Add new ICS/SCADA event fields to the dashboards section of the configuration and remove extra space in key names.

This commit is contained in:
weslambert
2022-12-06 13:11:55 -05:00
committed by GitHub
parent 1b5c1fecd4
commit a626acced0


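--- a/<path-not-shown-on-page>
+++ b/<path-not-shown-on-page>
@@ -1910,6 +1910,384 @@ soc:
 - process.executable
 - process.pid
 - winlog.computer_name
+'::bacnet':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- bacnet.bclv.function
+- bacnet.result.code
+- log.id.uid
+'::bacnet_discovery':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- bacnet.vendor
+- bacnet.pdu.service
+- log.id.uid
+'::bacnet_property':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- bacnet.property
+- bacnet.pdu.service
+- log.id.uid
+'::bsap_ip_header':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- bsap.message.type
+- bsap.number.messages
+- log.id.uid
+'::bsap_ip_rdb':
+- soc_timestamp
+- bsap.application.function
+- bsap.application.sub.function
+- bsap.vector.variables
+- log.id.uid
+'::bsap_serial_header':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- bsap.source.function
+- bsap.destination.function
+- bsap.message.type
+- log.id.uid
+'::bsap_serial_rdb':
+- soc_timestamp
+- bsap.rdb.function
+- bsap.vector.variables
+- log.id.uid
+'::cip':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- cip.service
+- cip.status_code
+- log.id.uid
+- event.dataset
+'::cip_identity':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- cip.device.type.name
+- cip.vendor.name
+- log.id.uid
+'::cip_io':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- cip.connection.id
+- cip.io.data
+- log.id.uid
+'::cotp':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- cotp.pdu.name
+- log.id.uid
+'::ecat_arp_info':
+- soc_timestamp
+- source.ip
+- destination.ip
+- source.mac
+- destination.mac
+- ecat.arp.type
+'::ecat_aoe_info':
+- soc_timestamp
+- source.mac
+- source.port
+- destination.mac
+- destination.port
+- ecat.command
+'::ecat_coe_info':
+- soc_timestamp
+- ecat.message.number
+- ecat.message.type
+- ecat.request.response.type
+- ecat.index
+- ecat.sub.index
+'::ecat_dev_info':
+- soc_timestamp
+- ecat.device.type
+- ecat.features
+- ecat.ram.size
+- ecat.revision
+- ecat.slave.address
+'::ecat_log_address':
+- soc_timestamp
+- source.mac
+- destination.mac
+- ecat.command
+'::ecat_registers':
+- soc_timestamp
+- source.mac
+- destination.mac
+- ecat.command
+- ecat.register.type
+'::enip':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- enip.command
+- enip.status_code
+- log.id.uid
+- event.dataset
+'::modbus_detailed':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- modbus.function
+- log.id.uid
+'::opcua_binary':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- opcua.identifier_string
+- opcua.message_type
+- log.id.uid
+'::opcua_binary_activate_session':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- opcua.link_id
+- opcua.identifier_string
+- opcua.user_name
+- log.id.uid
+'::opcua_binary_activate_session_diagnostic_info':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- opcua.activate_session_diag_info_link_id
+- opcua.diag_info_link_id
+- log.id.uid
+'::opcua_binary_activate_session_locale_id':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- opcua.local_id
+- opcua.locale_link_id
+- log.id.uid
+'::opcua_binary_browse':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- opcua.link_id
+- opcua.service_type
+- log.id.uid
+'::opcua_binary_browse_description':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- log.id.uid
+'::opcua_binary_browse_response_references':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- opcua.node_class
+- opcua.display_name_text
+- log.id.uid
+'::opcua_binary_browse_result':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- opcua.response_link_id
+- log.id.uid
+'::opcua_binary_create_session':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- opcua.link_id
+- log.id.uid
+'::opcua_binary_create_session_endpoints':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- opcua.endpoint_link_id
+- opcua.endpoint_url
+- log.id.uid
+'::opcua_binary_create_session_user_token':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- opcua.user_token_link_id
+- log.id.uid
+'::opcua_binary_create_subscription':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- opcua.link_id
+- log.id.uid
+'::opcua_binary_get_endpoints':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- opcua.endpoint_url
+- opcua.link_id
+- log.id.uid
+'::opcua_binary_get_endpoints_description':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- opcua.endpoint_description_link_id
+- opcua.endpoint_uri
+- log.id.uid
+'::opcua_binary_get_endpoints_user_token':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- opcua.user_token_link_id
+- opcua.user_token_type
+- log.id.uid
+'::opcua_binary_read':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- opcua.link_id
+- opcua.read_results_link_id
+- log.id.uid
+'::opcua_binary_status_code_detail':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- opcua.info_type_string
+- opcua.source_string
+- log.id.uid
+'::profinet':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- profinet.index
+- profinet.operation_type
+- log.id.uid
+'::profinet_dce_rpc':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- profinet.operation
+- log.id.uid
+'::s7comm':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- s7.ros.control.name
+- s7.function.name
+- log.id.uid
+'::s7comm_plus':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- s7.opcode.name
+- s7.version
+- log.id.uid
+'::s7comm_read_szl':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- s7.szl_id_name
+- s7.return_code_name
+- log.id.uid
+'::s7comm_upload_download':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- s7.ros.control.name
+- s7.function_code
+- log.id.uid
+'::tds':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- tds.command
+- log.id.uid
+- event.dataset
+'::tds_rpc':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- tds.procedure_name
+- log.id.uid
+- event.dataset
+'::tds_sql_batch':
+- soc_timestamp
+- source.ip
+- source.port
+- destination.ip
+- destination.port
+- tds.header_type
+- log.id.uid
+- event.dataset
 queryBaseFilter: ''
 queryToggleFilters:
 - name: caseExcludeToggle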
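Review bot: The field `opcua.local_id` under `::opcua_binary_activate_session_locale_id` is the only `local_` spelling in this block and sits directly above `opcua.locale_link_id`, so it looks like a typo for `opcua.locale_id`; if the ingest pipeline emits the `locale_` form, that dashboard column will simply render empty, so confirm the name against the parser's field mapping before merging. Field naming is also mixed between dot-separated and underscore-separated forms within the same protocol, e.g. `cip.status_code` beside `cip.device.type.name` and `s7.function_code` beside `s7.function.name`, which is worth checking against the fields actually indexed since a dashboard silently shows nothing for a name that does not exist. The commit message mentions removing an extra space from key names, but this hunk contains only additions, so that part of the change is presumably in a hunk not shown here. The enclosing `soc:` dashboards mapping starts before and continues past this hunk.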