description: actionVirusTotalHelp
|
||||
icon: fa-external-link-alt
|
||||
target: _blank
|
||||
links:
|
||||
- 'https://www.virustotal.com/gui/search/{value}'
|
||||
case:
|
||||
mostRecentlyUsedLimit: 5
|
||||
renderAbbreviatedCount: 30
|
||||
|
||||
@@ -41,16 +41,22 @@
|
||||
{% do SOCMERGED.server.client.inactiveTools.append('toolGrafana') %}
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% set standard_actions = SOCMERGED.pop('actions') %}
|
||||
{% if pillar.global.endgamehost is defined %}
|
||||
{% set endgame_dict = {
|
||||
"name": "Endgame",
|
||||
"description": "Endgame Endpoint Investigation and Response",
|
||||
"icon": "fa-external-link-alt",
|
||||
"target": "_blank",
|
||||
"links": ["https://{{ pillar.global.endgamehost }}/endpoints/{:agent.id}"]
|
||||
"links": ["https://" ~ pillar.global.endgamehost ~ "/endpoints/{:agent.id}"]
|
||||
}
|
||||
%}
|
||||
{% for action in SOCMERGED.server.client.job.actions %}
|
||||
{% do SOCMERGED.server.client.job.actions.update(action, endgame_dict)%}
|
||||
{% endfor %}
|
||||
{% do standard_actions.append(endgame_dict) %}
|
||||
{% endif %}
|
||||
|
||||
{% do SOCMERGED.server.client.hunt.update({'actions': standard_actions}) %}
|
||||
{% do SOCMERGED.server.client.dashboards.update({'actions': standard_actions}) %}
|
||||
{% do SOCMERGED.server.client.update({'job': {'actions': standard_actions}}) %}
|
||||
{% do SOCMERGED.server.client.alerts.update({'actions': standard_actions}) %}
|
||||
{% do SOCMERGED.server.client.cases.update({'actions': standard_actions}) %}
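Review bot: The `job` view is wired differently from the other four — `SOCMERGED.server.client.update({'job': {'actions': standard_actions}})` replaces the whole `job` mapping, so any other `job` setting supplied by defaults or pillar is silently dropped, whereas hunt, dashboards, alerts and cases only `update` their `actions` key. `job` already exists at this point (the removed loop iterated `SOCMERGED.server.client.job.actions`), so the parallel form `{% do SOCMERGED.server.client.job.update({'actions': standard_actions}) %}` is safe and keeps the five lines uniform. A short comment above the `set` would also document that all five views receive the same list object, e.g. `{# standard_actions is shared by reference across views; mutate it only before the updates below #}`, since the Endgame `append` relies on that. Whether `SOCMERGED.pop('actions')` finds the key depends on SOCMERGED being the `soc:` subtree of the defaults; I can't confirm that from this file.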
|
||||
|
||||