CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

make sure that ICS dashboards with sankey also have separate event.dataset table

Browse Source
This commit is contained in:
Doug Burks
2022-11-28 12:09:57 -05:00
committed by GitHub
parent 268253ce14
commit a796fa2ff7
1 changed files with 8 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
salt/soc/files/soc/dashboards.queries.json
View File

@@ -49,15 +49,15 @@
{ "name": "WireGuard", "description": "WireGuard VPN", "query": "event.dataset:wireguard | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "WireGuard", "description": "WireGuard VPN", "query": "event.dataset:wireguard | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "x509", "description": "x.509 certificates seen by Zeek", "query": "event.dataset:x509 | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer"}, { "name": "x509", "description": "x.509 certificates seen by Zeek", "query": "event.dataset:x509 | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer"},
{ "name": "ICS Overview", "description": "Industrial Control Systems overview", "query": "tags:ics | groupby event.dataset | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby source.mac | groupby destination.mac"}, { "name": "ICS Overview", "description": "Industrial Control Systems overview", "query": "tags:ics | groupby event.dataset | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby source.mac | groupby destination.mac"},
{ "name": "ICS BACnet", "description": "BACnet logs", "query": "event.dataset:bacnet* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "ICS BACnet", "description": "BACnet logs", "query": "event.dataset:bacnet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "ICS BSAP", "description": "Bristol Standard Asynchronous Protocol logs", "query": "event.dataset:bsap* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "ICS BSAP", "description": "Bristol Standard Asynchronous Protocol logs", "query": "event.dataset:bsap* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "ICS CIP", "description": "Common Industrial Protocol logs", "query": "event.dataset:cip* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "ICS CIP", "description": "Common Industrial Protocol logs", "query": "event.dataset:cip* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "ICS DNP3", "description": "DNP3 logs", "query": "event.dataset:dnp3* | groupby -sankey event.dataset source.ip destination.ip | groupby dnp3.function_code | groupby dnp3.object_type | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "ICS DNP3", "description": "DNP3 logs", "query": "event.dataset:dnp3* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby dnp3.function_code | groupby dnp3.object_type | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "ICS ECAT", "description": "ECAT logs", "query": "event.dataset:ecat* | groupby -sankey event.dataset source.mac destination.mac | groupby source.mac | groupby destination.mac | groupby ecat.command | groupby ecat.register.type"}, { "name": "ICS ECAT", "description": "ECAT logs", "query": "event.dataset:ecat* | groupby -sankey event.dataset source.mac destination.mac | groupby event.dataset | groupby source.mac | groupby destination.mac | groupby ecat.command | groupby ecat.register.type"},
{ "name": "ICS ENIP", "description": "ENIP logs", "query": "event.dataset:enip* | groupby -sankey source.ip destination.ip | groupby enip.command | groupby enip.status_code | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "ICS ENIP", "description": "ENIP logs", "query": "event.dataset:enip* | groupby -sankey source.ip destination.ip | groupby enip.command | groupby enip.status_code | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "ICS Modbus", "description": "Modbus logs", "query": "event.dataset:modbus* | groupby -sankey event.dataset modbus.function | groupby event.dataset | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "ICS Modbus", "description": "Modbus logs", "query": "event.dataset:modbus* | groupby -sankey event.dataset modbus.function | groupby event.dataset | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "ICS OPC UA", "description": "OPC Unified Architecture logs", "query": "event.dataset:opcua* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "ICS OPC UA", "description": "OPC Unified Architecture logs", "query": "event.dataset:opcua* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "ICS Profinet", "description": "Profinet logs", "query": "event.dataset:profinet* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "ICS Profinet", "description": "Profinet logs", "query": "event.dataset:profinet* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "ICS S7", "description": "S7 logs", "query": "event.dataset:s7* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"}, { "name": "ICS S7", "description": "S7 logs", "query": "event.dataset:s7* | groupby -sankey event.dataset source.ip destination.ip | groupby event.dataset | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Firewall", "description": "Firewall logs", "query": "event.dataset:firewall | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port"} { "name": "Firewall", "description": "Firewall logs", "query": "event.dataset:firewall | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port"}
] ]