CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-05-03 01:48:00 +02:00
Code Issues Packages Projects Releases Wiki Activity

Update default queries

Browse Source
This commit is contained in:
DefensiveDepth
2024-04-19 16:33:35 -04:00
parent 6c6647629c
commit a237ef5d96
2 changed files with 3 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
salt/soc/defaults.yaml
+2 -5
View File
@@ -2128,14 +2128,11 @@ soc:
query: "so_detection.isEnabled:false | groupby so_detection.language | groupby so_detection.ruleset so_detection.severity"
description: Show all disabled Detections
- name: "Detection Type - Suricata (NIDS)"
query: "so_detection.language:suricata | groupby so_detection.ruleset so_detection.isEnabled"
query: "so_detection.language:suricata | groupby so_detection.ruleset so_detection.isEnabled | groupby so_detection.category"
description: Show all NIDS Detections, which are run with Suricata
- name: "Detection Type - Sigma (Elastalert) - All"
query: "so_detection.language:sigma | groupby so_detection.ruleset so_detection.isEnabled"
query: "so_detection.language:sigma | groupby so_detection.ruleset so_detection.isEnabled | groupby so_detection.category | groupby so_detection.product"
description: Show all Sigma Detections, which are run with Elastalert
- name: "Detection Type - Sigma (Elastalert) - Windows"
query: 'so_detection.language:sigma AND so_detection.content: "*product: windows*" | groupby so_detection.ruleset so_detection.isEnabled'
description: Show all Sigma Detections with a logsource of Windows
- name: "Detection Type - YARA (Strelka)"
query: "so_detection.language:yara | groupby so_detection.ruleset so_detection.isEnabled"
description: Show all YARA detections, which are used by Strelka