Initial updates for 2.4 fieldnames

This commit is contained in:
Josh Brower
2023-03-04 15:19:19 -05:00
parent 26dbaeb7ac
commit 9db6df0f14


@@ -7,19 +7,19 @@ soc:
icon: fa-crosshairs icon: fa-crosshairs
target: target:
links: links:
- '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' - '/#/hunt?q="{value|escape}" | groupby event.module* event.dataset'
- name: actionCorrelate - name: actionCorrelate
description: actionCorrelateHelp description: actionCorrelateHelp
icon: fab fa-searchengin icon: fab fa-searchengin
target: '' target: ''
links: links:
- '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module* event.dataset'
- '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module* event.dataset'
- '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module* event.dataset'
- '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module* event.dataset'
- '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' - '/#/hunt?q="{:log.id.fuid}" | groupby event.module* event.dataset'
- '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' - '/#/hunt?q="{:log.id.uid}" | groupby event.module* event.dataset'
- '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' - '/#/hunt?q="{:network.community_id}" | groupby event.module* event.dataset'
- name: actionPcap - name: actionPcap
description: actionPcapHelp description: actionPcapHelp
icon: fa-stream icon: fa-stream
@@ -560,7 +560,7 @@ soc:
- destination.geo.country_iso_code - destination.geo.country_iso_code
- user.name - user.name
- source.ip - source.ip
':sysmon:': ':windows.sysmon_operational:':
- soc_timestamp - soc_timestamp
- event.dataset - event.dataset
- process.executable - process.executable
@@ -1121,7 +1121,7 @@ soc:
showSubtitle: true showSubtitle: true
- name: Log Type - name: Log Type
description: Show all events grouped by module and dataset description: Show all events grouped by module and dataset
query: '* | groupby event.module event.dataset' query: '* | groupby event.module* event.dataset'
showSubtitle: true showSubtitle: true
- name: SOC Auth - name: SOC Auth
description: Users authenticated to SOC grouped by IP address and identity description: Users authenticated to SOC grouped by IP address and identity
@@ -1145,11 +1145,11 @@ soc:
showSubtitle: true showSubtitle: true
- name: Sysmon Events - name: Sysmon Events
description: Show all Sysmon logs grouped by event type description: Show all Sysmon logs grouped by event type
query: 'event.module:sysmon | groupby event.dataset' query: 'event.dataset: windows.sysmon_operational | groupby event.action'
showSubtitle: true showSubtitle: true
- name: Sysmon Usernames - name: Sysmon Usernames
description: Show all Sysmon logs grouped by username description: Show all Sysmon logs grouped by username
query: 'event.module:sysmon | groupby event.dataset, user.name.keyword' query: 'event.dataset: windows.sysmon_operational | groupby event.action, user.name.keyword'
showSubtitle: true showSubtitle: true
- name: Strelka - name: Strelka
description: Show all Strelka logs grouped by file type description: Show all Strelka logs grouped by file type
@@ -1380,7 +1380,7 @@ soc:
queries: queries:
- name: Overview - name: Overview
description: Overview of all events description: Overview of all events
query: '* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module | groupby event.dataset | groupby event.module | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' query: '* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module* | groupby event.dataset | groupby event.module* | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: SOC Auth - name: SOC Auth
description: SOC (Security Onion Console) authentication logs description: SOC (Security Onion Console) authentication logs
query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby -sankey http_request.headers.x-real-ip identity_id | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent' query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby -sankey http_request.headers.x-real-ip identity_id | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent'
@@ -1389,28 +1389,28 @@ soc:
query: '_index: "*:elastalert*" | groupby rule_name | groupby alert_info.type' query: '_index: "*:elastalert*" | groupby rule_name | groupby alert_info.type'
- name: Alerts - name: Alerts
description: Overview of all alerts description: Overview of all alerts
query: 'event.dataset:alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' query: 'event.dataset:alert | groupby event.module* | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: NIDS Alerts - name: NIDS Alerts
description: NIDS (Network Intrusion Detection System) alerts description: NIDS (Network Intrusion Detection System) alerts
query: 'event.category:network AND event.dataset:alert | groupby rule.category | groupby -sankey source.ip destination.ip | groupby rule.name | groupby rule.uuid | groupby rule.gid | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' query: 'event.category:network AND event.dataset:alert | groupby rule.category | groupby -sankey source.ip destination.ip | groupby rule.name | groupby rule.uuid | groupby rule.gid | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: Sysmon Overview - name: Sysmon Overview
description: Overview of all Sysmon data types description: Overview of all Sysmon data types
query: 'event.module:sysmon | groupby -sankey event.dataset winlog.computer_name | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby event.dataset | groupby user.name | groupby dns.query.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.target | groupby source.ip | groupby destination.ip | groupby destination.port' query: 'event.dataset:windows.sysmon_operational | groupby -sankey event.action host.name | groupby -sankey host.name user.name | groupby host.name | groupby event.action | groupby user.name | groupby dns.query.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.target | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: Sysmon Registry - name: Sysmon Registry
description: Registry changes captured by Sysmon description: Registry changes captured by Sysmon
query: '(event.dataset:registry_create_delete OR event.dataset:registry_value_set OR event.dataset:registry_key_value_rename) | groupby -sankey event.dataset winlog.computer_name | groupby winlog.computer_name | groupby event.dataset | groupby process.executable | groupby winlog.event_data.TargetObject | groupby process.executable winlog.event_data.TargetObject' query: '(event.dataset:windows.sysmon_operational AND event.action:Registry*) | groupby -sankey event.action host.name | groupby host.name | groupby event.action | groupby process.executable | groupby registry.path | groupby process.executable registry.path'
- name: Sysmon DNS - name: Sysmon DNS
description: DNS queries captured by Sysmon description: DNS queries captured by Sysmon
query: 'event.dataset:dns_query | groupby -sankey winlog.computer_name dns.query.name | groupby winlog.computer_name | groupby process.executable | groupby dns.query.name | groupby dns.answers.name' query: 'event.dataset:windows.sysmon_operational AND event.action:"Dns query (rule: DnsQuery)" | groupby -sankey host.name dns.query.name | groupby host.name | groupby process.executable | groupby dns.query.name | groupby dns.answers.name'
- name: Sysmon Process - name: Sysmon Process
description: Process activity captured by Sysmon description: Process activity captured by Sysmon
query: '(event.dataset:process_creation OR event.dataset:process_terminated OR event.dataset:process_access) | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby user.name | groupby event.dataset | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable' query: '(event.dataset:process_creation OR event.dataset:process_terminated OR event.dataset:process_access) | groupby -sankey host.name user.name | groupby host.name | groupby user.name | groupby event.dataset | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable'
- name: Sysmon File - name: Sysmon File
description: File activity captured by Sysmon description: File activity captured by Sysmon
query: 'event.module:sysmon AND event.dataset:file_* | groupby -sankey winlog.computer_name process.executable | groupby winlog.computer_name | groupby event.dataset | groupby file.target | groupby process.executable' query: 'event.module:sysmon AND event.dataset:file_* | groupby -sankey host.name process.executable | groupby host.name | groupby event.dataset | groupby file.target | groupby process.executable'
- name: Sysmon Network - name: Sysmon Network
description: Network activity captured by Sysmon description: Network activity captured by Sysmon
query: 'event.dataset:network_connection | groupby -sankey winlog.computer_name destination.ip destination.port | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' query: 'event.dataset:network_connection | groupby -sankey host.name destination.ip destination.port | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: Strelka - name: Strelka
description: Strelka file analysis description: Strelka file analysis
query: 'event.module:strelka | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.name' query: 'event.module:strelka | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.name'
@@ -1611,7 +1611,7 @@ soc:
- acknowledged - acknowledged
queries: queries:
- name: 'Group By Name, Module' - name: 'Group By Name, Module'
query: '* | groupby rule.name event.module event.severity_label' query: '* | groupby rule.name event.module* event.severity_label'
- name: 'Group By Sensor, Source IP/Port, Destination IP/Port, Name' - name: 'Group By Sensor, Source IP/Port, Destination IP/Port, Name'
query: '* | groupby observer.name source.ip source.port destination.ip destination.port rule.name network.community_id event.severity_label' query: '* | groupby observer.name source.ip source.port destination.ip destination.port rule.name network.community_id event.severity_label'
- name: 'Group By Source IP, Name' - name: 'Group By Source IP, Name'
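Review bot: In the @@ -1389 hunk the new Sysmon Network query switches its sankey to `host.name` but the next clause still reads `groupby winlog.computer_name`; it should be `groupby host.name` so the dashboard matches the other Sysmon queries rewritten in this commit. The same hunk migrates Sysmon Overview, Registry and DNS to `event.dataset:windows.sysmon_operational` with `event.action` filters, while Sysmon Process, File and Network keep the old selectors (`event.dataset:process_creation ...`, `event.module:sysmon AND event.dataset:file_*`, `event.dataset:network_connection`); if the 2.4 ingest no longer emits those dataset names, these three dashboards would return empty results and quietly drop process, file and network visibility for Sysmon hosts, so they should be converted in the same way (with the corresponding `event.action` values, which are not shown here) or the reason for leaving them noted in a comment. A smaller consistency point: the Sysmon Events and Sysmon Usernames queries in the @@ -1145 hunk spell the filter `event.dataset: windows.sysmon_operational` with a space after the colon, unlike `event.dataset:windows.sysmon_operational` everywhere else in the file; normalizing to the no-space form avoids depending on how the query parser handles that whitespace.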