From a626acced0f8aca92ea1ecb4b238c29f8368fbb8 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Tue, 6 Dec 2022 13:11:55 -0500
Subject: [PATCH] Add new ICS/SCADA event fields to the dashboards section of the configuration and remove extra space in key names.
---
 salt/soc/defaults.yaml | 468 +++++++++++++++++++++++++++++++++++++----
 1 file changed, 423 insertions(+), 45 deletions(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index ba7100382..fd5c65e78 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -707,7 +707,7 @@ soc:
 - process.executable
 - process.pid
 - winlog.computer_name
- ' ::bacnet':
+ '::bacnet':
 - soc_timestamp
 - source.ip
 - source.port
@@ -716,7 +716,7 @@ soc:
 - bacnet.bclv.function
 - bacnet.result.code
 - log.id.uid
- ' ::bacnet_discovery':
+ '::bacnet_discovery':
 - soc_timestamp
 - source.ip
 - source.port
@@ -725,7 +725,7 @@ soc:
 - bacnet.vendor
 - bacnet.pdu.service
 - log.id.uid
- ' ::bacnet_property':
+ '::bacnet_property':
 - soc_timestamp
 - source.ip
 - source.port
@@ -734,7 +734,7 @@ soc:
 - bacnet.property
 - bacnet.pdu.service
 - log.id.uid
- ' ::bsap_ip_header':
+ '::bsap_ip_header':
 - soc_timestamp
 - source.ip
 - source.port
@@ -743,13 +743,13 @@ soc:
 - bsap.message.type
 - bsap.number.messages
 - log.id.uid
- ' ::bsap_ip_rdb':
+ '::bsap_ip_rdb':
 - soc_timestamp
 - bsap.application.function
 - bsap.application.sub.function
 - bsap.vector.variables
 - log.id.uid
- ' ::bsap_serial_header':
+ '::bsap_serial_header':
 - soc_timestamp
 - source.ip
 - source.port
@@ -759,12 +759,12 @@ soc:
 - bsap.destination.function
 - bsap.message.type
 - log.id.uid
- ' ::bsap_serial_rdb':
+ '::bsap_serial_rdb':
 - soc_timestamp
 - bsap.rdb.function
 - bsap.vector.variables
 - log.id.uid
- ' ::cip':
+ '::cip':
 - soc_timestamp
 - source.ip
 - source.port
@@ -774,7 +774,7 @@ soc:
 - cip.status_code
 - log.id.uid
 - event.dataset
- ' ::cip_identity':
+ '::cip_identity':
 - soc_timestamp
 - source.ip
 - source.port
@@ -783,7 +783,7 @@ soc:
 - cip.device.type.name
 - cip.vendor.name
 - log.id.uid
- ' ::cip_io':
+ '::cip_io':
 - soc_timestamp
 - source.ip
 - source.port
@@ -792,7 +792,7 @@ soc:
 - cip.connection.id
 - cip.io.data
 - log.id.uid
- ' ::cotp':
+ '::cotp':
 - soc_timestamp
 - source.ip
 - source.port
@@ -800,46 +800,46 @@ soc:
 - destination.port
 - cotp.pdu.name
 - log.id.uid
- ' ::ecat_arp_info':
+ '::ecat_arp_info':
 - soc_timestamp
 - source.ip
 - destination.ip
 - source.mac
 - destination.mac
 - ecat.arp.type
- ' ::ecat_aoe_info':
+ '::ecat_aoe_info':
 - soc_timestamp
 - source.mac
 - source.port
 - destination.mac
 - destination.port
 - ecat.command
- ' ::ecat_coe_info':
+ '::ecat_coe_info':
 - soc_timestamp
 - ecat.message.number
 - ecat.message.type
 - ecat.request.response.type
 - ecat.index
 - ecat.sub.index
- ' ::ecat_dev_info':
+ '::ecat_dev_info':
 - soc_timestamp
 - ecat.device.type
 - ecat.features
 - ecat.ram.size
 - ecat.revision
 - ecat.slave.address
- ' ::ecat_log_address':
+ '::ecat_log_address':
 - soc_timestamp
 - source.mac
 - destination.mac
 - ecat.command
- ' ::ecat_registers':
+ '::ecat_registers':
 - soc_timestamp
 - source.mac
 - destination.mac
 - ecat.command
 - ecat.register.type
- ' ::enip':
+ '::enip':
 - soc_timestamp
 - source.ip
 - source.port
@@ -849,7 +849,7 @@ soc:
 - enip.status_code
 - log.id.uid
 - event.dataset
- ' ::modbus_detailed':
+ '::modbus_detailed':
 - soc_timestamp
 - source.ip
 - source.port
@@ -857,7 +857,7 @@ soc:
 - destination.port
 - modbus.function
 - log.id.uid
- ' ::opcua_binary':
+ '::opcua_binary':
 - soc_timestamp
 - source.ip
 - source.port
@@ -866,7 +866,7 @@ soc:
 - opcua.identifier_string
 - opcua.message_type
 - log.id.uid
- ' ::opcua_binary_activate_session':
+ '::opcua_binary_activate_session':
 - soc_timestamp
 - source.ip
 - source.port
@@ -876,7 +876,7 @@ soc:
 - opcua.identifier_string
 - opcua.user_name
 - log.id.uid
- ' ::opcua_binary_activate_session_diagnostic_info':
+ '::opcua_binary_activate_session_diagnostic_info':
 - soc_timestamp
 - source.ip
 - source.port
@@ -885,7 +885,7 @@ soc:
 - opcua.activate_session_diag_info_link_id
 - opcua.diag_info_link_id
 - log.id.uid
- ' ::opcua_binary_activate_session_locale_id':
+ '::opcua_binary_activate_session_locale_id':
 - soc_timestamp
 - source.ip
 - source.port
@@ -894,7 +894,7 @@ soc:
 - opcua.local_id
 - opcua.locale_link_id
 - log.id.uid
- ' ::opcua_binary_browse':
+ '::opcua_binary_browse':
 - soc_timestamp
 - source.ip
 - source.port
@@ -903,14 +903,14 @@ soc:
 - opcua.link_id
 - opcua.service_type
 - log.id.uid
- ' ::opcua_binary_browse_description':
+ '::opcua_binary_browse_description':
 - soc_timestamp
 - source.ip
 - source.port
 - destination.ip
 - destination.port
 - log.id.uid
- ' ::opcua_binary_browse_response_references':
+ '::opcua_binary_browse_response_references':
 - soc_timestamp
 - source.ip
 - source.port
@@ -919,7 +919,7 @@ soc:
 - opcua.node_class
 - opcua.display_name_text
 - log.id.uid
- ' ::opcua_binary_browse_result':
+ '::opcua_binary_browse_result':
 - soc_timestamp
 - source.ip
 - source.port
@@ -927,7 +927,7 @@ soc:
 - destination.port
 - opcua.response_link_id
 - log.id.uid
- ' ::opcua_binary_create_session':
+ '::opcua_binary_create_session':
 - soc_timestamp
 - source.ip
 - source.port
@@ -935,7 +935,7 @@ soc:
 - destination.port
 - opcua.link_id
 - log.id.uid
- ' ::opcua_binary_create_session_endpoints':
+ '::opcua_binary_create_session_endpoints':
 - soc_timestamp
 - source.ip
 - source.port
@@ -944,7 +944,7 @@ soc:
 - opcua.endpoint_link_id
 - opcua.endpoint_url
 - log.id.uid
- ' ::opcua_binary_create_session_user_token':
+ '::opcua_binary_create_session_user_token':
 - soc_timestamp
 - source.ip
 - source.port
@@ -952,7 +952,7 @@ soc:
 - destination.port
 - opcua.user_token_link_id
 - log.id.uid
- ' ::opcua_binary_create_subscription':
+ '::opcua_binary_create_subscription':
 - soc_timestamp
 - source.ip
 - source.port
@@ -960,7 +960,7 @@ soc:
 - destination.port
 - opcua.link_id
 - log.id.uid
- ' ::opcua_binary_get_endpoints':
+ '::opcua_binary_get_endpoints':
 - soc_timestamp
 - source.ip
 - source.port
@@ -969,7 +969,7 @@ soc:
 - opcua.endpoint_url
 - opcua.link_id
 - log.id.uid
- ' ::opcua_binary_get_endpoints_description':
+ '::opcua_binary_get_endpoints_description':
 - soc_timestamp
 - source.ip
 - source.port
@@ -978,7 +978,7 @@ soc:
 - opcua.endpoint_description_link_id
 - opcua.endpoint_uri
 - log.id.uid
- ' ::opcua_binary_get_endpoints_user_token':
+ '::opcua_binary_get_endpoints_user_token':
 - soc_timestamp
 - source.ip
 - source.port
@@ -987,7 +987,7 @@ soc:
 - opcua.user_token_link_id
 - opcua.user_token_type
 - log.id.uid
- ' ::opcua_binary_read':
+ '::opcua_binary_read':
 - soc_timestamp
 - source.ip
 - source.port
@@ -996,7 +996,7 @@ soc:
 - opcua.link_id
 - opcua.read_results_link_id
 - log.id.uid
- ' ::opcua_binary_status_code_detail':
+ '::opcua_binary_status_code_detail':
 - soc_timestamp
 - source.ip
 - source.port
@@ -1005,7 +1005,7 @@ soc:
 - opcua.info_type_string
 - opcua.source_string
 - log.id.uid
- ' ::profinet':
+ '::profinet':
 - soc_timestamp
 - source.ip
 - source.port
@@ -1014,7 +1014,7 @@ soc:
 - profinet.index
 - profinet.operation_type
 - log.id.uid
- ' ::profinet_dce_rpc':
+ '::profinet_dce_rpc':
 - soc_timestamp
 - source.ip
 - source.port
@@ -1022,7 +1022,7 @@ soc:
 - destination.port
 - profinet.operation
 - log.id.uid
- ' ::s7comm':
+ '::s7comm':
 - soc_timestamp
 - source.ip
 - source.port
@@ -1031,7 +1031,7 @@ soc:
 - s7.ros.control.name
 - s7.function.name
 - log.id.uid
- ' ::s7comm_plus':
+ '::s7comm_plus':
 - soc_timestamp
 - source.ip
 - source.port
@@ -1040,7 +1040,7 @@ soc:
 - s7.opcode.name
 - s7.version
 - log.id.uid
- ' ::s7comm_read_szl':
+ '::s7comm_read_szl':
 - soc_timestamp
 - source.ip
 - source.port
@@ -1049,7 +1049,7 @@ soc:
 - s7.szl_id_name
 - s7.return_code_name
 - log.id.uid
- ' ::s7comm_upload_download':
+ '::s7comm_upload_download':
 - soc_timestamp
 - source.ip
 - source.port
@@ -1058,7 +1058,7 @@ soc:
 - s7.ros.control.name
 - s7.function_code
 - log.id.uid
- ' ::tds':
+ '::tds':
 - soc_timestamp
 - source.ip
 - source.port
@@ -1067,7 +1067,7 @@ soc:
 - tds.command
 - log.id.uid
 - event.dataset
- ' ::tds_rpc':
+ '::tds_rpc':
 - soc_timestamp
 - source.ip
 - source.port
@@ -1076,7 +1076,7 @@ soc:
 - tds.procedure_name
 - log.id.uid
 - event.dataset
- ' ::tds_sql_batch':
+ '::tds_sql_batch':
 - soc_timestamp
 - source.ip
 - source.port
@@ -1910,6 +1910,384 @@ soc:
 - process.executable
 - process.pid
 - winlog.computer_name
+ '::bacnet':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - bacnet.bclv.function
+ - bacnet.result.code
+ - log.id.uid
+ '::bacnet_discovery':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - bacnet.vendor
+ - bacnet.pdu.service
+ - log.id.uid
+ '::bacnet_property':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - bacnet.property
+ - bacnet.pdu.service
+ - log.id.uid
+ '::bsap_ip_header':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - bsap.message.type
+ - bsap.number.messages
+ - log.id.uid
+ '::bsap_ip_rdb':
+ - soc_timestamp
+ - bsap.application.function
+ - bsap.application.sub.function
+ - bsap.vector.variables
+ - log.id.uid
+ '::bsap_serial_header':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - bsap.source.function
+ - bsap.destination.function
+ - bsap.message.type
+ - log.id.uid
+ '::bsap_serial_rdb':
+ - soc_timestamp
+ - bsap.rdb.function
+ - bsap.vector.variables
+ - log.id.uid
+ '::cip':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - cip.service
+ - cip.status_code
+ - log.id.uid
+ - event.dataset
+ '::cip_identity':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - cip.device.type.name
+ - cip.vendor.name
+ - log.id.uid
+ '::cip_io':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - cip.connection.id
+ - cip.io.data
+ - log.id.uid
+ '::cotp':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - cotp.pdu.name
+ - log.id.uid
+ '::ecat_arp_info':
+ - soc_timestamp
+ - source.ip
+ - destination.ip
+ - source.mac
+ - destination.mac
+ - ecat.arp.type
+ '::ecat_aoe_info':
+ - soc_timestamp
+ - source.mac
+ - source.port
+ - destination.mac
+ - destination.port
+ - ecat.command
+ '::ecat_coe_info':
+ - soc_timestamp
+ - ecat.message.number
+ - ecat.message.type
+ - ecat.request.response.type
+ - ecat.index
+ - ecat.sub.index
+ '::ecat_dev_info':
+ - soc_timestamp
+ - ecat.device.type
+ - ecat.features
+ - ecat.ram.size
+ - ecat.revision
+ - ecat.slave.address
+ '::ecat_log_address':
+ - soc_timestamp
+ - source.mac
+ - destination.mac
+ - ecat.command
+ '::ecat_registers':
+ - soc_timestamp
+ - source.mac
+ - destination.mac
+ - ecat.command
+ - ecat.register.type
+ '::enip':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - enip.command
+ - enip.status_code
+ - log.id.uid
+ - event.dataset
+ '::modbus_detailed':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - modbus.function
+ - log.id.uid
+ '::opcua_binary':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - opcua.identifier_string
+ - opcua.message_type
+ - log.id.uid
+ '::opcua_binary_activate_session':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - opcua.link_id
+ - opcua.identifier_string
+ - opcua.user_name
+ - log.id.uid
+ '::opcua_binary_activate_session_diagnostic_info':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - opcua.activate_session_diag_info_link_id
+ - opcua.diag_info_link_id
+ - log.id.uid
+ '::opcua_binary_activate_session_locale_id':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - opcua.local_id
+ - opcua.locale_link_id
+ - log.id.uid
+ '::opcua_binary_browse':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - opcua.link_id
+ - opcua.service_type
+ - log.id.uid
+ '::opcua_binary_browse_description':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - log.id.uid
+ '::opcua_binary_browse_response_references':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - opcua.node_class
+ - opcua.display_name_text
+ - log.id.uid
+ '::opcua_binary_browse_result':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - opcua.response_link_id
+ - log.id.uid
+ '::opcua_binary_create_session':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - opcua.link_id
+ - log.id.uid
+ '::opcua_binary_create_session_endpoints':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - opcua.endpoint_link_id
+ - opcua.endpoint_url
+ - log.id.uid
+ '::opcua_binary_create_session_user_token':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - opcua.user_token_link_id
+ - log.id.uid
+ '::opcua_binary_create_subscription':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - opcua.link_id
+ - log.id.uid
+ '::opcua_binary_get_endpoints':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - opcua.endpoint_url
+ - opcua.link_id
+ - log.id.uid
+ '::opcua_binary_get_endpoints_description':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - opcua.endpoint_description_link_id
+ - opcua.endpoint_uri
+ - log.id.uid
+ '::opcua_binary_get_endpoints_user_token':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - opcua.user_token_link_id
+ - opcua.user_token_type
+ - log.id.uid
+ '::opcua_binary_read':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - opcua.link_id
+ - opcua.read_results_link_id
+ - log.id.uid
+ '::opcua_binary_status_code_detail':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - opcua.info_type_string
+ - opcua.source_string
+ - log.id.uid
+ '::profinet':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - profinet.index
+ - profinet.operation_type
+ - log.id.uid
+ '::profinet_dce_rpc':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - profinet.operation
+ - log.id.uid
+ '::s7comm':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - s7.ros.control.name
+ - s7.function.name
+ - log.id.uid
+ '::s7comm_plus':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - s7.opcode.name
+ - s7.version
+ - log.id.uid
+ '::s7comm_read_szl':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - s7.szl_id_name
+ - s7.return_code_name
+ - log.id.uid
+ '::s7comm_upload_download':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - s7.ros.control.name
+ - s7.function_code
+ - log.id.uid
+ '::tds':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - tds.command
+ - log.id.uid
+ - event.dataset
+ '::tds_rpc':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - tds.procedure_name
+ - log.id.uid
+ - event.dataset
+ '::tds_sql_batch':
+ - soc_timestamp
+ - source.ip
+ - source.port
+ - destination.ip
+ - destination.port
+ - tds.header_type
+ - log.id.uid
+ - event.dataset
 queryBaseFilter: ''
 queryToggleFilters:
 - name: caseExcludeToggle
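Review bot: The block added in this hunk, from `'::bacnet'` through `'::tds_sql_batch'`, is a verbatim second copy of the column lists that the earlier hunks (from `@@ -707,7 +707,7 @@` onward) correct in place, so the two copies can now drift apart — the 45 separate `' ::' → '::'` key fixes in this same commit show how easily that happens. If the loader that reads defaults.yaml honours YAML anchors, the first copy could carry anchors and this section could alias them (constructed example: `'::bacnet': &ics_bacnet` there and `'::bacnet': *ics_bacnet` here), which would make a future field rename a one-place change; if anchors are not an option, a comment at the top of this block such as `# ICS/SCADA column lists; keep in sync with the same keys earlier in this file` at least records the dependency. The mapping these keys belong to starts outside the hunk, and the same duplication applies to every key in it, so one fix covers the whole block.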