From 9c9bcac61ba6899f1eb0afa3248c2d0269d6f5a4 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 2 Jun 2021 15:01:14 -0400
Subject: [PATCH] Update DNS queries
---
 salt/soc/files/soc/hunt.queries.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/salt/soc/files/soc/hunt.queries.json b/salt/soc/files/soc/hunt.queries.json
index 9d4cd85bd..c220060dd 100644
--- a/salt/soc/files/soc/hunt.queries.json
+++ b/salt/soc/files/soc/hunt.queries.json
@@ -20,11 +20,11 @@
 { "name": "DHCP", "description": "DHCP leases", "query": "event.dataset:dhcp | groupby host.hostname client.address"},
 { "name": "DHCP", "description": "DHCP grouped by message type", "query": "event.dataset:dhcp | groupby dhcp.message_types"},
 { "name": "DNP3", "description": "DNP3 grouped by reply", "query": "event.dataset:dnp3 | groupby dnp3.fc_reply"},
- { "name": "DNS", "description": "DNS queries grouped by port", "query": "event.dataset:dns | groupby dns.query.name destination.port"},
- { "name": "DNS", "description": "DNS queries grouped by type", "query": "event.dataset:dns | groupby dns.query.type_name destination.port"},
- { "name": "DNS", "description": "DNS queries grouped by response code", "query": "event.dataset:dns | groupby dns.response.code_name destination.port"},
- { "name": "DNS", "description": "DNS highest registered domain", "query": "event.dataset:dns | groupby dns.highest_registered_domain.keyword destination.port"},
- { "name": "DNS", "description": "DNS grouped by parent domain", "query": "event.dataset:dns | groupby dns.parent_domain.keyword destination.port"},
+ { "name": "DNS", "description": "DNS queries grouped by port", "query": "_exists_:dns.id | groupby dns.question.name destination.port"},
+ { "name": "DNS", "description": "DNS queries grouped by type", "query": "_exists_:dns.id | groupby dns.question.type destination.port"},
+ { "name": "DNS", "description": "DNS queries grouped by response code", "query": "_exists_:dns.id | groupby dns.response_code destination.port"},
+ { "name": "DNS", "description": "DNS highest registered domain", "query": "_exists_:dns.id | groupby dns.question.top_level_domain destination.port"},
+ { "name": "DNS", "description": "DNS grouped by parent domain", "query": "_exists_:dns.id | groupby dns.question.registered_domain destination.port"},
 { "name": "DPD", "description": "Dynamic Protocol Detection errors", "query": "event.dataset:dpd | groupby error.reason"},
 { "name": 
"Files", "description": "Files grouped by mimetype", "query": "event.dataset:file | groupby file.mime_type source.ip"},
 { "name": "Files", "description": "Files grouped by source", "query": "event.dataset:file | groupby file.source source.ip"},
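Review bot: The fourth and fifth added entries no longer match their descriptions: the row labelled "DNS highest registered domain" now groups by `dns.question.top_level_domain`, which yields only the effective TLD (e.g. `com`), while the row labelled "DNS grouped by parent domain" is the one that groups by `dns.question.registered_domain`, so an analyst picking the "highest registered domain" hunt gets a TLD breakdown instead. Either swap the two fields or relabel the rows, e.g. `{ "name": "DNS", "description": "DNS highest registered domain", "query": "_exists_:dns.id | groupby dns.question.registered_domain destination.port"},` and `{ "name": "DNS", "description": "DNS grouped by top-level domain", "query": "_exists_:dns.id | groupby dns.question.top_level_domain destination.port"},`. The selector change from `event.dataset:dns` to `_exists_:dns.id` also widens all five hunts to any index that carries a `dns.id` field, presumably to cover more than one DNS log source; since every other entry in the hunk is still scoped by `event.dataset`, that intent is worth stating in the descriptions so the broader result set is not mistaken for a bug. Dropping the `.keyword` suffix that the old `dns.highest_registered_domain` and `dns.parent_domain` fields carried implies the new `dns.question.*` fields are keyword-mapped in the current template; if any of them is still a text field, the groupby will fail at query time, so confirm the mapping before merging.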