improve sysmon dashboards

2025-12-06 09:12:45 +01:00 · 2022-10-07 12:23:40 -04:00
parent 8437592bb5
commit d65fde9536
1 changed files with 18 additions and 3 deletions
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1556,9 +1556,24 @@ soc:
          - name: Wazuh/OSSEC
            description: Wazuh/OSSEC HIDS alerts and logs
            query: 'event.module:ossec | groupby rule.category | groupby rule.uuid | groupby rule.name | groupby agent.id | groupby agent.name | groupby log.full'
-          - name: Sysmon
-            description: Sysmon logs
-            query: 'event.module:sysmon | groupby event.dataset | groupby user.name | groupby process.executable | groupby process.command_line | groupby process.parent.command_line'
+          - name: Sysmon Overview
+            description: Overview of all Sysmon data types
+            query: 'event.module:sysmon | groupby -sankey event.dataset winlog.computer_name | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby event.dataset | groupby user.name | groupby dns.query.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.target | groupby source.ip | groupby destination.ip | groupby destination.port'
+          - name: Sysmon Registry
+            description: Registry changes captured by Sysmon
+            query: '(event.dataset:registry_create_delete OR event.dataset:registry_value_set OR event.dataset:registry_key_value_rename) | groupby -sankey event.dataset winlog.computer_name | groupby winlog.computer_name | groupby event.dataset | groupby process.executable | groupby winlog.event_data.TargetObject | groupby process.executable winlog.event_data.TargetObject'
+          - name: Sysmon DNS
+            description: DNS queries captured by Sysmon
+            query: 'event.dataset:dns_query | groupby -sankey winlog.computer_name dns.query.name | groupby winlog.computer_name | groupby process.executable | groupby dns.query.name | groupby dns.answers.name'
+          - name: Sysmon Process
+            description: Process activity captured by Sysmon
+            query: '(event.dataset:process_creation OR event.dataset:process_terminated OR event.dataset:process_access) | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby user.name | groupby event.dataset | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable'
+          - name: Sysmon File
+            description: File activity captured by Sysmon
+            query: '(event.dataset:file_create OR event.dataset:file_create_stream_hash OR event.dataset:process_changed_file) | groupby -sankey winlog.computer_name process.executable | groupby winlog.computer_name | groupby event.dataset | groupby file.target | groupby process.executable'
+          - name: Sysmon Network
+            description: Network activity captured by Sysmon
+            query: 'event.dataset:network_connection | groupby -sankey winlog.computer_name destination.ip destination.port destination_geo.organization_name | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
          - name: Strelka
            description: Strelka logs
            query: 'event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source'