From f8108e93d5a9a99c16c471d9132d1a225a9f4f2c Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Mon, 14 Jul 2025 12:04:46 -0400
Subject: [PATCH 1/4] FEATURE: Add SOC default fields for iptables logs #14836
---
salt/soc/defaults.yaml | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index cb12671f8..35eb22ab0 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1336,6 +1336,13 @@ soc:
 - soc.fields.statusCode
 - event.action
 - soc.fields.error
+ ':iptables:':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - message
 server:
 bindAddress: 0.0.0.0:9822
 baseUrl: /
From 10bf3e8fab0681d0f9f2f11fa7a23666f7fc5fe9 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Mon, 14 Jul 2025 12:07:02 -0400
Subject: [PATCH 2/4] FEATURE: Add SOC default fields for CEF logs #14837
---
salt/soc/defaults.yaml | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 35eb22ab0..e84a5b017 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1343,6 +1343,14 @@ soc:
 - destination.ip
 - destination.port
 - message
+ ':cef:':
+ - soc_timestamp
+ - cef.device.event_class_id
+ - cef.device.vendor
+ - cef.device.product
+ - cef.device.version
+ - log.source.address
+ - message
 server:
 bindAddress: 0.0.0.0:9822
 baseUrl: /
From ab9d03bc2e7cd4b38f08e596ab14e4ad205007d2 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Mon, 14 Jul 2025 12:21:08 -0400
Subject: [PATCH 3/4] FEATURE: Add SOC Dashboards for UniFi logs #14838
---
salt/soc/defaults.yaml | 30 +++++++++++++++++++++---------
1 file changed, 21 insertions(+), 9 deletions(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index e84a5b017..23c966bb4 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -2142,15 +2142,6 @@ soc:
 - name: ICS S7
 description: S7 (Siemens) network metadata
 query: 'tags:s7* | groupby event.dataset | groupby -sankey event.dataset source.ip | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port'
- - name: NetFlow
- description: NetFlow records
- query: 'event.module:netflow | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby network.type | groupby network.transport | groupby network.direction | groupby netflow.type | groupby netflow.exporter.version | groupby observer.ip | groupby source.as.organization.name | groupby source.geo.country_name | groupby destination.as.organization.name | groupby destination.geo.country_name'
- - name: Firewall
- description: Firewall logs
- query: 'observer.type:firewall | groupby event.action | groupby -sankey event.action observer.ingress.interface.name | groupby observer.ingress.interface.name | groupby network.type | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port'
- - name: Firewall Auth
- description: Firewall authentication logs
- query: 'observer.type:firewall AND event.category:authentication | groupby user.name | groupby -sankey user.name source.ip | groupby source.ip | table soc_timestamp user.name source.ip message'
 - name: VLAN
 description: VLAN (Virtual Local Area Network) tagged logs
 query: '* AND _exists_:network.vlan.id | groupby network.vlan.id | groupby -sankey network.vlan.id source.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby event.dataset | groupby event.module | groupby observer.name | groupby source.geo.country_name | groupby destination.geo.country_name'
@@ -2166,6 +2157,27 @@ soc:
 - name: GeoIP - Source Organizations
 description: GeoIP tagged logs visualized by source organizations
 query: '* AND _exists_:source_geo.organization_name | groupby source_geo.organization_name | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby source.geo.country_name | groupby event.dataset | groupby event.module'
+ - name: NetFlow
+ description: NetFlow records
+ query: 'event.module:netflow | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby network.type | groupby network.transport | groupby network.direction | groupby netflow.type | groupby netflow.exporter.version | groupby observer.ip | groupby source.as.organization.name | groupby source.geo.country_name | groupby destination.as.organization.name | groupby destination.geo.country_name'
+ - name: Firewall - pfSense/OPNsense
+ description: pfSense/OPNsense firewall logs
+ query: 'observer.type:firewall | groupby event.action | groupby -sankey event.action observer.ingress.interface.name | groupby observer.ingress.interface.name | groupby network.type | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port'
+ - name: Firewall - pfSense/OPNsense Auth
+ description: pfSense/OPNsense firewall authentication logs
+ query: 'observer.type:firewall AND event.category:authentication | groupby user.name | groupby -sankey user.name source.ip | groupby source.ip | table soc_timestamp user.name source.ip message'
+ - name: Firewall - UniFi Firewall Overview
+ description: All network traffic logged by UniFi firewall
+ query: 'event.module:iptables AND event.type:connection | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby -sankey destination.ip destination.port | groupby destination.port'
+ - name: Firewall - UniFi Firewall Blocks
+ description: Network traffic blocked by UniFi firewall
+ query: 'event.module:iptables AND event.type:connection AND (message:iptables-dropped OR message:block) | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby -sankey destination.ip destination.port | groupby destination.port'
+ - name: Firewall - UniFi Firewall Allows
+ description: Network traffic allowed by UniFi firewall
+ query: 'event.module:iptables AND event.type:connection AND NOT (message:iptables-dropped OR message:block) | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby -sankey destination.ip destination.port | groupby destination.port'
+ - name: Firewall - UniFi Auth
+ description: UniFi authentication logs
+ query: 'event.module:cef | groupby cef.device.event_class_id | groupby -sankey cef.device.event_class_id cef.device.vendor | groupby cef.device.vendor | groupby cef.device.product | groupby cef.device.version | groupby log.source.address'
 - name: Kismet - WiFi Devices
 description: WiFi devices seen by Kismet sensors
 query: 'event.module: kismet | groupby network.wireless.ssid | groupby device.manufacturer | groupby -pie device.manufacturer | groupby event.dataset'
From 4f8bd16910050c973d2dfc8e65fb1c599516e3fa Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Mon, 14 Jul 2025 15:37:10 -0400
Subject: [PATCH 4/4] FEATURE: Add SOC Dashboards for CEF, iptables, and UniFi logs #14838
---
salt/soc/defaults.yaml | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 23c966bb4..0c5967753 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
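Review bot: The `Firewall - UniFi Firewall Blocks` and `Allows` queries classify iptables events by free-text matching on `message` (`message:iptables-dropped OR message:block`), and the Allows query is simply the negation, so a dropped packet whose message carries neither token is reported as allowed and an accepted packet whose message happens to contain `block` (a rule label or interface name, for instance) is reported as a block. The pfSense/OPNsense dashboard in this same hunk groups by the structured `event.action` field; if the iptables integration populates a comparable action field (not visible here), keying both dashboards on it would be more robust than the text match. If it does not, the descriptions should state that the split is heuristic, e.g. `description: Network traffic blocked by UniFi firewall (heuristic match on message text)`, so analysts do not read the two dashboards as authoritative verdict counts.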
@@ -2166,6 +2166,9 @@ soc:
 - name: Firewall - pfSense/OPNsense Auth
 description: pfSense/OPNsense firewall authentication logs
 query: 'observer.type:firewall AND event.category:authentication | groupby user.name | groupby -sankey user.name source.ip | groupby source.ip | table soc_timestamp user.name source.ip message'
+ - name: Firewall - iptables
+ description: All network traffic logged by Elastic integration for iptables
+ query: 'event.module:iptables AND event.type:connection | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby -sankey destination.ip destination.port | groupby destination.port'
 - name: Firewall - UniFi Firewall Overview
 description: All network traffic logged by UniFi firewall
 query: 'event.module:iptables AND event.type:connection | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby -sankey destination.ip destination.port | groupby destination.port'
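Review bot: The new `Firewall - iptables` entry and the `Firewall - UniFi Firewall Overview` entry directly below it have byte-identical queries (`event.module:iptables AND event.type:connection | …`), so the UniFi dashboard is not scoped to UniFi at all and the two will always render the same data; the next hunk has the same problem, where `Firewall - UniFi System` and `CEF` share the `event.module:cef | …` query. The UniFi variants need an additional term that identifies the UniFi device, or they should be dropped in favour of the generic ones; which field carries that identity (for example `observer.name` or `log.source.address`, both already used elsewhere in this file) depends on what the integrations populate and cannot be confirmed from the patch. Until that term exists, a comment above each UniFi entry such as `# NOTE: currently identical to the generic iptables/CEF dashboard; narrow once a UniFi-identifying field is confirmed` would keep the duplication from being mistaken for an intentional filter.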
@@ -2175,8 +2178,11 @@ soc:
 - name: Firewall - UniFi Firewall Allows
 description: Network traffic allowed by UniFi firewall
 query: 'event.module:iptables AND event.type:connection AND NOT (message:iptables-dropped OR message:block) | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby -sankey destination.ip destination.port | groupby destination.port'
- - name: Firewall - UniFi Auth
- description: UniFi authentication logs
+ - name: Firewall - UniFi System
+ description: UniFi system logs
+ query: 'event.module:cef | groupby cef.device.event_class_id | groupby -sankey cef.device.event_class_id cef.device.vendor | groupby cef.device.vendor | groupby cef.device.product | groupby cef.device.version | groupby log.source.address'
+ - name: CEF
+ description: Logs handled by the Elastic integration for CEF
 query: 'event.module:cef | groupby cef.device.event_class_id | groupby -sankey cef.device.event_class_id cef.device.vendor | groupby cef.device.vendor | groupby cef.device.product | groupby cef.device.version | groupby log.source.address'
 - name: Kismet - WiFi Devices
 description: WiFi devices seen by Kismet sensors
@@ -2184,9 +2190,6 @@ soc:
 - name: SOC Detections - Runtime Status
 description: Runtime Status of Detections
 query: 'event.dataset:soc.detections | groupby soc.detection_type soc.error_type | groupby soc.error_analysis | groupby soc.rule.name | groupby soc.error_message'
-
-
-
 job:
 alerts:
 advanced: false