From aa9d44ab0953f9195baa9a22894a6ac67ee39b06 Mon Sep 17 00:00:00 2001
From: Doug Burks <doug.burks@securityonionsolutions.com>
Date: Fri, 24 Mar 2023 13:51:13 -0400
Subject: [PATCH] Add four new GeoIP dashboards

---
 salt/soc/defaults.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 8d846a84d..502a83fad 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1565,6 +1565,18 @@ soc:
           - name: VLAN
             description: VLAN (Virtual Local Area Network) tagged logs
             query: '* AND _exists_:network.vlan.id | groupby network.vlan.id | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby event.dataset | groupby event.module | groupby observer.name | groupby source.geo.country_name | groupby destination.geo.country_name'
+          - name: GeoIP - Destination Countries
+            description: GeoIP tagged logs visualized by destination countries
+            query: '* AND _exists_:destination.geo.country_name | groupby destination.geo.country_name | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby destination.geo.country_name | groupby event.dataset | groupby event.module'
+          - name: GeoIP - Destination Organizations
+            description: GeoIP tagged logs visualized by destination organizations
+            query: '* AND _exists_:destination_geo.organization_name | groupby destination_geo.organization_name | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby destination.geo.country_name | groupby event.dataset | groupby event.module'
+          - name: GeoIP - Source Countries
+            description: GeoIP tagged logs visualized by source countries
+            query: '* AND _exists_:source.geo.country_name | groupby source.geo.country_name | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby source.geo.country_name | groupby event.dataset | groupby event.module'
+          - name: GeoIP - Source Organizations
+            description: GeoIP tagged logs visualized by source organizations
+            query: '* AND _exists_:source_geo.organization_name | groupby source_geo.organization_name | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby source.geo.country_name | groupby event.dataset | groupby event.module'
       job:
       alerts:
         advanced: false