CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-07 17:52:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add new ICS/SCADA event fields to the dashboards section of the configuration and remove extra space in key names.

Browse Source
This commit is contained in:
weslambert
2022-12-06 13:11:55 -05:00
committed by GitHub
parent 1b5c1fecd4
commit a626acced0
1 changed files with 423 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

468
salt/soc/defaults.yaml
View File

@@ -707,7 +707,7 @@ soc:
- process.executable
- process.pid
- winlog.computer_name
' ::bacnet':
'::bacnet':
- soc_timestamp
- source.ip
- source.port
@@ -716,7 +716,7 @@ soc:
- bacnet.bclv.function
- bacnet.result.code
- log.id.uid
' ::bacnet_discovery':
'::bacnet_discovery':
- soc_timestamp
- source.ip
- source.port
@@ -725,7 +725,7 @@ soc:
- bacnet.vendor
- bacnet.pdu.service
- log.id.uid
' ::bacnet_property':
'::bacnet_property':
- soc_timestamp
- source.ip
- source.port
@@ -734,7 +734,7 @@ soc:
- bacnet.property
- bacnet.pdu.service
- log.id.uid
' ::bsap_ip_header':
'::bsap_ip_header':
- soc_timestamp
- source.ip
- source.port
@@ -743,13 +743,13 @@ soc:
- bsap.message.type
- bsap.number.messages
- log.id.uid
' ::bsap_ip_rdb':
'::bsap_ip_rdb':
- soc_timestamp
- bsap.application.function
- bsap.application.sub.function
- bsap.vector.variables
- log.id.uid
' ::bsap_serial_header':
'::bsap_serial_header':
- soc_timestamp
- source.ip
- source.port
@@ -759,12 +759,12 @@ soc:
- bsap.destination.function
- bsap.message.type
- log.id.uid
' ::bsap_serial_rdb':
'::bsap_serial_rdb':
- soc_timestamp
- bsap.rdb.function
- bsap.vector.variables
- log.id.uid
' ::cip':
'::cip':
- soc_timestamp
- source.ip
- source.port
@@ -774,7 +774,7 @@ soc:
- cip.status_code
- log.id.uid
- event.dataset
' ::cip_identity':
'::cip_identity':
- soc_timestamp
- source.ip
- source.port
@@ -783,7 +783,7 @@ soc:
- cip.device.type.name
- cip.vendor.name
- log.id.uid
' ::cip_io':
'::cip_io':
- soc_timestamp
- source.ip
- source.port
@@ -792,7 +792,7 @@ soc:
- cip.connection.id
- cip.io.data
- log.id.uid
' ::cotp':
'::cotp':
- soc_timestamp
- source.ip
- source.port
@@ -800,46 +800,46 @@ soc:
- destination.port
- cotp.pdu.name
- log.id.uid
' ::ecat_arp_info':
'::ecat_arp_info':
- soc_timestamp
- source.ip
- destination.ip
- source.mac
- destination.mac
- ecat.arp.type
' ::ecat_aoe_info':
'::ecat_aoe_info':
- soc_timestamp
- source.mac
- source.port
- destination.mac
- destination.port
- ecat.command
' ::ecat_coe_info':
'::ecat_coe_info':
- soc_timestamp
- ecat.message.number
- ecat.message.type
- ecat.request.response.type
- ecat.index
- ecat.sub.index
' ::ecat_dev_info':
'::ecat_dev_info':
- soc_timestamp
- ecat.device.type
- ecat.features
- ecat.ram.size
- ecat.revision
- ecat.slave.address
' ::ecat_log_address':
'::ecat_log_address':
- soc_timestamp
- source.mac
- destination.mac
- ecat.command
' ::ecat_registers':
'::ecat_registers':
- soc_timestamp
- source.mac
- destination.mac
- ecat.command
- ecat.register.type
' ::enip':
'::enip':
- soc_timestamp
- source.ip
- source.port
@@ -849,7 +849,7 @@ soc:
- enip.status_code
- log.id.uid
- event.dataset
' ::modbus_detailed':
'::modbus_detailed':
- soc_timestamp
- source.ip
- source.port
@@ -857,7 +857,7 @@ soc:
- destination.port
- modbus.function
- log.id.uid
' ::opcua_binary':
'::opcua_binary':
- soc_timestamp
- source.ip
- source.port
@@ -866,7 +866,7 @@ soc:
- opcua.identifier_string
- opcua.message_type
- log.id.uid
' ::opcua_binary_activate_session':
'::opcua_binary_activate_session':
- soc_timestamp
- source.ip
- source.port
@@ -876,7 +876,7 @@ soc:
- opcua.identifier_string
- opcua.user_name
- log.id.uid
' ::opcua_binary_activate_session_diagnostic_info':
'::opcua_binary_activate_session_diagnostic_info':
- soc_timestamp
- source.ip
- source.port
@@ -885,7 +885,7 @@ soc:
- opcua.activate_session_diag_info_link_id
- opcua.diag_info_link_id
- log.id.uid
' ::opcua_binary_activate_session_locale_id':
'::opcua_binary_activate_session_locale_id':
- soc_timestamp
- source.ip
- source.port
@@ -894,7 +894,7 @@ soc:
- opcua.local_id
- opcua.locale_link_id
- log.id.uid
' ::opcua_binary_browse':
'::opcua_binary_browse':
- soc_timestamp
- source.ip
- source.port
@@ -903,14 +903,14 @@ soc:
- opcua.link_id
- opcua.service_type
- log.id.uid
' ::opcua_binary_browse_description':
'::opcua_binary_browse_description':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- log.id.uid
' ::opcua_binary_browse_response_references':
'::opcua_binary_browse_response_references':
- soc_timestamp
- source.ip
- source.port
@@ -919,7 +919,7 @@ soc:
- opcua.node_class
- opcua.display_name_text
- log.id.uid
' ::opcua_binary_browse_result':
'::opcua_binary_browse_result':
- soc_timestamp
- source.ip
- source.port
@@ -927,7 +927,7 @@ soc:
- destination.port
- opcua.response_link_id
- log.id.uid
' ::opcua_binary_create_session':
'::opcua_binary_create_session':
- soc_timestamp
- source.ip
- source.port
@@ -935,7 +935,7 @@ soc:
- destination.port
- opcua.link_id
- log.id.uid
' ::opcua_binary_create_session_endpoints':
'::opcua_binary_create_session_endpoints':
- soc_timestamp
- source.ip
- source.port
@@ -944,7 +944,7 @@ soc:
- opcua.endpoint_link_id
- opcua.endpoint_url
- log.id.uid
' ::opcua_binary_create_session_user_token':
'::opcua_binary_create_session_user_token':
- soc_timestamp
- source.ip
- source.port
@@ -952,7 +952,7 @@ soc:
- destination.port
- opcua.user_token_link_id
- log.id.uid
' ::opcua_binary_create_subscription':
'::opcua_binary_create_subscription':
- soc_timestamp
- source.ip
- source.port
@@ -960,7 +960,7 @@ soc:
- destination.port
- opcua.link_id
- log.id.uid
' ::opcua_binary_get_endpoints':
'::opcua_binary_get_endpoints':
- soc_timestamp
- source.ip
- source.port
@@ -969,7 +969,7 @@ soc:
- opcua.endpoint_url
- opcua.link_id
- log.id.uid
' ::opcua_binary_get_endpoints_description':
'::opcua_binary_get_endpoints_description':
- soc_timestamp
- source.ip
- source.port
@@ -978,7 +978,7 @@ soc:
- opcua.endpoint_description_link_id
- opcua.endpoint_uri
- log.id.uid
' ::opcua_binary_get_endpoints_user_token':
'::opcua_binary_get_endpoints_user_token':
- soc_timestamp
- source.ip
- source.port
@@ -987,7 +987,7 @@ soc:
- opcua.user_token_link_id
- opcua.user_token_type
- log.id.uid
' ::opcua_binary_read':
'::opcua_binary_read':
- soc_timestamp
- source.ip
- source.port
@@ -996,7 +996,7 @@ soc:
- opcua.link_id
- opcua.read_results_link_id
- log.id.uid
' ::opcua_binary_status_code_detail':
'::opcua_binary_status_code_detail':
- soc_timestamp
- source.ip
- source.port
@@ -1005,7 +1005,7 @@ soc:
- opcua.info_type_string
- opcua.source_string
- log.id.uid
' ::profinet':
'::profinet':
- soc_timestamp
- source.ip
- source.port
@@ -1014,7 +1014,7 @@ soc:
- profinet.index
- profinet.operation_type
- log.id.uid
' ::profinet_dce_rpc':
'::profinet_dce_rpc':
- soc_timestamp
- source.ip
- source.port
@@ -1022,7 +1022,7 @@ soc:
- destination.port
- profinet.operation
- log.id.uid
' ::s7comm':
'::s7comm':
- soc_timestamp
- source.ip
- source.port
@@ -1031,7 +1031,7 @@ soc:
- s7.ros.control.name
- s7.function.name
- log.id.uid
' ::s7comm_plus':
'::s7comm_plus':
- soc_timestamp
- source.ip
- source.port
@@ -1040,7 +1040,7 @@ soc:
- s7.opcode.name
- s7.version
- log.id.uid
' ::s7comm_read_szl':
'::s7comm_read_szl':
- soc_timestamp
- source.ip
- source.port
@@ -1049,7 +1049,7 @@ soc:
- s7.szl_id_name
- s7.return_code_name
- log.id.uid
' ::s7comm_upload_download':
'::s7comm_upload_download':
- soc_timestamp
- source.ip
- source.port
@@ -1058,7 +1058,7 @@ soc:
- s7.ros.control.name
- s7.function_code
- log.id.uid
' ::tds':
'::tds':
- soc_timestamp
- source.ip
- source.port
@@ -1067,7 +1067,7 @@ soc:
- tds.command
- log.id.uid
- event.dataset
' ::tds_rpc':
'::tds_rpc':
- soc_timestamp
- source.ip
- source.port
@@ -1076,7 +1076,7 @@ soc:
- tds.procedure_name
- log.id.uid
- event.dataset
' ::tds_sql_batch':
'::tds_sql_batch':
- soc_timestamp
- source.ip
- source.port
@@ -1910,6 +1910,384 @@ soc:
- process.executable
- process.pid
- winlog.computer_name
'::bacnet':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- bacnet.bclv.function
- bacnet.result.code
- log.id.uid
'::bacnet_discovery':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- bacnet.vendor
- bacnet.pdu.service
- log.id.uid
'::bacnet_property':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- bacnet.property
- bacnet.pdu.service
- log.id.uid
'::bsap_ip_header':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- bsap.message.type
- bsap.number.messages
- log.id.uid
'::bsap_ip_rdb':
- soc_timestamp
- bsap.application.function
- bsap.application.sub.function
- bsap.vector.variables
- log.id.uid
'::bsap_serial_header':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- bsap.source.function
- bsap.destination.function
- bsap.message.type
- log.id.uid
'::bsap_serial_rdb':
- soc_timestamp
- bsap.rdb.function
- bsap.vector.variables
- log.id.uid
'::cip':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- cip.service
- cip.status_code
- log.id.uid
- event.dataset
'::cip_identity':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- cip.device.type.name
- cip.vendor.name
- log.id.uid
'::cip_io':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- cip.connection.id
- cip.io.data
- log.id.uid
'::cotp':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- cotp.pdu.name
- log.id.uid
'::ecat_arp_info':
- soc_timestamp
- source.ip
- destination.ip
- source.mac
- destination.mac
- ecat.arp.type
'::ecat_aoe_info':
- soc_timestamp
- source.mac
- source.port
- destination.mac
- destination.port
- ecat.command
'::ecat_coe_info':
- soc_timestamp
- ecat.message.number
- ecat.message.type
- ecat.request.response.type
- ecat.index
- ecat.sub.index
'::ecat_dev_info':
- soc_timestamp
- ecat.device.type
- ecat.features
- ecat.ram.size
- ecat.revision
- ecat.slave.address
'::ecat_log_address':
- soc_timestamp
- source.mac
- destination.mac
- ecat.command
'::ecat_registers':
- soc_timestamp
- source.mac
- destination.mac
- ecat.command
- ecat.register.type
'::enip':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- enip.command
- enip.status_code
- log.id.uid
- event.dataset
'::modbus_detailed':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- modbus.function
- log.id.uid
'::opcua_binary':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.identifier_string
- opcua.message_type
- log.id.uid
'::opcua_binary_activate_session':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.link_id
- opcua.identifier_string
- opcua.user_name
- log.id.uid
'::opcua_binary_activate_session_diagnostic_info':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.activate_session_diag_info_link_id
- opcua.diag_info_link_id
- log.id.uid
'::opcua_binary_activate_session_locale_id':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.local_id
- opcua.locale_link_id
- log.id.uid
'::opcua_binary_browse':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.link_id
- opcua.service_type
- log.id.uid
'::opcua_binary_browse_description':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- log.id.uid
'::opcua_binary_browse_response_references':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.node_class
- opcua.display_name_text
- log.id.uid
'::opcua_binary_browse_result':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.response_link_id
- log.id.uid
'::opcua_binary_create_session':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.link_id
- log.id.uid
'::opcua_binary_create_session_endpoints':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.endpoint_link_id
- opcua.endpoint_url
- log.id.uid
'::opcua_binary_create_session_user_token':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.user_token_link_id
- log.id.uid
'::opcua_binary_create_subscription':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.link_id
- log.id.uid
'::opcua_binary_get_endpoints':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.endpoint_url
- opcua.link_id
- log.id.uid
'::opcua_binary_get_endpoints_description':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.endpoint_description_link_id
- opcua.endpoint_uri
- log.id.uid
'::opcua_binary_get_endpoints_user_token':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.user_token_link_id
- opcua.user_token_type
- log.id.uid
'::opcua_binary_read':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.link_id
- opcua.read_results_link_id
- log.id.uid
'::opcua_binary_status_code_detail':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.info_type_string
- opcua.source_string
- log.id.uid
'::profinet':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- profinet.index
- profinet.operation_type
- log.id.uid
'::profinet_dce_rpc':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- profinet.operation
- log.id.uid
'::s7comm':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- s7.ros.control.name
- s7.function.name
- log.id.uid
'::s7comm_plus':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- s7.opcode.name
- s7.version
- log.id.uid
'::s7comm_read_szl':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- s7.szl_id_name
- s7.return_code_name
- log.id.uid
'::s7comm_upload_download':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- s7.ros.control.name
- s7.function_code
- log.id.uid
'::tds':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- tds.command
- log.id.uid
- event.dataset
'::tds_rpc':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- tds.procedure_name
- log.id.uid
- event.dataset
'::tds_sql_batch':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- tds.header_type
- log.id.uid
- event.dataset
queryBaseFilter: ''
queryToggleFilters:
- name: caseExcludeToggle