From 3eb4adc5c373274f1efe4ee3a6958441a29c8a9a Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Mon, 19 Sep 2022 20:12:47 -0400
Subject: [PATCH] Hunt Query - Elastic Agent Live Osquery Logs
---
 salt/soc/defaults.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 9da87a898..7ba352e34 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -680,6 +680,9 @@ soc:
 - name: NIDS Alerts
 description: Show all NIDS alerts grouped by alert
 query: 'event.category: network AND event.dataset: alert | groupby rule.category rule.gid rule.uuid rule.name'
+ - name: Osquery - Live Query
+ description: Show all Osquery Live Query results
+ query: 'event.dataset: osquery_manager.result | groupby action_data.id action_data.query | groupby host.hostname'
 - name: Wazuh/OSSEC Alerts
 description: Show all Wazuh alerts at Level 5 or higher grouped by category
 query: 'event.module:ossec AND event.dataset:alert AND rule.level:>4 | groupby rule.category rule.name'
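Review bot: The added query chains two `groupby` segments (`| groupby action_data.id action_data.query | groupby host.hostname`), while every other hunt query visible in this hunk uses a single `groupby`; unless the SOC hunt parser is confirmed to accept chained groupby clauses, this entry would be the only one relying on it, and a single segment `| groupby action_data.id action_data.query host.hostname` would give the same grouping with the established form. The description could also name where these results come from so an analyst knows which data source the hunt depends on, e.g. `description: Show all Osquery Live Query results (Elastic Agent osquery_manager integration)`, which the commit subject implies but the entry itself does not state. The enclosing `soc:` hunt-query list starts and continues outside this hunk.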