diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 7e8e76094..ff8a504ac 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1771,13 +1771,13 @@ soc:
 enabled: true
 queries:
 - name: Default Query
- description: Show all events grouped by the observer host
- query: '* | groupby observer.name'
- showSubtitle: true
- - name: Log Type
 description: Show all events grouped by module and dataset
 query: '* | groupby event.module* event.dataset'
 showSubtitle: true
+ - name: Observer
+ description: Show all events grouped by the observer host
+ query: '* | groupby observer.name'
+ showSubtitle: true
 - name: SOC - Auth
 description: Users authenticated to SOC grouped by IP address and identity
 query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http.request.headers.x-real-ip user.name'
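Review bot: The entry named `Default Query` now carries the module/dataset grouping while its former observer grouping moves to the new `Observer` entry, so the name no longer says what the query does, and the `Log Type` name users may have been selecting disappears. If `Default Query` is a name the SOC UI relies on for the initial view (the hunk suggests this but does not show it), a comment above the entry would keep a later contributor from renaming it, e.g. `# Keep this entry named "Default Query"; it is the query SOC loads on first visit.` If the name is not special, keeping `Log Type` as the name and moving it to the front of the list would read more clearly. The `queries` list continues outside the hunk.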