SOC Logs & Hunt Query

This commit is contained in:
Josh Brower
2023-03-23 16:22:59 -04:00
parent 0f66645a89
commit bad905f54c
3 changed files with 32 additions and 3 deletions


@@ -1123,10 +1123,14 @@ soc:
description: Show all events grouped by module and dataset
query: '* | groupby event.module* event.dataset'
showSubtitle: true
- name: SOC Auth
- name: SOC - Auth
description: Users authenticated to SOC grouped by IP address and identity
query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip identity_id'
showSubtitle: true
- name: SOC - App
description: Logs generated by the Security Onion Console (SOC) server and modules
query: 'event.module: "soc" | groupby event.module* event.dataset* log.level* | groupby agent.name | groupby event.action* | groupby "http.request.method" | groupby "url.path"'
showSubtitle: true
- name: Elastalerts
description: ''
query: '_type:elastalert | groupby rule.name'
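Review bot: The new "SOC - App" query is written in a different syntax style from the rest of this list: `event.module: "soc"` has a space after the colon and quotes the value, while the neighbouring "SOC - Auth" entry uses `event.module:kratos`, and the groupby clauses mix bare field names (`agent.name`) with quoted ones (`"http.request.method"`, `"url.path"`) for no visible reason. Since these entries ship as the default hunt queries, keeping one form makes them easier to copy and diff; I would write `query: 'event.module:soc | groupby event.module* event.dataset* log.level* | groupby agent.name | groupby event.action* | groupby http.request.method | groupby url.path'` unless the query parser actually requires the quotes for dotted names. As a related caveat on the renamed "SOC - Auth" entry, its grouping key `http_request.headers.x-real-ip` is only a reliable source address if the fronting proxy sets or overwrites that header rather than passing a client-supplied value through; that is presumably the case for the bundled nginx config, but the description could say so, e.g. `description: Users authenticated to SOC grouped by proxy-reported client IP (X-Real-IP) and identity`. The enclosing `soc:` mapping starts before this hunk.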