Merge remote-tracking branch 'remotes/origin/2.4/dev' into 2.4/strelka

This commit is contained in:
m0duspwnens
2023-03-14 13:26:15 -04:00
31 changed files with 990 additions and 74 deletions


@@ -97,6 +97,8 @@ echo "$IP" >> $local_salt_dir/hostgroups/$ROLE
if [ "$APPLY" = "true" ]; then if [ "$APPLY" = "true" ]; then
echo "Applying the firewall rules" echo "Applying the firewall rules"
salt-call state.apply firewall queue=True salt-call state.apply firewall queue=True
echo "Firewall rules have been applied... Review logs further if there were errors."
echo ""
else else
echo "Firewall rules will be applied next salt run" echo "Firewall rules will be applied next salt run"
fi fi
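Review bot: The new success message after `salt-call state.apply firewall queue=True` is printed regardless of the apply's exit status, so a failed state run still tells the operator the rules "have been applied". Branch on the result instead, e.g. `if salt-call --retcode-passthrough state.apply firewall queue=True; then echo "Firewall rules have been applied."; else echo "Firewall state apply failed, review the salt log" >&2; fi`, since without `--retcode-passthrough` salt-call exits 0 even when a state fails. The surrounding script continues outside the hunk.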


@@ -54,25 +54,25 @@ fi
'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT')
so-firewall --role=manager --ip="$IP" so-firewall --role=manager --ip="$IP"
so-firewall --role=sensors --ip="$IP" so-firewall --role=sensors --ip="$IP"
so-firewall --apply --role=searchnodes --ip="$IP" so-firewall --apply=true --role=searchnodes --ip="$IP"
;; ;;
'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'IDH' | 'RECEIVER') 'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'IDH' | 'RECEIVER')
case "$ROLE" in case "$ROLE" in
'SENSOR') 'SENSOR')
so-firewall --apply --role=sensors --ip="$IP" so-firewall --apply=true --role=sensors --ip="$IP"
;; ;;
'SEARCHNODE') 'SEARCHNODE')
so-firewall --apply --role=searchnodes --ip="$IP" so-firewall --apply=true --role=searchnodes --ip="$IP"
;; ;;
'HEAVYNODE') 'HEAVYNODE')
so-firewall --role=sensors --ip="$IP" so-firewall --role=sensors --ip="$IP"
so-firewall --apply --role=heavynodes --ip="$IP" so-firewall --apply=true --role=heavynodes --ip="$IP"
;; ;;
'IDH') 'IDH')
so-firewall --apply --role=sensors --ip="$IP" so-firewall --apply=true --role=sensors --ip="$IP"
;; ;;
'RECEIVER') 'RECEIVER')
so-firewall --apply --role=receivers --ip="$IP" so-firewall --apply=true --role=receivers --ip="$IP"
;; ;;
esac esac
;; ;;
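Review bot: The non-applying calls (`so-firewall --role=manager --ip="$IP"` and `--role=sensors` in the first branch, `--role=sensors` in the HEAVYNODE branch) rely on the final `--apply=true` call to push everything at once, and each of them presumably prints "Firewall rules will be applied next salt run" per the else branch of so-firewall, which reads like a warning during setup. A one-line comment above the case, such as `# Only the last so-firewall call applies; earlier calls only register the IP for their role`, would document the ordering dependency for the next person who reorders these. The case statement starts before the hunk.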


@@ -15,6 +15,42 @@ elasticsearch:
logs-zeek-so: logs-zeek-so:
close: 30 close: 30
delete: 365 delete: 365
logs-elastic_agent-metricbeat-default:
close: 30
delete: 365
logs-elastic_agent-osquerybeat-default:
close: 30
delete: 365
logs-elastic_agent-fleet_server-default:
close: 30
delete: 365
logs-elastic_agent-filebeat-default:
close: 30
delete: 365
logs-elastic_agent-default:
close: 30
delete: 365
logs-system-auth-default:
close: 30
delete: 365
logs-system-application-default:
close: 30
delete: 365
logs-system-security-default:
close: 30
delete: 365
logs-system-system-default:
close: 30
delete: 365
logs-system-syslog-default:
close: 30
delete: 365
logs-windows-powershell-default:
close: 30
delete: 365
logs-windows-sysmon_operational-default:
close: 30
delete: 365
so-beats: so-beats:
close: 30 close: 30
delete: 365 delete: 365
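Review bot: The twelve new close/delete entries cover the same `logs-elastic_agent-*`, `logs-system-*` and `logs-windows-*` data streams whose ILM policies, added elsewhere in this commit, already roll over, move to cold at 30d and delete at 365d, so those backing indices are lifecycle-managed twice; as far as I recall ILM does not act on an index that curator has closed, so one mechanism should own the lifecycle (or the overlap should be documented). Separately, the new `logs-import-so` delete action reads `CURATORMERGED['logs-import-so'].delete`, but no `logs-import-so` entry is added in this hunk; if it is not already defined above the hunk, that template fails to render.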


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['logs-elastic_agent-default'].close %}
actions:
1:
action: close
description: >-
Close Elastic Agent default indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-elastic_agent-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:
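Review bot: The age filter selects backing indices purely by the date in their name, which can include the data stream's current write index (the new ILM policies roll over at 30d, the same as this close threshold); as far as I recall Elasticsearch refuses to close a data stream's write index, and with `continue_if_exception: False` that error aborts the whole action. Consider excluding the newest generation or setting `continue_if_exception: True` so one write index does not block closing the rest. The same applies to every other close action added in this commit (filebeat, fleet_server, metricbeat, osquerybeat, the system-* and windows-* sets). The dots in `'^(.ds-logs-elastic_agent-default.*)$'` are regex metacharacters; `'^(\.ds-logs-elastic_agent-default.*)$'` says what is meant.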


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-default'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete Elastic Agent default indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-elastic_agent-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['logs-elastic_agent-filebeat-default'].close %}
actions:
1:
action: close
description: >-
Close Elastic Agent Filebeat indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-elastic_agent.filebeat-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-filebeat-default'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete Elastic Agent Filebeat indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-elastic_agent.filebeat-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['logs-elastic_agent-fleet_server-default'].close %}
actions:
1:
action: close
description: >-
Close Elastic Agent Fleet Server indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-elastic_agent.fleet_server-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-fleet_server-default'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete import indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-elastic_agent.fleet_server-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:
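Review bot: The `description: >-` text says "Delete import indices" but this action targets `logs-elastic_agent-fleet_server-default`, so curator's log output will misname what it deleted. Change it to `Delete Elastic Agent Fleet Server indices when older than {{ DELETE_DAYS }} days.` to match the sibling actions.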


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['logs-elastic_agent-metricbeat-default'].close %}
actions:
1:
action: close
description: >-
Close Elastic Agent Metricbeat indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-elastic_agent.metricbeat-default-.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:
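Review bot: The close pattern `'^(.ds-logs-elastic_agent.metricbeat-default-.*)$'` carries a trailing `-` that its delete counterpart (`...metricbeat-default.*`) and every other close action lack, so the two selectors for the same stream differ. It is harmless today because backing index names continue with `-<date>-<generation>` after `default`, but drop the `-` so close and delete stay in lockstep: `value: '^(.ds-logs-elastic_agent.metricbeat-default.*)$'`.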


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-metricbeat-default'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete Elastic Agent Metricbeat indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-elastic_agent.metricbeat-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['logs-elastic_agent-osquerybeat-default'].close %}
actions:
1:
action: close
description: >-
Close Elastic Agent Osquerybeat indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-elastic_agent.osquerybeat-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-osquerybeat-default'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete Elastic Agent Osquerybeat indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-elastic_agent.osquerybeat-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['logs-import-so'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete import indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-import-so.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['logs-system-application-default'].close %}
actions:
1:
action: close
description: >-
Close Elastic Agent system application indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-system.application-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['logs-system-application-default'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete Elastic Agent system application indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-system.application-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['logs-system-auth-default'].close %}
actions:
1:
action: close
description: >-
Close Elastic Agent system auth indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-system.auth-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['logs-system-auth-default'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete Elastic Agent system auth indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-system.auth-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['logs-system-security-default'].close %}
actions:
1:
action: close
description: >-
Close Elastic Agent system security indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-system.security-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['logs-system-security-default'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete Elastic Agent system security indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-system.security-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['logs-system-syslog-default'].close %}
actions:
1:
action: close
description: >-
Close Elastic Agent system syslog indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-system.syslog-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['logs-system-syslog-default'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete Elastic Agent system syslog indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-system.syslog-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['logs-system-system-default'].close %}
actions:
1:
action: close
description: >-
Close Elastic Agent system system indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-system.system-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['logs-system-system-default'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete Elastic Agent system system indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-system.system-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['logs-windows-powershell-default'].close %}
actions:
1:
action: close
description: >-
Close Elastic Agent Windows Powershell indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-windows.powershell-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['logs-windows-powershell-default'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete Elastic Agent Windows Powershell indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-windows.powershell-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['logs-windows-sysmon_operational-default'].close %}
actions:
1:
action: close
description: >-
Close Elastic Agent Windows Sysmon operational indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-windows.sysmon_operational-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['logs-windows-sysmon_operational-default'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete Elastic Agent Windows Sysmon operational indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-windows.sysmon_operational-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:


@@ -84,14 +84,33 @@ elasticsearch:
- "so-fleet_globals-1" - "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 200 priority: 200
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta: _meta:
package: package:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.auditbeat: so-logs-elastic_agent.auditbeat:
index_sorting: False index_sorting: False
index_template: index_template:
@@ -119,14 +138,33 @@ elasticsearch:
- "so-fleet_globals-1" - "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 200 priority: 200
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta: _meta:
package: package:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.cloudbeat: so-logs-elastic_agent.cloudbeat:
index_sorting: False index_sorting: False
index_template: index_template:
@@ -154,14 +192,30 @@ elasticsearch:
- "so-fleet_globals-1" - "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 200 priority: 200
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta: _meta:
package: package:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.endpoint_security: so-logs-elastic_agent.endpoint_security:
index_sorting: False index_sorting: False
index_template: index_template:
@@ -189,14 +243,33 @@ elasticsearch:
- "so-fleet_globals-1" - "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 200 priority: 200
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta: _meta:
package: package:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.filebeat: so-logs-elastic_agent.filebeat:
index_sorting: False index_sorting: False
index_template: index_template:
@@ -224,14 +297,30 @@ elasticsearch:
- "so-fleet_globals-1" - "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 200 priority: 200
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta: _meta:
package: package:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.fleet_server: so-logs-elastic_agent.fleet_server:
index_sorting: False index_sorting: False
index_template: index_template:
@@ -259,14 +348,33 @@ elasticsearch:
- "so-fleet_globals-1" - "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 200 priority: 200
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta: _meta:
package: package:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.heartbeat: so-logs-elastic_agent.heartbeat:
index_sorting: False index_sorting: False
index_template: index_template:
@@ -294,14 +402,30 @@ elasticsearch:
- "so-fleet_globals-1" - "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 200 priority: 200
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta: _meta:
package: package:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent: so-logs-elastic_agent:
index_sorting: False index_sorting: False
index_template: index_template:
@@ -329,14 +453,33 @@ elasticsearch:
- "so-fleet_globals-1" - "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 200 priority: 200
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta: _meta:
package: package:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.metricbeat: so-logs-elastic_agent.metricbeat:
index_sorting: False index_sorting: False
index_template: index_template:
@@ -364,14 +507,33 @@ elasticsearch:
- "so-fleet_globals-1" - "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 200 priority: 200
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta: _meta:
package: package:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.osquerybeat: so-logs-elastic_agent.osquerybeat:
index_sorting: False index_sorting: False
index_template: index_template:
@@ -399,14 +561,33 @@ elasticsearch:
- "so-fleet_globals-1" - "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 200 priority: 200
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta: _meta:
package: package:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.packetbeat: so-logs-elastic_agent.packetbeat:
index_sorting: False index_sorting: False
index_template: index_template:
@@ -434,14 +615,33 @@ elasticsearch:
- "so-fleet_globals-1" - "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 200 priority: 200
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta: _meta:
package: package:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-aws: so-aws:
warm: 7 warm: 7
close: 30 close: 30


@@ -11,7 +11,7 @@
{ "set": { "if": "ctx.rule.severity == 3", "field": "event.severity", "value": 1, "override": true } }, { "set": { "if": "ctx.rule.severity == 3", "field": "event.severity", "value": 1, "override": true } },
{ "set": { "if": "ctx.rule.severity == 2", "field": "event.severity", "value": 2, "override": true } }, { "set": { "if": "ctx.rule.severity == 2", "field": "event.severity", "value": 2, "override": true } },
{ "set": { "if": "ctx.rule.severity == 1", "field": "event.severity", "value": 3, "override": true } }, { "set": { "if": "ctx.rule.severity == 1", "field": "event.severity", "value": 3, "override": true } },
{ "remove": { "field": ["rule_type", "rest_of_rulename"], "ignore_failure": true } }, { "remove": { "field": ["rule_type", "rest_of_rulename", "host"], "ignore_failure": true } },
{ "pipeline": { "name": "common" } } { "pipeline": { "name": "common" } }
] ]
} }
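Review bot: The widened `remove` processor now drops the whole `host` object, so any `host.*` value set earlier in this pipeline or by the shipper (`host.name` included, which the reworked SOC host queries elsewhere in this commit group on) is gone before the `common` pipeline runs. If only one conflicting sub-field needs to go, list that sub-field in the `field` array instead of the parent; if the entire object is intended, a top-level `description` on the pipeline stating why would spare the next reader a bisect. `ignore_failure: true` is fine for a field that is merely absent, but it also hides a misspelled field name, so the exact path deserves a second look. The `processors` array this hunk sits in starts outside the hunk.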


@@ -7,19 +7,19 @@ soc:
icon: fa-crosshairs icon: fa-crosshairs
target: target:
links: links:
- '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' - '/#/hunt?q="{value|escape}" | groupby event.module* event.dataset'
- name: actionCorrelate - name: actionCorrelate
description: actionCorrelateHelp description: actionCorrelateHelp
icon: fab fa-searchengin icon: fab fa-searchengin
target: '' target: ''
links: links:
- '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module* event.dataset'
- '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module* event.dataset'
- '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module* event.dataset'
- '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module* event.dataset'
- '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' - '/#/hunt?q="{:log.id.fuid}" | groupby event.module* event.dataset'
- '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' - '/#/hunt?q="{:log.id.uid}" | groupby event.module* event.dataset'
- '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' - '/#/hunt?q="{:network.community_id}" | groupby event.module* event.dataset'
- name: actionPcap - name: actionPcap
description: actionPcapHelp description: actionPcapHelp
icon: fa-stream icon: fa-stream
@@ -560,13 +560,13 @@ soc:
- destination.geo.country_iso_code - destination.geo.country_iso_code
- user.name - user.name
- source.ip - source.ip
':sysmon:': ':windows.sysmon_operational:':
- soc_timestamp - soc_timestamp
- event.dataset - event.action
- process.executable - process.executable
- user.name - user.name
- file.target - file.target
- dns.query.name - dns.question.name
- winlog.event_data.TargetObject - winlog.event_data.TargetObject
'::network_connection': '::network_connection':
- soc_timestamp - soc_timestamp
@@ -1116,12 +1116,12 @@ soc:
enabled: true enabled: true
queries: queries:
- name: Default Query - name: Default Query
description: Show all events grouped by the origin host description: Show all events grouped by the observer host
query: '* | groupby observer.name' query: '* | groupby observer.name'
showSubtitle: true showSubtitle: true
- name: Log Type - name: Log Type
description: Show all events grouped by module and dataset description: Show all events grouped by module and dataset
query: '* | groupby event.module event.dataset' query: '* | groupby event.module* event.dataset'
showSubtitle: true showSubtitle: true
- name: SOC Auth - name: SOC Auth
description: Users authenticated to SOC grouped by IP address and identity description: Users authenticated to SOC grouped by IP address and identity
@@ -1145,11 +1145,11 @@ soc:
showSubtitle: true showSubtitle: true
- name: Sysmon Events - name: Sysmon Events
description: Show all Sysmon logs grouped by event type description: Show all Sysmon logs grouped by event type
query: 'event.module:sysmon | groupby event.dataset' query: 'event.dataset: windows.sysmon_operational | groupby event.action'
showSubtitle: true showSubtitle: true
- name: Sysmon Usernames - name: Sysmon Usernames
description: Show all Sysmon logs grouped by username description: Show all Sysmon logs grouped by username
query: 'event.module:sysmon | groupby event.dataset, user.name.keyword' query: 'event.dataset: windows.sysmon_operational | groupby event.action, user.name.keyword'
showSubtitle: true showSubtitle: true
- name: Strelka - name: Strelka
description: Show all Strelka logs grouped by file type description: Show all Strelka logs grouped by file type
@@ -1380,7 +1380,7 @@ soc:
queries: queries:
- name: Overview - name: Overview
description: Overview of all events description: Overview of all events
query: '* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module | groupby event.dataset | groupby event.module | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' query: '* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module* | groupby event.dataset | groupby event.module* | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: SOC Auth - name: SOC Auth
description: SOC (Security Onion Console) authentication logs description: SOC (Security Onion Console) authentication logs
query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby -sankey http_request.headers.x-real-ip identity_id | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent' query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby -sankey http_request.headers.x-real-ip identity_id | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent'
@@ -1389,28 +1389,31 @@ soc:
query: '_index: "*:elastalert*" | groupby rule_name | groupby alert_info.type' query: '_index: "*:elastalert*" | groupby rule_name | groupby alert_info.type'
- name: Alerts - name: Alerts
description: Overview of all alerts description: Overview of all alerts
query: 'event.dataset:alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' query: 'event.dataset:alert | groupby event.module* | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: NIDS Alerts - name: NIDS Alerts
description: NIDS (Network Intrusion Detection System) alerts description: NIDS (Network Intrusion Detection System) alerts
query: 'event.category:network AND event.dataset:alert | groupby rule.category | groupby -sankey source.ip destination.ip | groupby rule.name | groupby rule.uuid | groupby rule.gid | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' query: 'event.category:network AND event.dataset:alert | groupby rule.category | groupby -sankey source.ip destination.ip | groupby rule.name | groupby rule.uuid | groupby rule.gid | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: Sysmon Overview - name: Sysmon Overview
description: Overview of all Sysmon data types description: Overview of all Sysmon data types
query: 'event.module:sysmon | groupby -sankey event.dataset winlog.computer_name | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby event.dataset | groupby user.name | groupby dns.query.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.target | groupby source.ip | groupby destination.ip | groupby destination.port' query: 'event.dataset:windows.sysmon_operational | groupby -sankey event.action host.name | groupby -sankey host.name user.name | groupby host.name | groupby event.category event.action | groupby user.name | groupby dns.question.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: Sysmon Registry - name: Host Overview
description: Registry changes captured by Sysmon description: Overview of all host data types
query: '(event.dataset:registry_create_delete OR event.dataset:registry_value_set OR event.dataset:registry_key_value_rename) | groupby -sankey event.dataset winlog.computer_name | groupby winlog.computer_name | groupby event.dataset | groupby process.executable | groupby winlog.event_data.TargetObject | groupby process.executable winlog.event_data.TargetObject' query: '((event.category:registry OR event.category:host OR event.category:process OR event.category:driver OR event.category:configuration) OR (event.category:file AND _exists_:process.executable) OR (event.category:network AND _exists_:host.name)) | groupby event.dataset* event.category* event.action* | groupby event.type | groupby host.name | groupby user.name | groupby file.name | groupby process.executable'
- name: Sysmon DNS - name: Host Registry Changes
description: DNS queries captured by Sysmon description: Windows Registry changes
query: 'event.dataset:dns_query | groupby -sankey winlog.computer_name dns.query.name | groupby winlog.computer_name | groupby process.executable | groupby dns.query.name | groupby dns.answers.name' query: 'event.category: registry | groupby -sankey event.action host.name | groupby event.dataset event.action | groupby host.name | groupby process.executable | groupby registry.path | groupby process.executable registry.path'
- name: Sysmon Process - name: Host DNS & Process Mappings
description: Process activity captured by Sysmon description: DNS queries mapped to originating processes
query: '(event.dataset:process_creation OR event.dataset:process_terminated OR event.dataset:process_access) | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby user.name | groupby event.dataset | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable' query: 'event.category: network AND _exists_:process.executable AND (_exists_:dns.question.name OR _exists_:dns.answers.data) | groupby -sankey host.name dns.question.name | groupby event.dataset event.type | groupby host.name | groupby process.executable | groupby dns.question.name | groupby dns.answers.data'
- name: Sysmon File - name: Host Process Activity
description: File activity captured by Sysmon description: Process activity captured on an endpoint
query: 'event.module:sysmon AND event.dataset:file_* | groupby -sankey winlog.computer_name process.executable | groupby winlog.computer_name | groupby event.dataset | groupby file.target | groupby process.executable' query: 'event.category:process | groupby -sankey host.name user.name* | groupby event.dataset event.action | groupby host.name | groupby user.name | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable'
- name: Sysmon Network - name: Host File Activity
description: Network activity captured by Sysmon description: File activity captured on an endpoint
query: 'event.dataset:network_connection | groupby -sankey winlog.computer_name destination.ip destination.port | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' query: 'event.category: file AND _exists_:process.executable | groupby -sankey host.name process.executable | groupby host.name | groupby event.dataset event.action event.type | groupby file.name | groupby process.executable'
- name: Host Network & Process Mappings
description: Network activity mapped to originating processes
query: 'event.category: network AND _exists_:process.executable | groupby -sankey event.action host.name | groupby -sankey host.name user.name | groupby event.dataset* event.type* event.action* | groupby host.name | groupby user.name | groupby dns.question.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby process.name | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: Strelka - name: Strelka
description: Strelka file analysis description: Strelka file analysis
query: 'event.module:strelka | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.name' query: 'event.module:strelka | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.name'
@@ -1614,7 +1617,7 @@ soc:
- acknowledged - acknowledged
queries: queries:
- name: 'Group By Name, Module' - name: 'Group By Name, Module'
query: '* | groupby rule.name event.module event.severity_label' query: '* | groupby rule.name event.module* event.severity_label'
- name: 'Group By Sensor, Source IP/Port, Destination IP/Port, Name' - name: 'Group By Sensor, Source IP/Port, Destination IP/Port, Name'
query: '* | groupby observer.name source.ip source.port destination.ip destination.port rule.name network.community_id event.severity_label' query: '* | groupby observer.name source.ip source.port destination.ip destination.port rule.name network.community_id event.severity_label'
- name: 'Group By Source IP, Name' - name: 'Group By Source IP, Name'
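Review bot: The new `Host Network & Process Mappings` query in the -1389 hunk still groups by `winlog.event_data.TargetObject`, a registry-oriented field that the sibling `Host Registry Changes` query already covers, so inside an `event.category: network` query it reads like a leftover from the old Sysmon Overview and will mostly produce an empty group; dropping `| groupby winlog.event_data.TargetObject` from that line looks right. The rewritten host queries also mix `event.category: registry` and `event.dataset: windows.sysmon_operational` (space after the colon) with the `event.category:process` form used by every other query in the file; both forms appear to parse, but one style keeps the queries greppable and avoids surprises when someone edits them later. The repeated `groupby event.module*` change across the -7, -1116, -1380, -1389 and -1614 hunks is presumably deliberate; a one-line comment above the first affected query explaining why the wildcard is needed would stop a future cleanup from reverting it. This file section may continue beyond the last hunk shown here.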