diff --git a/salt/common/tools/sbin/so-firewall b/salt/common/tools/sbin/so-firewall index 69808c709..16dcdf729 100755 --- a/salt/common/tools/sbin/so-firewall +++ b/salt/common/tools/sbin/so-firewall @@ -97,6 +97,8 @@ echo "$IP" >> $local_salt_dir/hostgroups/$ROLE if [ "$APPLY" = "true" ]; then echo "Applying the firewall rules" salt-call state.apply firewall queue=True + echo "Firewall rules have been applied... Review logs further if there were errors." + echo "" else echo "Firewall rules will be applied next salt run" fi diff --git a/salt/common/tools/sbin/so-firewall-minion b/salt/common/tools/sbin/so-firewall-minion index e796035f9..19ea26864 100755 --- a/salt/common/tools/sbin/so-firewall-minion +++ b/salt/common/tools/sbin/so-firewall-minion @@ -54,25 +54,25 @@ fi 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') so-firewall --role=manager --ip="$IP" so-firewall --role=sensors --ip="$IP" - so-firewall --apply --role=searchnodes --ip="$IP" + so-firewall --apply=true --role=searchnodes --ip="$IP" ;; 'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'IDH' | 'RECEIVER') case "$ROLE" in 'SENSOR') - so-firewall --apply --role=sensors --ip="$IP" + so-firewall --apply=true --role=sensors --ip="$IP" ;; 'SEARCHNODE') - so-firewall --apply --role=searchnodes --ip="$IP" + so-firewall --apply=true --role=searchnodes --ip="$IP" ;; 'HEAVYNODE') so-firewall --role=sensors --ip="$IP" - so-firewall --apply --role=heavynodes --ip="$IP" + so-firewall --apply=true --role=heavynodes --ip="$IP" ;; 'IDH') - so-firewall --apply --role=sensors --ip="$IP" + so-firewall --apply=true --role=sensors --ip="$IP" ;; 'RECEIVER') - so-firewall --apply --role=receivers --ip="$IP" + so-firewall --apply=true --role=receivers --ip="$IP" ;; esac ;; diff --git a/salt/curator/defaults.yaml b/salt/curator/defaults.yaml index 237a50c81..e1333c3a6 100644 --- a/salt/curator/defaults.yaml +++ b/salt/curator/defaults.yaml @@ -15,6 +15,42 @@ elasticsearch: logs-zeek-so: close: 30 delete: 365 + logs-elastic_agent-metricbeat-default: + close: 30 + delete: 365 + logs-elastic_agent-osquerybeat-default: + close: 30 + delete: 365 + logs-elastic_agent-fleet_server-default: + close: 30 + delete: 365 + logs-elastic_agent-filebeat-default: + close: 30 + delete: 365 + logs-elastic_agent-default: + close: 30 + delete: 365 + logs-system-auth-default: + close: 30 + delete: 365 + logs-system-application-default: + close: 30 + delete: 365 + logs-system-security-default: + close: 30 + delete: 365 + logs-system-system-default: + close: 30 + delete: 365 + logs-system-syslog-default: + close: 30 + delete: 365 + logs-windows-powershell-default: + close: 30 + delete: 365 + logs-windows-sysmon_operational-default: + close: 30 + delete: 365 so-beats: close: 30 delete: 365 diff --git a/salt/curator/files/action/logs-elastic_agent-default-close.yaml b/salt/curator/files/action/logs-elastic_agent-default-close.yaml new file mode 100644 index 000000000..ef03e4ba2 --- /dev/null +++ b/salt/curator/files/action/logs-elastic_agent-default-close.yaml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-elastic_agent-default'].close %} +actions: + 1: + action: close + description: >- + Close Elastic Agent default indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-elastic_agent-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/logs-elastic_agent-default-delete.yaml b/salt/curator/files/action/logs-elastic_agent-default-delete.yaml new file mode 100644 index 000000000..dee51c758 --- /dev/null +++ b/salt/curator/files/action/logs-elastic_agent-default-delete.yaml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-default'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete Elastic Agent default indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-elastic_agent-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + diff --git a/salt/curator/files/action/logs-elastic_agent-filebeat-default-close.yaml b/salt/curator/files/action/logs-elastic_agent-filebeat-default-close.yaml new file mode 100644 index 000000000..1157f94b2 --- /dev/null +++ b/salt/curator/files/action/logs-elastic_agent-filebeat-default-close.yaml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-elastic_agent-filebeat-default'].close %} +actions: + 1: + action: close + description: >- + Close Elastic Agent Filebeat indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-elastic_agent.filebeat-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/logs-elastic_agent-filebeat-default-delete.yaml b/salt/curator/files/action/logs-elastic_agent-filebeat-default-delete.yaml new file mode 100644 index 000000000..dfa51f260 --- /dev/null +++ b/salt/curator/files/action/logs-elastic_agent-filebeat-default-delete.yaml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-filebeat-default'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete Elastic Agent Filebeat indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-elastic_agent.filebeat-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + diff --git a/salt/curator/files/action/logs-elastic_agent-fleet_server-default-close.yaml b/salt/curator/files/action/logs-elastic_agent-fleet_server-default-close.yaml new file mode 100644 index 000000000..6bc2026b9 --- /dev/null +++ b/salt/curator/files/action/logs-elastic_agent-fleet_server-default-close.yaml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-elastic_agent-fleet_server-default'].close %} +actions: + 1: + action: close + description: >- + Close Elastic Agent Fleet Server indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-elastic_agent.fleet_server-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/logs-elastic_agent-fleet_server-default-delete.yaml b/salt/curator/files/action/logs-elastic_agent-fleet_server-default-delete.yaml new file mode 100644 index 000000000..6fa775ba8 --- /dev/null +++ b/salt/curator/files/action/logs-elastic_agent-fleet_server-default-delete.yaml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-fleet_server-default'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete import indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-elastic_agent.fleet_server-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + diff --git a/salt/curator/files/action/logs-elastic_agent-metricbeat-default-close.yaml b/salt/curator/files/action/logs-elastic_agent-metricbeat-default-close.yaml new file mode 100644 index 000000000..a4e38cd8e --- /dev/null +++ b/salt/curator/files/action/logs-elastic_agent-metricbeat-default-close.yaml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-elastic_agent-metricbeat-default'].close %} +actions: + 1: + action: close + description: >- + Close Elastic Agent Metricbeat indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-elastic_agent.metricbeat-default-.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/logs-elastic_agent-metricbeat-default-delete.yaml b/salt/curator/files/action/logs-elastic_agent-metricbeat-default-delete.yaml new file mode 100644 index 000000000..c69e1130a --- /dev/null +++ b/salt/curator/files/action/logs-elastic_agent-metricbeat-default-delete.yaml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-metricbeat-default'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete Elastic Agent Metricbeat indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-elastic_agent.metricbeat-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + diff --git a/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-close.yaml b/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-close.yaml new file mode 100644 index 000000000..9243d8cfb --- /dev/null +++ b/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-close.yaml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-elastic_agent-osquerybeat-default'].close %} +actions: + 1: + action: close + description: >- + Close Elastic Agent Osquerybeat indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-elastic_agent.osquerybeat-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-delete.yaml b/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-delete.yaml new file mode 100644 index 000000000..bce3b7e63 --- /dev/null +++ b/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-delete.yaml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-osquerybeat-default'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete Elastic Agent Osquerybeat indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-elastic_agent.osquerybeat-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + diff --git a/salt/curator/files/action/logs-elastic_agent-osquerybeat-delete.yaml b/salt/curator/files/action/logs-elastic_agent-osquerybeat-delete.yaml new file mode 100644 index 000000000..b46a5fc73 --- /dev/null +++ b/salt/curator/files/action/logs-elastic_agent-osquerybeat-delete.yaml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-import-so'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete import indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-import-so.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + diff --git a/salt/curator/files/action/logs-system-application-default-close.yaml b/salt/curator/files/action/logs-system-application-default-close.yaml new file mode 100644 index 000000000..76d01ecb4 --- /dev/null +++ b/salt/curator/files/action/logs-system-application-default-close.yaml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-system-application-default'].close %} +actions: + 1: + action: close + description: >- + Close Elastic Agent system application indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-system.application-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/logs-system-application-default-delete.yaml b/salt/curator/files/action/logs-system-application-default-delete.yaml new file mode 100644 index 000000000..b15c06fcb --- /dev/null +++ b/salt/curator/files/action/logs-system-application-default-delete.yaml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-system-application-default'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete Elastic Agent system application indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-system.application-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + diff --git a/salt/curator/files/action/logs-system-auth-default-close.yaml b/salt/curator/files/action/logs-system-auth-default-close.yaml new file mode 100644 index 000000000..af9843b35 --- /dev/null +++ b/salt/curator/files/action/logs-system-auth-default-close.yaml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-system-auth-default'].close %} +actions: + 1: + action: close + description: >- + Close Elastic Agent system auth indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-system.auth-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/logs-system-auth-default-delete.yaml b/salt/curator/files/action/logs-system-auth-default-delete.yaml new file mode 100644 index 000000000..9a1cc6a9a --- /dev/null +++ b/salt/curator/files/action/logs-system-auth-default-delete.yaml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-system-auth-default'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete Elastic Agent system auth indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-system.auth-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + diff --git a/salt/curator/files/action/logs-system-security-default-close.yaml b/salt/curator/files/action/logs-system-security-default-close.yaml new file mode 100644 index 000000000..9a8cab35c --- /dev/null +++ b/salt/curator/files/action/logs-system-security-default-close.yaml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-system-security-default'].close %} +actions: + 1: + action: close + description: >- + Close Elastic Agent system security indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-system.security-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/logs-system-security-default-delete.yaml b/salt/curator/files/action/logs-system-security-default-delete.yaml new file mode 100644 index 000000000..0bac45aeb --- /dev/null +++ b/salt/curator/files/action/logs-system-security-default-delete.yaml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-system-security-default'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete Elastic Agent system security indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-system.security-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + diff --git a/salt/curator/files/action/logs-system-syslog-default-close.yaml b/salt/curator/files/action/logs-system-syslog-default-close.yaml new file mode 100644 index 000000000..3c9482b40 --- /dev/null +++ b/salt/curator/files/action/logs-system-syslog-default-close.yaml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-system-syslog-default'].close %} +actions: + 1: + action: close + description: >- + Close Elastic Agent system syslog indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-system.syslog-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/logs-system-syslog-default-delete.yaml b/salt/curator/files/action/logs-system-syslog-default-delete.yaml new file mode 100644 index 000000000..1a7d217e9 --- /dev/null +++ b/salt/curator/files/action/logs-system-syslog-default-delete.yaml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-system-syslog-default'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete Elastic Agent system syslog indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-system.syslog-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + diff --git a/salt/curator/files/action/logs-system-system-default-close.yaml b/salt/curator/files/action/logs-system-system-default-close.yaml new file mode 100644 index 000000000..284d6e219 --- /dev/null +++ b/salt/curator/files/action/logs-system-system-default-close.yaml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-system-system-default'].close %} +actions: + 1: + action: close + description: >- + Close Elastic Agent system system indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-system.system-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/logs-system-system-default-delete.yaml b/salt/curator/files/action/logs-system-system-default-delete.yaml new file mode 100644 index 000000000..4701d0492 --- /dev/null +++ b/salt/curator/files/action/logs-system-system-default-delete.yaml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-system-system-default'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete Elastic Agent system system indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-system.system-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + diff --git a/salt/curator/files/action/logs-windows-powershell-default-close.yaml b/salt/curator/files/action/logs-windows-powershell-default-close.yaml new file mode 100644 index 000000000..7c3cebab3 --- /dev/null +++ b/salt/curator/files/action/logs-windows-powershell-default-close.yaml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-windows-powershell-default'].close %} +actions: + 1: + action: close + description: >- + Close Elastic Agent Windows Powershell indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-windows.powershell-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/logs-windows-powershell-default-delete.yaml b/salt/curator/files/action/logs-windows-powershell-default-delete.yaml new file mode 100644 index 000000000..447f8102b --- /dev/null +++ b/salt/curator/files/action/logs-windows-powershell-default-delete.yaml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-windows-powershell-default'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete Elastic Agent Windows Powershell indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-windows.powershell-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + diff --git a/salt/curator/files/action/logs-windows-sysmon_operational-default-close.yaml b/salt/curator/files/action/logs-windows-sysmon_operational-default-close.yaml new file mode 100644 index 000000000..ae98b8939 --- /dev/null +++ b/salt/curator/files/action/logs-windows-sysmon_operational-default-close.yaml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-windows-sysmon_operational-default'].close %} +actions: + 1: + action: close + description: >- + Close Elastic Agent Windows Sysmon operational indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-windows.sysmon_operational-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/logs-windows-sysmon_operational-default-delete.yaml b/salt/curator/files/action/logs-windows-sysmon_operational-default-delete.yaml new file mode 100644 index 000000000..a1413bc1c --- /dev/null +++ b/salt/curator/files/action/logs-windows-sysmon_operational-default-delete.yaml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-windows-sysmon_operational-default'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete Elastic Agent Windows Sysmon operational indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-windows.sysmon_operational-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index a0c431881..d47125972 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -84,14 +84,33 @@ elasticsearch: - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 + data_stream: + hidden: false + allow_custom_routing: false + policy: + phases: + hot: + min_age: 0ms + actions: + set_priority: + priority: 100 + rollover: + max_age: 30d + max_primary_shard_size: 50gb + cold: + min_age: 30d + actions: + set_priority: + priority: 0 + delete: + min_age: 365d + actions: + delete: {} _meta: package: name: elastic_agent managed_by: security_onion managed: true - data_stream: - hidden: false - allow_custom_routing: false so-logs-elastic_agent.auditbeat: index_sorting: False index_template: @@ -119,14 +138,33 @@ elasticsearch: - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 + data_stream: + hidden: false + allow_custom_routing: false + policy: + phases: + hot: + min_age: 0ms + actions: + set_priority: + priority: 100 + rollover: + max_age: 30d + max_primary_shard_size: 50gb + cold: + min_age: 30d + actions: + set_priority: + priority: 0 + delete: + min_age: 365d + actions: + delete: {} _meta: package: name: elastic_agent managed_by: security_onion managed: true - data_stream: - hidden: false - allow_custom_routing: false so-logs-elastic_agent.cloudbeat: index_sorting: False index_template: @@ -154,14 +192,30 @@ elasticsearch: - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 + policy: + phases: + hot: + min_age: 0ms + actions: + set_priority: + priority: 100 + rollover: + max_age: 30d + max_primary_shard_size: 50gb + cold: + min_age: 30d + actions: + set_priority: + priority: 0 + delete: + min_age: 365d + actions: + delete: {} _meta: package: name: elastic_agent managed_by: security_onion managed: true - data_stream: - hidden: false - allow_custom_routing: false so-logs-elastic_agent.endpoint_security: index_sorting: False index_template: @@ -189,14 +243,33 @@ elasticsearch: - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 + data_stream: + hidden: false + allow_custom_routing: false + policy: + phases: + hot: + min_age: 0ms + actions: + set_priority: + priority: 100 + rollover: + max_age: 30d + max_primary_shard_size: 50gb + cold: + min_age: 30d + actions: + set_priority: + priority: 0 + delete: + min_age: 365d + actions: + delete: {} _meta: package: name: elastic_agent managed_by: security_onion managed: true - data_stream: - hidden: false - allow_custom_routing: false so-logs-elastic_agent.filebeat: index_sorting: False index_template: @@ -224,14 +297,30 @@ elasticsearch: - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 + policy: + phases: + hot: + min_age: 0ms + actions: + set_priority: + priority: 100 + rollover: + max_age: 30d + max_primary_shard_size: 50gb + cold: + min_age: 30d + actions: + set_priority: + priority: 0 + delete: + min_age: 365d + actions: + delete: {} _meta: package: name: elastic_agent managed_by: security_onion managed: true - data_stream: - hidden: false - allow_custom_routing: false so-logs-elastic_agent.fleet_server: index_sorting: False index_template: @@ -259,14 +348,33 @@ elasticsearch: - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 + data_stream: + hidden: false + allow_custom_routing: false + policy: + phases: + hot: + min_age: 0ms + actions: + set_priority: + priority: 100 + rollover: + max_age: 30d + max_primary_shard_size: 50gb + cold: + min_age: 30d + actions: + set_priority: + priority: 0 + delete: + min_age: 365d + actions: + delete: {} _meta: package: name: elastic_agent managed_by: security_onion managed: true - data_stream: - hidden: false - allow_custom_routing: false so-logs-elastic_agent.heartbeat: index_sorting: False index_template: @@ -294,14 +402,30 @@ elasticsearch: - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 + policy: + phases: + hot: + min_age: 0ms + actions: + set_priority: + priority: 100 + rollover: + max_age: 30d + max_primary_shard_size: 50gb + cold: + min_age: 30d + actions: + set_priority: + priority: 0 + delete: + min_age: 365d + actions: + delete: {} _meta: package: name: elastic_agent managed_by: security_onion managed: true - data_stream: - hidden: false - allow_custom_routing: false so-logs-elastic_agent: index_sorting: False index_template: @@ -329,14 +453,33 @@ elasticsearch: - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 + data_stream: + hidden: false + allow_custom_routing: false + policy: + phases: + hot: + min_age: 0ms + actions: + set_priority: + priority: 100 + rollover: + max_age: 30d + max_primary_shard_size: 50gb + cold: + min_age: 30d + actions: + set_priority: + priority: 0 + delete: + min_age: 365d + actions: + delete: {} _meta: package: name: elastic_agent managed_by: security_onion managed: true - data_stream: - hidden: false - allow_custom_routing: false so-logs-elastic_agent.metricbeat: index_sorting: False index_template: @@ -364,14 +507,33 @@ elasticsearch: - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 + data_stream: + hidden: false + allow_custom_routing: false + policy: + phases: + hot: + min_age: 0ms + actions: + set_priority: + priority: 100 + rollover: + max_age: 30d + max_primary_shard_size: 50gb + cold: + min_age: 30d + actions: + set_priority: + priority: 0 + delete: + min_age: 365d + actions: + delete: {} _meta: package: name: elastic_agent managed_by: security_onion managed: true - data_stream: - hidden: false - allow_custom_routing: false so-logs-elastic_agent.osquerybeat: index_sorting: False index_template: @@ -399,14 +561,33 @@ elasticsearch: - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 + data_stream: + hidden: false + allow_custom_routing: false + policy: + phases: + hot: + min_age: 0ms + actions: + set_priority: + priority: 100 + rollover: + max_age: 30d + max_primary_shard_size: 50gb + cold: + min_age: 30d + actions: + set_priority: + priority: 0 + delete: + min_age: 365d + actions: + delete: {} _meta: package: name: elastic_agent managed_by: security_onion managed: true - data_stream: - hidden: false - allow_custom_routing: false so-logs-elastic_agent.packetbeat: index_sorting: False index_template: @@ -434,14 +615,33 @@ elasticsearch: - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 + data_stream: + hidden: false + allow_custom_routing: false + policy: + phases: + hot: + min_age: 0ms + actions: + set_priority: + priority: 100 + rollover: + max_age: 30d + max_primary_shard_size: 50gb + cold: + min_age: 30d + actions: + set_priority: + priority: 0 + delete: + min_age: 365d + actions: + delete: {} _meta: package: name: elastic_agent managed_by: security_onion managed: true - data_stream: - hidden: false - allow_custom_routing: false so-aws: warm: 7 close: 30 diff --git a/salt/elasticsearch/files/ingest/common.nids b/salt/elasticsearch/files/ingest/common.nids index df6af7a85..53a3f7b79 100644 --- a/salt/elasticsearch/files/ingest/common.nids +++ b/salt/elasticsearch/files/ingest/common.nids @@ -11,7 +11,7 @@ { "set": { "if": "ctx.rule.severity == 3", "field": "event.severity", "value": 1, "override": true } }, { "set": { "if": "ctx.rule.severity == 2", "field": "event.severity", "value": 2, "override": true } }, { "set": { "if": "ctx.rule.severity == 1", "field": "event.severity", "value": 3, "override": true } }, - { "remove": { "field": ["rule_type", "rest_of_rulename"], "ignore_failure": true } }, + { "remove": { "field": ["rule_type", "rest_of_rulename", "host"], "ignore_failure": true } }, { "pipeline": { "name": "common" } } ] } diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 3fe2f4567..196828b77 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -7,19 +7,19 @@ soc: icon: fa-crosshairs target: links: - - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' + - '/#/hunt?q="{value|escape}" | groupby event.module* event.dataset' - name: actionCorrelate description: actionCorrelateHelp icon: fab fa-searchengin target: '' links: - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module* event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module* event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module* event.dataset' + - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module* event.dataset' + - '/#/hunt?q="{:log.id.fuid}" | groupby event.module* event.dataset' + - '/#/hunt?q="{:log.id.uid}" | groupby event.module* event.dataset' + - '/#/hunt?q="{:network.community_id}" | groupby event.module* event.dataset' - name: actionPcap description: actionPcapHelp icon: fa-stream @@ -560,13 +560,13 @@ soc: - destination.geo.country_iso_code - user.name - source.ip - ':sysmon:': + ':windows.sysmon_operational:': - soc_timestamp - - event.dataset + - event.action - process.executable - user.name - file.target - - dns.query.name + - dns.question.name - winlog.event_data.TargetObject '::network_connection': - soc_timestamp @@ -1116,12 +1116,12 @@ soc: enabled: true queries: - name: Default Query - description: Show all events grouped by the origin host + description: Show all events grouped by the observer host query: '* | groupby observer.name' showSubtitle: true - name: Log Type description: Show all events grouped by module and dataset - query: '* | groupby event.module event.dataset' + query: '* | groupby event.module* event.dataset' showSubtitle: true - name: SOC Auth description: Users authenticated to SOC grouped by IP address and identity @@ -1145,11 +1145,11 @@ soc: showSubtitle: true - name: Sysmon Events description: Show all Sysmon logs grouped by event type - query: 'event.module:sysmon | groupby event.dataset' + query: 'event.dataset: windows.sysmon_operational | groupby event.action' showSubtitle: true - name: Sysmon Usernames description: Show all Sysmon logs grouped by username - query: 'event.module:sysmon | groupby event.dataset, user.name.keyword' + query: 'event.dataset: windows.sysmon_operational | groupby event.action, user.name.keyword' showSubtitle: true - name: Strelka description: Show all Strelka logs grouped by file type @@ -1380,7 +1380,7 @@ soc: queries: - name: Overview description: Overview of all events - query: '* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module | groupby event.dataset | groupby event.module | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: '* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module* | groupby event.dataset | groupby event.module* | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: SOC Auth description: SOC (Security Onion Console) authentication logs query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby -sankey http_request.headers.x-real-ip identity_id | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent' @@ -1389,28 +1389,31 @@ soc: query: '_index: "*:elastalert*" | groupby rule_name | groupby alert_info.type' - name: Alerts description: Overview of all alerts - query: 'event.dataset:alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'event.dataset:alert | groupby event.module* | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: NIDS Alerts description: NIDS (Network Intrusion Detection System) alerts query: 'event.category:network AND event.dataset:alert | groupby rule.category | groupby -sankey source.ip destination.ip | groupby rule.name | groupby rule.uuid | groupby rule.gid | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: Sysmon Overview description: Overview of all Sysmon data types - query: 'event.module:sysmon | groupby -sankey event.dataset winlog.computer_name | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby event.dataset | groupby user.name | groupby dns.query.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.target | groupby source.ip | groupby destination.ip | groupby destination.port' - - name: Sysmon Registry - description: Registry changes captured by Sysmon - query: '(event.dataset:registry_create_delete OR event.dataset:registry_value_set OR event.dataset:registry_key_value_rename) | groupby -sankey event.dataset winlog.computer_name | groupby winlog.computer_name | groupby event.dataset | groupby process.executable | groupby winlog.event_data.TargetObject | groupby process.executable winlog.event_data.TargetObject' - - name: Sysmon DNS - description: DNS queries captured by Sysmon - query: 'event.dataset:dns_query | groupby -sankey winlog.computer_name dns.query.name | groupby winlog.computer_name | groupby process.executable | groupby dns.query.name | groupby dns.answers.name' - - name: Sysmon Process - description: Process activity captured by Sysmon - query: '(event.dataset:process_creation OR event.dataset:process_terminated OR event.dataset:process_access) | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby user.name | groupby event.dataset | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable' - - name: Sysmon File - description: File activity captured by Sysmon - query: 'event.module:sysmon AND event.dataset:file_* | groupby -sankey winlog.computer_name process.executable | groupby winlog.computer_name | groupby event.dataset | groupby file.target | groupby process.executable' - - name: Sysmon Network - description: Network activity captured by Sysmon - query: 'event.dataset:network_connection | groupby -sankey winlog.computer_name destination.ip destination.port | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'event.dataset:windows.sysmon_operational | groupby -sankey event.action host.name | groupby -sankey host.name user.name | groupby host.name | groupby event.category event.action | groupby user.name | groupby dns.question.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: Host Overview + description: Overview of all host data types + query: '((event.category:registry OR event.category:host OR event.category:process OR event.category:driver OR event.category:configuration) OR (event.category:file AND _exists_:process.executable) OR (event.category:network AND _exists_:host.name)) | groupby event.dataset* event.category* event.action* | groupby event.type | groupby host.name | groupby user.name | groupby file.name | groupby process.executable' + - name: Host Registry Changes + description: Windows Registry changes + query: 'event.category: registry | groupby -sankey event.action host.name | groupby event.dataset event.action | groupby host.name | groupby process.executable | groupby registry.path | groupby process.executable registry.path' + - name: Host DNS & Process Mappings + description: DNS queries mapped to originating processes + query: 'event.category: network AND _exists_:process.executable AND (_exists_:dns.question.name OR _exists_:dns.answers.data) | groupby -sankey host.name dns.question.name | groupby event.dataset event.type | groupby host.name | groupby process.executable | groupby dns.question.name | groupby dns.answers.data' + - name: Host Process Activity + description: Process activity captured on an endpoint + query: 'event.category:process | groupby -sankey host.name user.name* | groupby event.dataset event.action | groupby host.name | groupby user.name | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable' + - name: Host File Activity + description: File activity captured on an endpoint + query: 'event.category: file AND _exists_:process.executable | groupby -sankey host.name process.executable | groupby host.name | groupby event.dataset event.action event.type | groupby file.name | groupby process.executable' + - name: Host Network & Process Mappings + description: Network activity mapped to originating processes + query: 'event.category: network AND _exists_:process.executable | groupby -sankey event.action host.name | groupby -sankey host.name user.name | groupby event.dataset* event.type* event.action* | groupby host.name | groupby user.name | groupby dns.question.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby process.name | groupby source.ip | groupby destination.ip | groupby destination.port' - name: Strelka description: Strelka file analysis query: 'event.module:strelka | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.name' @@ -1614,7 +1617,7 @@ soc: - acknowledged queries: - name: 'Group By Name, Module' - query: '* | groupby rule.name event.module event.severity_label' + query: '* | groupby rule.name event.module* event.severity_label' - name: 'Group By Sensor, Source IP/Port, Destination IP/Port, Name' query: '* | groupby observer.name source.ip source.port destination.ip destination.port rule.name network.community_id event.severity_label' - name: 'Group By Source IP, Name'