diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 593b55b07..b6a52fd75 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -81,22 +81,23 @@ soc:
eventFields:
default:
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
- destination.port
- log.id.uid
- network.community_id
- - event.dataset
':kratos:':
- soc_timestamp
+ - event.dataset
- http_request.headers.x-real-ip
- identity_id
- http_request.headers.user-agent
- - event.dataset
- msg
'::conn':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -105,9 +106,9 @@ soc:
- network.protocol
- log.id.uid
- network.community_id
- - event.dataset
'::dce_rpc':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -116,27 +117,27 @@ soc:
- dce_rpc.named_pipe
- dce_rpc.operation
- log.id.uid
- - event.dataset
'::dhcp':
- soc_timestamp
+ - event.dataset
- client.address
- server.address
- host.domain
- host.hostname
- dhcp.message_types
- log.id.uid
- - event.dataset
'::dnp3':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
- destination.port
- dnp3.fc_reply
- log.id.uid
- - event.dataset
'::dnp3_control':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -144,9 +145,9 @@ soc:
- dnp3.function_code
- dnp3.block_type
- log.id.uid
- - event.dataset
'::dnp3_objects':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -154,9 +155,9 @@ soc:
- dnp3.function_code
- dnp3.object_type
- log.id.uid
- - event.dataset
'::dns':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -167,9 +168,9 @@ soc:
- dns.response.code_name
- log.id.uid
- network.community_id
- - event.dataset
'::dpd':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
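Review bot: The new position of `event.dataset` (second, directly after `soc_timestamp`) is applied to every list in this hunk and in every later hunk through the `':strelka:'` list at the end of the diff, but nothing in the file records that placement as a convention, so the next entry added under `eventFields` is likely to drift back to appending it last. A one-line YAML comment on the `default:` key in this hunk would pin it down, e.g. `# Keep soc_timestamp first and event.dataset second in every list below; this order appears to be what the SOC UI presents, so new entries should follow it.` The lists that already had `event.dataset` second (`'::stun'`, `'::tunnel'`, `':elastic_agent:'`) are left as context, which is consistent with that convention. The `eventFields:` mapping this hunk edits continues well past the hunk.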
@@ -178,9 +179,9 @@ soc:
- observer.analyser
- error.reason
- log.id.uid
- - event.dataset
'::file':
- soc_timestamp
+ - event.dataset
- source.ip
- destination.ip
- file.name
@@ -189,9 +190,9 @@ soc:
- file.bytes.total
- log.id.fuid
- log.id.uid
- - event.dataset
'::ftp':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -202,9 +203,9 @@ soc:
- ftp.reply_code
- file.size
- log.id.uid
- - event.dataset
'::http':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -217,9 +218,9 @@ soc:
- http.response.body.length
- log.id.uid
- network.community_id
- - event.dataset
'::intel':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -228,9 +229,9 @@ soc:
- intel.indicator_type
- intel.seen_where
- log.id.uid
- - event.dataset
'::irc':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -241,9 +242,9 @@ soc:
- irc.command.value
- irc.command.info
- log.id.uid
- - event.dataset
'::kerberos':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -252,18 +253,18 @@ soc:
- kerberos.service
- kerberos.request_type
- log.id.uid
- - event.dataset
'::modbus':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
- destination.port
- modbus.function
- log.id.uid
- - event.dataset
'::mysql':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -273,9 +274,9 @@ soc:
- mysql.success
- mysql.response
- log.id.uid
- - event.dataset
'::notice':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -285,9 +286,9 @@ soc:
- log.id.fuid
- log.id.uid
- network.community_id
- - event.dataset
'::ntlm':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -298,18 +299,18 @@ soc:
- ntlm.server.nb.name
- ntlm.server.tree.name
- log.id.uid
- - event.dataset
'::pe':
- soc_timestamp
+ - event.dataset
- file.is_64bit
- file.is_exe
- file.machine
- file.os
- file.subsystem
- log.id.fuid
- - event.dataset
'::radius':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -319,9 +320,9 @@ soc:
- radius.framed_address
- radius.reply_message
- radius.result
- - event.dataset
'::rdp':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -335,9 +336,9 @@ soc:
- rdp.result
- rdp.security_protocol
- log.id.uid
- - event.dataset
'::rfb':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -347,9 +348,9 @@ soc:
- rfb.share_flag
- rfb.desktop.name
- log.id.uid
- - event.dataset
'::signatures':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -361,9 +362,9 @@ soc:
- signature_count
- host.count
- log.id.uid
- - event.dataset
'::sip':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -379,9 +380,9 @@ soc:
- sip.user_agent
- sip.status_code
- log.id.uid
- - event.dataset
'::smb_files':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -393,9 +394,9 @@ soc:
- file.size
- file.prev_name
- log.id.uid
- - event.dataset
'::smb_mapping':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -404,9 +405,9 @@ soc:
- smb.service
- smb.share_type
- log.id.uid
- - event.dataset
'::smtp':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -417,9 +418,9 @@ soc:
- smtp.useragent
- log.id.uid
- network.community_id
- - event.dataset
'::snmp':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -427,9 +428,9 @@ soc:
- snmp.community
- snmp.version
- log.id.uid
- - event.dataset
'::socks':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -439,15 +440,15 @@ soc:
- socks.request.port
- socks.status
- log.id.uid
- - event.dataset
'::software':
- soc_timestamp
+ - event.dataset
- source.ip
- software.name
- software.type
- - event.dataset
'::ssh':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -458,9 +459,9 @@ soc:
- ssh.client
- ssh.server
- log.id.uid
- - event.dataset
':suricata:ssl':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -469,9 +470,9 @@ soc:
- ssl.certificate.subject
- ssl.version
- log.id.uid
- - event.dataset
':zeek:ssl':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -480,9 +481,9 @@ soc:
- ssl.validation_status
- ssl.version
- log.id.uid
- - event.dataset
'::ssl':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -490,7 +491,6 @@ soc:
- ssl.server_name
- ssl.version
- log.id.uid
- - event.dataset
'::stun':
- soc_timestamp
- event.dataset
@@ -504,6 +504,7 @@ soc:
- log.id.uid
':zeek:syslog':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -512,7 +513,6 @@ soc:
- network.protocol
- syslog.severity
- log.id.uid
- - event.dataset
'::tunnel':
- soc_timestamp
- event.dataset
@@ -524,23 +524,24 @@ soc:
- tunnel.type
'::weird':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
- destination.port
- weird.name
- log.id.uid
- - event.dataset
'::x509':
- soc_timestamp
+ - event.dataset
- x509.certificate.subject
- x509.certificate.key.type
- x509.certificate.key.length
- x509.certificate.issuer
- log.id.fuid
- - event.dataset
'::firewall':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -550,9 +551,9 @@ soc:
- observer.ingress.interface.name
- event.action
- network.community_id
- - event.dataset
':pfsense:':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -562,9 +563,9 @@ soc:
- observer.ingress.interface.name
- event.action
- network.community_id
- - event.dataset
':osquery:':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -572,27 +573,27 @@ soc:
- source.hostname
- process.executable
- user.name
- - event.dataset
':strelka:':
- soc_timestamp
+ - event.dataset
- file.name
- file.size
- hash.md5
- file.source
- file.mime_type
- log.id.fuid
- - event.dataset
':strelka:file':
- soc_timestamp
+ - event.dataset
- file.name
- file.size
- hash.md5
- file.source
- file.mime_type
- log.id.fuid
- - event.dataset
':suricata:':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -602,35 +603,35 @@ soc:
- event.severity_label
- log.id.uid
- network.community_id
- - event.dataset
':windows_eventlog:':
- soc_timestamp
- - user.name
- event.dataset
+ - user.name
':elasticsearch:':
- soc_timestamp
+ - event.dataset
- agent.name
- message
- log.level
- metadata.version
- metadata.pipeline
- - event.dataset
':kibana:':
- soc_timestamp
+ - event.dataset
- host.name
- message
- kibana.log.meta.req.headers.x-real-ip
- - event.dataset
':syslog:syslog':
- soc_timestamp
+ - event.dataset
- host.name
- metadata.ip_address
- real_message
- syslog.priority
- syslog.application
- - event.dataset
':aws:':
- soc_timestamp
+ - event.dataset
- aws.cloudtrail.event_category
- aws.cloudtrail.event_type
- event.provider
@@ -640,25 +641,25 @@ soc:
- user.name
- source.ip
- source.geo.region_iso_code
- - event.dataset
':squid:':
- soc_timestamp
+ - event.dataset
- url.original
- destination.ip
- destination.geo.country_iso_code
- user.name
- source.ip
- - event.dataset
'::sysmon_operational':
- soc_timestamp
+ - event.dataset
- event.action
- winlog.computer_name
- user.name
- process.executable
- process.pid
- - event.dataset
'::network_connection':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -666,59 +667,59 @@ soc:
- source.hostname
- process.executable
- user.name
- - event.dataset
'::process_terminated':
- soc_timestamp
+ - event.dataset
- process.executable
- process.pid
- winlog.computer_name
- - event.dataset
'::file_create':
- soc_timestamp
+ - event.dataset
- file.target
- process.executable
- process.pid
- winlog.computer_name
- - event.dataset
'::registry_value_set':
- soc_timestamp
+ - event.dataset
- winlog.event_data.TargetObject
- process.executable
- process.pid
- winlog.computer_name
- - event.dataset
'::process_creation':
- soc_timestamp
+ - event.dataset
- process.command_line
- process.pid
- process.parent.executable
- process.working_directory
- - event.dataset
'::registry_create_delete':
- soc_timestamp
+ - event.dataset
- winlog.event_data.TargetObject
- process.executable
- process.pid
- winlog.computer_name
- - event.dataset
'::dns_query':
- soc_timestamp
+ - event.dataset
- dns.query.name
- dns.answers.name
- process.executable
- winlog.computer_name
- - event.dataset
'::file_create_stream_hash':
- soc_timestamp
+ - event.dataset
- file.target
- hash.md5
- hash.sha256
- process.executable
- process.pid
- winlog.computer_name
- - event.dataset
'::bacnet':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -726,9 +727,9 @@ soc:
- bacnet.bclv.function
- bacnet.result.code
- log.id.uid
- - event.dataset
'::bacnet_discovery':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -736,9 +737,9 @@ soc:
- bacnet.vendor
- bacnet.pdu.service
- log.id.uid
- - event.dataset
'::bacnet_property':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -746,9 +747,9 @@ soc:
- bacnet.property
- bacnet.pdu.service
- log.id.uid
- - event.dataset
'::bsap_ip_header':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -756,16 +757,16 @@ soc:
- bsap.message.type
- bsap.number.messages
- log.id.uid
- - event.dataset
'::bsap_ip_rdb':
- soc_timestamp
+ - event.dataset
- bsap.application.function
- bsap.application.sub.function
- bsap.vector.variables
- log.id.uid
- - event.dataset
'::bsap_serial_header':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -774,15 +775,15 @@ soc:
- bsap.destination.function
- bsap.message.type
- log.id.uid
- - event.dataset
'::bsap_serial_rdb':
- soc_timestamp
+ - event.dataset
- bsap.rdb.function
- bsap.vector.variables
- log.id.uid
- - event.dataset
'::cip':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -790,9 +791,9 @@ soc:
- cip.service
- cip.status_code
- log.id.uid
- - event.dataset
'::cip_identity':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -800,9 +801,9 @@ soc:
- cip.device.type.name
- cip.vendor.name
- log.id.uid
- - event.dataset
'::cip_io':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -810,63 +811,63 @@ soc:
- cip.connection.id
- cip.io.data
- log.id.uid
- - event.dataset
'::cotp':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
- destination.port
- cotp.pdu.name
- log.id.uid
- - event.dataset
'::ecat_arp_info':
- soc_timestamp
+ - event.dataset
- source.ip
- destination.ip
- source.mac
- destination.mac
- ecat.arp.type
- - event.dataset
'::ecat_aoe_info':
- soc_timestamp
+ - event.dataset
- source.mac
- source.port
- destination.mac
- destination.port
- ecat.command
- - event.dataset
'::ecat_coe_info':
- soc_timestamp
+ - event.dataset
- ecat.message.number
- ecat.message.type
- ecat.request.response.type
- ecat.index
- ecat.sub.index
- - event.dataset
'::ecat_dev_info':
- soc_timestamp
+ - event.dataset
- ecat.device.type
- ecat.features
- ecat.ram.size
- ecat.revision
- ecat.slave.address
- - event.dataset
'::ecat_log_address':
- soc_timestamp
+ - event.dataset
- source.mac
- destination.mac
- ecat.command
- - event.dataset
'::ecat_registers':
- soc_timestamp
+ - event.dataset
- source.mac
- destination.mac
- ecat.command
- ecat.register.type
- - event.dataset
'::enip':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -874,18 +875,18 @@ soc:
- enip.command
- enip.status_code
- log.id.uid
- - event.dataset
'::modbus_detailed':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
- destination.port
- modbus.function
- log.id.uid
- - event.dataset
'::opcua_binary':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -893,9 +894,9 @@ soc:
- opcua.identifier_string
- opcua.message_type
- log.id.uid
- - event.dataset
'::opcua_binary_activate_session':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -904,9 +905,9 @@ soc:
- opcua.identifier_string
- opcua.user_name
- log.id.uid
- - event.dataset
'::opcua_binary_activate_session_diagnostic_info':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -914,9 +915,9 @@ soc:
- opcua.activate_session_diag_info_link_id
- opcua.diag_info_link_id
- log.id.uid
- - event.dataset
'::opcua_binary_activate_session_locale_id':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -924,9 +925,9 @@ soc:
- opcua.local_id
- opcua.locale_link_id
- log.id.uid
- - event.dataset
'::opcua_binary_browse':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -934,17 +935,17 @@ soc:
- opcua.link_id
- opcua.service_type
- log.id.uid
- - event.dataset
'::opcua_binary_browse_description':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
- destination.port
- log.id.uid
- - event.dataset
'::opcua_binary_browse_response_references':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -952,27 +953,27 @@ soc:
- opcua.node_class
- opcua.display_name_text
- log.id.uid
- - event.dataset
'::opcua_binary_browse_result':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.response_link_id
- log.id.uid
- - event.dataset
'::opcua_binary_create_session':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.link_id
- log.id.uid
- - event.dataset
'::opcua_binary_create_session_endpoints':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -980,27 +981,27 @@ soc:
- opcua.endpoint_link_id
- opcua.endpoint_url
- log.id.uid
- - event.dataset
'::opcua_binary_create_session_user_token':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.user_token_link_id
- log.id.uid
- - event.dataset
'::opcua_binary_create_subscription':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
- destination.port
- opcua.link_id
- log.id.uid
- - event.dataset
'::opcua_binary_get_endpoints':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -1008,9 +1009,9 @@ soc:
- opcua.endpoint_url
- opcua.link_id
- log.id.uid
- - event.dataset
'::opcua_binary_get_endpoints_description':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -1018,9 +1019,9 @@ soc:
- opcua.endpoint_description_link_id
- opcua.endpoint_uri
- log.id.uid
- - event.dataset
'::opcua_binary_get_endpoints_user_token':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -1028,9 +1029,9 @@ soc:
- opcua.user_token_link_id
- opcua.user_token_type
- log.id.uid
- - event.dataset
'::opcua_binary_read':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -1038,9 +1039,9 @@ soc:
- opcua.link_id
- opcua.read_results_link_id
- log.id.uid
- - event.dataset
'::opcua_binary_status_code_detail':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -1048,9 +1049,9 @@ soc:
- opcua.info_type_string
- opcua.source_string
- log.id.uid
- - event.dataset
'::profinet':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -1058,18 +1059,18 @@ soc:
- profinet.index
- profinet.operation_type
- log.id.uid
- - event.dataset
'::profinet_dce_rpc':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
- destination.port
- profinet.operation
- log.id.uid
- - event.dataset
'::s7comm':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -1077,9 +1078,9 @@ soc:
- s7.ros.control.name
- s7.function.name
- log.id.uid
- - event.dataset
'::s7comm_plus':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -1087,9 +1088,9 @@ soc:
- s7.opcode.name
- s7.version
- log.id.uid
- - event.dataset
'::s7comm_read_szl':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -1097,9 +1098,9 @@ soc:
- s7.szl_id_name
- s7.return_code_name
- log.id.uid
- - event.dataset
'::s7comm_upload_download':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
@@ -1107,52 +1108,52 @@ soc:
- s7.ros.control.name
- s7.function_code
- log.id.uid
- - event.dataset
'::tds':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
- destination.port
- tds.command
- log.id.uid
- - event.dataset
'::tds_rpc':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
- destination.port
- tds.procedure_name
- log.id.uid
- - event.dataset
'::tds_sql_batch':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- destination.ip
- destination.port
- tds.header_type
- log.id.uid
- - event.dataset
':endpoint:events_x_api':
- soc_timestamp
+ - event.dataset
- host.name
- user.name
- process.name
- process.Ext.api.name
- process.thread.Ext.call_stack_final_user_module.path
- - event.dataset
':endpoint:events_x_file':
- soc_timestamp
+ - event.dataset
- host.name
- user.name
- process.name
- event.action
- file.path
- - event.dataset
':endpoint:events_x_library':
- soc_timestamp
+ - event.dataset
- host.name
- user.name
- process.name
@@ -1160,9 +1161,9 @@ soc:
- dll.path
- dll.code_signature.status
- dll.code_signature.subject_name
- - event.dataset
':endpoint:events_x_network':
- soc_timestamp
+ - event.dataset
- host.name
- user.name
- process.name
@@ -1172,43 +1173,43 @@ soc:
- destination.ip
- destination.port
- network.community_id
- - event.dataset
':endpoint:events_x_process':
- soc_timestamp
+ - event.dataset
- host.name
- user.name
- process.parent.name
- process.name
- event.action
- process.working_directory
- - event.dataset
':endpoint:events_x_registry':
- soc_timestamp
+ - event.dataset
- host.name
- user.name
- process.name
- event.action
- registry.path
- - event.dataset
':endpoint:events_x_security':
- soc_timestamp
+ - event.dataset
- host.name
- user.name
- process.executable
- event.action
- event.outcome
- - event.dataset
':system:':
- soc_timestamp
+ - event.dataset
- process.name
- process.pid
- user.effective.name
- user.name
- system.auth.sudo.command
- - event.dataset
- message
':opencanary:':
- soc_timestamp
+ - event.dataset
- source.ip
- source.port
- logdata.HOSTNAME
@@ -1216,20 +1217,20 @@ soc:
- logdata.PATH
- logdata.USERNAME
- logdata.USERAGENT
- - event.dataset
':elastic_agent:':
- soc_timestamp
- event.dataset
- message
':kismet:':
- soc_timestamp
+ - event.dataset
- device.manufacturer
- client.mac
- network.wireless.ssid
- network.wireless.bssid
- - event.dataset
':playbook:':
- soc_timestamp
+ - event.dataset
- rule.name
- event.severity_label
- event_data.event.dataset
@@ -1241,6 +1242,7 @@ soc:
- event_data.process.pid
':sigma:':
- soc_timestamp
+ - event.dataset
- rule.name
- event.severity_label
- event_data.event.dataset
@@ -1954,6 +1956,7 @@ soc:
eventFields:
default:
- soc_timestamp
+ - event.dataset
- rule.name
- event.severity_label
- source.ip
@@ -1966,6 +1969,7 @@ soc:
- rule.rev
':playbook:':
- soc_timestamp
+ - event.dataset
- rule.name
- event.severity_label
- event_data.event.dataset
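Review bot: In the hunk starting at old line 1954, the `default:` list of the second `eventFields:` block gains `event.dataset` without a matching removal, unlike every other list in this diff, and because the next hunk starts at 1966 as a separate hunk the six lines between them are unchanged, so this list either never carried `event.dataset` (the commit adds a column rather than moving one) or still carries it further down (now listed twice); confirm which is intended. Since this block is followed by `queryBaseFilter: tags:alert`, it appears to be the alerts view, where an extra default column is a visible change. The `default:` list runs past the end of the hunk.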
@@ -1977,6 +1981,7 @@ soc:
- event_data.process.pid
':sigma:':
- soc_timestamp
+ - event.dataset
- rule.name
- event.severity_label
- event_data.event.dataset
@@ -1989,13 +1994,13 @@ soc:
- event_data.process.pid
':strelka:':
- soc_timestamp
+ - event.dataset
- file.name
- file.size
- hash.md5
- file.source
- file.mime_type
- log.id.fuid
- - event.dataset
queryBaseFilter: tags:alert
queryToggleFilters:
- name: acknowledged