diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 9dce3fd8e..aefe6d00f 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1,5 +1,52 @@ soc: logFilename: /opt/sensoroni/logs/sensoroni-server.log + actions: + - name: actionHunt + description: actionHuntHelp + icon: fa-crosshairs + target: + links: + - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' + - name: actionCorrelate + description: actionCorrelateHelp + icon: fab fa-searchengin + target: + links: + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' + - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' + - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' + - name: actionPcap + description: actionPcapHelp + icon: fa-stream + target: + links: + - '/joblookup?esid={:soc_id}&time={:@timestamp}' + - '/joblookup?ncid={:network.community_id}&time={:@timestamp}' + categories: + - hunt + - alerts + - name: actionCyberChef + description: actionCyberChefHelp + icon: fas fa-bread-slice + target: _blank + links: + - '/cyberchef/#input={value|base64}' + - name: actionGoogle + description: actionGoogleHelp + icon: fab fa-google + target: _blank + links: + - 'https://www.google.com/search?q={value}' + - name: actionVirusTotal + description: actionVirusTotalHelp + icon: fa-external-link-alt + target: _blank + links: + - 'https://www.virustotal.com/gui/search/{value}' server: bindAddress: 0.0.0.0:9822 baseUrl: / @@ -17,7 +64,7 @@ soc: remoteHostUrls: [] username: password: - index: '*:so-*' + index: '*:so-*,*:endgame-*' cacheMs: 300000 verifyCert: false casesEnabled: true @@ -28,6 +75,7 @@ soc: org: '' bucket: telegraf verifyCert: false + salt: {} sostatus: refreshIntervalMs: 30000 offlineThresholdMs: 900000 @@ -42,898 +90,1458 @@ soc: - rbac/custom_roles userFiles: - rbac/users_roles - client: - docsUrl: https://docs.securityonion.net/en/2.3/ - cheatsheetUrl: https://github.com/Security-Onion-Solutions/securityonion-docs/raw/2.3/images/cheat-sheet/Security-Onion-Cheat-Sheet.pdf - releaseNotesUrl: https://docs.securityonion.net/en/2.3/release-notes - apiTimeoutMs: 0 - webSocketTimeoutMs: 0 - tipTimeoutMs: 0 - cacheExpirationMs: 0 - casesEnabled: true - inactiveTools: ['toolUnused'] - tools: - - name: toolKibana - description: toolKibanaHelp - icon: fa-external-link-alt - target: so-kibana - link: /kibana/ - - name: toolGrafana - description: toolGrafanaHelp - icon: fa-external-link-alt - target: so-grafana - link: /grafana/d/so_overview - - name: toolCyberchef - description: toolCyberchefHelp - icon: fa-external-link-alt - target: so-cyberchef - link: /cyberchef/ - - name: toolPlaybook - description: toolPlaybookHelp - icon: fa-external-link-alt - target: so-playbook - link: /playbook/projects/detection-playbooks/issues/ - - name: toolFleet - description: toolFleetHelp - icon: fa-external-link-alt - target: so-fleet - link: /fleet/ - - name: toolNavigator - description: toolNavigatorHelp - icon: fa-external-link-alt - target: so-navigator - link: /navigator/ - hunt: - advanced: true - groupItemsPerPage: 10 - groupFetchLimit: 10 - eventItemsPerPage: 10 - eventFetchLimit: 100 - relativeTimeValue: 24 - relativeTimeUnit: 30 - mostRecentlyUsedLimit: 5 - ackEnabled: false - escalateEnabled: true - escalateRelatedEventsEnabled: true - eventFields: - default: - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - log.id.uid - - network.community_id - - event.dataset - ':kratos:audit': - - soc_timestamp - - http_request.headers.x-real-ip - - identity_id - - http_request.headers.user-agent - '::conn': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - network.transport - - network.protocol - - log.id.uid - - network.community_id - '::dce_rpc': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - dce_rpc.endpoint - - dce_rpc.named_pipe - - dce_rpc.operation - - log.id.uid - '::dhcp': - - soc_timestamp - - client.address - - server.address - - host.domain - - host.hostname - - dhcp.message_types - - log.id.uid - '::dnp3': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - dnp3.fc_reply - - log.id.uid - '::dns': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - network.transport - - dns.query.name - - dns.query.type_name - - dns.response.code_name - - log.id.uid - - network.community_id - '::dpd': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - network.protocol - - observer.analyser - - error.reason - - log.id.uid - '::file': - - soc_timestamp - - source.ip - - destination.ip - - file.name - - file.mime_type - - file.source - - file.bytes.total - - log.id.fuid - - log.id.uid - '::ftp': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - ftp.user - - ftp.command - - ftp.argument - - ftp.reply_code - - file.size - - log.id.uid - '::http': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - http.method - - http.virtual_host - - http.status_code - - http.status_message - - http.request.body.length - - http.response.body.length - - log.id.uid - - network.community_id - '::intel': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - intel.indicator - - intel.indicator_type - - intel.seen_where - - log.id.uid - '::irc': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - irc.username - - irc.nickname - - irc.command.type - - irc.command.value - - irc.command.info - - log.id.uid - '::kerberos': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - kerberos.client - - kerberos.service - - kerberos.request_type - - log.id.uid - '::modbus': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - modbus.function - - log.id.uid - '::mysql': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - mysql.command - - mysql.argument - - mysql.success - - mysql.response - - log.id.uid - '::notice': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - notice.note - - notice.message - - log.id.fuid - - log.id.uid - - network.community_id - '::ntlm': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - ntlm.name - - ntlm.success - - ntlm.server.dns.name - - ntlm.server.nb.name - - ntlm.server.tree.name - - log.id.uid - '::pe': - - soc_timestamp - - file.is_64bit - - file.is_exe - - file.machine - - file.os - - file.subsystem - - log.id.fuid - '::radius': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - log.id.uid - - username - - radius.framed_address - - radius.reply_message - - radius.result - '::rdp': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - rdp.client_build - - client_name - - rdp.cookie - - rdp.encryption_level - - rdp.encryption_method - - rdp.keyboard_layout - - rdp.result - - rdp.security_protocol - - log.id.uid - '::rfb': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - rfb.authentication.method - - rfb.authentication.success - - rfb.share_flag - - rfb.desktop.name - - log.id.uid - '::signatures': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - note - - signature_id - - event_message - - sub_message - - signature_count - - host.count - - log.id.uid - '::sip': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - sip.method - - sip.uri - - sip.request.from - - sip.request.to - - sip.response.from - - sip.response.to - - sip.call_id - - sip.subject - - sip.user_agent - - sip.status_code - - log.id.uid - '::smb_files': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - log.id.fuid - - file.action - - file.path - - file.name - - file.size - - file.prev_name - - log.id.uid - '::smb_mapping': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - smb.path - - smb.service - - smb.share_type - - log.id.uid - '::smtp': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - smtp.from - - smtp.recipient_to - - smtp.subject - - smtp.useragent - - log.id.uid - - network.community_id - '::snmp': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - snmp.community - - snmp.version - - log.id.uid - '::socks': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - socks.name - - socks.request.host - - socks.request.port - - socks.status - - log.id.uid - '::software': - - soc_timestamp - - source.ip - - software.name - - software.type - '::ssh': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - ssh.version - - ssh.hassh_version - - ssh.direction - - ssh.client - - ssh.server - - log.id.uid - '::ssl': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - ssl.server_name - - ssl.certificate.subject - - ssl.validation_status - - ssl.version - - log.id.uid - ':zeek:syslog': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - syslog.facility - - network.protocol - - syslog.severity - - log.id.uid - '::tunnels': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - tunnel_type - - action - - log.id.uid - '::weird': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - weird.name - - log.id.uid - '::x509': - - soc_timestamp - - x509.certificate.subject - - x509.certificate.key.type - - x509.certificate.key.length - - x509.certificate.issuer - - log.id.fuid - '::firewall': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - network.transport - - network.direction - - interface.name - - rule.action - - rule.reason - - network.community_id - ':osquery:': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - source.hostname - - event.dataset - - process.executable - - user.name - ':ossec:': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - rule.name - - rule.level - - rule.category - - process.name - - user.name - - user.escalated - - location - ':strelka:file': - - soc_timestamp - - file.name - - file.size - - hash.md5 - - file.source - - file.mime_type - - log.id.fuid - ':suricata:': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - rule.name - - rule.category - - event.severity_label - - log.id.uid - - network.community_id - ':sysmon:': - - soc_timestamp - - source.ip - - source.port - - destination.ip - - destination.port - - source.hostname - - event.dataset - - process.executable - - user.name - ':windows_eventlog:': - - soc_timestamp - - user.name - ':elasticsearch:': - - soc_timestamp - - agent.name - - message - - log.level - - metadata.version - - metadata.pipeline - - event.dataset - ':kibana:': - - soc_timestamp - - host.name - - message - - kibana.log.meta.req.headers.x-real-ip - - event.dataset - '::rootcheck': - - soc_timestamp - - host.name - - metadata.ip_address - - log.full - - event.dataset - - event.module - '::ossec': - - soc_timestamp - - host.name - - metadata.ip_address - - log.full - - event.dataset - - event.module - '::syscollector': - - soc_timestamp - - host.name - - metadata.ip_address - - wazuh.data.type - - log.full - - event.dataset - - event.module - ':syslog:syslog': - - soc_timestamp - - host.name - - metadata.ip_address - - real_message - - syslog.priority - - syslog.application - ':aws:': - - soc_timestamp - - aws.cloudtrail.event_category - - aws.cloudtrail.event_type - - event.provider - - event.action - - event.outcome - - cloud.region - - user.name - - source.ip - - source.geo.region_iso_code - ':squid:': - - soc_timestamp - - url.original - - destination.ip - - destination.geo.country_iso_code - - user.name - - source.ip - queryBaseFilter: - queryToggleFilters: - - name: caseExcludeToggle - filter: NOT _index:\"*:so-case*\" - enabled: true - queries: - - name: Default Query - description: Show all events grouped by the origin host - query: '* | groupby observer.name' - - name: Log Type - description: Show all events grouped by module and dataset - query: '* | groupby event.module event.dataset' - - name: SOC Auth - description: Users authenticated to SOC grouped by IP address and identity - query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip identity_id' - - name: Elastalerts - description: '' - query: '_type:elastalert | groupby rule.name' - - name: Alerts - description: Show all alerts grouped by alert source - query: 'event.dataset: alert | groupby event.module' - - name: NIDS Alerts - description: Show all NIDS alerts grouped by alert - query: 'event.category: network AND event.dataset: alert | groupby rule.category rule.gid rule.uuid rule.name' - - name: Wazuh/OSSEC Alerts - description: Show all Wazuh alerts at Level 5 or higher grouped by category - query: 'event.module:ossec AND event.dataset:alert AND rule.level:>4 | groupby rule.category rule.name' - - name: Wazuh/OSSEC Alerts - description: Show all Wazuh alerts at Level 4 or lower grouped by category - query: 'event.module:ossec AND event.dataset:alert AND rule.level:<5 | groupby rule.category rule.name' - - name: Wazuh/OSSEC Users and Commands - description: Show all Wazuh alerts grouped by username and command line - query: 'event.module:ossec AND event.dataset:alert | groupby user.escalated.keyword process.command_line' - - name: Wazuh/OSSEC Processes - description: Show all Wazuh alerts grouped by process name - query: 'event.module:ossec AND event.dataset:alert | groupby process.name' - - name: Sysmon Events - description: Show all Sysmon logs grouped by event type - query: 'event.module:sysmon | groupby event.dataset' - - name: Sysmon Usernames - description: Show all Sysmon logs grouped by username - query: 'event.module:sysmon | groupby event.dataset, user.name.keyword' - - name: Strelka - description: Show all Strelka logs grouped by file type - query: 'event.module:strelka | groupby file.mime_type' - - name: Zeek Notice - description: Show notices from Zeek - query: 'event.dataset:notice | groupby notice.note notice.message' - - name: Connections - description: Connections grouped by IP and Port - query: 'event.dataset:conn | groupby source.ip destination.ip network.protocol destination.port' - - name: Connections - description: Connections grouped by Service - query: 'event.dataset:conn | groupby network.protocol destination.port' - - name: Connections - description: Connections grouped by destination country - query: 'event.dataset:conn | groupby destination.geo.country_name' - - name: Connections - description: Connections grouped by source country - query: 'event.dataset:conn | groupby source.geo.country_name' - - name: DCE_RPC - description: DCE_RPC grouped by operation - query: 'event.dataset:dce_rpc | groupby dce_rpc.operation' - - name: DHCP - description: DHCP leases - query: 'event.dataset:dhcp | groupby host.hostname client.address' - - name: DHCP - description: DHCP grouped by message type - query: 'event.dataset:dhcp | groupby dhcp.message_types' - - name: DNP3 - description: DNP3 grouped by reply - query: 'event.dataset:dnp3 | groupby dnp3.fc_reply' - - name: DNS - description: DNS queries grouped by port - query: 'event.dataset:dns | groupby dns.query.name destination.port' - - name: DNS - description: DNS queries grouped by type - query: 'event.dataset:dns | groupby dns.query.type_name destination.port' - - name: DNS - description: DNS queries grouped by response code - query: 'event.dataset:dns | groupby dns.response.code_name destination.port' - - name: DNS - description: DNS highest registered domain - query: 'event.dataset:dns | groupby dns.highest_registered_domain.keyword destination.port' - - name: DNS - description: DNS grouped by parent domain - query: 'event.dataset:dns | groupby dns.parent_domain.keyword destination.port' - - name: DPD - description: Dynamic Protocol Detection errors - query: 'event.dataset:dpd | groupby error.reason' - - name: Files - description: Files grouped by mimetype - query: 'event.dataset:file | groupby file.mime_type source.ip' - - name: Files - description: Files grouped by source - query: 'event.dataset:file | groupby file.source source.ip' - - name: FTP - description: FTP grouped by command and argument - query: 'event.dataset:ftp | groupby ftp.command ftp.argument' - - name: FTP - description: FTP grouped by username and argument - query: 'event.dataset:ftp | groupby ftp.user ftp.argument' - - name: HTTP - description: HTTP grouped by destination port - query: 'event.dataset:http | groupby destination.port' - - name: HTTP - description: HTTP grouped by status code and message - query: 'event.dataset:http | groupby http.status_code http.status_message' - - name: HTTP - description: HTTP grouped by method and user agent - query: 'event.dataset:http | groupby http.method http.useragent' - - name: HTTP - description: HTTP grouped by virtual host - query: 'event.dataset:http | groupby http.virtual_host' - - name: HTTP - description: HTTP with exe downloads - query: 'event.dataset:http AND (file.resp_mime_types:dosexec OR file.resp_mime_types:executable) | groupby http.virtual_host' - - name: Intel - description: Intel framework hits grouped by indicator - query: 'event.dataset:intel | groupby intel.indicator.keyword' - - name: IRC - description: IRC grouped by command - query: 'event.dataset:irc | groupby irc.command.type' - - name: KERBEROS - description: KERBEROS grouped by service - query: 'event.dataset:kerberos | groupby kerberos.service' - - name: MODBUS - description: MODBUS grouped by function - query: 'event.dataset:modbus | groupby modbus.function' - - name: MYSQL - description: MYSQL grouped by command - query: 'event.dataset:mysql | groupby mysql.command' - - name: NOTICE - description: Zeek notice logs grouped by note and message - query: 'event.dataset:notice | groupby notice.note notice.message' - - name: NTLM - description: NTLM grouped by computer name - query: 'event.dataset:ntlm | groupby ntlm.server.dns.name' - - name: Osquery Live Queries - description: Osquery Live Query results grouped by computer name - query: 'event.dataset:live_query | groupby host.hostname' - - name: PE - description: PE files list - query: 'event.dataset:pe | groupby file.machine file.os file.subsystem' - - name: RADIUS - description: RADIUS grouped by username - query: 'event.dataset:radius | groupby user.name.keyword' - - name: RDP - description: RDP grouped by client name - query: 'event.dataset:rdp | groupby client.name' - - name: RFB - description: RFB grouped by desktop name - query: 'event.dataset:rfb | groupby rfb.desktop.name.keyword' - - name: Signatures - description: Zeek signatures grouped by signature id - query: 'event.dataset:signatures | groupby signature_id' - - name: SIP - description: SIP grouped by user agent - query: 'event.dataset:sip | groupby client.user_agent' - - name: SMB_Files - description: SMB files grouped by action - query: 'event.dataset:smb_files | groupby file.action' - - name: SMB_Mapping - description: SMB mapping grouped by path - query: 'event.dataset:smb_mapping | groupby smb.path' - - name: SMTP - description: SMTP grouped by subject - query: 'event.dataset:smtp | groupby smtp.subject' - - name: SNMP - description: SNMP grouped by version and string - query: 'event.dataset:snmp | groupby snmp.community snmp.version' - - name: Software - description: List of software seen on the network - query: 'event.dataset:software | groupby software.type software.name' - - name: SSH - description: SSH grouped by version and client - query: 'event.dataset:ssh | groupby ssh.version ssh.client' - - name: SSL - description: SSL grouped by version and server name - query: 'event.dataset:ssl | groupby ssl.version ssl.server_name' - - name: SYSLOG - description: 'SYSLOG grouped by severity and facility ' - query: 'event.dataset:syslog | groupby syslog.severity_label syslog.facility_label' - - name: Tunnel - description: Tunnels grouped by type and action - query: 'event.dataset:tunnel | groupby tunnel.type event.action' - - name: Weird - description: Zeek weird log grouped by name - query: 'event.dataset:weird | groupby weird.name' - - name: x509 - description: x.509 grouped by key length and name - query: 'event.dataset:x509 | groupby x509.certificate.key.length x509.san_dns' - - name: x509 - description: x.509 grouped by name and issuer - query: 'event.dataset:x509 | groupby x509.san_dns x509.certificate.issuer' - - name: x509 - description: x.509 grouped by name and subject - query: 'event.dataset:x509 | groupby x509.san_dns x509.certificate.subject' - - name: Firewall - description: Firewall events grouped by action - query: 'event.dataset:firewall | groupby rule.action' - actions: - - name: actionHunt - description: actionHuntHelp - icon: fa-crosshairs - target: - links: - - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' - - name: actionCorrelate - description: actionCorrelateHelp - icon: fab fa-searchengin - target: - links: - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' - - name: actionPcap - description: actionPcapHelp - icon: fa-stream - target: - links: - - '/joblookup?esid={:soc_id}&time={:@timestamp}' - - '/joblookup?ncid={:network.community_id}&time={:@timestamp}' - categories: - - hunt - - alerts - - name: actionCyberChef - description: actionCyberChefHelp - icon: fas fa-bread-slice - target: _blank - links: - - '/cyberchef/#input={value|base64}' - - name: actionGoogle - description: actionGoogleHelp - icon: fab fa-google - target: _blank - links: - - 'https://www.google.com/search?q={value}' - - name: actionVirusTotal - description: actionVirusTotalHelp + client: + docsUrl: https://docs.securityonion.net/en/2.3/ + cheatsheetUrl: https://github.com/Security-Onion-Solutions/securityonion-docs/raw/2.3/images/cheat-sheet/Security-Onion-Cheat-Sheet.pdf + releaseNotesUrl: https://docs.securityonion.net/en/2.3/release-notes + apiTimeoutMs: 0 + webSocketTimeoutMs: 0 + tipTimeoutMs: 0 + cacheExpirationMs: 0 + casesEnabled: true + inactiveTools: ['toolUnused'] + tools: + - name: toolKibana + description: toolKibanaHelp icon: fa-external-link-alt - target: _blank - links: - - 'https://www.virustotal.com/gui/search/{value}' - job: - actions: - - name: actionHunt - description: actionHuntHelp - icon: fa-crosshairs - target: - links: - - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' - - name: actionCorrelate - description: actionCorrelateHelp - icon: fab fa-searchengin - target: - links: - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' - - name: actionPcap - description: actionPcapHelp - icon: fa-stream - target: - links: - - '/joblookup?esid={:soc_id}&time={:@timestamp}' - - '/joblookup?ncid={:network.community_id}&time={:@timestamp}' - categories: - - hunt - - alerts - - name: actionCyberChef - description: actionCyberChefHelp - icon: fas fa-bread-slice - target: _blank - links: - - '/cyberchef/#input={value|base64}' - - name: actionGoogle - description: actionGoogleHelp - icon: fab fa-google - target: _blank - links: - - 'https://www.google.com/search?q={value}' - - name: actionVirusTotal - description: actionVirusTotalHelp + target: so-kibana + link: /kibana/ + - name: toolGrafana + description: toolGrafanaHelp icon: fa-external-link-alt - target: _blank - links: - - 'https://www.virustotal.com/gui/search/{value}' - alerts: - advanced: false - groupItemsPerPage: 50 - groupFetchLimit: 500 - eventItemsPerPage: 50 - eventFetchLimit: 500 - relativeTimeValue: 24 - relativeTimeUnit: 30 - mostRecentlyUsedLimit: 5 - ackEnabled: true - escalateEnabled: true - escalateRelatedEventsEnabled: true - eventfields: - default: - - soc_timestamp - - rule.name - - event.severity_label - - source.ip - - source.port - - destination.ip - - destination.port - - rule.gid - - rule.uuid - - rule.category - - rule.rev - ':ossec:': - - soc_timestamp - - rule.name - - event.severity_label - - source.ip - - source.port - - destination.ip - - destination.port - - rule.level - - rule.category - - process.name - - user.name - - user.escalated - - location - - process.name + target: so-grafana + link: /grafana/d/so_overview + - name: toolCyberchef + description: toolCyberchefHelp + icon: fa-external-link-alt + target: so-cyberchef + link: /cyberchef/ + - name: toolPlaybook + description: toolPlaybookHelp + icon: fa-external-link-alt + target: so-playbook + link: /playbook/projects/detection-playbooks/issues/ + - name: toolFleet + description: toolFleetHelp + icon: fa-external-link-alt + target: so-fleet + link: /fleet/ + - name: toolNavigator + description: toolNavigatorHelp + icon: fa-external-link-alt + target: so-navigator + link: /navigator/ + hunt: + advanced: true + groupItemsPerPage: 10 + groupFetchLimit: 10 + eventItemsPerPage: 10 + eventFetchLimit: 100 + relativeTimeValue: 24 + relativeTimeUnit: 30 + mostRecentlyUsedLimit: 5 + ackEnabled: false + escalateEnabled: true + escalateRelatedEventsEnabled: true + eventFields: + default: + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - log.id.uid + - network.community_id + - event.dataset + ':kratos:audit': + - soc_timestamp + - http_request.headers.x-real-ip + - identity_id + - http_request.headers.user-agent + '::conn': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.transport + - network.protocol + - log.id.uid + - network.community_id + '::dce_rpc': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - dce_rpc.endpoint + - dce_rpc.named_pipe + - dce_rpc.operation + - log.id.uid + '::dhcp': + - soc_timestamp + - client.address + - server.address + - host.domain + - host.hostname + - dhcp.message_types + - log.id.uid + '::dnp3': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - dnp3.fc_reply + - log.id.uid + '::dns': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.transport + - dns.query.name + - dns.query.type_name + - dns.response.code_name + - log.id.uid + - network.community_id + '::dpd': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.protocol + - observer.analyser + - error.reason + - log.id.uid + '::file': + - soc_timestamp + - source.ip + - destination.ip + - file.name + - file.mime_type + - file.source + - file.bytes.total + - log.id.fuid + - log.id.uid + '::ftp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ftp.user + - ftp.command + - ftp.argument + - ftp.reply_code + - file.size + - log.id.uid + '::http': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - http.method + - http.virtual_host + - http.status_code + - http.status_message + - http.request.body.length + - http.response.body.length + - log.id.uid + - network.community_id + '::intel': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - intel.indicator + - intel.indicator_type + - intel.seen_where + - log.id.uid + '::irc': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - irc.username + - irc.nickname + - irc.command.type + - irc.command.value + - irc.command.info + - log.id.uid + '::kerberos': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - kerberos.client + - kerberos.service + - kerberos.request_type + - log.id.uid + '::modbus': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - modbus.function + - log.id.uid + '::mysql': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - mysql.command + - mysql.argument + - mysql.success + - mysql.response + - log.id.uid + '::notice': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - notice.note + - notice.message + - log.id.fuid + - log.id.uid + - network.community_id + '::ntlm': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ntlm.name + - ntlm.success + - ntlm.server.dns.name + - ntlm.server.nb.name + - ntlm.server.tree.name + - log.id.uid + '::pe': + - soc_timestamp + - file.is_64bit + - file.is_exe + - file.machine + - file.os + - file.subsystem + - log.id.fuid + '::radius': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - log.id.uid + - username + - radius.framed_address + - radius.reply_message + - radius.result + '::rdp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rdp.client_build + - client_name + - rdp.cookie + - rdp.encryption_level + - rdp.encryption_method + - rdp.keyboard_layout + - rdp.result + - rdp.security_protocol + - log.id.uid + '::rfb': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rfb.authentication.method + - rfb.authentication.success + - rfb.share_flag + - rfb.desktop.name + - log.id.uid + '::signatures': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - note + - signature_id + - event_message + - sub_message + - signature_count + - host.count + - log.id.uid + '::sip': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - sip.method + - sip.uri + - sip.request.from + - sip.request.to + - sip.response.from + - sip.response.to + - sip.call_id + - sip.subject + - sip.user_agent + - sip.status_code + - log.id.uid + '::smb_files': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - log.id.fuid + - file.action + - file.path + - file.name + - file.size + - file.prev_name + - log.id.uid + '::smb_mapping': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - smb.path + - smb.service + - smb.share_type + - log.id.uid + '::smtp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - smtp.from + - smtp.recipient_to + - smtp.subject + - smtp.useragent + - log.id.uid + - network.community_id + '::snmp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - snmp.community + - snmp.version + - log.id.uid + '::socks': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - socks.name + - socks.request.host + - socks.request.port + - socks.status + - log.id.uid + '::software': + - soc_timestamp + - source.ip + - software.name + - software.type + '::ssh': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ssh.version + - ssh.hassh_version + - ssh.direction + - ssh.client + - ssh.server + - log.id.uid + '::ssl': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ssl.server_name + - ssl.certificate.subject + - ssl.validation_status + - ssl.version + - log.id.uid + ':zeek:syslog': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - syslog.facility + - network.protocol + - syslog.severity + - log.id.uid + '::tunnels': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - tunnel_type + - action + - log.id.uid + '::weird': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - weird.name + - log.id.uid + '::x509': + - soc_timestamp + - x509.certificate.subject + - x509.certificate.key.type + - x509.certificate.key.length + - x509.certificate.issuer + - log.id.fuid + '::firewall': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.transport + - network.direction + - interface.name + - rule.action + - rule.reason + - network.community_id + ':osquery:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - source.hostname + - event.dataset + - process.executable + - user.name + ':ossec:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rule.name + - rule.level + - rule.category + - process.name + - user.name + - user.escalated + - location + ':strelka:file': + - soc_timestamp + - file.name + - file.size + - hash.md5 + - file.source + - file.mime_type + - log.id.fuid + ':suricata:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rule.name + - rule.category + - event.severity_label + - log.id.uid + - network.community_id + ':sysmon:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - source.hostname + - event.dataset + - process.executable + - user.name + ':windows_eventlog:': + - soc_timestamp + - user.name + ':elasticsearch:': + - soc_timestamp + - agent.name + - message + - log.level + - metadata.version + - metadata.pipeline + - event.dataset + ':kibana:': + - soc_timestamp + - host.name + - message + - kibana.log.meta.req.headers.x-real-ip + - event.dataset + '::rootcheck': + - soc_timestamp + - host.name + - metadata.ip_address + - log.full + - event.dataset + - event.module + '::ossec': + - soc_timestamp + - host.name + - metadata.ip_address + - log.full + - event.dataset + - event.module + '::syscollector': + - soc_timestamp + - host.name + - metadata.ip_address + - wazuh.data.type + - log.full + - event.dataset + - event.module + ':syslog:syslog': + - soc_timestamp + - host.name + - metadata.ip_address + - real_message + - syslog.priority + - syslog.application + ':aws:': + - soc_timestamp + - aws.cloudtrail.event_category + - aws.cloudtrail.event_type + - event.provider + - event.action + - event.outcome + - cloud.region + - user.name + - source.ip + - source.geo.region_iso_code + ':squid:': + - soc_timestamp + - url.original + - destination.ip + - destination.geo.country_iso_code + - user.name + - source.ip + queryBaseFilter: + queryToggleFilters: + - name: caseExcludeToggle + filter: NOT _index:\"*:so-case*\" + enabled: true + queries: + - name: Default Query + description: Show all events grouped by the origin host + query: '* | groupby observer.name' + - name: Log Type + description: Show all events grouped by module and dataset + query: '* | groupby event.module event.dataset' + - name: SOC Auth + description: Users authenticated to SOC grouped by IP address and identity + query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip identity_id' + - name: Elastalerts + description: '' + query: '_type:elastalert | groupby rule.name' + - name: Alerts + description: Show all alerts grouped by alert source + query: 'event.dataset: alert | groupby event.module' + - name: NIDS Alerts + description: Show all NIDS alerts grouped by alert + query: 'event.category: network AND event.dataset: alert | groupby rule.category rule.gid rule.uuid rule.name' + - name: Wazuh/OSSEC Alerts + description: Show all Wazuh alerts at Level 5 or higher grouped by category + query: 'event.module:ossec AND event.dataset:alert AND rule.level:>4 | groupby rule.category rule.name' + - name: Wazuh/OSSEC Alerts + description: Show all Wazuh alerts at Level 4 or lower grouped by category + query: 'event.module:ossec AND event.dataset:alert AND rule.level:<5 | groupby rule.category rule.name' + - name: Wazuh/OSSEC Users and Commands + description: Show all Wazuh alerts grouped by username and command line + query: 'event.module:ossec AND event.dataset:alert | groupby user.escalated.keyword process.command_line' + - name: Wazuh/OSSEC Processes + description: Show all Wazuh alerts grouped by process name + query: 'event.module:ossec AND event.dataset:alert | groupby process.name' + - name: Sysmon Events + description: Show all Sysmon logs grouped by event type + query: 'event.module:sysmon | groupby event.dataset' + - name: Sysmon Usernames + description: Show all Sysmon logs grouped by username + query: 'event.module:sysmon | groupby event.dataset, user.name.keyword' + - name: Strelka + description: Show all Strelka logs grouped by file type + query: 'event.module:strelka | groupby file.mime_type' + - name: Zeek Notice + description: Show notices from Zeek + query: 'event.dataset:notice | groupby notice.note notice.message' + - name: Connections + description: Connections grouped by IP and Port + query: 'event.dataset:conn | groupby source.ip destination.ip network.protocol destination.port' + - name: Connections + description: Connections grouped by Service + query: 'event.dataset:conn | groupby network.protocol destination.port' + - name: Connections + description: Connections grouped by destination country + query: 'event.dataset:conn | groupby destination.geo.country_name' + - name: Connections + description: Connections grouped by source country + query: 'event.dataset:conn | groupby source.geo.country_name' + - name: DCE_RPC + description: DCE_RPC grouped by operation + query: 'event.dataset:dce_rpc | groupby dce_rpc.operation' + - name: DHCP + description: DHCP leases + query: 'event.dataset:dhcp | groupby host.hostname client.address' + - name: DHCP + description: DHCP grouped by message type + query: 'event.dataset:dhcp | groupby dhcp.message_types' + - name: DNP3 + description: DNP3 grouped by reply + query: 'event.dataset:dnp3 | groupby dnp3.fc_reply' + - name: DNS + description: DNS queries grouped by port + query: 'event.dataset:dns | groupby dns.query.name destination.port' + - name: DNS + description: DNS queries grouped by type + query: 'event.dataset:dns | groupby dns.query.type_name destination.port' + - name: DNS + description: DNS queries grouped by response code + query: 'event.dataset:dns | groupby dns.response.code_name destination.port' + - name: DNS + description: DNS highest registered domain + query: 'event.dataset:dns | groupby dns.highest_registered_domain.keyword destination.port' + - name: DNS + description: DNS grouped by parent domain + query: 'event.dataset:dns | groupby dns.parent_domain.keyword destination.port' + - name: DPD + description: Dynamic Protocol Detection errors + query: 'event.dataset:dpd | groupby error.reason' + - name: Files + description: Files grouped by mimetype + query: 'event.dataset:file | groupby file.mime_type source.ip' + - name: Files + description: Files grouped by source + query: 'event.dataset:file | groupby file.source source.ip' + - name: FTP + description: FTP grouped by command and argument + query: 'event.dataset:ftp | groupby ftp.command ftp.argument' + - name: FTP + description: FTP grouped by username and argument + query: 'event.dataset:ftp | groupby ftp.user ftp.argument' + - name: HTTP + description: HTTP grouped by destination port + query: 'event.dataset:http | groupby destination.port' + - name: HTTP + description: HTTP grouped by status code and message + query: 'event.dataset:http | groupby http.status_code http.status_message' + - name: HTTP + description: HTTP grouped by method and user agent + query: 'event.dataset:http | groupby http.method http.useragent' + - name: HTTP + description: HTTP grouped by virtual host + query: 'event.dataset:http | groupby http.virtual_host' + - name: HTTP + description: HTTP with exe downloads + query: 'event.dataset:http AND (file.resp_mime_types:dosexec OR file.resp_mime_types:executable) | groupby http.virtual_host' + - name: Intel + description: Intel framework hits grouped by indicator + query: 'event.dataset:intel | groupby intel.indicator.keyword' + - name: IRC + description: IRC grouped by command + query: 'event.dataset:irc | groupby irc.command.type' + - name: KERBEROS + description: KERBEROS grouped by service + query: 'event.dataset:kerberos | groupby kerberos.service' + - name: MODBUS + description: MODBUS grouped by function + query: 'event.dataset:modbus | groupby modbus.function' + - name: MYSQL + description: MYSQL grouped by command + query: 'event.dataset:mysql | groupby mysql.command' + - name: NOTICE + description: Zeek notice logs grouped by note and message + query: 'event.dataset:notice | groupby notice.note notice.message' + - name: NTLM + description: NTLM grouped by computer name + query: 'event.dataset:ntlm | groupby ntlm.server.dns.name' + - name: Osquery Live Queries + description: Osquery Live Query results grouped by computer name + query: 'event.dataset:live_query | groupby host.hostname' + - name: PE + description: PE files list + query: 'event.dataset:pe | groupby file.machine file.os file.subsystem' + - name: RADIUS + description: RADIUS grouped by username + query: 'event.dataset:radius | groupby user.name.keyword' + - name: RDP + description: RDP grouped by client name + query: 'event.dataset:rdp | groupby client.name' + - name: RFB + description: RFB grouped by desktop name + query: 'event.dataset:rfb | groupby rfb.desktop.name.keyword' + - name: Signatures + description: Zeek signatures grouped by signature id + query: 'event.dataset:signatures | groupby signature_id' + - name: SIP + description: SIP grouped by user agent + query: 'event.dataset:sip | groupby client.user_agent' + - name: SMB_Files + description: SMB files grouped by action + query: 'event.dataset:smb_files | groupby file.action' + - name: SMB_Mapping + description: SMB mapping grouped by path + query: 'event.dataset:smb_mapping | groupby smb.path' + - name: SMTP + description: SMTP grouped by subject + query: 'event.dataset:smtp | groupby smtp.subject' + - name: SNMP + description: SNMP grouped by version and string + query: 'event.dataset:snmp | groupby snmp.community snmp.version' + - name: Software + description: List of software seen on the network + query: 'event.dataset:software | groupby software.type software.name' + - name: SSH + description: SSH grouped by version and client + query: 'event.dataset:ssh | groupby ssh.version ssh.client' + - name: SSL + description: SSL grouped by version and server name + query: 'event.dataset:ssl | groupby ssl.version ssl.server_name' + - name: SYSLOG + description: 'SYSLOG grouped by severity and facility ' + query: 'event.dataset:syslog | groupby syslog.severity_label syslog.facility_label' + - name: Tunnel + description: Tunnels grouped by type and action + query: 'event.dataset:tunnel | groupby tunnel.type event.action' + - name: Weird + description: Zeek weird log grouped by name + query: 'event.dataset:weird | groupby weird.name' + - name: x509 + description: x.509 grouped by key length and name + query: 'event.dataset:x509 | groupby x509.certificate.key.length x509.san_dns' + - name: x509 + description: x.509 grouped by name and issuer + query: 'event.dataset:x509 | groupby x509.san_dns x509.certificate.issuer' + - name: x509 + description: x.509 grouped by name and subject + query: 'event.dataset:x509 | groupby x509.san_dns x509.certificate.subject' + - name: Firewall + description: Firewall events grouped by action + query: 'event.dataset:firewall | groupby rule.action' + dashboards: + advanced: true + groupItemsPerPage: 10 + groupFetchLimit: 10 + eventItemsPerPage: 10 + eventFetchLimit: 100 + relativeTimeValue: 24 + relativeTimeUnit: 30 + mostRecentlyUsedLimit: 0 + ackEnabled: false + escalateEnabled: true + escalateRelatedEventsEnabled: true + aggregationActionsEnabled: false + eventFields: + default: + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - log.id.uid + - network.community_id + - event.dataset + ':kratos:audit': + - soc_timestamp + - http_request.headers.x-real-ip + - identity_id + - http_request.headers.user-agent + '::conn': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.transport + - network.protocol + - log.id.uid + - network.community_id + '::dce_rpc': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - dce_rpc.endpoint + - dce_rpc.named_pipe + - dce_rpc.operation + - log.id.uid + '::dhcp': + - soc_timestamp + - client.address + - server.address + - host.domain + - host.hostname + - dhcp.message_types + - log.id.uid + '::dnp3': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - dnp3.fc_reply + - log.id.uid + '::dns': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.transport + - dns.query.name + - dns.query.type_name + - dns.response.code_name + - log.id.uid + - network.community_id + '::dpd': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.protocol + - observer.analyser + - error.reason + - log.id.uid + '::file': + - soc_timestamp + - source.ip + - destination.ip + - file.name + - file.mime_type + - file.source + - file.bytes.total + - log.id.fuid + - log.id.uid + '::ftp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ftp.user + - ftp.command + - ftp.argument + - ftp.reply_code + - file.size + - log.id.uid + '::http': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - http.method + - http.virtual_host + - http.status_code + - http.status_message + - http.request.body.length + - http.response.body.length + - log.id.uid + - network.community_id + '::intel': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - intel.indicator + - intel.indicator_type + - intel.seen_where + - log.id.uid + '::irc': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - irc.username + - irc.nickname + - irc.command.type + - irc.command.value + - irc.command.info + - log.id.uid + '::kerberos': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - kerberos.client + - kerberos.service + - kerberos.request_type + - log.id.uid + '::modbus': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - modbus.function + - log.id.uid + '::mysql': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - mysql.command + - mysql.argument + - mysql.success + - mysql.response + - log.id.uid + '::notice': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - notice.note + - notice.message + - log.id.fuid + - log.id.uid + - network.community_id + '::ntlm': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ntlm.name + - ntlm.success + - ntlm.server.dns.name + - ntlm.server.nb.name + - ntlm.server.tree.name + - log.id.uid + '::pe': + - soc_timestamp + - file.is_64bit + - file.is_exe + - file.machine + - file.os + - file.subsystem + - log.id.fuid + '::radius': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - log.id.uid + - username + - radius.framed_address + - radius.reply_message + - radius.result + '::rdp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rdp.client_build + - client_name + - rdp.cookie + - rdp.encryption_level + - rdp.encryption_method + - rdp.keyboard_layout + - rdp.result + - rdp.security_protocol + - log.id.uid + '::rfb': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rfb.authentication.method + - rfb.authentication.success + - rfb.share_flag + - rfb.desktop.name + - log.id.uid + '::signatures': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - note + - signature_id + - event_message + - sub_message + - signature_count + - host.count + - log.id.uid + '::sip': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - sip.method + - sip.uri + - sip.request.from + - sip.request.to + - sip.response.from + - sip.response.to + - sip.call_id + - sip.subject + - sip.user_agent + - sip.status_code + - log.id.uid + '::smb_files': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - log.id.fuid + - file.action + - file.path + - file.name + - file.size + - file.prev_name + - log.id.uid + '::smb_mapping': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - smb.path + - smb.service + - smb.share_type + - log.id.uid + '::smtp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - smtp.from + - smtp.recipient_to + - smtp.subject + - smtp.useragent + - log.id.uid + - network.community_id + '::snmp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - snmp.community + - snmp.version + - log.id.uid + '::socks': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - socks.name + - socks.request.host + - socks.request.port + - socks.status + - log.id.uid + '::software': + - soc_timestamp + - source.ip + - software.name + - software.type + '::ssh': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ssh.version + - ssh.hassh_version + - ssh.direction + - ssh.client + - ssh.server + - log.id.uid + '::ssl': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ssl.server_name + - ssl.certificate.subject + - ssl.validation_status + - ssl.version + - log.id.uid + ':zeek:syslog': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - syslog.facility + - network.protocol + - syslog.severity + - log.id.uid + '::tunnels': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - tunnel_type + - action + - log.id.uid + '::weird': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - weird.name + - log.id.uid + '::x509': + - soc_timestamp + - x509.certificate.subject + - x509.certificate.key.type + - x509.certificate.key.length + - x509.certificate.issuer + - log.id.fuid + '::firewall': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.transport + - network.direction + - interface.name + - rule.action + - rule.reason + - network.community_id + ':osquery:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - source.hostname + - event.dataset + - process.executable + - user.name + ':ossec:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rule.name + - rule.level + - rule.category + - process.name + - user.name + - user.escalated + - location + ':strelka:file': + - soc_timestamp + - file.name + - file.size + - hash.md5 + - file.source + - file.mime_type + - log.id.fuid + ':suricata:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rule.name + - rule.category + - event.severity_label + - log.id.uid + - network.community_id + ':sysmon:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - source.hostname + - event.dataset + - process.executable + - user.name + ':windows_eventlog:': + - soc_timestamp + - user.name + ':elasticsearch:': + - soc_timestamp + - agent.name + - message + - log.level + - metadata.version + - metadata.pipeline + - event.dataset + ':kibana:': + - soc_timestamp + - host.name + - message + - kibana.log.meta.req.headers.x-real-ip + - event.dataset + '::rootcheck': + - soc_timestamp + - host.name + - metadata.ip_address + - log.full + - event.dataset + - event.module + '::ossec': + - soc_timestamp + - host.name + - metadata.ip_address + - log.full + - event.dataset + - event.module + '::syscollector': + - soc_timestamp + - host.name + - metadata.ip_address + - wazuh.data.type + - log.full + - event.dataset + - event.module + ':syslog:syslog': + - soc_timestamp + - host.name + - metadata.ip_address + - real_message + - syslog.priority + - syslog.application + ':aws:': + - soc_timestamp + - aws.cloudtrail.event_category + - aws.cloudtrail.event_type + - event.provider + - event.action + - event.outcome + - cloud.region + - user.name + - source.ip + - source.geo.region_iso_code + ':squid:': + - soc_timestamp + - url.original + - destination.ip + - destination.geo.country_iso_code + - user.name + - source.ip + queryBaseFilter: + queryToggleFilters: + - name: caseExcludeToggle, + filter: 'NOT _index:"*:so-case*"' + enabled: true + queries: + - name: Overview + description: Overview of all events + query: '* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module | groupby event.dataset | groupby event.module | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: SOC Auth + description: Show all SOC authentication logs + query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent' + - name: Elastalerts + description: Elastalert logs + query: '_index: "*:elastalert*" | groupby rule_name | groupby alert_info.type' + - name: Alerts + description: Show all alerts + query: 'event.dataset: alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: NIDS Alerts + description: NIDS alerts + query: 'event.category: network AND event.dataset: alert | groupby rule.category | groupby rule.gid | groupby rule.uuid | groupby rule.name | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: Wazuh/OSSEC + description: Wazuh/OSSEC HIDS alerts and logs + query: 'event.module:ossec | groupby rule.category | groupby rule.uuid | groupby rule.name | groupby agent.id | groupby agent.name | groupby log.full' + - name: Sysmon + description: Sysmon logs + query: 'event.module:sysmon | groupby event.dataset | groupby user.name | groupby process.executable | groupby process.command_line | groupby process.parent.command_line' + - name: Strelka + description: Strelka logs + query: 'event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source' + - name: Zeek Notice + description: Zeek Notice logs + query: 'event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: Connections + description: Connection logs + query: 'event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes' + - name: DCE_RPC + description: DCE_RPC logs + query: 'event.dataset:dce_rpc | groupby dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: DHCP + description: Dynamic Host Configuration Protocol leases + query: 'event.dataset:dhcp | groupby host.hostname | groupby host.domain | groupby dhcp.message_types | groupby client.address | groupby server.address' + - name: DNP3 + description: DNP3 logs + query: 'event.dataset:dnp3 | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby dnp3.iin | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: DNS + description: Domain Name System queries + query: 'event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: DPD + description: Dynamic Protocol Detection errors + query: 'event.dataset:dpd | groupby error.reason | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol' + - name: Files + description: Files seen in network traffic + query: 'event.dataset:file | groupby file.mime_type | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip' + - name: FTP + description: File Transfer Protocol logs + query: 'event.dataset:ftp | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: HTTP + description: Hyper Text Transport Protocol logs + query: 'event.dataset:http | groupby http.method | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: Intel + description: Zeek Intel framework hits + query: 'event.dataset:intel | groupby intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: IRC + description: Internet Relay Chat logs + query: 'event.dataset:irc | groupby irc.command.type | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: Kerberos + description: Kerberos logs + query: 'event.dataset:kerberos | groupby kerberos.service | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: MODBUS + description: MODBUS logs + query: 'event.dataset:modbus | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: MYSQL + description: MYSQL logs + query: 'event.dataset:mysql | groupby mysql.command | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: NOTICE + description: Zeek notice logs + query: 'event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: NTLM + description: NTLM logs + query: 'event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: Osquery Live Queries + description: Osquery Live Query results + query: 'event.dataset:live_query | groupby host.hostname' + - name: PE + description: PE files list + query: 'event.dataset:pe | groupby file.machine | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit' + - name: RADIUS + description: RADIUS logs + query: 'event.dataset:radius | groupby user.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: RDP + description: RDP logs + query: 'event.dataset:rdp | groupby client.name | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: RFB + description: RFB logs + query: 'event.dataset:rfb | groupby rfb.desktop.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: Signatures + description: Zeek signatures + query: 'event.dataset:signatures | groupby signature_id' + - name: SIP + description: SIP logs + query: 'event.dataset:sip | groupby client.user_agent | groupby sip.method | groupby sip.uri | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: SMB_Files + description: SMB files + query: 'event.dataset:smb_files | groupby file.action | groupby file.path | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: SMB_Mapping + description: SMB mapping logs + query: 'event.dataset:smb_mapping | groupby smb.share_type | groupby smb.path | groupby smb.service | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: SMTP + description: SMTP logs + query: 'event.dataset:smtp | groupby smtp.from | groupby smtp.recipient_to | groupby smtp.subject | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: SNMP + description: SNMP logs + query: 'event.dataset:snmp | groupby snmp.community | groupby snmp.version | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: Software + description: List of software seen on the network by Zeek + query: 'event.dataset:software | groupby software.type | groupby software.name | groupby source.ip' + - name: SSH + description: SSH connections seen by Zeek + query: 'event.dataset:ssh | groupby ssh.client | groupby ssh.server | groupby ssh.direction | groupby ssh.version | groupby ssh.hassh_version | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: SSL + description: SSL logs + query: 'event.dataset:ssl | groupby ssl.version | groupby ssl.validation_status | groupby ssl.server_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: SYSLOG + description: SYSLOG logs + query: 'event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby network.protocol | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: Tunnel + description: Tunnels seen by Zeek + query: 'event.dataset:tunnel | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: Weird + description: Weird network traffic seen by Zeek + query: 'event.dataset:weird | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port ' + - name: x509 + description: x.509 certificates seen by Zeek + query: 'event.dataset:x509 | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer' + - name: Firewall + description: Firewall logs + query: 'event.dataset:firewall | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port' + job: + alerts: + advanced: false + groupItemsPerPage: 50 + groupFetchLimit: 500 + eventItemsPerPage: 50 + eventFetchLimit: 500 + relativeTimeValue: 24 + relativeTimeUnit: 30 + mostRecentlyUsedLimit: 5 + ackEnabled: true + escalateEnabled: true + escalateRelatedEventsEnabled: true + eventfields: + default: + - soc_timestamp + - rule.name + - event.severity_label + - source.ip + - source.port + - destination.ip + - destination.port + - rule.gid + - rule.uuid + - rule.category + - rule.rev + ':ossec:': + - soc_timestamp + - rule.name + - event.severity_label + - source.ip + - source.port + - destination.ip + - destination.port + - rule.level + - rule.category + - process.name + - user.name + - user.escalated + - location + - process.name queryBaseFilter: event.dataset:alert queryToggleFilters: - name: acknowledged @@ -946,208 +1554,113 @@ soc: exclusive: true enablesToggles: - acknowledged - queries: - - name: 'Group By Name, Module' - query: '* | groupby rule.name event.module event.severity_label' - - name: 'Group By Sensor, Source IP/Port, Destination IP/Port, Name' - query: '* | groupby observer.name source.ip source.port destination.ip destination.port rule.name network.community_id event.severity_label' - - name: 'Group By Source IP, Name' - query: '* | groupby source.ip rule.name event.severity_label' - - name: 'Group By Source Port, Name' - query: '* | groupby source.port rule.name event.severity_label' - - name: 'Group By Destination IP, Name' - query: '* | groupby destination.ip rule.name event.severity_label' - - name: 'Group By Destination Port, Name' - query: '* | groupby destination.port rule.name event.severity_label' - - name: Ungroup - query: '*' - actions: - - name: actionHunt - description: actionHuntHelp - icon: fa-crosshairs - target: - links: - - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' - - name: actionCorrelate - description: actionCorrelateHelp - icon: fab fa-searchengin - target: - links: - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' - - name: actionPcap - description: actionPcapHelp - icon: fa-stream - target: - links: - - '/joblookup?esid={:soc_id}&time={:@timestamp}' - - '/joblookup?ncid={:network.community_id}&time={:@timestamp}' - categories: - - hunt - - alerts - - name: actionCyberChef - description: actionCyberChefHelp - icon: fas fa-bread-slice - target: _blank - links: - - '/cyberchef/#input={value|base64}' - - name: actionGoogle - description: actionGoogleHelp - icon: fab fa-google - target: _blank - links: - - 'https://www.google.com/search?q={value}' - - name: actionVirusTotal - description: actionVirusTotalHelp - icon: fa-external-link-alt - target: _blank - links: - - 'https://www.virustotal.com/gui/search/{value}' - - cases: - advanced: false - groupItemsPerPage: 50 - groupFetchLimit: 100 - eventItemsPerPage: 50 - eventFetchLimit: 500 - relativeTimeValue: 12 - relativeTimeUnit: 60 - mostRecentlyUsedLimit: 5 - ackEnabled: false - escalateEnabled: false - escalateRelatedEventsEnabled: false - viewEnabled: true - createLink: /case/create - eventFields: - default: - - soc_timestamp - - so_case.title - - so_case.status - - so_case.severity - - so_case.assigneeId - - so_case.createTime - queryBaseFilter: '_index:\"*:so-case\" AND so_kind:case' - queryToggleFilters: [] - queries: - - name: Open Cases - query: 'NOT so_case.status:closed AND NOT so_case.category:template' - - name: Closed Cases - query: 'so_case.status:closed AND NOT so_case.category:template' - - name: My Open Cases - query: 'NOT so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}' - - name: My Closed Cases - query: 'so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}' - - name: Templates - query: 'so_case.category:template' - actions: - - name: actionHunt - description: actionHuntHelp - icon: fa-crosshairs - target: - links: - - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' - - name: actionCorrelate - description: actionCorrelateHelp - icon: fab fa-searchengin - target: - links: - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' - - name: actionPcap - description: actionPcapHelp - icon: fa-stream - target: - links: - - '/joblookup?esid={:soc_id}&time={:@timestamp}' - - '/joblookup?ncid={:network.community_id}&time={:@timestamp}' - categories: - - hunt - - alerts - - name: actionCyberChef - description: actionCyberChefHelp - icon: fas fa-bread-slice - target: _blank - links: - - '/cyberchef/#input={value|base64}' - - name: actionGoogle - description: actionGoogleHelp - icon: fab fa-google - target: _blank - links: - - 'https://www.google.com/search?q={value}' - - name: actionVirusTotal - description: actionVirusTotalHelp - icon: fa-external-link-alt - target: _blank - links: - - 'https://www.virustotal.com/gui/search/{value}' - case: - mostRecentlyUsedLimit: 5 - renderAbbreviatedCount: 30 - presets: - artifactType: - labels: - - autonomous-system - - domain - - file - - filename - - fqdn - - hash - - ip - - mail - - mail_subject - - other - - regexp - - registry - - uri_path - - url - - user-agent - customEnabled: true - category: - labels: - - general - - template - customEnabled: true - pap: - labels: - - white - - green - - amber - - red - customEnabled: false - severity: - labels: - - low - - medium - - high - - critical - customEnabled: false - status: - labels: - - new - - in progress - - closed - customEnabled: false - tags: - labels: - - false-positive - - confirmed - - pending - customEnabled: true - tlp: - labels: - - white - - green - - amber - - red - customEnabled: false + queries: + - name: 'Group By Name, Module' + query: '* | groupby rule.name event.module event.severity_label' + - name: 'Group By Sensor, Source IP/Port, Destination IP/Port, Name' + query: '* | groupby observer.name source.ip source.port destination.ip destination.port rule.name network.community_id event.severity_label' + - name: 'Group By Source IP, Name' + query: '* | groupby source.ip rule.name event.severity_label' + - name: 'Group By Source Port, Name' + query: '* | groupby source.port rule.name event.severity_label' + - name: 'Group By Destination IP, Name' + query: '* | groupby destination.ip rule.name event.severity_label' + - name: 'Group By Destination Port, Name' + query: '* | groupby destination.port rule.name event.severity_label' + - name: Ungroup + query: '*' + cases: + advanced: false + groupItemsPerPage: 50 + groupFetchLimit: 100 + eventItemsPerPage: 50 + eventFetchLimit: 500 + relativeTimeValue: 12 + relativeTimeUnit: 60 + mostRecentlyUsedLimit: 5 + ackEnabled: false + escalateEnabled: false + escalateRelatedEventsEnabled: false + viewEnabled: true + createLink: /case/create + eventFields: + default: + - soc_timestamp + - so_case.title + - so_case.status + - so_case.severity + - so_case.assigneeId + - so_case.createTime + queryBaseFilter: '_index:\"*:so-case\" AND so_kind:case' + queryToggleFilters: [] + queries: + - name: Open Cases + query: 'NOT so_case.status:closed AND NOT so_case.category:template' + - name: Closed Cases + query: 'so_case.status:closed AND NOT so_case.category:template' + - name: My Open Cases + query: 'NOT so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}' + - name: My Closed Cases + query: 'so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}' + - name: Templates + query: 'so_case.category:template' + case: + mostRecentlyUsedLimit: 5 + renderAbbreviatedCount: 30 + presets: + artifactType: + labels: + - autonomous-system + - domain + - file + - filename + - fqdn + - hash + - ip + - mail + - mail_subject + - other + - regexp + - registry + - uri_path + - url + - user-agent + customEnabled: true + category: + labels: + - general + - template + customEnabled: true + pap: + labels: + - white + - green + - amber + - red + customEnabled: false + severity: + labels: + - low + - medium + - high + - critical + customEnabled: false + status: + labels: + - new + - in progress + - closed + customEnabled: false + tags: + labels: + - false-positive + - confirmed + - pending + customEnabled: true + tlp: + labels: + - white + - green + - amber + - red + customEnabled: false diff --git a/salt/soc/files/soc/alerts.actions.json b/salt/soc/files/soc/alerts.actions.json deleted file mode 100644 index 1addf23c6..000000000 --- a/salt/soc/files/soc/alerts.actions.json +++ /dev/null @@ -1 +0,0 @@ -This file is no longer used. Please use menu.actions.json instead. diff --git a/salt/soc/files/soc/alerts.eventfields.json b/salt/soc/files/soc/alerts.eventfields.json deleted file mode 100644 index 36fb15afe..000000000 --- a/salt/soc/files/soc/alerts.eventfields.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "default": ["soc_timestamp", "rule.name", "event.severity_label", "source.ip", "source.port", "destination.ip", "destination.port", "rule.gid", "rule.uuid", "rule.category", "rule.rev"], - ":ossec:": ["soc_timestamp", "rule.name", "event.severity_label", "source.ip", "source.port", "destination.ip", "destination.port", "rule.level", "rule.category", "process.name", "user.name", "user.escalated", "location", "process.name" ] -} \ No newline at end of file diff --git a/salt/soc/files/soc/alerts.queries.json b/salt/soc/files/soc/alerts.queries.json deleted file mode 100644 index 0e74adad8..000000000 --- a/salt/soc/files/soc/alerts.queries.json +++ /dev/null @@ -1,9 +0,0 @@ -[ - { "name": "Group By Name, Module", "query": "* | groupby rule.name event.module event.severity_label" }, - { "name": "Group By Sensor, Source IP/Port, Destination IP/Port, Name", "query": "* | groupby observer.name source.ip source.port destination.ip destination.port rule.name network.community_id event.severity_label" }, - { "name": "Group By Source IP, Name", "query": "* | groupby source.ip rule.name event.severity_label" }, - { "name": "Group By Source Port, Name", "query": "* | groupby source.port rule.name event.severity_label" }, - { "name": "Group By Destination IP, Name", "query": "* | groupby destination.ip rule.name event.severity_label" }, - { "name": "Group By Destination Port, Name", "query": "* | groupby destination.port rule.name event.severity_label" }, - { "name": "Ungroup", "query": "*" } -] diff --git a/salt/soc/files/soc/cases.eventfields.json b/salt/soc/files/soc/cases.eventfields.json deleted file mode 100644 index f04c50b94..000000000 --- a/salt/soc/files/soc/cases.eventfields.json +++ /dev/null @@ -1,3 +0,0 @@ -{ - "default": ["soc_timestamp", "so_case.title", "so_case.status", "so_case.severity", "so_case.assigneeId", "so_case.createTime"] -} \ No newline at end of file diff --git a/salt/soc/files/soc/cases.queries.json b/salt/soc/files/soc/cases.queries.json deleted file mode 100644 index 59bd2672f..000000000 --- a/salt/soc/files/soc/cases.queries.json +++ /dev/null @@ -1,7 +0,0 @@ -[ - { "name": "Open Cases", "query": "NOT so_case.status:closed AND NOT so_case.category:template" }, - { "name": "Closed Cases", "query": "so_case.status:closed AND NOT so_case.category:template" }, - { "name": "My Open Cases", "query": "NOT so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}" }, - { "name": "My Closed Cases", "query": "so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}" }, - { "name": "Templates", "query": "so_case.category:template" } -] \ No newline at end of file diff --git a/salt/soc/files/soc/dashboards.queries.json b/salt/soc/files/soc/dashboards.queries.json deleted file mode 100644 index 7169fd472..000000000 --- a/salt/soc/files/soc/dashboards.queries.json +++ /dev/null @@ -1,46 +0,0 @@ -[ - { "name": "Overview", "description": "Overview of all events", "query": "* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module | groupby event.dataset | groupby event.module | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "SOC Auth", "description": "Show all SOC authentication logs", "query": "event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent"}, - { "name": "Elastalerts", "description": "Elastalert logs", "query": "_index: \"*:elastalert*\" | groupby rule_name | groupby alert_info.type"}, - { "name": "Alerts", "description": "Show all alerts", "query": "event.dataset: alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "NIDS Alerts", "description": "NIDS alerts", "query": "event.category: network AND event.dataset: alert | groupby rule.category | groupby rule.gid | groupby rule.uuid | groupby rule.name | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "Wazuh/OSSEC", "description": "Wazuh/OSSEC HIDS alerts and logs", "query": "event.module:ossec | groupby rule.category | groupby rule.uuid | groupby rule.name | groupby agent.id | groupby agent.name | groupby log.full"}, - { "name": "Sysmon", "description": "Sysmon logs", "query": "event.module:sysmon | groupby event.dataset | groupby user.name | groupby process.executable | groupby process.command_line | groupby process.parent.command_line"}, - { "name": "Strelka", "description": "Strelka logs", "query": "event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source"}, - { "name": "Zeek Notice", "description": "Zeek Notice logs", "query": "event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "Connections", "description": "Connection logs", "query": "event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes"}, - { "name": "DCE_RPC", "description": "DCE_RPC logs", "query": "event.dataset:dce_rpc | groupby dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "DHCP", "description": "Dynamic Host Configuration Protocol leases", "query": "event.dataset:dhcp | groupby host.hostname | groupby host.domain | groupby dhcp.message_types | groupby client.address | groupby server.address"}, - { "name": "DNP3", "description": "DNP3 logs", "query": "event.dataset:dnp3 | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby dnp3.iin | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "DNS", "description": "Domain Name System queries", "query": "event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "DPD", "description": "Dynamic Protocol Detection errors", "query": "event.dataset:dpd | groupby error.reason | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol"}, - { "name": "Files", "description": "Files seen in network traffic", "query": "event.dataset:file | groupby file.mime_type | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip"}, - { "name": "FTP", "description": "File Transfer Protocol logs", "query": "event.dataset:ftp | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "HTTP", "description": "Hyper Text Transport Protocol logs", "query": "event.dataset:http | groupby http.method | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "Intel", "description": "Zeek Intel framework hits", "query": "event.dataset:intel | groupby intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "IRC", "description": "Internet Relay Chat logs", "query": "event.dataset:irc | groupby irc.command.type | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "Kerberos", "description": "Kerberos logs", "query": "event.dataset:kerberos | groupby kerberos.service | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "MODBUS", "description": "MODBUS logs", "query": "event.dataset:modbus | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "MYSQL", "description": "MYSQL logs", "query": "event.dataset:mysql | groupby mysql.command | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "NOTICE", "description": "Zeek notice logs", "query": "event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "NTLM", "description": "NTLM logs", "query": "event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "Osquery Live Queries", "description": "Osquery Live Query results", "query": "event.dataset:live_query | groupby host.hostname"}, - { "name": "PE", "description": "PE files list", "query": "event.dataset:pe | groupby file.machine | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit"}, - { "name": "RADIUS", "description": "RADIUS logs", "query": "event.dataset:radius | groupby user.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "RDP", "description": "RDP logs", "query": "event.dataset:rdp | groupby client.name | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "RFB", "description": "RFB logs", "query": "event.dataset:rfb | groupby rfb.desktop.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "Signatures", "description": "Zeek signatures", "query": "event.dataset:signatures | groupby signature_id"}, - { "name": "SIP", "description": "SIP logs", "query": "event.dataset:sip | groupby client.user_agent | groupby sip.method | groupby sip.uri | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "SMB_Files", "description": "SMB files", "query": "event.dataset:smb_files | groupby file.action | groupby file.path | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "SMB_Mapping", "description": "SMB mapping logs", "query": "event.dataset:smb_mapping | groupby smb.share_type | groupby smb.path | groupby smb.service | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "SMTP", "description": "SMTP logs", "query": "event.dataset:smtp | groupby smtp.from | groupby smtp.recipient_to | groupby smtp.subject | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "SNMP", "description": "SNMP logs", "query": "event.dataset:snmp | groupby snmp.community | groupby snmp.version | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "Software", "description": "List of software seen on the network by Zeek", "query": "event.dataset:software | groupby software.type | groupby software.name | groupby source.ip"}, - { "name": "SSH", "description": "SSH connections seen by Zeek", "query": "event.dataset:ssh | groupby ssh.client | groupby ssh.server | groupby ssh.direction | groupby ssh.version | groupby ssh.hassh_version | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "SSL", "description": "SSL logs", "query": "event.dataset:ssl | groupby ssl.version | groupby ssl.validation_status | groupby ssl.server_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "SYSLOG", "description": "SYSLOG logs", "query": "event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby network.protocol | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "Tunnel", "description": "Tunnels seen by Zeek", "query": "event.dataset:tunnel | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port"}, - { "name": "Weird", "description": "Weird network traffic seen by Zeek", "query": "event.dataset:weird | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port "}, - { "name": "x509", "description": "x.509 certificates seen by Zeek", "query": "event.dataset:x509 | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer"}, - { "name": "Firewall", "description": "Firewall logs", "query": "event.dataset:firewall | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port"} -] diff --git a/salt/soc/files/soc/default.annotation.yaml b/salt/soc/files/soc/default.annotation.yaml deleted file mode 100644 index f78488035..000000000 --- a/salt/soc/files/soc/default.annotation.yaml +++ /dev/null @@ -1,712 +0,0 @@ -### Elasticsearch Nodes ### -elasticsearch.esheap: - default: 4192 - global: false - type: int - nodes: - - manager - - searchnode - -elasticsearch.config.node.attr.box_type: - default: hot - global: false - type: bool - options: - - hot - - warm - nodes: - - manager - - searchnode - -## Elasticsearch Global ## -elasticsearch.config.cluster.name: - default: securityonion - global: true - type: string - -elasticsearch.config.cluster.routing.allocation.disk.threshold_enabled: - default: true - global: true - type: bool - options: - - true - - false - -elasticsearch.config.cluster.routing.allocation.disk.watermark.low: -elasticsearch.config.cluster.routing.allocation.disk.watermark.high: -elasticsearch.config.cluster.routing.allocation.disk.watermark.flood_stage: - - - - - - - - - -elasticsearch:"\ - config:"\ - cluster:"\ - name: $ESCLUSTERNAME"\ - routing:"\ - allocation:"\ - " disk:"\ - " threshold_enabled: true"\ - " watermark:"\ - " low: 80%"\ - " high: 85%"\ - " flood_stage: 90%"\ - " script:"\ - " max_compilations_rate: 20000/1m"\ - " indices:"\ - " query:"\ - " bool:"\ - " max_clause_count: 3500"\ - " index_settings:"\ - " so-aws:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-azure:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-barracuda:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-beats:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-bluecoat:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-cef:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-checkpoint:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-cisco:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-cyberark:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-cylance:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-elasticsearch:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-endgame:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-f5:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-firewall:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-fortinet:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-gcp:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-google_workspace:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-ids:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-imperva:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-import:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-infoblox:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-juniper:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-kibana:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-logstash:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-microsoft:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-misp:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - - " so-netflow:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-netscout:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-o365:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-okta:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-osquery:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-proofpoint:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-radware:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-redis:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-snort:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-snyk:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-sonicwall:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-sophos:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-strelka:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-syslog:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-tomcat:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-zeek:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ - " so-zscaler:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365" - " index_sorting: True"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0"\ \ No newline at end of file diff --git a/salt/soc/files/soc/hunt.actions.json b/salt/soc/files/soc/hunt.actions.json deleted file mode 100644 index 1addf23c6..000000000 --- a/salt/soc/files/soc/hunt.actions.json +++ /dev/null @@ -1 +0,0 @@ -This file is no longer used. Please use menu.actions.json instead. diff --git a/salt/soc/files/soc/hunt.eventfields.json b/salt/soc/files/soc/hunt.eventfields.json deleted file mode 100644 index 418cd4d87..000000000 --- a/salt/soc/files/soc/hunt.eventfields.json +++ /dev/null @@ -1,53 +0,0 @@ -{ - "default": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid", "network.community_id", "event.dataset" ], - ":kratos:audit": ["soc_timestamp", "http_request.headers.x-real-ip", "identity_id", "http_request.headers.user-agent" ], - "::conn": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.transport", "network.protocol", "log.id.uid", "network.community_id" ], - "::dce_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "dce_rpc.endpoint", "dce_rpc.named_pipe", "dce_rpc.operation", "log.id.uid" ], - "::dhcp": ["soc_timestamp", "client.address", "server.address", "host.domain", "host.hostname", "dhcp.message_types", "log.id.uid" ], - "::dnp3": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "dnp3.fc_reply", "log.id.uid" ], - "::dns": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.transport", "dns.query.name", "dns.query.type_name", "dns.response.code_name", "log.id.uid", "network.community_id" ], - "::dpd": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.protocol", "observer.analyser", "error.reason", "log.id.uid" ], - "::file": ["soc_timestamp", "source.ip", "destination.ip", "file.name", "file.mime_type", "file.source", "file.bytes.total", "log.id.fuid", "log.id.uid" ], - "::ftp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ftp.user", "ftp.command", "ftp.argument", "ftp.reply_code", "file.size", "log.id.uid" ], - "::http": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "http.method", "http.virtual_host", "http.status_code", "http.status_message", "http.request.body.length", "http.response.body.length", "log.id.uid", "network.community_id" ], - "::intel": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "intel.indicator", "intel.indicator_type", "intel.seen_where", "log.id.uid" ], - "::irc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "irc.username", "irc.nickname", "irc.command.type", "irc.command.value", "irc.command.info", "log.id.uid" ], - "::kerberos": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "kerberos.client", "kerberos.service", "kerberos.request_type", "log.id.uid" ], - "::modbus": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "modbus.function", "log.id.uid" ], - "::mysql": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "mysql.command", "mysql.argument", "mysql.success", "mysql.response", "log.id.uid" ], - "::notice": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "notice.note", "notice.message", "log.id.fuid", "log.id.uid", "network.community_id" ], - "::ntlm": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ntlm.name", "ntlm.success", "ntlm.server.dns.name", "ntlm.server.nb.name", "ntlm.server.tree.name", "log.id.uid" ], - "::pe": ["soc_timestamp", "file.is_64bit", "file.is_exe", "file.machine", "file.os", "file.subsystem", "log.id.fuid" ], - "::radius": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid", "username", "radius.framed_address", "radius.reply_message", "radius.result" ], - "::rdp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rdp.client_build", "client_name", "rdp.cookie", "rdp.encryption_level", "rdp.encryption_method", "rdp.keyboard_layout", "rdp.result", "rdp.security_protocol", "log.id.uid" ], - "::rfb": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rfb.authentication.method", "rfb.authentication.success", "rfb.share_flag", "rfb.desktop.name", "log.id.uid" ], - "::signatures" : ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "note", "signature_id", "event_message", "sub_message", "signature_count", "host.count", "log.id.uid" ], - "::sip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "sip.method", "sip.uri", "sip.request.from", "sip.request.to", "sip.response.from", "sip.response.to", "sip.call_id", "sip.subject", "sip.user_agent", "sip.status_code", "log.id.uid" ], - "::smb_files" : ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.fuid", "file.action", "file.path", "file.name", "file.size", "file.prev_name", "log.id.uid" ], - "::smb_mapping" : ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "smb.path", "smb.service", "smb.share_type", "log.id.uid" ], - "::smtp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "smtp.from", "smtp.recipient_to", "smtp.subject", "smtp.useragent", "log.id.uid", "network.community_id" ], - "::snmp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "snmp.community", "snmp.version", "log.id.uid" ], - "::socks": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "socks.name", "socks.request.host", "socks.request.port", "socks.status", "log.id.uid" ], - "::software": ["soc_timestamp", "source.ip", "software.name", "software.type" ], - "::ssh": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ssh.version", "ssh.hassh_version", "ssh.direction", "ssh.client", "ssh.server", "log.id.uid" ], - "::ssl": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ssl.server_name", "ssl.certificate.subject", "ssl.validation_status", "ssl.version", "log.id.uid" ], - ":zeek:syslog": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "syslog.facility", "network.protocol", "syslog.severity", "log.id.uid" ], - "::tunnels": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tunnel_type", "action", "log.id.uid" ], - "::weird": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "weird.name", "log.id.uid" ], - "::x509": ["soc_timestamp", "x509.certificate.subject", "x509.certificate.key.type", "x509.certificate.key.length", "x509.certificate.issuer", "log.id.fuid" ], - "::firewall": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.transport", "network.direction", "interface.name", "rule.action", "rule.reason", "network.community_id" ], - ":osquery:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "source.hostname", "event.dataset", "process.executable", "user.name" ], - ":ossec:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rule.name", "rule.level", "rule.category", "process.name", "user.name", "user.escalated", "location" ], - ":strelka:file": ["soc_timestamp", "file.name", "file.size", "hash.md5", "file.source", "file.mime_type", "log.id.fuid" ], - ":suricata:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rule.name", "rule.category", "event.severity_label", "log.id.uid", "network.community_id" ], - ":sysmon:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "source.hostname", "event.dataset", "process.executable", "user.name" ], - ":windows_eventlog:": ["soc_timestamp", "user.name" ], - ":elasticsearch:": ["soc_timestamp", "agent.name", "message", "log.level", "metadata.version", "metadata.pipeline", "event.dataset" ], - ":kibana:": ["soc_timestamp", "host.name", "message", "kibana.log.meta.req.headers.x-real-ip", "event.dataset" ], - "::rootcheck": ["soc_timestamp", "host.name", "metadata.ip_address", "log.full", "event.dataset", "event.module" ], - "::ossec": ["soc_timestamp", "host.name", "metadata.ip_address", "log.full", "event.dataset", "event.module" ], - "::syscollector": ["soc_timestamp", "host.name", "metadata.ip_address", "wazuh.data.type", "log.full", "event.dataset", "event.module" ], - ":syslog:syslog": ["soc_timestamp", "host.name", "metadata.ip_address", "real_message", "syslog.priority", "syslog.application" ], - ":aws:": ["soc_timestamp", "aws.cloudtrail.event_category", "aws.cloudtrail.event_type", "event.provider", "event.action", "event.outcome", "cloud.region", "user.name", "source.ip", "source.geo.region_iso_code" ], - ":squid:": ["soc_timestamp", "url.original", "destination.ip", "destination.geo.country_iso_code", "user.name", "source.ip" ] - } diff --git a/salt/soc/files/soc/hunt.queries.json b/salt/soc/files/soc/hunt.queries.json deleted file mode 100644 index ed82c10a4..000000000 --- a/salt/soc/files/soc/hunt.queries.json +++ /dev/null @@ -1,67 +0,0 @@ -[ - { "name": "Default Query", "showSubtitle": true, "description": "Show all events grouped by the origin host", "query": "* | groupby observer.name"}, - { "name": "Log Type", "showSubtitle": true, "description": "Show all events grouped by module and dataset", "query": "* | groupby event.module event.dataset"}, - { "name": "SOC Auth", "showSubtitle": true, "description": "Users authenticated to SOC grouped by IP address and identity", "query": "event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip identity_id"}, - { "name": "Elastalerts", "showSubtitle": true, "description": "Elastalert logs", "query": "_index: \"*:elastalert*\" | groupby rule_name alert_info.type"}, - { "name": "Alerts", "showSubtitle": true, "description": "Show all alerts grouped by alert source", "query": "event.dataset: alert | groupby event.module"}, - { "name": "NIDS Alerts", "showSubtitle": true, "description": "Show all NIDS alerts grouped by alert", "query": "event.category: network AND event.dataset: alert | groupby rule.category rule.gid rule.uuid rule.name"}, - { "name": "Wazuh/OSSEC Alerts", "showSubtitle": true, "description": "Show all Wazuh alerts at Level 5 or higher grouped by category", "query": "event.module:ossec AND event.dataset:alert AND rule.level:>4 | groupby rule.category rule.name"}, - { "name": "Wazuh/OSSEC Alerts", "showSubtitle": true, "description": "Show all Wazuh alerts at Level 4 or lower grouped by category", "query": "event.module:ossec AND event.dataset:alert AND rule.level:<5 | groupby rule.category rule.name"}, - { "name": "Wazuh/OSSEC Users and Commands", "showSubtitle": true, "description": "Show all Wazuh alerts grouped by username and command line", "query": "event.module:ossec AND event.dataset:alert | groupby user.escalated.keyword process.command_line"}, - { "name": "Wazuh/OSSEC Processes", "showSubtitle": true, "description": "Show all Wazuh alerts grouped by process name", "query": "event.module:ossec AND event.dataset:alert | groupby process.name"}, - { "name": "Sysmon Events", "showSubtitle": true, "description": "Show all Sysmon logs grouped by event type", "query": "event.module:sysmon | groupby event.dataset"}, - { "name": "Sysmon Usernames", "showSubtitle": true, "description": "Show all Sysmon logs grouped by username", "query": "event.module:sysmon | groupby event.dataset, user.name.keyword"}, - { "name": "Strelka", "showSubtitle": true, "description": "Show all Strelka logs grouped by file type", "query": "event.module:strelka | groupby file.mime_type"}, - { "name": "Zeek Notice", "showSubtitle": true, "description": "Show notices from Zeek", "query": "event.dataset:notice | groupby notice.note notice.message"}, - { "name": "Connections", "showSubtitle": true, "description": "Connections grouped by IP and Port", "query": "event.dataset:conn | groupby source.ip destination.ip network.protocol destination.port"}, - { "name": "Connections", "showSubtitle": true, "description": "Connections grouped by Service", "query": "event.dataset:conn | groupby network.protocol destination.port"}, - { "name": "Connections", "showSubtitle": true, "description": "Connections grouped by destination country", "query": "event.dataset:conn | groupby destination.geo.country_name"}, - { "name": "Connections", "showSubtitle": true, "description": "Connections grouped by source country", "query": "event.dataset:conn | groupby source.geo.country_name"}, - { "name": "DCE_RPC", "showSubtitle": true, "description": "DCE_RPC grouped by operation", "query": "event.dataset:dce_rpc | groupby dce_rpc.operation"}, - { "name": "DHCP", "showSubtitle": true, "description": "DHCP leases", "query": "event.dataset:dhcp | groupby host.hostname client.address"}, - { "name": "DHCP", "showSubtitle": true, "description": "DHCP grouped by message type", "query": "event.dataset:dhcp | groupby dhcp.message_types"}, - { "name": "DNP3", "showSubtitle": true, "description": "DNP3 grouped by reply", "query": "event.dataset:dnp3 | groupby dnp3.fc_reply"}, - { "name": "DNS", "showSubtitle": true, "description": "DNS queries grouped by port", "query": "event.dataset:dns | groupby dns.query.name destination.port"}, - { "name": "DNS", "showSubtitle": true, "description": "DNS queries grouped by type", "query": "event.dataset:dns | groupby dns.query.type_name destination.port"}, - { "name": "DNS", "showSubtitle": true, "description": "DNS queries grouped by response code", "query": "event.dataset:dns | groupby dns.response.code_name destination.port"}, - { "name": "DNS", "showSubtitle": true, "description": "DNS highest registered domain", "query": "event.dataset:dns | groupby dns.highest_registered_domain.keyword destination.port"}, - { "name": "DNS", "showSubtitle": true, "description": "DNS grouped by parent domain", "query": "event.dataset:dns | groupby dns.parent_domain.keyword destination.port"}, - { "name": "DPD", "showSubtitle": true, "description": "Dynamic Protocol Detection errors", "query": "event.dataset:dpd | groupby error.reason"}, - { "name": "Files", "showSubtitle": true, "description": "Files grouped by mimetype", "query": "event.dataset:file | groupby file.mime_type source.ip"}, - { "name": "Files", "showSubtitle": true, "description": "Files grouped by source", "query": "event.dataset:file | groupby file.source source.ip"}, - { "name": "FTP", "showSubtitle": true, "description": "FTP grouped by command and argument", "query": "event.dataset:ftp | groupby ftp.command ftp.argument"}, - { "name": "FTP", "showSubtitle": true, "description": "FTP grouped by username and argument", "query": "event.dataset:ftp | groupby ftp.user ftp.argument"}, - { "name": "HTTP", "showSubtitle": true, "description": "HTTP grouped by destination port", "query": "event.dataset:http | groupby destination.port"}, - { "name": "HTTP", "showSubtitle": true, "description": "HTTP grouped by status code and message", "query": "event.dataset:http | groupby http.status_code http.status_message"}, - { "name": "HTTP", "showSubtitle": true, "description": "HTTP grouped by method and user agent", "query": "event.dataset:http | groupby http.method http.useragent"}, - { "name": "HTTP", "showSubtitle": true, "description": "HTTP grouped by virtual host", "query": "event.dataset:http | groupby http.virtual_host"}, - { "name": "HTTP", "showSubtitle": true, "description": "HTTP with exe downloads", "query": "event.dataset:http AND (file.resp_mime_types:dosexec OR file.resp_mime_types:executable) | groupby http.virtual_host"}, - { "name": "Intel", "showSubtitle": true, "description": "Intel framework hits grouped by indicator", "query": "event.dataset:intel | groupby intel.indicator.keyword"}, - { "name": "IRC", "showSubtitle": true, "description": "IRC grouped by command", "query": "event.dataset:irc | groupby irc.command.type"}, - { "name": "Kerberos", "showSubtitle": true, "description": "Kerberos grouped by service", "query": "event.dataset:kerberos | groupby kerberos.service"}, - { "name": "MODBUS", "showSubtitle": true, "description": "MODBUS grouped by function", "query": "event.dataset:modbus | groupby modbus.function"}, - { "name": "MYSQL", "showSubtitle": true, "description": "MYSQL grouped by command", "query": "event.dataset:mysql | groupby mysql.command"}, - { "name": "NOTICE", "showSubtitle": true, "description": "Zeek notice logs grouped by note and message", "query": "event.dataset:notice | groupby notice.note notice.message"}, - { "name": "NTLM", "showSubtitle": true, "description": "NTLM grouped by computer name", "query": "event.dataset:ntlm | groupby ntlm.server.dns.name"}, - { "name": "Osquery Live Queries", "showSubtitle": true, "description": "Osquery Live Query results grouped by computer name", "query": "event.dataset:live_query | groupby host.hostname"}, - { "name": "PE", "showSubtitle": true, "description": "PE files list", "query": "event.dataset:pe | groupby file.machine file.os file.subsystem"}, - { "name": "RADIUS", "showSubtitle": true, "description": "RADIUS grouped by username", "query": "event.dataset:radius | groupby user.name.keyword"}, - { "name": "RDP", "showSubtitle": true, "description": "RDP grouped by client name", "query": "event.dataset:rdp | groupby client.name"}, - { "name": "RFB", "showSubtitle": true, "description": "RFB grouped by desktop name", "query": "event.dataset:rfb | groupby rfb.desktop.name.keyword"}, - { "name": "Signatures", "showSubtitle": true, "description": "Zeek signatures grouped by signature id", "query": "event.dataset:signatures | groupby signature_id"}, - { "name": "SIP", "showSubtitle": true, "description": "SIP grouped by user agent", "query": "event.dataset:sip | groupby client.user_agent"}, - { "name": "SMB_Files", "showSubtitle": true, "description": "SMB files grouped by action", "query": "event.dataset:smb_files | groupby file.action"}, - { "name": "SMB_Mapping", "showSubtitle": true, "description": "SMB mapping grouped by path", "query": "event.dataset:smb_mapping | groupby smb.path"}, - { "name": "SMTP", "showSubtitle": true, "description": "SMTP grouped by subject", "query": "event.dataset:smtp | groupby smtp.subject"}, - { "name": "SNMP", "showSubtitle": true, "description": "SNMP grouped by version and string", "query": "event.dataset:snmp | groupby snmp.community snmp.version"}, - { "name": "Software", "showSubtitle": true, "description": "List of software seen on the network", "query": "event.dataset:software | groupby software.type software.name"}, - { "name": "SSH", "showSubtitle": true, "description": "SSH grouped by version and client", "query": "event.dataset:ssh | groupby ssh.version ssh.client"}, - { "name": "SSL", "showSubtitle": true, "description": "SSL grouped by version and server name", "query": "event.dataset:ssl | groupby ssl.version ssl.server_name"}, - { "name": "SYSLOG", "showSubtitle": true, "description": "SYSLOG grouped by severity and facility ", "query": "event.dataset:syslog | groupby syslog.severity_label syslog.facility_label"}, - { "name": "Tunnel", "showSubtitle": true, "description": "Tunnels grouped by type and action", "query": "event.dataset:tunnel | groupby tunnel.type event.action"}, - { "name": "Weird", "showSubtitle": true, "description": "Zeek weird log grouped by name", "query": "event.dataset:weird | groupby weird.name"}, - { "name": "x509", "showSubtitle": true, "description": "x.509 grouped by key length and name", "query": "event.dataset:x509 | groupby x509.certificate.key.length x509.san_dns"}, - { "name": "x509", "showSubtitle": true, "description": "x.509 grouped by name and issuer", "query": "event.dataset:x509 | groupby x509.san_dns x509.certificate.issuer"}, - { "name": "x509", "showSubtitle": true, "description": "x.509 grouped by name and subject", "query": "event.dataset:x509 | groupby x509.san_dns x509.certificate.subject"}, - { "name": "Firewall", "showSubtitle": true, "description": "Firewall events grouped by action", "query": "event.dataset:firewall | groupby rule.action"} - ] diff --git a/salt/soc/files/soc/menu.actions.json b/salt/soc/files/soc/menu.actions.json deleted file mode 100644 index 8af63f2a8..000000000 --- a/salt/soc/files/soc/menu.actions.json +++ /dev/null @@ -1,41 +0,0 @@ -{%- set ENDGAMEHOST = salt['pillar.get']('soc:endgamehost', False) %} -[ - { "name": "actionHunt", "description": "actionHuntHelp", "icon": "fa-crosshairs", "target": "", - "links": [ - "/#/hunt?q=\"{value|escape}\" | groupby event.module event.dataset" - ]}, - { "name": "actionCorrelate", "description": "actionCorrelateHelp", "icon": "fab fa-searchengin", "target": "", - "links": [ - "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset", - "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\") | groupby event.module event.dataset", - "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset", - "/#/hunt?q=(\"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset", - "/#/hunt?q=\"{:log.id.fuid}\" | groupby event.module event.dataset", - "/#/hunt?q=\"{:log.id.uid}\" | groupby event.module event.dataset", - "/#/hunt?q=\"{:network.community_id}\" | groupby event.module event.dataset" - ]}, - { "name": "actionPcap", "description": "actionPcapHelp", "icon": "fa-stream", "target": "", - "links": [ - "/joblookup?esid={:soc_id}&time={:@timestamp}", - "/joblookup?ncid={:network.community_id}&time={:@timestamp}" - ], - "categories": ["hunt", "alerts"]}, - { "name": "actionCyberChef", "description": "actionCyberChefHelp", "icon": "fas fa-bread-slice", "target": "_blank", - "links": [ - "/cyberchef/#input={value|base64}" - ]}, - { "name": "actionGoogle", "description": "actionGoogleHelp", "icon": "fab fa-google", "target": "_blank", - "links": [ - "https://www.google.com/search?q={value}" - ]}, - { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "fa-external-link-alt", "target": "_blank", - "links": [ - "https://www.virustotal.com/gui/search/{value}" - ]} - {%- if ENDGAMEHOST %} - ,{ "name": "Endgame", "description": "Endgame Endpoint Investigation and Response", "icon": "fa-external-link-alt", "target": "_blank", - "links": [ - "https://{{ ENDGAMEHOST }}/endpoints/{:agent.id}" - ]} - {% endif %} -] diff --git a/salt/soc/files/soc/presets.artifacttype.json b/salt/soc/files/soc/presets.artifacttype.json deleted file mode 100644 index 4afa16c28..000000000 --- a/salt/soc/files/soc/presets.artifacttype.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "labels": [ - "autonomous-system", - "domain", - "file", - "filename", - "fqdn", - "hash", - "ip", - "mail", - "mail_subject", - "other", - "regexp", - "registry", - "uri_path", - "url", - "user-agent" - ], - "customEnabled": true -} diff --git a/salt/soc/files/soc/presets.category.json b/salt/soc/files/soc/presets.category.json deleted file mode 100644 index 191be77f5..000000000 --- a/salt/soc/files/soc/presets.category.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "labels": [ - "general", - "template" - ], - "customEnabled": true -} \ No newline at end of file diff --git a/salt/soc/files/soc/presets.pap.json b/salt/soc/files/soc/presets.pap.json deleted file mode 100644 index 6ef37164d..000000000 --- a/salt/soc/files/soc/presets.pap.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "labels": [ - "white", - "green", - "amber", - "red" - ], - "customEnabled": false -} \ No newline at end of file diff --git a/salt/soc/files/soc/presets.severity.json b/salt/soc/files/soc/presets.severity.json deleted file mode 100644 index 516d07bd3..000000000 --- a/salt/soc/files/soc/presets.severity.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "labels": [ - "low", - "medium", - "high", - "critical" - ], - "customEnabled": false -} \ No newline at end of file diff --git a/salt/soc/files/soc/presets.status.json b/salt/soc/files/soc/presets.status.json deleted file mode 100644 index 239d14901..000000000 --- a/salt/soc/files/soc/presets.status.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "labels": [ - "new", - "in progress", - "closed" - ], - "customEnabled": false -} \ No newline at end of file diff --git a/salt/soc/files/soc/presets.tag.json b/salt/soc/files/soc/presets.tag.json deleted file mode 100644 index 545b513f8..000000000 --- a/salt/soc/files/soc/presets.tag.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "labels": [ - "false-positive", - "confirmed", - "pending" - ], - "customEnabled": true -} \ No newline at end of file diff --git a/salt/soc/files/soc/presets.tlp.json b/salt/soc/files/soc/presets.tlp.json deleted file mode 100644 index 6ef37164d..000000000 --- a/salt/soc/files/soc/presets.tlp.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "labels": [ - "white", - "green", - "amber", - "red" - ], - "customEnabled": false -} \ No newline at end of file diff --git a/salt/soc/files/soc/tools.json b/salt/soc/files/soc/tools.json deleted file mode 100644 index b53f112e5..000000000 --- a/salt/soc/files/soc/tools.json +++ /dev/null @@ -1,8 +0,0 @@ -[ - { "name": "toolKibana", "description": "toolKibanaHelp", "icon": "fa-external-link-alt", "target": "so-kibana", "link": "/kibana/" }, - { "name": "toolGrafana", "description": "toolGrafanaHelp", "icon": "fa-external-link-alt", "target": "so-grafana", "link": "/grafana/d/so_overview" }, - { "name": "toolCyberchef", "description": "toolCyberchefHelp", "icon": "fa-external-link-alt", "target": "so-cyberchef", "link": "/cyberchef/" }, - { "name": "toolPlaybook", "description": "toolPlaybookHelp", "icon": "fa-external-link-alt", "target": "so-playbook", "link": "/playbook/projects/detection-playbooks/issues/" }, - { "name": "toolFleet", "description": "toolFleetHelp", "icon": "fa-external-link-alt", "target": "so-fleet", "link": "/fleet/" }, - { "name": "toolNavigator", "description": "toolNavigatorHelp", "icon": "fa-external-link-alt", "target": "so-navigator", "link": "/navigator/" } -] \ No newline at end of file diff --git a/salt/soc/init.sls b/salt/soc/init.sls index 0b9f0a2e1..55bb70f21 100644 --- a/salt/soc/init.sls +++ b/salt/soc/init.sls @@ -30,16 +30,6 @@ soclogdir: - makedirs: True -socactions: - file.managed: - - name: /opt/so/conf/soc/menu.actions.json - - source: salt://soc/files/soc/menu.actions.json - - user: 939 - - group: 939 - - mode: 600 - - template: jinja - - socconfig: file.managed: - name: /opt/so/conf/soc/soc.json diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja index 7a6754f11..878ea72e6 100644 --- a/salt/soc/merged.map.jinja +++ b/salt/soc/merged.map.jinja @@ -5,9 +5,9 @@ {# if SOCMERGED.server.modules.cases == httpcase details come from the soc pillar #} {% if SOCMERGED.server.modules.cases != 'soc' %} {% do SOCMERGED.server.modules.elastic.update({'casesEnabled': false}) %} -{% do SOCMERGED.client.update({'casesEnabled': false}) %} -{% do SOCMERGED.client.hunt.update({'escalateRelatedEventsEnabled': false}) %} -{% do SOCMERGED.client.alerts.update({'escalateRelatedEventsEnabled': false}) %} +{% do SOCMERGED.server.client.update({'casesEnabled': false}) %} +{% do SOCMERGED.server.client.hunt.update({'escalateRelatedEventsEnabled': false}) %} +{% do SOCMERGED.server.client.alerts.update({'escalateRelatedEventsEnabled': false}) %} {% if SOCMERGED.server.modules.cases == 'elasticcases' %} {% do SOCMERGED.server.modules.update({ 'elasticcases': { @@ -23,20 +23,40 @@ {# change some options if this is airgap #} {% if GLOBALS.airgap %} -{% do SOCMERGED.client.update({ +{% do SOCMERGED.server.client.update({ 'docsUrl': '/docs/', 'cheatsheetUrl': '/docs/cheatsheet.pdf', 'releaseNotesUrl': '/docs/#release-notes' - }) + }) %} {% endif %} {% if pillar.manager.playbook == 0 %} -{% do SOCMERGED.client.inactiveTools.append('toolPlaybook') %} +{% do SOCMERGED.server.client.inactiveTools.append('toolPlaybook') %} {% endif %} -{% do SOCMERGED.client.inactiveTools.append('toolFleet') %} +{% do SOCMERGED.server.client.inactiveTools.append('toolFleet') %} {% if pillar.manager.grafana == 0 %} -{% do SOCMERGED.client.inactiveTools.append('toolGrafana') %} +{% do SOCMERGED.server.client.inactiveTools.append('toolGrafana') %} {% endif %} + + +{% set standard_actions = SOCMERGED.pop('actions') %} +{% if pillar.global.endgamehost is defined %} +{% set endgame_dict = { + "name": "Endgame", + "description": "Endgame Endpoint Investigation and Response", + "icon": "fa-external-link-alt", + "target": "_blank", + "links": ["https://" ~ pillar.global.endgamehost ~ "/endpoints/{:agent.id}"] + } +%} +{% do standard_actions.append(endgame_dict) %} +{% endif %} + +{% do SOCMERGED.server.client.hunt.update({'actions': standard_actions}) %} +{% do SOCMERGED.server.client.dashboards.update({'actions': standard_actions}) %} +{% do SOCMERGED.server.client.update({'job': {'actions': standard_actions}}) %} +{% do SOCMERGED.server.client.alerts.update({'actions': standard_actions}) %} +{% do SOCMERGED.server.client.cases.update({'actions': standard_actions}) %}