From ad05e75ce77dfe5db71ebb472ecbdcf2e3e8be3c Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Wed, 9 Sep 2020 00:46:18 -0400
Subject: [PATCH] Add new quick actions to SOC config template

---
 salt/soc/files/soc/soc.json | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index f4a817ff3..81efcb447 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -141,6 +141,11 @@
           { "name": "x509", "description": "x.509 grouped by issuer", "query": "event.dataset:x509 | groupby x509.certificate.issuer"},
           { "name": "x509", "description": "x.509 grouped by subject", "query": "event.dataset:x509 | groupby x509.certificate.subject"},
           { "name": "Firewall", "description": "Firewall events grouped by action", "query": "event_type:firewall | groupby action"}
+        ],
+        "actions": [
+          { "name": "", "description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}" },
+          { "name": "", "description": "actionAlertHelp", "icon": "fa-bell", "link": "/soctopus/thehive/alert/{eventId}" },
+          { "name": "", "description": "actionVirtusTotalHelp", "icon": "fa-globe", "link": "https://www.virustotal.com/gui/ip-address/{value}/detection", "fields": [ "source.ip", "destination.ip" ] }
         ]
       }
     }