From f6151b3895739a98679b76e79d4d16d84d5cd9e8 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Thu, 13 Oct 2022 09:03:10 -0400
Subject: [PATCH] Remove destination_geo.organization_name from Sysmon Network sankey diagram
---
salt/soc/defaults.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index c97850cc4..278a02342 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1573,7 +1573,7 @@ soc:
query: '(event.dataset:file_create OR event.dataset:file_create_stream_hash OR event.dataset:process_changed_file) | groupby -sankey winlog.computer_name process.executable | groupby winlog.computer_name | groupby event.dataset | groupby file.target | groupby process.executable'
- name: Sysmon Network
description: Network activity captured by Sysmon
- query: 'event.dataset:network_connection | groupby -sankey winlog.computer_name destination.ip destination.port destination_geo.organization_name | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
+ query: 'event.dataset:network_connection | groupby -sankey winlog.computer_name destination.ip destination.port | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: Strelka
description: Strelka logs
query: 'event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source'
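Review bot: The added `query:` line for the Sysmon Network hunt drops `destination_geo.organization_name` from the `-sankey` clause while deliberately keeping the trailing `groupby destination_geo.organization_name` table, but neither the line nor the commit title says why, so a later maintainer has no cue against adding the field back to the diagram. A one-line YAML comment above the query, at the same indent, would preserve the rationale, e.g. `# destination_geo.organization_name is intentionally excluded from the sankey (still grouped separately below) — presumably because it is absent for many destinations and degrades the diagram; confirm with the author`. The reason is hedged because it is not visible in the diff; if the real motivation differs (rendering, cardinality, or enrichment gaps for private destination IPs), state that instead. This is the complete hunk, but the enclosing `soc:` hunt list starts and ends outside it.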