update sysmon dashboards

2025-12-06 17:22:49 +01:00 · 2023-03-08 16:49:34 -05:00
parent 9db6df0f14
commit a5c89bfaa1
1 changed files with 18 additions and 16 deletions
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1395,22 +1395,22 @@ soc:
            query: 'event.category:network AND event.dataset:alert | groupby rule.category | groupby -sankey source.ip destination.ip | groupby rule.name | groupby rule.uuid | groupby rule.gid | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
          - name: Sysmon Overview
            description: Overview of all Sysmon data types
-            query: 'event.dataset:windows.sysmon_operational | groupby -sankey event.action host.name | groupby -sankey host.name user.name | groupby host.name | groupby event.action | groupby user.name | groupby dns.query.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.target | groupby source.ip | groupby destination.ip | groupby destination.port'
+            query: 'event.dataset:windows.sysmon_operational | groupby -sankey event.action host.name | groupby -sankey host.name user.name | groupby host.name | groupby event.category event.action  | groupby user.name | groupby dns.question.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port'
-          - name: Sysmon Registry
+          - name: Host Data - Registry Changes
-            description: Registry changes captured by Sysmon
+            description: Windows Registry changes
-            query: '(event.dataset:windows.sysmon_operational AND event.action:Registry*) | groupby -sankey event.action host.name | groupby host.name | groupby event.action | groupby process.executable | groupby registry.path | groupby process.executable registry.path'
+            query: 'event.category: registry | groupby -sankey event.action host.name | groupby event.dataset event.action | groupby host.name | groupby process.executable | groupby registry.path | groupby process.executable registry.path'
-          - name: Sysmon DNS
+          - name: Host Data - DNS & Process Mappings 
-            description: DNS queries captured by Sysmon
+            description: DNS queries mapped to originating processes
-            query: 'event.dataset:windows.sysmon_operational AND event.action:"Dns query (rule: DnsQuery)" | groupby -sankey host.name dns.query.name | groupby host.name | groupby process.executable | groupby dns.query.name | groupby dns.answers.name'
+            query: 'event.category: network AND _exists_:process.executable  AND (_exists_:dns.question.name OR _exists_:dns.answers.data)  | groupby -sankey host.name dns.question.name | groupby event.provider event.type | groupby host.name | groupby process.executable | groupby dns.question.name | groupby dns.answers.data'
-          - name: Sysmon Process
+          - name: Host Data - Process
-            description: Process activity captured by Sysmon
+            description: Process activity captured on an endpoint
-            query: '(event.dataset:process_creation OR event.dataset:process_terminated OR event.dataset:process_access) | groupby -sankey host.name user.name | groupby host.name | groupby user.name | groupby event.dataset | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable'
+            query: 'event.category:process | groupby -sankey host.name user.name*  | groupby event.dataset event.action | groupby host.name | groupby user.name | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable'
-          - name: Sysmon File
+          - name: Host Data - File
-            description: File activity captured by Sysmon
+            description: File activity captured on an endpoint
-            query: 'event.module:sysmon AND event.dataset:file_* | groupby -sankey host.name process.executable | groupby host.name | groupby event.dataset | groupby file.target | groupby process.executable'
+            query: 'event.category: file AND _exists_:process.executable | groupby -sankey host.name process.executable | groupby host.name | groupby event.provider event.action event.type | groupby file.name | groupby process.executable'
-          - name: Sysmon Network
+          - name: Host Data - Network & Process Mappings
-            description: Network activity captured by Sysmon
+            description: Network activity mapped to originating processes
-            query: 'event.dataset:network_connection | groupby -sankey host.name destination.ip destination.port | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
+            query: 'event.category: network AND _exists_:process.executable | groupby -sankey event.action host.name | groupby -sankey host.name user.name | groupby event.provider* event.type* event.action* | groupby host.name | groupby user.name | groupby dns.question.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby process.name | groupby source.ip | groupby destination.ip | groupby destination.port'
          - name: Strelka
            description: Strelka file analysis
            query: 'event.module:strelka | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.name'
@@ -1432,9 +1432,11 @@ soc:
          - name: DPD
            description: DPD (Dynamic Protocol Detection) errors
            query: 'event.dataset:dpd | groupby error.reason | groupby network.protocol | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
          - name: Files
            description: Files seen in network traffic
            query: 'event.dataset:file | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip | groupby destination_geo.organization_name'
          - name: FTP
            description: FTP (File Transfer Protocol) network metadata
            query: 'event.dataset:ftp | groupby -sankey ftp.command destination.ip | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'