CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #10600 from Security-Onion-Solutions/fix/dataset_tags

Browse Source 
Change format of event dataset and assign dataset to tags
This commit is contained in:
Josh Brower
2023-06-21 09:22:40 -04:00
committed by GitHub
parent b02c38175c 3a34da354f
commit 6ba9e057a9
4 changed files with 112 additions and 107 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
salt/elasticsearch/files/ingest-dynamic/common
View File

@@ -57,8 +57,11 @@
{ "convert": { "field": "log.id.uid", "type": "string", "ignore_failure": true, "ignore_missing": true } },
{ "convert": { "field": "agent.id", "type": "string", "ignore_failure": true, "ignore_missing": true } },
{ "convert": { "field": "event.severity", "type": "integer", "ignore_failure": true, "ignore_missing": true } },
{ "set": { "field": "event.dataset", "ignore_empty_value":true, "copy_from":"event.dataset_temp" }},
{ "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp" ], "ignore_missing": true, "ignore_failure": true } }
{ "set": { "field": "event.dataset", "ignore_empty_value":true, "copy_from": "event.dataset_temp" }},
{ "set": { "if": "ctx.event?.dataset != null && !ctx.event.dataset.contains('.')", "field": "event.dataset", "value": "{{event.module}}.{{event.dataset}}" } },
{ "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "dataset_tag_temp" } },
{ "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}" }},
{ "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "dataset_tag_temp", "event.dataset_temp" ], "ignore_missing": true, "ignore_failure": true } }
{%- endraw %}
{%- if HIGHLANDER %}
,

6
salt/elasticsearch/files/ingest/.fleet_final_pipeline-1
View File

@@ -71,8 +71,10 @@
},
{ "set": { "ignore_failure": true, "field": "event.module", "value": "elastic_agent" } },
{ "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "module_temp" } },
{ "set": { "if": "ctx.module_temp != null", "override": true, "field": "event.module", "value": "{{module_temp.0}}" }},
{ "remove": { "field": [ "module_temp" ], "ignore_missing": true, "ignore_failure": true } }
{ "set": { "if": "ctx.module_temp != null", "override": true, "field": "event.module", "value": "{{module_temp.0}}" } },
{ "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "dataset_tag_temp" } },
{ "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}" } },
{ "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp" ], "ignore_missing": true, "ignore_failure": true } }
],
"on_failure": [
{

204
salt/soc/defaults.yaml
View File

@@ -1139,11 +1139,11 @@ soc:
showSubtitle: true
- name: Alerts
description: Show all alerts grouped by alert source
query: 'event.dataset: alert | groupby event.module'
query: 'tags:alert | groupby event.module'
showSubtitle: true
- name: NIDS Alerts
description: Show all NIDS alerts grouped by alert
query: 'event.category: network AND event.dataset: alert | groupby rule.category rule.gid rule.uuid rule.name'
query: 'event.category: network AND tags: alert | groupby rule.category rule.gid rule.uuid rule.name'
showSubtitle: true
- name: Osquery - Live Query
description: Show all Osquery Live Query results
@@ -1163,207 +1163,207 @@ soc:
showSubtitle: true
- name: Zeek Notice
description: Show notices from Zeek
query: 'event.dataset:notice | groupby notice.note notice.message'
query: 'event.dataset:zeek.notice | groupby notice.note notice.message'
showSubtitle: true
- name: Connections
description: Connections grouped by IP and Port
query: 'event.dataset:conn | groupby source.ip destination.ip network.protocol destination.port'
query: 'tags:conn | groupby source.ip destination.ip network.protocol destination.port'
showSubtitle: true
- name: Connections
description: Connections grouped by Service
query: 'event.dataset:conn | groupby network.protocol destination.port'
query: 'tags:conn | groupby network.protocol destination.port'
showSubtitle: true
- name: Connections
description: Connections grouped by destination country
query: 'event.dataset:conn | groupby destination.geo.country_name'
query: 'tags:conn | groupby destination.geo.country_name'
showSubtitle: true
- name: Connections
description: Connections grouped by source country
query: 'event.dataset:conn | groupby source.geo.country_name'
query: 'tags:conn | groupby source.geo.country_name'
showSubtitle: true
- name: DCE_RPC
description: DCE_RPC grouped by operation
query: 'event.dataset:dce_rpc | groupby dce_rpc.operation'
query: 'tags:dce_rpc | groupby dce_rpc.operation'
showSubtitle: true
- name: DHCP
description: DHCP leases
query: 'event.dataset:dhcp | groupby host.hostname client.address'
query: 'tags:dhcp | groupby host.hostname client.address'
showSubtitle: true
- name: DHCP
description: DHCP grouped by message type
query: 'event.dataset:dhcp | groupby dhcp.message_types'
query: 'tags:dhcp | groupby dhcp.message_types'
showSubtitle: true
- name: DNP3
description: DNP3 grouped by reply
query: 'event.dataset:dnp3 | groupby dnp3.fc_reply'
query: 'tags:dnp3 | groupby dnp3.fc_reply'
showSubtitle: true
- name: DNS
description: DNS queries grouped by port
query: 'event.dataset:dns | groupby dns.query.name destination.port'
query: 'tags:dns | groupby dns.query.name destination.port'
showSubtitle: true
- name: DNS
description: DNS queries grouped by type
query: 'event.dataset:dns | groupby dns.query.type_name destination.port'
query: 'tags:dns | groupby dns.query.type_name destination.port'
showSubtitle: true
- name: DNS
description: DNS queries grouped by response code
query: 'event.dataset:dns | groupby dns.response.code_name destination.port'
query: 'tags:dns | groupby dns.response.code_name destination.port'
showSubtitle: true
- name: DNS
description: DNS highest registered domain
query: 'event.dataset:dns | groupby dns.highest_registered_domain.keyword destination.port'
query: 'tags:dns | groupby dns.highest_registered_domain.keyword destination.port'
showSubtitle: true
- name: DNS
description: DNS grouped by parent domain
query: 'event.dataset:dns | groupby dns.parent_domain.keyword destination.port'
query: 'tags:dns | groupby dns.parent_domain.keyword destination.port'
showSubtitle: true
- name: DPD
description: Dynamic Protocol Detection errors
query: 'event.dataset:dpd | groupby error.reason'
query: 'tags:dpd | groupby error.reason'
showSubtitle: true
- name: Files
description: Files grouped by mimetype
query: 'event.dataset:file | groupby file.mime_type source.ip'
query: 'tags:file | groupby file.mime_type source.ip'
showSubtitle: true
- name: Files
description: Files grouped by source
query: 'event.dataset:file | groupby file.source source.ip'
query: 'tags:file | groupby file.source source.ip'
showSubtitle: true
- name: FTP
description: FTP grouped by command and argument
query: 'event.dataset:ftp | groupby ftp.command ftp.argument'
query: 'tags:ftp | groupby ftp.command ftp.argument'
showSubtitle: true
- name: FTP
description: FTP grouped by username and argument
query: 'event.dataset:ftp | groupby ftp.user ftp.argument'
query: 'tags:ftp | groupby ftp.user ftp.argument'
showSubtitle: true
- name: HTTP
description: HTTP grouped by destination port
query: 'event.dataset:http | groupby destination.port'
query: 'tags:http | groupby destination.port'
showSubtitle: true
- name: HTTP
description: HTTP grouped by status code and message
query: 'event.dataset:http | groupby http.status_code http.status_message'
query: 'tags:http | groupby http.status_code http.status_message'
showSubtitle: true
- name: HTTP
description: HTTP grouped by method and user agent
query: 'event.dataset:http | groupby http.method http.useragent'
query: 'tags:http | groupby http.method http.useragent'
showSubtitle: true
- name: HTTP
description: HTTP grouped by virtual host
query: 'event.dataset:http | groupby http.virtual_host'
query: 'tags:http | groupby http.virtual_host'
showSubtitle: true
- name: HTTP
description: HTTP with exe downloads
query: 'event.dataset:http AND (file.resp_mime_types:dosexec OR file.resp_mime_types:executable) | groupby http.virtual_host'
query: 'tags:http AND (file.resp_mime_types:dosexec OR file.resp_mime_types:executable) | groupby http.virtual_host'
showSubtitle: true
- name: Intel
description: Intel framework hits grouped by indicator
query: 'event.dataset:intel | groupby intel.indicator.keyword'
query: 'tags:intel | groupby intel.indicator.keyword'
showSubtitle: true
- name: IRC
description: IRC grouped by command
query: 'event.dataset:irc | groupby irc.command.type'
query: 'tags:irc | groupby irc.command.type'
showSubtitle: true
- name: KERBEROS
description: KERBEROS grouped by service
query: 'event.dataset:kerberos | groupby kerberos.service'
query: 'tags:kerberos | groupby kerberos.service'
showSubtitle: true
- name: MODBUS
description: MODBUS grouped by function
query: 'event.dataset:modbus | groupby modbus.function'
query: 'tags:modbus | groupby modbus.function'
showSubtitle: true
- name: MYSQL
description: MYSQL grouped by command
query: 'event.dataset:mysql | groupby mysql.command'
query: 'tags:mysql | groupby mysql.command'
showSubtitle: true
- name: NOTICE
description: Zeek notice logs grouped by note and message
query: 'event.dataset:notice | groupby notice.note notice.message'
query: 'event.dataset:zeek.notice | groupby notice.note notice.message'
showSubtitle: true
- name: NTLM
description: NTLM grouped by computer name
query: 'event.dataset:ntlm | groupby ntlm.server.dns.name'
query: 'tags:ntlm | groupby ntlm.server.dns.name'
showSubtitle: true
- name: PE
description: PE files list
query: 'event.dataset:pe | groupby file.machine file.os file.subsystem'
query: 'tags:pe | groupby file.machine file.os file.subsystem'
showSubtitle: true
- name: RADIUS
description: RADIUS grouped by username
query: 'event.dataset:radius | groupby user.name.keyword'
query: 'tags:radius | groupby user.name.keyword'
showSubtitle: true
- name: RDP
description: RDP grouped by client name
query: 'event.dataset:rdp | groupby client.name'
query: 'tags:rdp | groupby client.name'
showSubtitle: true
- name: RFB
description: RFB grouped by desktop name
query: 'event.dataset:rfb | groupby rfb.desktop.name.keyword'
query: 'tags:rfb | groupby rfb.desktop.name.keyword'
showSubtitle: true
- name: Signatures
description: Zeek signatures grouped by signature id
query: 'event.dataset:signatures | groupby signature_id'
query: 'event.dataset:zeek.signatures | groupby signature_id'
showSubtitle: true
- name: SIP
description: SIP grouped by user agent
query: 'event.dataset:sip | groupby client.user_agent'
query: 'tags:sip | groupby client.user_agent'
showSubtitle: true
- name: SMB_Files
description: SMB files grouped by action
query: 'event.dataset:smb_files | groupby file.action'
query: 'tags:smb_files | groupby file.action'
showSubtitle: true
- name: SMB_Mapping
description: SMB mapping grouped by path
query: 'event.dataset:smb_mapping | groupby smb.path'
query: 'tags:smb_mapping | groupby smb.path'
showSubtitle: true
- name: SMTP
description: SMTP grouped by subject
query: 'event.dataset:smtp | groupby smtp.subject'
query: 'tags:smtp | groupby smtp.subject'
showSubtitle: true
- name: SNMP
description: SNMP grouped by version and string
query: 'event.dataset:snmp | groupby snmp.community snmp.version'
query: 'tags:snmp | groupby snmp.community snmp.version'
showSubtitle: true
- name: Software
description: List of software seen on the network
query: 'event.dataset:software | groupby software.type software.name'
query: 'tags:software | groupby software.type software.name'
showSubtitle: true
- name: SSH
description: SSH grouped by version and client
query: 'event.dataset:ssh | groupby ssh.version ssh.client'
query: 'tags:ssh | groupby ssh.version ssh.client'
showSubtitle: true
- name: SSL
description: SSL grouped by version and server name
query: 'event.dataset:ssl | groupby ssl.version ssl.server_name'
query: 'tags:ssl | groupby ssl.version ssl.server_name'
showSubtitle: true
- name: SYSLOG
description: 'SYSLOG grouped by severity and facility '
query: 'event.dataset:syslog | groupby syslog.severity_label syslog.facility_label'
query: 'tags:syslog | groupby syslog.severity_label syslog.facility_label'
showSubtitle: true
- name: Tunnel
description: Tunnels grouped by type and action
query: 'event.dataset:tunnel | groupby tunnel.type event.action'
query: 'tags:tunnel | groupby tunnel.type event.action'
showSubtitle: true
- name: Weird
description: Zeek weird log grouped by name
query: 'event.dataset:weird | groupby weird.name'
query: 'event.dataset:zeek.weird | groupby weird.name'
showSubtitle: true
- name: x509
description: x.509 grouped by key length and name
query: 'event.dataset:x509 | groupby x509.certificate.key.length x509.san_dns'
query: 'tags:x509 | groupby x509.certificate.key.length x509.san_dns'
showSubtitle: true
- name: x509
description: x.509 grouped by name and issuer
query: 'event.dataset:x509 | groupby x509.san_dns x509.certificate.issuer'
query: 'tags:x509 | groupby x509.san_dns x509.certificate.issuer'
showSubtitle: true
- name: x509
description: x.509 grouped by name and subject
query: 'event.dataset:x509 | groupby x509.san_dns x509.certificate.subject'
query: 'tags:x509 | groupby x509.san_dns x509.certificate.subject'
showSubtitle: true
- name: Firewall
description: Firewall events grouped by action
query: 'event.dataset:firewall | groupby rule.action'
query: 'tags:firewall | groupby rule.action'
showSubtitle: true
dashboards:
advanced: true
@@ -1395,10 +1395,10 @@ soc:
query: '_index: "*:elastalert*" | groupby rule_name | groupby alert_info.type'
- name: Alerts
description: Overview of all alerts
query: 'event.dataset:alert | groupby event.module* | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
query: 'tags:alert | groupby event.module* | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: NIDS Alerts
description: NIDS (Network Intrusion Detection System) alerts
query: 'event.category:network AND event.dataset:alert | groupby rule.category | groupby -sankey source.ip destination.ip | groupby rule.name | groupby rule.uuid | groupby rule.gid | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
query: 'event.category:network AND tags:alert | groupby rule.category | groupby -sankey source.ip destination.ip | groupby rule.name | groupby rule.uuid | groupby rule.gid | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: Sysmon Overview
description: Overview of all Sysmon data types
query: 'event.dataset:windows.sysmon_operational | groupby -sankey event.action host.name | groupby -sankey host.name user.name | groupby host.name | groupby event.category event.action | groupby user.name | groupby dns.question.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port'
@@ -1425,145 +1425,145 @@ soc:
query: 'event.module:strelka | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.name'
- name: Zeek Notice
description: Zeek notice logs
query: 'event.dataset:notice | groupby -sankey notice.note destination.ip | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
query: 'event.dataset:zeek.notice | groupby -sankey notice.note destination.ip | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: Connections
description: Network connection metadata
query: 'event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby -sankey destination.port network.protocol | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes | groupby client.oui'
query: 'tags:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby -sankey destination.port network.protocol | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes | groupby client.oui'
- name: DCE_RPC
description: DCE_RPC (Distributed Computing Environment / Remote Procedure Calls) network metadata
query: 'event.dataset:dce_rpc | groupby -sankey dce_rpc.endpoint dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.operation | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
query: 'tags:dce_rpc | groupby -sankey dce_rpc.endpoint dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.operation | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: DHCP
description: DHCP (Dynamic Host Configuration Protocol) leases
query: 'event.dataset:dhcp | groupby host.hostname | groupby dhcp.message_types | groupby -sankey client.address server.address | groupby client.address | groupby server.address | groupby host.domain'
query: 'tags:dhcp | groupby host.hostname | groupby dhcp.message_types | groupby -sankey client.address server.address | groupby client.address | groupby server.address | groupby host.domain'
- name: DNS
description: DNS (Domain Name System) queries
query: 'event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby -sankey source.ip destination.ip | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
query: 'tags:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby -sankey source.ip destination.ip | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: DPD
description: DPD (Dynamic Protocol Detection) errors
query: 'event.dataset:dpd | groupby error.reason | groupby network.protocol | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
query: 'tags:dpd | groupby error.reason | groupby network.protocol | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: Files
description: Files seen in network traffic
query: 'event.dataset:file | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip | groupby destination_geo.organization_name'
query: 'tags:file | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip | groupby destination_geo.organization_name'
- name: FTP
description: FTP (File Transfer Protocol) network metadata
query: 'event.dataset:ftp | groupby -sankey ftp.command destination.ip | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
query: 'tags:ftp | groupby -sankey ftp.command destination.ip | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: HTTP
description: HTTP (Hyper Text Transport Protocol) network metadata
query: 'event.dataset:http | groupby http.method | groupby -sankey http.method http.virtual_host | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
query: 'tags:http | groupby http.method | groupby -sankey http.method http.virtual_host | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: Intel
description: Zeek Intel framework hits
query: 'event.dataset:intel | groupby intel.indicator | groupby -sankey source.ip intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port'
query: 'tags:intel | groupby intel.indicator | groupby -sankey source.ip intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: IRC
description: IRC (Internet Relay Chat) network metadata
query: 'event.dataset:irc | groupby irc.command.type | groupby -sankey irc.command.type irc.username | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
query: 'tags:irc | groupby irc.command.type | groupby -sankey irc.command.type irc.username | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: Kerberos
description: Kerberos network metadata
query: 'event.dataset:kerberos | groupby kerberos.service | groupby -sankey kerberos.service destination.ip | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port'
query: 'tags:kerberos | groupby kerberos.service | groupby -sankey kerberos.service destination.ip | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: MySQL
description: MySQL network metadata
query: 'event.dataset:mysql | groupby mysql.command | groupby -sankey mysql.command destination.ip | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port'
query: 'tags:mysql | groupby mysql.command | groupby -sankey mysql.command destination.ip | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: NTLM
description: NTLM (New Technology LAN Manager) network metadata
query: 'event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby -sankey source.ip destination.ip | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port'
query: 'tags:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby -sankey source.ip destination.ip | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: PE
description: PE (Portable Executable) files transferred via network traffic
query: 'event.dataset:pe | groupby file.machine | groupby -sankey file.machine file.os | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit'
query: 'tags:pe | groupby file.machine | groupby -sankey file.machine file.os | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit'
- name: RADIUS
description: RADIUS (Remote Authentication Dial-In User Service) network metadata
query: 'event.dataset:radius | groupby -sankey user.name.keyword destination.ip | groupby user.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
query: 'tags:radius | groupby -sankey user.name.keyword destination.ip | groupby user.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: RDP
description: RDP (Remote Desktop Protocol) network metadata
query: 'event.dataset:rdp | groupby client.name | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
query: 'tags:rdp | groupby client.name | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: RFB
description: RFB (Remote Frame Buffer) network metadata
query: 'event.dataset:rfb | groupby rfb.desktop.name.keyword | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
query: 'tags:rfb | groupby rfb.desktop.name.keyword | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: Signatures
description: Zeek signatures
query: 'event.dataset:signatures | groupby signature_id'
query: 'event.dataset:zeek.signatures | groupby signature_id'
- name: SIP
description: SIP (Session Initiation Protocol) network metadata
query: 'event.dataset:sip | groupby client.user_agent | groupby sip.method | groupby sip.uri | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
query: 'tags:sip | groupby client.user_agent | groupby sip.method | groupby sip.uri | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: SMB_Files
description: Files transferred via SMB (Server Message Block)
query: 'event.dataset:smb_files | groupby file.action | groupby file.path | groupby file.name | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port'
query: 'tags:smb_files | groupby file.action | groupby file.path | groupby file.name | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: SMB_Mapping
description: SMB (Server Message Block) mapping network metadata
query: 'event.dataset:smb_mapping | groupby smb.share_type | groupby smb.path | groupby smb.service | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port'
query: 'tags:smb_mapping | groupby smb.share_type | groupby smb.path | groupby smb.service | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: SMTP
description: SMTP (Simple Mail Transfer Protocol) network metadata
query: 'event.dataset:smtp | groupby smtp.from | groupby smtp.recipient_to | groupby -sankey source.ip destination.ip | groupby smtp.subject | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
query: 'tags:smtp | groupby smtp.from | groupby smtp.recipient_to | groupby -sankey source.ip destination.ip | groupby smtp.subject | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: SNMP
description: SNMP (Simple Network Management Protocol) network metadat
query: 'event.dataset:snmp | groupby snmp.community | groupby snmp.version | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port'
query: 'tags:snmp | groupby snmp.community | groupby snmp.version | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: Software
description: Software seen by Zeek via network traffic
query: 'event.dataset:software | groupby -sankey software.type source.ip | groupby software.type | groupby software.name | groupby source.ip'
query: 'tags:software | groupby -sankey software.type source.ip | groupby software.type | groupby software.name | groupby source.ip'
- name: SSH
description: SSH (Secure Shell) connections seen by Zeek
query: 'event.dataset:ssh | groupby ssh.client | groupby ssh.server | groupby -sankey source.ip destination.ip | groupby ssh.direction | groupby ssh.version | groupby ssh.hassh_version | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
query: 'tags:ssh | groupby ssh.client | groupby ssh.server | groupby -sankey source.ip destination.ip | groupby ssh.direction | groupby ssh.version | groupby ssh.hassh_version | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: SSL
description: SSL/TLS network metadata
query: 'event.dataset:ssl | groupby ssl.version | groupby ssl.validation_status | groupby -sankey source.ip ssl.server_name | groupby ssl.server_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject'
query: 'tags:ssl | groupby ssl.version | groupby ssl.validation_status | groupby -sankey source.ip ssl.server_name | groupby ssl.server_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject'
- name: STUN
description: STUN (Session Traversal Utilities for NAT) network metadata
query: 'event.dataset:stun* | groupby -sankey source.ip destination.ip | groupby destination.geo.country_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby event.dataset'
query: 'tags:stun* | groupby -sankey source.ip destination.ip | groupby destination.geo.country_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby event.dataset'
- name: Syslog
description: Syslog logs
query: 'event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol'
query: 'tags:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol'
- name: TDS
description: TDS (Tabular Data Stream) network metadata
query: 'event.dataset:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupby tds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby tds.query'
query: 'tags:tds* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby tds.command | groupby tds.header_type | groupby tds.procedure_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby tds.query'
- name: Tunnel
description: Tunnels seen by Zeek
query: 'event.dataset:tunnel | groupby -sankey source.ip destination.ip | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination.geo.country_name'
query: 'tags:tunnel | groupby -sankey source.ip destination.ip | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination.geo.country_name'
- name: Weird
description: Weird network traffic seen by Zeek
query: 'event.dataset:weird | groupby -sankey weird.name destination.ip | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
query: 'event.dataset:zeek.weird | groupby -sankey weird.name destination.ip | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: WireGuard
description: WireGuard VPN network metadata
query: 'event.dataset:wireguard | groupby -sankey source.ip destination.ip | groupby destination.geo.country_name | groupby source.ip | groupby destination.ip | groupby destination.port'
query: 'tags:wireguard | groupby -sankey source.ip destination.ip | groupby destination.geo.country_name | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: x509
description: x.509 certificates seen by Zeek
query: 'event.dataset:x509 | groupby -sankey x509.certificate.key.length x509.san_dns | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer'
query: 'tags:x509 | groupby -sankey x509.certificate.key.length x509.san_dns | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer'
- name: ICS Overview
description: Overview of ICS (Industrial Control Systems) network metadata
query: 'tags:ics | groupby event.dataset | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby source.mac | groupby destination.mac'
- name: ICS BACnet
description: BACnet (Building Automation and Control Networks) network metadata
query: 'event.dataset:bacnet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port'
query: 'tags:bacnet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: ICS BSAP
description: BSAP (Bristol Standard Asynchronous Protocol) network metadata
query: 'event.dataset:bsap* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port'
query: 'tags:bsap* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: ICS CIP
description: CIP (Common Industrial Protocol) network metadata
query: 'event.dataset:cip* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port'
query: 'tags:cip* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: ICS COTP
description: COTP (Connection Oriented Transport Protocol) network metadata
query: 'event.dataset:cotp* | groupby -sankey source.ip destination.ip | groupby cotp.pdu.name | groupby cotp.pdu.code | groupby source.ip | groupby destination.ip | groupby destination.port'
query: 'tags:cotp* | groupby -sankey source.ip destination.ip | groupby cotp.pdu.name | groupby cotp.pdu.code | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: ICS DNP3
description: DNP3 (Distributed Network Protocol) network metadata
query: 'event.dataset:dnp3* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby dnp3.function_code | groupby dnp3.object_type | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby source.ip | groupby destination.ip | groupby destination.port'
query: 'tags:dnp3* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby dnp3.function_code | groupby dnp3.object_type | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: ICS ECAT
description: ECAT (Ethernet for Control Automation Technology) network metadata
query: 'event.dataset:ecat* | groupby -sankey event.dataset source.mac destination.mac | groupby event.dataset | groupby source.mac | groupby destination.mac | groupby ecat.command | groupby ecat.register.type'
query: 'tags:ecat* | groupby -sankey event.dataset source.mac destination.mac | groupby event.dataset | groupby source.mac | groupby destination.mac | groupby ecat.command | groupby ecat.register.type'
- name: ICS ENIP
description: ENIP (Ethernet Industrial Protocol) network metadata
query: 'event.dataset:enip* | groupby -sankey source.ip destination.ip | groupby enip.command | groupby enip.status_code | groupby source.ip | groupby destination.ip | groupby destination.port'
query: 'tags:enip* | groupby -sankey source.ip destination.ip | groupby enip.command | groupby enip.status_code | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: ICS Modbus
description: Modbus network metadata
query: 'event.dataset:modbus* | groupby -sankey event.dataset modbus.function | groupby event.dataset | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port'
query: 'tags:modbus* | groupby -sankey event.dataset modbus.function | groupby event.dataset | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: ICS OPC UA
description: OPC UA (Unified Architecture) network metadata
query: 'event.dataset:opcua* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port'
query: 'tags:opcua* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: ICS Profinet
description: Profinet (Process Field Network) network metadata
query: 'event.dataset:profinet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port'
query: 'tags:profinet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: ICS S7
description: S7 (Siemens) network metadata
query: 'event.dataset:s7* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port'
query: 'tags:s7* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: Firewall
description: Firewall logs
query: 'event.dataset:firewall | groupby -sankey rule.action interface.name | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port'
query: 'tags:firewall | groupby -sankey rule.action interface.name | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: VLAN
description: VLAN (Virtual Local Area Network) tagged logs
query: '* AND _exists_:network.vlan.id | groupby network.vlan.id | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby event.dataset | groupby event.module | groupby observer.name | groupby source.geo.country_name | groupby destination.geo.country_name'
@@ -1621,7 +1621,7 @@ soc:
- user.escalated
- location
- process.name
queryBaseFilter: event.dataset:alert
queryBaseFilter: tags:alert
queryToggleFilters:
- name: acknowledged
filter: event.acknowledged:true

2
salt/soctopus/files/templates/generic.template
View File

@@ -5,7 +5,7 @@ elasticsearch_host: "{{ GLOBALS.url_base }}:9200"
play_title: ""
play_id: ""
event.module: "playbook"
event.dataset: "alert"
event.dataset: "playbook.alert"
event.severity:
rule.category:
play_url: "https://{{ GLOBALS.url_base }}/playbook/issues/6000"