more ICS dashboards

This commit is contained in:
Doug Burks
2022-11-28 10:06:58 -05:00
committed by GitHub
parent a4f5e7b2a6
commit ce7b16a230


@@ -24,7 +24,6 @@
{ "name": "Intel", "description": "Zeek Intel framework hits", "query": "event.dataset:intel | groupby intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "IRC", "description": "Internet Relay Chat logs", "query": "event.dataset:irc | groupby irc.command.type | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Kerberos", "description": "Kerberos logs", "query": "event.dataset:kerberos | groupby kerberos.service | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Modbus", "description": "Modbus logs", "query": "event.dataset:modbus* | groupby -sankey event.dataset modbus.function | groupby event.dataset | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "MySQL", "description": "MySQL logs", "query": "event.dataset:mysql | groupby mysql.command | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Notice", "description": "Zeek notice logs", "query": "event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "NTLM", "description": "NTLM logs", "query": "event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port"},
@@ -56,6 +55,8 @@
{ "name": "ICS - DNP3", "description": "DNP3 logs", "query": "event.dataset:dnp3 | groupby -sankey dnp3.fc_request source.ip destination.ip | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby dnp3.iin | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "ICS - DNP3 Objects", "description": "DNP3 objects", "query": "event.dataset:dnp3_objects | groupby -sankey dnp3.function_code dnp3.object_type | groupby dnp3.function_code | groupby dnp3.object_type | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "ICS - ECAT", "description": "ECAT logs", "query": "event.dataset:ecat* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "ICS - ENIP", "description": "ENIP logs", "query": "event.dataset:enip* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "ICS - Modbus", "description": "Modbus logs", "query": "event.dataset:modbus* | groupby -sankey event.dataset modbus.function | groupby event.dataset | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "ICS - OPC UA", "description": "OPC Unified Architecture logs", "query": "event.dataset:opcua* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "ICS - Profinet", "description": "Profinet logs", "query": "event.dataset:profinet* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "ICS - S7", "description": "S7 logs", "query": "event.dataset:s7* | groupby -sankey event.dataset source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port"},
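Review bot: The ECAT, ENIP, OPC UA, Profinet and S7 entries in the second hunk pivot only on endpoints (`event.dataset source.ip destination.ip` in the sankey, then `source.ip`/`destination.ip`/`destination.port`), whereas the neighbouring DNP3 and Modbus entries also group on the protocol's function code; without that field these dashboards cannot separate reads from write/control operations, which is the distinction an ICS analyst needs first. Which two of these lines are the additions is not recoverable from the rendered view, so this applies to whichever of them is new. Once the field name each parser emits is confirmed in the ingest mapping, add it as a groupby, e.g. `| groupby <PROTOCOL_FUNCTION_FIELD>` (placeholder), and consider it in the sankey in place of the bare `event.dataset` edge. The descriptions are also uneven: "OPC Unified Architecture logs" spells out the protocol while "ECAT logs", "ENIP logs" and "S7 logs" do not; `"description": "EtherCAT logs"`, `"description": "EtherNet/IP logs"` and `"description": "Siemens S7comm logs"` would read consistently. The first hunk presumably drops the generic "Modbus" entry in favour of "ICS - Modbus"; any saved hunt links keyed on the old dashboard name would need updating.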