Merge pull request #8700 from Security-Onion-Solutions/fix/soc2.4

Fix/soc2.4
This commit is contained in:
Josh Patterson
2022-09-09 14:32:41 -04:00
committed by GitHub
22 changed files with 1637 additions and 2136 deletions


@@ -1,5 +1,52 @@
soc: soc:
logFilename: /opt/sensoroni/logs/sensoroni-server.log logFilename: /opt/sensoroni/logs/sensoroni-server.log
actions:
- name: actionHunt
description: actionHuntHelp
icon: fa-crosshairs
target:
links:
- '/#/hunt?q="{value|escape}" | groupby event.module event.dataset'
- name: actionCorrelate
description: actionCorrelateHelp
icon: fab fa-searchengin
target:
links:
- '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset'
- '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset'
- '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset'
- '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset'
- '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset'
- '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset'
- '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset'
- name: actionPcap
description: actionPcapHelp
icon: fa-stream
target:
links:
- '/joblookup?esid={:soc_id}&time={:@timestamp}'
- '/joblookup?ncid={:network.community_id}&time={:@timestamp}'
categories:
- hunt
- alerts
- name: actionCyberChef
description: actionCyberChefHelp
icon: fas fa-bread-slice
target: _blank
links:
- '/cyberchef/#input={value|base64}'
- name: actionGoogle
description: actionGoogleHelp
icon: fab fa-google
target: _blank
links:
- 'https://www.google.com/search?q={value}'
- name: actionVirusTotal
description: actionVirusTotalHelp
icon: fa-external-link-alt
target: _blank
links:
- 'https://www.virustotal.com/gui/search/{value}'
server: server:
bindAddress: 0.0.0.0:9822 bindAddress: 0.0.0.0:9822
baseUrl: / baseUrl: /
@@ -17,7 +64,7 @@ soc:
remoteHostUrls: [] remoteHostUrls: []
username: username:
password: password:
index: '*:so-*' index: '*:so-*,*:endgame-*'
cacheMs: 300000 cacheMs: 300000
verifyCert: false verifyCert: false
casesEnabled: true casesEnabled: true
@@ -28,6 +75,7 @@ soc:
org: '' org: ''
bucket: telegraf bucket: telegraf
verifyCert: false verifyCert: false
salt: {}
sostatus: sostatus:
refreshIntervalMs: 30000 refreshIntervalMs: 30000
offlineThresholdMs: 900000 offlineThresholdMs: 900000
@@ -799,101 +847,661 @@ soc:
- name: Firewall - name: Firewall
description: Firewall events grouped by action description: Firewall events grouped by action
query: 'event.dataset:firewall | groupby rule.action' query: 'event.dataset:firewall | groupby rule.action'
actions: dashboards:
- name: actionHunt advanced: true
description: actionHuntHelp groupItemsPerPage: 10
icon: fa-crosshairs groupFetchLimit: 10
target: eventItemsPerPage: 10
links: eventFetchLimit: 100
- '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' relativeTimeValue: 24
- name: actionCorrelate relativeTimeUnit: 30
description: actionCorrelateHelp mostRecentlyUsedLimit: 0
icon: fab fa-searchengin ackEnabled: false
target: escalateEnabled: true
links: escalateRelatedEventsEnabled: true
- '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' aggregationActionsEnabled: false
- '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' eventFields:
- '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' default:
- '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - soc_timestamp
- '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' - source.ip
- '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' - source.port
- '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' - destination.ip
- name: actionPcap - destination.port
description: actionPcapHelp - log.id.uid
icon: fa-stream - network.community_id
target: - event.dataset
links: ':kratos:audit':
- '/joblookup?esid={:soc_id}&time={:@timestamp}' - soc_timestamp
- '/joblookup?ncid={:network.community_id}&time={:@timestamp}' - http_request.headers.x-real-ip
categories: - identity_id
- hunt - http_request.headers.user-agent
- alerts '::conn':
- name: actionCyberChef - soc_timestamp
description: actionCyberChefHelp - source.ip
icon: fas fa-bread-slice - source.port
target: _blank - destination.ip
links: - destination.port
- '/cyberchef/#input={value|base64}' - network.transport
- name: actionGoogle - network.protocol
description: actionGoogleHelp - log.id.uid
icon: fab fa-google - network.community_id
target: _blank '::dce_rpc':
links: - soc_timestamp
- 'https://www.google.com/search?q={value}' - source.ip
- name: actionVirusTotal - source.port
description: actionVirusTotalHelp - destination.ip
icon: fa-external-link-alt - destination.port
target: _blank - dce_rpc.endpoint
links: - dce_rpc.named_pipe
- 'https://www.virustotal.com/gui/search/{value}' - dce_rpc.operation
- log.id.uid
'::dhcp':
- soc_timestamp
- client.address
- server.address
- host.domain
- host.hostname
- dhcp.message_types
- log.id.uid
'::dnp3':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- dnp3.fc_reply
- log.id.uid
'::dns':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- network.transport
- dns.query.name
- dns.query.type_name
- dns.response.code_name
- log.id.uid
- network.community_id
'::dpd':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- network.protocol
- observer.analyser
- error.reason
- log.id.uid
'::file':
- soc_timestamp
- source.ip
- destination.ip
- file.name
- file.mime_type
- file.source
- file.bytes.total
- log.id.fuid
- log.id.uid
'::ftp':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- ftp.user
- ftp.command
- ftp.argument
- ftp.reply_code
- file.size
- log.id.uid
'::http':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- http.method
- http.virtual_host
- http.status_code
- http.status_message
- http.request.body.length
- http.response.body.length
- log.id.uid
- network.community_id
'::intel':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- intel.indicator
- intel.indicator_type
- intel.seen_where
- log.id.uid
'::irc':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- irc.username
- irc.nickname
- irc.command.type
- irc.command.value
- irc.command.info
- log.id.uid
'::kerberos':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- kerberos.client
- kerberos.service
- kerberos.request_type
- log.id.uid
'::modbus':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- modbus.function
- log.id.uid
'::mysql':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- mysql.command
- mysql.argument
- mysql.success
- mysql.response
- log.id.uid
'::notice':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- notice.note
- notice.message
- log.id.fuid
- log.id.uid
- network.community_id
'::ntlm':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- ntlm.name
- ntlm.success
- ntlm.server.dns.name
- ntlm.server.nb.name
- ntlm.server.tree.name
- log.id.uid
'::pe':
- soc_timestamp
- file.is_64bit
- file.is_exe
- file.machine
- file.os
- file.subsystem
- log.id.fuid
'::radius':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- log.id.uid
- username
- radius.framed_address
- radius.reply_message
- radius.result
'::rdp':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- rdp.client_build
- client_name
- rdp.cookie
- rdp.encryption_level
- rdp.encryption_method
- rdp.keyboard_layout
- rdp.result
- rdp.security_protocol
- log.id.uid
'::rfb':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- rfb.authentication.method
- rfb.authentication.success
- rfb.share_flag
- rfb.desktop.name
- log.id.uid
'::signatures':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- note
- signature_id
- event_message
- sub_message
- signature_count
- host.count
- log.id.uid
'::sip':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- sip.method
- sip.uri
- sip.request.from
- sip.request.to
- sip.response.from
- sip.response.to
- sip.call_id
- sip.subject
- sip.user_agent
- sip.status_code
- log.id.uid
'::smb_files':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- log.id.fuid
- file.action
- file.path
- file.name
- file.size
- file.prev_name
- log.id.uid
'::smb_mapping':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- smb.path
- smb.service
- smb.share_type
- log.id.uid
'::smtp':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- smtp.from
- smtp.recipient_to
- smtp.subject
- smtp.useragent
- log.id.uid
- network.community_id
'::snmp':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- snmp.community
- snmp.version
- log.id.uid
'::socks':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- socks.name
- socks.request.host
- socks.request.port
- socks.status
- log.id.uid
'::software':
- soc_timestamp
- source.ip
- software.name
- software.type
'::ssh':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- ssh.version
- ssh.hassh_version
- ssh.direction
- ssh.client
- ssh.server
- log.id.uid
'::ssl':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- ssl.server_name
- ssl.certificate.subject
- ssl.validation_status
- ssl.version
- log.id.uid
':zeek:syslog':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- syslog.facility
- network.protocol
- syslog.severity
- log.id.uid
'::tunnels':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- tunnel_type
- action
- log.id.uid
'::weird':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- weird.name
- log.id.uid
'::x509':
- soc_timestamp
- x509.certificate.subject
- x509.certificate.key.type
- x509.certificate.key.length
- x509.certificate.issuer
- log.id.fuid
'::firewall':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- network.transport
- network.direction
- interface.name
- rule.action
- rule.reason
- network.community_id
':osquery:':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- source.hostname
- event.dataset
- process.executable
- user.name
':ossec:':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- rule.name
- rule.level
- rule.category
- process.name
- user.name
- user.escalated
- location
':strelka:file':
- soc_timestamp
- file.name
- file.size
- hash.md5
- file.source
- file.mime_type
- log.id.fuid
':suricata:':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- rule.name
- rule.category
- event.severity_label
- log.id.uid
- network.community_id
':sysmon:':
- soc_timestamp
- source.ip
- source.port
- destination.ip
- destination.port
- source.hostname
- event.dataset
- process.executable
- user.name
':windows_eventlog:':
- soc_timestamp
- user.name
':elasticsearch:':
- soc_timestamp
- agent.name
- message
- log.level
- metadata.version
- metadata.pipeline
- event.dataset
':kibana:':
- soc_timestamp
- host.name
- message
- kibana.log.meta.req.headers.x-real-ip
- event.dataset
'::rootcheck':
- soc_timestamp
- host.name
- metadata.ip_address
- log.full
- event.dataset
- event.module
'::ossec':
- soc_timestamp
- host.name
- metadata.ip_address
- log.full
- event.dataset
- event.module
'::syscollector':
- soc_timestamp
- host.name
- metadata.ip_address
- wazuh.data.type
- log.full
- event.dataset
- event.module
':syslog:syslog':
- soc_timestamp
- host.name
- metadata.ip_address
- real_message
- syslog.priority
- syslog.application
':aws:':
- soc_timestamp
- aws.cloudtrail.event_category
- aws.cloudtrail.event_type
- event.provider
- event.action
- event.outcome
- cloud.region
- user.name
- source.ip
- source.geo.region_iso_code
':squid:':
- soc_timestamp
- url.original
- destination.ip
- destination.geo.country_iso_code
- user.name
- source.ip
queryBaseFilter:
queryToggleFilters:
- name: caseExcludeToggle,
filter: 'NOT _index:"*:so-case*"'
enabled: true
queries:
- name: Overview
description: Overview of all events
query: '* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module | groupby event.dataset | groupby event.module | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: SOC Auth
description: Show all SOC authentication logs
query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent'
- name: Elastalerts
description: Elastalert logs
query: '_index: "*:elastalert*" | groupby rule_name | groupby alert_info.type'
- name: Alerts
description: Show all alerts
query: 'event.dataset: alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: NIDS Alerts
description: NIDS alerts
query: 'event.category: network AND event.dataset: alert | groupby rule.category | groupby rule.gid | groupby rule.uuid | groupby rule.name | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: Wazuh/OSSEC
description: Wazuh/OSSEC HIDS alerts and logs
query: 'event.module:ossec | groupby rule.category | groupby rule.uuid | groupby rule.name | groupby agent.id | groupby agent.name | groupby log.full'
- name: Sysmon
description: Sysmon logs
query: 'event.module:sysmon | groupby event.dataset | groupby user.name | groupby process.executable | groupby process.command_line | groupby process.parent.command_line'
- name: Strelka
description: Strelka logs
query: 'event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source'
- name: Zeek Notice
description: Zeek Notice logs
query: 'event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: Connections
description: Connection logs
query: 'event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes'
- name: DCE_RPC
description: DCE_RPC logs
query: 'event.dataset:dce_rpc | groupby dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: DHCP
description: Dynamic Host Configuration Protocol leases
query: 'event.dataset:dhcp | groupby host.hostname | groupby host.domain | groupby dhcp.message_types | groupby client.address | groupby server.address'
- name: DNP3
description: DNP3 logs
query: 'event.dataset:dnp3 | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby dnp3.iin | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: DNS
description: Domain Name System queries
query: 'event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: DPD
description: Dynamic Protocol Detection errors
query: 'event.dataset:dpd | groupby error.reason | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol'
- name: Files
description: Files seen in network traffic
query: 'event.dataset:file | groupby file.mime_type | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip'
- name: FTP
description: File Transfer Protocol logs
query: 'event.dataset:ftp | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: HTTP
description: Hyper Text Transport Protocol logs
query: 'event.dataset:http | groupby http.method | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: Intel
description: Zeek Intel framework hits
query: 'event.dataset:intel | groupby intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: IRC
description: Internet Relay Chat logs
query: 'event.dataset:irc | groupby irc.command.type | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: Kerberos
description: Kerberos logs
query: 'event.dataset:kerberos | groupby kerberos.service | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: MODBUS
description: MODBUS logs
query: 'event.dataset:modbus | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: MYSQL
description: MYSQL logs
query: 'event.dataset:mysql | groupby mysql.command | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: NOTICE
description: Zeek notice logs
query: 'event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: NTLM
description: NTLM logs
query: 'event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: Osquery Live Queries
description: Osquery Live Query results
query: 'event.dataset:live_query | groupby host.hostname'
- name: PE
description: PE files list
query: 'event.dataset:pe | groupby file.machine | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit'
- name: RADIUS
description: RADIUS logs
query: 'event.dataset:radius | groupby user.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: RDP
description: RDP logs
query: 'event.dataset:rdp | groupby client.name | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: RFB
description: RFB logs
query: 'event.dataset:rfb | groupby rfb.desktop.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: Signatures
description: Zeek signatures
query: 'event.dataset:signatures | groupby signature_id'
- name: SIP
description: SIP logs
query: 'event.dataset:sip | groupby client.user_agent | groupby sip.method | groupby sip.uri | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: SMB_Files
description: SMB files
query: 'event.dataset:smb_files | groupby file.action | groupby file.path | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: SMB_Mapping
description: SMB mapping logs
query: 'event.dataset:smb_mapping | groupby smb.share_type | groupby smb.path | groupby smb.service | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: SMTP
description: SMTP logs
query: 'event.dataset:smtp | groupby smtp.from | groupby smtp.recipient_to | groupby smtp.subject | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: SNMP
description: SNMP logs
query: 'event.dataset:snmp | groupby snmp.community | groupby snmp.version | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: Software
description: List of software seen on the network by Zeek
query: 'event.dataset:software | groupby software.type | groupby software.name | groupby source.ip'
- name: SSH
description: SSH connections seen by Zeek
query: 'event.dataset:ssh | groupby ssh.client | groupby ssh.server | groupby ssh.direction | groupby ssh.version | groupby ssh.hassh_version | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: SSL
description: SSL logs
query: 'event.dataset:ssl | groupby ssl.version | groupby ssl.validation_status | groupby ssl.server_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: SYSLOG
description: SYSLOG logs
query: 'event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby network.protocol | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: Tunnel
description: Tunnels seen by Zeek
query: 'event.dataset:tunnel | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port'
- name: Weird
description: Weird network traffic seen by Zeek
query: 'event.dataset:weird | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port '
- name: x509
description: x.509 certificates seen by Zeek
query: 'event.dataset:x509 | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer'
- name: Firewall
description: Firewall logs
query: 'event.dataset:firewall | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port'
job: job:
actions:
- name: actionHunt
description: actionHuntHelp
icon: fa-crosshairs
target:
links:
- '/#/hunt?q="{value|escape}" | groupby event.module event.dataset'
- name: actionCorrelate
description: actionCorrelateHelp
icon: fab fa-searchengin
target:
links:
- '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset'
- '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset'
- '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset'
- '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset'
- '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset'
- '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset'
- '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset'
- name: actionPcap
description: actionPcapHelp
icon: fa-stream
target:
links:
- '/joblookup?esid={:soc_id}&time={:@timestamp}'
- '/joblookup?ncid={:network.community_id}&time={:@timestamp}'
categories:
- hunt
- alerts
- name: actionCyberChef
description: actionCyberChefHelp
icon: fas fa-bread-slice
target: _blank
links:
- '/cyberchef/#input={value|base64}'
- name: actionGoogle
description: actionGoogleHelp
icon: fab fa-google
target: _blank
links:
- 'https://www.google.com/search?q={value}'
- name: actionVirusTotal
description: actionVirusTotalHelp
icon: fa-external-link-alt
target: _blank
links:
- 'https://www.virustotal.com/gui/search/{value}'
alerts: alerts:
advanced: false advanced: false
groupItemsPerPage: 50 groupItemsPerPage: 50
@@ -961,54 +1569,6 @@ soc:
query: '* | groupby destination.port rule.name event.severity_label' query: '* | groupby destination.port rule.name event.severity_label'
- name: Ungroup - name: Ungroup
query: '*' query: '*'
actions:
- name: actionHunt
description: actionHuntHelp
icon: fa-crosshairs
target:
links:
- '/#/hunt?q="{value|escape}" | groupby event.module event.dataset'
- name: actionCorrelate
description: actionCorrelateHelp
icon: fab fa-searchengin
target:
links:
- '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset'
- '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset'
- '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset'
- '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset'
- '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset'
- '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset'
- '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset'
- name: actionPcap
description: actionPcapHelp
icon: fa-stream
target:
links:
- '/joblookup?esid={:soc_id}&time={:@timestamp}'
- '/joblookup?ncid={:network.community_id}&time={:@timestamp}'
categories:
- hunt
- alerts
- name: actionCyberChef
description: actionCyberChefHelp
icon: fas fa-bread-slice
target: _blank
links:
- '/cyberchef/#input={value|base64}'
- name: actionGoogle
description: actionGoogleHelp
icon: fab fa-google
target: _blank
links:
- 'https://www.google.com/search?q={value}'
- name: actionVirusTotal
description: actionVirusTotalHelp
icon: fa-external-link-alt
target: _blank
links:
- 'https://www.virustotal.com/gui/search/{value}'
cases: cases:
advanced: false advanced: false
groupItemsPerPage: 50 groupItemsPerPage: 50
@@ -1044,53 +1604,6 @@ soc:
query: 'so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}' query: 'so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}'
- name: Templates - name: Templates
query: 'so_case.category:template' query: 'so_case.category:template'
actions:
- name: actionHunt
description: actionHuntHelp
icon: fa-crosshairs
target:
links:
- '/#/hunt?q="{value|escape}" | groupby event.module event.dataset'
- name: actionCorrelate
description: actionCorrelateHelp
icon: fab fa-searchengin
target:
links:
- '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset'
- '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset'
- '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset'
- '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset'
- '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset'
- '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset'
- '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset'
- name: actionPcap
description: actionPcapHelp
icon: fa-stream
target:
links:
- '/joblookup?esid={:soc_id}&time={:@timestamp}'
- '/joblookup?ncid={:network.community_id}&time={:@timestamp}'
categories:
- hunt
- alerts
- name: actionCyberChef
description: actionCyberChefHelp
icon: fas fa-bread-slice
target: _blank
links:
- '/cyberchef/#input={value|base64}'
- name: actionGoogle
description: actionGoogleHelp
icon: fab fa-google
target: _blank
links:
- 'https://www.google.com/search?q={value}'
- name: actionVirusTotal
description: actionVirusTotalHelp
icon: fa-external-link-alt
target: _blank
links:
- 'https://www.virustotal.com/gui/search/{value}'
case: case:
mostRecentlyUsedLimit: 5 mostRecentlyUsedLimit: 5
renderAbbreviatedCount: 30 renderAbbreviatedCount: 30
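Review bot: The new toggle-filter entry `- name: caseExcludeToggle,` has a stray trailing comma, so YAML stores the name as the literal string `caseExcludeToggle,`; if that name is looked up as a translation key or matched by the UI elsewhere, the match will silently fail, and the line should read `- name: caseExcludeToggle`. Two neighbouring values are also worth tightening: `queryBaseFilter:` with no value parses as null rather than an empty string, so write `queryBaseFilter: ''` if the consumer expects a string, and the new `salt: {}` placeholder deserves a one-line comment stating what populates it, since an empty mapping reads as either "unset" or "intentionally empty". Separately, `index: '*:so-*,*:endgame-*'` widens the set of indices SOC queries with the configured ES credentials (the adjacent `verifyCert: false` is pre-existing); it would help to document that the ES role behind `username`/`password` must be granted read on the endgame indices for this pattern to be effective — I am inferring that from the pattern alone, so please confirm.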


@@ -1 +0,0 @@
This file is no longer used. Please use menu.actions.json instead.


@@ -1,4 +0,0 @@
{
"default": ["soc_timestamp", "rule.name", "event.severity_label", "source.ip", "source.port", "destination.ip", "destination.port", "rule.gid", "rule.uuid", "rule.category", "rule.rev"],
":ossec:": ["soc_timestamp", "rule.name", "event.severity_label", "source.ip", "source.port", "destination.ip", "destination.port", "rule.level", "rule.category", "process.name", "user.name", "user.escalated", "location", "process.name" ]
}


@@ -1,9 +0,0 @@
[
{ "name": "Group By Name, Module", "query": "* | groupby rule.name event.module event.severity_label" },
{ "name": "Group By Sensor, Source IP/Port, Destination IP/Port, Name", "query": "* | groupby observer.name source.ip source.port destination.ip destination.port rule.name network.community_id event.severity_label" },
{ "name": "Group By Source IP, Name", "query": "* | groupby source.ip rule.name event.severity_label" },
{ "name": "Group By Source Port, Name", "query": "* | groupby source.port rule.name event.severity_label" },
{ "name": "Group By Destination IP, Name", "query": "* | groupby destination.ip rule.name event.severity_label" },
{ "name": "Group By Destination Port, Name", "query": "* | groupby destination.port rule.name event.severity_label" },
{ "name": "Ungroup", "query": "*" }
]


@@ -1,3 +0,0 @@
{
"default": ["soc_timestamp", "so_case.title", "so_case.status", "so_case.severity", "so_case.assigneeId", "so_case.createTime"]
}


@@ -1,7 +0,0 @@
[
{ "name": "Open Cases", "query": "NOT so_case.status:closed AND NOT so_case.category:template" },
{ "name": "Closed Cases", "query": "so_case.status:closed AND NOT so_case.category:template" },
{ "name": "My Open Cases", "query": "NOT so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}" },
{ "name": "My Closed Cases", "query": "so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}" },
{ "name": "Templates", "query": "so_case.category:template" }
]


@@ -1,46 +0,0 @@
[
{ "name": "Overview", "description": "Overview of all events", "query": "* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module | groupby event.dataset | groupby event.module | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "SOC Auth", "description": "Show all SOC authentication logs", "query": "event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent"},
{ "name": "Elastalerts", "description": "Elastalert logs", "query": "_index: \"*:elastalert*\" | groupby rule_name | groupby alert_info.type"},
{ "name": "Alerts", "description": "Show all alerts", "query": "event.dataset: alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "NIDS Alerts", "description": "NIDS alerts", "query": "event.category: network AND event.dataset: alert | groupby rule.category | groupby rule.gid | groupby rule.uuid | groupby rule.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Wazuh/OSSEC", "description": "Wazuh/OSSEC HIDS alerts and logs", "query": "event.module:ossec | groupby rule.category | groupby rule.uuid | groupby rule.name | groupby agent.id | groupby agent.name | groupby log.full"},
{ "name": "Sysmon", "description": "Sysmon logs", "query": "event.module:sysmon | groupby event.dataset | groupby user.name | groupby process.executable | groupby process.command_line | groupby process.parent.command_line"},
{ "name": "Strelka", "description": "Strelka logs", "query": "event.module:strelka | groupby file.mime_type | groupby file.name | groupby file.source"},
{ "name": "Zeek Notice", "description": "Zeek Notice logs", "query": "event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Connections", "description": "Connection logs", "query": "event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes"},
{ "name": "DCE_RPC", "description": "DCE_RPC logs", "query": "event.dataset:dce_rpc | groupby dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "DHCP", "description": "Dynamic Host Configuration Protocol leases", "query": "event.dataset:dhcp | groupby host.hostname | groupby host.domain | groupby dhcp.message_types | groupby client.address | groupby server.address"},
{ "name": "DNP3", "description": "DNP3 logs", "query": "event.dataset:dnp3 | groupby dnp3.fc_request | groupby dnp3.fc_reply | groupby dnp3.iin | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "DNS", "description": "Domain Name System queries", "query": "event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "DPD", "description": "Dynamic Protocol Detection errors", "query": "event.dataset:dpd | groupby error.reason | groupby source.ip | groupby destination.ip | groupby destination.port | groupby network.protocol"},
{ "name": "Files", "description": "Files seen in network traffic", "query": "event.dataset:file | groupby file.mime_type | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip"},
{ "name": "FTP", "description": "File Transfer Protocol logs", "query": "event.dataset:ftp | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "HTTP", "description": "Hyper Text Transport Protocol logs", "query": "event.dataset:http | groupby http.method | groupby http.virtual_host | groupby http.uri | groupby http.useragent | groupby http.status_code | groupby http.status_message | groupby file.resp_mime_types | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Intel", "description": "Zeek Intel framework hits", "query": "event.dataset:intel | groupby intel.indicator | groupby intel.indicator_type | groupby intel.seen_where | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "IRC", "description": "Internet Relay Chat logs", "query": "event.dataset:irc | groupby irc.command.type | groupby irc.username | groupby irc.nickname | groupby irc.command.value | groupby irc.command.info | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Kerberos", "description": "Kerberos logs", "query": "event.dataset:kerberos | groupby kerberos.service | groupby kerberos.client | groupby kerberos.request_type | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "MODBUS", "description": "MODBUS logs", "query": "event.dataset:modbus | groupby modbus.function | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "MYSQL", "description": "MYSQL logs", "query": "event.dataset:mysql | groupby mysql.command | groupby mysql.argument | groupby mysql.success | groupby mysql.response | groupby mysql.rows | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "NOTICE", "description": "Zeek notice logs", "query": "event.dataset:notice | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "NTLM", "description": "NTLM logs", "query": "event.dataset:ntlm | groupby ntlm.server.dns.name | groupby ntlm.server.nb.name | groupby ntlm.server.tree.name | groupby ntlm.success | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Osquery Live Queries", "description": "Osquery Live Query results", "query": "event.dataset:live_query | groupby host.hostname"},
{ "name": "PE", "description": "PE files list", "query": "event.dataset:pe | groupby file.machine | groupby file.os | groupby file.subsystem | groupby file.section_names | groupby file.is_exe | groupby file.is_64bit"},
{ "name": "RADIUS", "description": "RADIUS logs", "query": "event.dataset:radius | groupby user.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "RDP", "description": "RDP logs", "query": "event.dataset:rdp | groupby client.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "RFB", "description": "RFB logs", "query": "event.dataset:rfb | groupby rfb.desktop.name.keyword | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Signatures", "description": "Zeek signatures", "query": "event.dataset:signatures | groupby signature_id"},
{ "name": "SIP", "description": "SIP logs", "query": "event.dataset:sip | groupby client.user_agent | groupby sip.method | groupby sip.uri | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "SMB_Files", "description": "SMB files", "query": "event.dataset:smb_files | groupby file.action | groupby file.path | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "SMB_Mapping", "description": "SMB mapping logs", "query": "event.dataset:smb_mapping | groupby smb.share_type | groupby smb.path | groupby smb.service | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "SMTP", "description": "SMTP logs", "query": "event.dataset:smtp | groupby smtp.from | groupby smtp.recipient_to | groupby smtp.subject | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "SNMP", "description": "SNMP logs", "query": "event.dataset:snmp | groupby snmp.community | groupby snmp.version | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Software", "description": "List of software seen on the network by Zeek", "query": "event.dataset:software | groupby software.type | groupby software.name | groupby source.ip"},
{ "name": "SSH", "description": "SSH connections seen by Zeek", "query": "event.dataset:ssh | groupby ssh.client | groupby ssh.server | groupby ssh.direction | groupby ssh.version | groupby ssh.hassh_version | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "SSL", "description": "SSL logs", "query": "event.dataset:ssl | groupby ssl.version | groupby ssl.validation_status | groupby ssl.server_name | groupby ssl.certificate.issuer | groupby ssl.certificate.subject | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "SYSLOG", "description": "SYSLOG logs", "query": "event.dataset:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby network.protocol | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Tunnel", "description": "Tunnels seen by Zeek", "query": "event.dataset:tunnel | groupby tunnel.type | groupby event.action | groupby source.ip | groupby destination.ip | groupby destination.port"},
{ "name": "Weird", "description": "Weird network traffic seen by Zeek", "query": "event.dataset:weird | groupby weird.name | groupby weird.additional_info | groupby source.ip | groupby destination.ip | groupby destination.port "},
{ "name": "x509", "description": "x.509 certificates seen by Zeek", "query": "event.dataset:x509 | groupby x509.certificate.key.length | groupby x509.san_dns | groupby x509.certificate.key.type | groupby x509.certificate.subject | groupby x509.certificate.issuer"},
{ "name": "Firewall", "description": "Firewall logs", "query": "event.dataset:firewall | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port"}
]


@@ -1,712 +0,0 @@
### Elasticsearch Nodes ###
elasticsearch.esheap:
default: 4192
global: false
type: int
nodes:
- manager
- searchnode
elasticsearch.config.node.attr.box_type:
default: hot
global: false
type: bool
options:
- hot
- warm
nodes:
- manager
- searchnode
## Elasticsearch Global ##
elasticsearch.config.cluster.name:
default: securityonion
global: true
type: string
elasticsearch.config.cluster.routing.allocation.disk.threshold_enabled:
default: true
global: true
type: bool
options:
- true
- false
elasticsearch.config.cluster.routing.allocation.disk.watermark.low:
elasticsearch.config.cluster.routing.allocation.disk.watermark.high:
elasticsearch.config.cluster.routing.allocation.disk.watermark.flood_stage:
elasticsearch:"\
config:"\
cluster:"\
name: $ESCLUSTERNAME"\
routing:"\
allocation:"\
" disk:"\
" threshold_enabled: true"\
" watermark:"\
" low: 80%"\
" high: 85%"\
" flood_stage: 90%"\
" script:"\
" max_compilations_rate: 20000/1m"\
" indices:"\
" query:"\
" bool:"\
" max_clause_count: 3500"\
" index_settings:"\
" so-aws:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-azure:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-barracuda:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-beats:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-bluecoat:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-cef:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-checkpoint:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-cisco:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-cyberark:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-cylance:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-elasticsearch:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-endgame:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-f5:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-firewall:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-fortinet:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-gcp:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-google_workspace:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-ids:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-imperva:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-import:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-infoblox:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-juniper:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-kibana:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-logstash:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-microsoft:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-misp:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-netflow:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-netscout:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-o365:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-okta:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-osquery:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-proofpoint:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-radware:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-redis:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-snort:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-snyk:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-sonicwall:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-sophos:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-strelka:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-syslog:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-tomcat:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-zeek:"\
" warm: 7"\
" close: 30"\
" delete: 365"\
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\
" so-zscaler:"\
" warm: 7"\
" close: 30"\
" delete: 365"
" index_sorting: True"\
" index_template:"\
" template:"\
" settings:"\
" index:"\
" mapping:"\
" total_fields:"\
" limit: 5000"\
" refresh_interval: 30s"\
" number_of_shards: 1"\
" number_of_replicas: 0"\


@@ -1 +0,0 @@
This file is no longer used. Please use menu.actions.json instead.


@@ -1,53 +0,0 @@
{
"default": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid", "network.community_id", "event.dataset" ],
":kratos:audit": ["soc_timestamp", "http_request.headers.x-real-ip", "identity_id", "http_request.headers.user-agent" ],
"::conn": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.transport", "network.protocol", "log.id.uid", "network.community_id" ],
"::dce_rpc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "dce_rpc.endpoint", "dce_rpc.named_pipe", "dce_rpc.operation", "log.id.uid" ],
"::dhcp": ["soc_timestamp", "client.address", "server.address", "host.domain", "host.hostname", "dhcp.message_types", "log.id.uid" ],
"::dnp3": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "dnp3.fc_reply", "log.id.uid" ],
"::dns": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.transport", "dns.query.name", "dns.query.type_name", "dns.response.code_name", "log.id.uid", "network.community_id" ],
"::dpd": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.protocol", "observer.analyser", "error.reason", "log.id.uid" ],
"::file": ["soc_timestamp", "source.ip", "destination.ip", "file.name", "file.mime_type", "file.source", "file.bytes.total", "log.id.fuid", "log.id.uid" ],
"::ftp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ftp.user", "ftp.command", "ftp.argument", "ftp.reply_code", "file.size", "log.id.uid" ],
"::http": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "http.method", "http.virtual_host", "http.status_code", "http.status_message", "http.request.body.length", "http.response.body.length", "log.id.uid", "network.community_id" ],
"::intel": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "intel.indicator", "intel.indicator_type", "intel.seen_where", "log.id.uid" ],
"::irc": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "irc.username", "irc.nickname", "irc.command.type", "irc.command.value", "irc.command.info", "log.id.uid" ],
"::kerberos": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "kerberos.client", "kerberos.service", "kerberos.request_type", "log.id.uid" ],
"::modbus": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "modbus.function", "log.id.uid" ],
"::mysql": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "mysql.command", "mysql.argument", "mysql.success", "mysql.response", "log.id.uid" ],
"::notice": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "notice.note", "notice.message", "log.id.fuid", "log.id.uid", "network.community_id" ],
"::ntlm": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ntlm.name", "ntlm.success", "ntlm.server.dns.name", "ntlm.server.nb.name", "ntlm.server.tree.name", "log.id.uid" ],
"::pe": ["soc_timestamp", "file.is_64bit", "file.is_exe", "file.machine", "file.os", "file.subsystem", "log.id.fuid" ],
"::radius": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid", "username", "radius.framed_address", "radius.reply_message", "radius.result" ],
"::rdp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rdp.client_build", "client_name", "rdp.cookie", "rdp.encryption_level", "rdp.encryption_method", "rdp.keyboard_layout", "rdp.result", "rdp.security_protocol", "log.id.uid" ],
"::rfb": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rfb.authentication.method", "rfb.authentication.success", "rfb.share_flag", "rfb.desktop.name", "log.id.uid" ],
"::signatures" : ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "note", "signature_id", "event_message", "sub_message", "signature_count", "host.count", "log.id.uid" ],
"::sip": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "sip.method", "sip.uri", "sip.request.from", "sip.request.to", "sip.response.from", "sip.response.to", "sip.call_id", "sip.subject", "sip.user_agent", "sip.status_code", "log.id.uid" ],
"::smb_files" : ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "log.id.fuid", "file.action", "file.path", "file.name", "file.size", "file.prev_name", "log.id.uid" ],
"::smb_mapping" : ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "smb.path", "smb.service", "smb.share_type", "log.id.uid" ],
"::smtp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "smtp.from", "smtp.recipient_to", "smtp.subject", "smtp.useragent", "log.id.uid", "network.community_id" ],
"::snmp": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "snmp.community", "snmp.version", "log.id.uid" ],
"::socks": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "socks.name", "socks.request.host", "socks.request.port", "socks.status", "log.id.uid" ],
"::software": ["soc_timestamp", "source.ip", "software.name", "software.type" ],
"::ssh": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ssh.version", "ssh.hassh_version", "ssh.direction", "ssh.client", "ssh.server", "log.id.uid" ],
"::ssl": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "ssl.server_name", "ssl.certificate.subject", "ssl.validation_status", "ssl.version", "log.id.uid" ],
":zeek:syslog": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "syslog.facility", "network.protocol", "syslog.severity", "log.id.uid" ],
"::tunnels": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "tunnel_type", "action", "log.id.uid" ],
"::weird": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "weird.name", "log.id.uid" ],
"::x509": ["soc_timestamp", "x509.certificate.subject", "x509.certificate.key.type", "x509.certificate.key.length", "x509.certificate.issuer", "log.id.fuid" ],
"::firewall": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "network.transport", "network.direction", "interface.name", "rule.action", "rule.reason", "network.community_id" ],
":osquery:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "source.hostname", "event.dataset", "process.executable", "user.name" ],
":ossec:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rule.name", "rule.level", "rule.category", "process.name", "user.name", "user.escalated", "location" ],
":strelka:file": ["soc_timestamp", "file.name", "file.size", "hash.md5", "file.source", "file.mime_type", "log.id.fuid" ],
":suricata:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "rule.name", "rule.category", "event.severity_label", "log.id.uid", "network.community_id" ],
":sysmon:": ["soc_timestamp", "source.ip", "source.port", "destination.ip", "destination.port", "source.hostname", "event.dataset", "process.executable", "user.name" ],
":windows_eventlog:": ["soc_timestamp", "user.name" ],
":elasticsearch:": ["soc_timestamp", "agent.name", "message", "log.level", "metadata.version", "metadata.pipeline", "event.dataset" ],
":kibana:": ["soc_timestamp", "host.name", "message", "kibana.log.meta.req.headers.x-real-ip", "event.dataset" ],
"::rootcheck": ["soc_timestamp", "host.name", "metadata.ip_address", "log.full", "event.dataset", "event.module" ],
"::ossec": ["soc_timestamp", "host.name", "metadata.ip_address", "log.full", "event.dataset", "event.module" ],
"::syscollector": ["soc_timestamp", "host.name", "metadata.ip_address", "wazuh.data.type", "log.full", "event.dataset", "event.module" ],
":syslog:syslog": ["soc_timestamp", "host.name", "metadata.ip_address", "real_message", "syslog.priority", "syslog.application" ],
":aws:": ["soc_timestamp", "aws.cloudtrail.event_category", "aws.cloudtrail.event_type", "event.provider", "event.action", "event.outcome", "cloud.region", "user.name", "source.ip", "source.geo.region_iso_code" ],
":squid:": ["soc_timestamp", "url.original", "destination.ip", "destination.geo.country_iso_code", "user.name", "source.ip" ]
}


@@ -1,67 +0,0 @@
[
{ "name": "Default Query", "showSubtitle": true, "description": "Show all events grouped by the origin host", "query": "* | groupby observer.name"},
{ "name": "Log Type", "showSubtitle": true, "description": "Show all events grouped by module and dataset", "query": "* | groupby event.module event.dataset"},
{ "name": "SOC Auth", "showSubtitle": true, "description": "Users authenticated to SOC grouped by IP address and identity", "query": "event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip identity_id"},
{ "name": "Elastalerts", "showSubtitle": true, "description": "Elastalert logs", "query": "_index: \"*:elastalert*\" | groupby rule_name alert_info.type"},
{ "name": "Alerts", "showSubtitle": true, "description": "Show all alerts grouped by alert source", "query": "event.dataset: alert | groupby event.module"},
{ "name": "NIDS Alerts", "showSubtitle": true, "description": "Show all NIDS alerts grouped by alert", "query": "event.category: network AND event.dataset: alert | groupby rule.category rule.gid rule.uuid rule.name"},
{ "name": "Wazuh/OSSEC Alerts", "showSubtitle": true, "description": "Show all Wazuh alerts at Level 5 or higher grouped by category", "query": "event.module:ossec AND event.dataset:alert AND rule.level:>4 | groupby rule.category rule.name"},
{ "name": "Wazuh/OSSEC Alerts", "showSubtitle": true, "description": "Show all Wazuh alerts at Level 4 or lower grouped by category", "query": "event.module:ossec AND event.dataset:alert AND rule.level:<5 | groupby rule.category rule.name"},
{ "name": "Wazuh/OSSEC Users and Commands", "showSubtitle": true, "description": "Show all Wazuh alerts grouped by username and command line", "query": "event.module:ossec AND event.dataset:alert | groupby user.escalated.keyword process.command_line"},
{ "name": "Wazuh/OSSEC Processes", "showSubtitle": true, "description": "Show all Wazuh alerts grouped by process name", "query": "event.module:ossec AND event.dataset:alert | groupby process.name"},
{ "name": "Sysmon Events", "showSubtitle": true, "description": "Show all Sysmon logs grouped by event type", "query": "event.module:sysmon | groupby event.dataset"},
{ "name": "Sysmon Usernames", "showSubtitle": true, "description": "Show all Sysmon logs grouped by username", "query": "event.module:sysmon | groupby event.dataset, user.name.keyword"},
{ "name": "Strelka", "showSubtitle": true, "description": "Show all Strelka logs grouped by file type", "query": "event.module:strelka | groupby file.mime_type"},
{ "name": "Zeek Notice", "showSubtitle": true, "description": "Show notices from Zeek", "query": "event.dataset:notice | groupby notice.note notice.message"},
{ "name": "Connections", "showSubtitle": true, "description": "Connections grouped by IP and Port", "query": "event.dataset:conn | groupby source.ip destination.ip network.protocol destination.port"},
{ "name": "Connections", "showSubtitle": true, "description": "Connections grouped by Service", "query": "event.dataset:conn | groupby network.protocol destination.port"},
{ "name": "Connections", "showSubtitle": true, "description": "Connections grouped by destination country", "query": "event.dataset:conn | groupby destination.geo.country_name"},
{ "name": "Connections", "showSubtitle": true, "description": "Connections grouped by source country", "query": "event.dataset:conn | groupby source.geo.country_name"},
{ "name": "DCE_RPC", "showSubtitle": true, "description": "DCE_RPC grouped by operation", "query": "event.dataset:dce_rpc | groupby dce_rpc.operation"},
{ "name": "DHCP", "showSubtitle": true, "description": "DHCP leases", "query": "event.dataset:dhcp | groupby host.hostname client.address"},
{ "name": "DHCP", "showSubtitle": true, "description": "DHCP grouped by message type", "query": "event.dataset:dhcp | groupby dhcp.message_types"},
{ "name": "DNP3", "showSubtitle": true, "description": "DNP3 grouped by reply", "query": "event.dataset:dnp3 | groupby dnp3.fc_reply"},
{ "name": "DNS", "showSubtitle": true, "description": "DNS queries grouped by port", "query": "event.dataset:dns | groupby dns.query.name destination.port"},
{ "name": "DNS", "showSubtitle": true, "description": "DNS queries grouped by type", "query": "event.dataset:dns | groupby dns.query.type_name destination.port"},
{ "name": "DNS", "showSubtitle": true, "description": "DNS queries grouped by response code", "query": "event.dataset:dns | groupby dns.response.code_name destination.port"},
{ "name": "DNS", "showSubtitle": true, "description": "DNS highest registered domain", "query": "event.dataset:dns | groupby dns.highest_registered_domain.keyword destination.port"},
{ "name": "DNS", "showSubtitle": true, "description": "DNS grouped by parent domain", "query": "event.dataset:dns | groupby dns.parent_domain.keyword destination.port"},
{ "name": "DPD", "showSubtitle": true, "description": "Dynamic Protocol Detection errors", "query": "event.dataset:dpd | groupby error.reason"},
{ "name": "Files", "showSubtitle": true, "description": "Files grouped by mimetype", "query": "event.dataset:file | groupby file.mime_type source.ip"},
{ "name": "Files", "showSubtitle": true, "description": "Files grouped by source", "query": "event.dataset:file | groupby file.source source.ip"},
{ "name": "FTP", "showSubtitle": true, "description": "FTP grouped by command and argument", "query": "event.dataset:ftp | groupby ftp.command ftp.argument"},
{ "name": "FTP", "showSubtitle": true, "description": "FTP grouped by username and argument", "query": "event.dataset:ftp | groupby ftp.user ftp.argument"},
{ "name": "HTTP", "showSubtitle": true, "description": "HTTP grouped by destination port", "query": "event.dataset:http | groupby destination.port"},
{ "name": "HTTP", "showSubtitle": true, "description": "HTTP grouped by status code and message", "query": "event.dataset:http | groupby http.status_code http.status_message"},
{ "name": "HTTP", "showSubtitle": true, "description": "HTTP grouped by method and user agent", "query": "event.dataset:http | groupby http.method http.useragent"},
{ "name": "HTTP", "showSubtitle": true, "description": "HTTP grouped by virtual host", "query": "event.dataset:http | groupby http.virtual_host"},
{ "name": "HTTP", "showSubtitle": true, "description": "HTTP with exe downloads", "query": "event.dataset:http AND (file.resp_mime_types:dosexec OR file.resp_mime_types:executable) | groupby http.virtual_host"},
{ "name": "Intel", "showSubtitle": true, "description": "Intel framework hits grouped by indicator", "query": "event.dataset:intel | groupby intel.indicator.keyword"},
{ "name": "IRC", "showSubtitle": true, "description": "IRC grouped by command", "query": "event.dataset:irc | groupby irc.command.type"},
{ "name": "Kerberos", "showSubtitle": true, "description": "Kerberos grouped by service", "query": "event.dataset:kerberos | groupby kerberos.service"},
{ "name": "MODBUS", "showSubtitle": true, "description": "MODBUS grouped by function", "query": "event.dataset:modbus | groupby modbus.function"},
{ "name": "MYSQL", "showSubtitle": true, "description": "MYSQL grouped by command", "query": "event.dataset:mysql | groupby mysql.command"},
{ "name": "NOTICE", "showSubtitle": true, "description": "Zeek notice logs grouped by note and message", "query": "event.dataset:notice | groupby notice.note notice.message"},
{ "name": "NTLM", "showSubtitle": true, "description": "NTLM grouped by computer name", "query": "event.dataset:ntlm | groupby ntlm.server.dns.name"},
{ "name": "Osquery Live Queries", "showSubtitle": true, "description": "Osquery Live Query results grouped by computer name", "query": "event.dataset:live_query | groupby host.hostname"},
{ "name": "PE", "showSubtitle": true, "description": "PE files list", "query": "event.dataset:pe | groupby file.machine file.os file.subsystem"},
{ "name": "RADIUS", "showSubtitle": true, "description": "RADIUS grouped by username", "query": "event.dataset:radius | groupby user.name.keyword"},
{ "name": "RDP", "showSubtitle": true, "description": "RDP grouped by client name", "query": "event.dataset:rdp | groupby client.name"},
{ "name": "RFB", "showSubtitle": true, "description": "RFB grouped by desktop name", "query": "event.dataset:rfb | groupby rfb.desktop.name.keyword"},
{ "name": "Signatures", "showSubtitle": true, "description": "Zeek signatures grouped by signature id", "query": "event.dataset:signatures | groupby signature_id"},
{ "name": "SIP", "showSubtitle": true, "description": "SIP grouped by user agent", "query": "event.dataset:sip | groupby client.user_agent"},
{ "name": "SMB_Files", "showSubtitle": true, "description": "SMB files grouped by action", "query": "event.dataset:smb_files | groupby file.action"},
{ "name": "SMB_Mapping", "showSubtitle": true, "description": "SMB mapping grouped by path", "query": "event.dataset:smb_mapping | groupby smb.path"},
{ "name": "SMTP", "showSubtitle": true, "description": "SMTP grouped by subject", "query": "event.dataset:smtp | groupby smtp.subject"},
{ "name": "SNMP", "showSubtitle": true, "description": "SNMP grouped by version and string", "query": "event.dataset:snmp | groupby snmp.community snmp.version"},
{ "name": "Software", "showSubtitle": true, "description": "List of software seen on the network", "query": "event.dataset:software | groupby software.type software.name"},
{ "name": "SSH", "showSubtitle": true, "description": "SSH grouped by version and client", "query": "event.dataset:ssh | groupby ssh.version ssh.client"},
{ "name": "SSL", "showSubtitle": true, "description": "SSL grouped by version and server name", "query": "event.dataset:ssl | groupby ssl.version ssl.server_name"},
{ "name": "SYSLOG", "showSubtitle": true, "description": "SYSLOG grouped by severity and facility ", "query": "event.dataset:syslog | groupby syslog.severity_label syslog.facility_label"},
{ "name": "Tunnel", "showSubtitle": true, "description": "Tunnels grouped by type and action", "query": "event.dataset:tunnel | groupby tunnel.type event.action"},
{ "name": "Weird", "showSubtitle": true, "description": "Zeek weird log grouped by name", "query": "event.dataset:weird | groupby weird.name"},
{ "name": "x509", "showSubtitle": true, "description": "x.509 grouped by key length and name", "query": "event.dataset:x509 | groupby x509.certificate.key.length x509.san_dns"},
{ "name": "x509", "showSubtitle": true, "description": "x.509 grouped by name and issuer", "query": "event.dataset:x509 | groupby x509.san_dns x509.certificate.issuer"},
{ "name": "x509", "showSubtitle": true, "description": "x.509 grouped by name and subject", "query": "event.dataset:x509 | groupby x509.san_dns x509.certificate.subject"},
{ "name": "Firewall", "showSubtitle": true, "description": "Firewall events grouped by action", "query": "event.dataset:firewall | groupby rule.action"}
]


@@ -1,41 +0,0 @@
{%- set ENDGAMEHOST = salt['pillar.get']('soc:endgamehost', False) %}
[
{ "name": "actionHunt", "description": "actionHuntHelp", "icon": "fa-crosshairs", "target": "",
"links": [
"/#/hunt?q=\"{value|escape}\" | groupby event.module event.dataset"
]},
{ "name": "actionCorrelate", "description": "actionCorrelateHelp", "icon": "fab fa-searchengin", "target": "",
"links": [
"/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset",
"/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\") | groupby event.module event.dataset",
"/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset",
"/#/hunt?q=(\"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset",
"/#/hunt?q=\"{:log.id.fuid}\" | groupby event.module event.dataset",
"/#/hunt?q=\"{:log.id.uid}\" | groupby event.module event.dataset",
"/#/hunt?q=\"{:network.community_id}\" | groupby event.module event.dataset"
]},
{ "name": "actionPcap", "description": "actionPcapHelp", "icon": "fa-stream", "target": "",
"links": [
"/joblookup?esid={:soc_id}&time={:@timestamp}",
"/joblookup?ncid={:network.community_id}&time={:@timestamp}"
],
"categories": ["hunt", "alerts"]},
{ "name": "actionCyberChef", "description": "actionCyberChefHelp", "icon": "fas fa-bread-slice", "target": "_blank",
"links": [
"/cyberchef/#input={value|base64}"
]},
{ "name": "actionGoogle", "description": "actionGoogleHelp", "icon": "fab fa-google", "target": "_blank",
"links": [
"https://www.google.com/search?q={value}"
]},
{ "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "fa-external-link-alt", "target": "_blank",
"links": [
"https://www.virustotal.com/gui/search/{value}"
]}
{%- if ENDGAMEHOST %}
,{ "name": "Endgame", "description": "Endgame Endpoint Investigation and Response", "icon": "fa-external-link-alt", "target": "_blank",
"links": [
"https://{{ ENDGAMEHOST }}/endpoints/{:agent.id}"
]}
{% endif %}
]


@@ -1,20 +0,0 @@
{
"labels": [
"autonomous-system",
"domain",
"file",
"filename",
"fqdn",
"hash",
"ip",
"mail",
"mail_subject",
"other",
"regexp",
"registry",
"uri_path",
"url",
"user-agent"
],
"customEnabled": true
}


@@ -1,7 +0,0 @@
{
"labels": [
"general",
"template"
],
"customEnabled": true
}


@@ -1,9 +0,0 @@
{
"labels": [
"white",
"green",
"amber",
"red"
],
"customEnabled": false
}


@@ -1,9 +0,0 @@
{
"labels": [
"low",
"medium",
"high",
"critical"
],
"customEnabled": false
}


@@ -1,8 +0,0 @@
{
"labels": [
"new",
"in progress",
"closed"
],
"customEnabled": false
}


@@ -1,8 +0,0 @@
{
"labels": [
"false-positive",
"confirmed",
"pending"
],
"customEnabled": true
}


@@ -1,9 +0,0 @@
{
"labels": [
"white",
"green",
"amber",
"red"
],
"customEnabled": false
}


@@ -1,8 +0,0 @@
[
{ "name": "toolKibana", "description": "toolKibanaHelp", "icon": "fa-external-link-alt", "target": "so-kibana", "link": "/kibana/" },
{ "name": "toolGrafana", "description": "toolGrafanaHelp", "icon": "fa-external-link-alt", "target": "so-grafana", "link": "/grafana/d/so_overview" },
{ "name": "toolCyberchef", "description": "toolCyberchefHelp", "icon": "fa-external-link-alt", "target": "so-cyberchef", "link": "/cyberchef/" },
{ "name": "toolPlaybook", "description": "toolPlaybookHelp", "icon": "fa-external-link-alt", "target": "so-playbook", "link": "/playbook/projects/detection-playbooks/issues/" },
{ "name": "toolFleet", "description": "toolFleetHelp", "icon": "fa-external-link-alt", "target": "so-fleet", "link": "/fleet/" },
{ "name": "toolNavigator", "description": "toolNavigatorHelp", "icon": "fa-external-link-alt", "target": "so-navigator", "link": "/navigator/" }
]


@@ -30,16 +30,6 @@ soclogdir:
- makedirs: True - makedirs: True
socactions:
file.managed:
- name: /opt/so/conf/soc/menu.actions.json
- source: salt://soc/files/soc/menu.actions.json
- user: 939
- group: 939
- mode: 600
- template: jinja
socconfig: socconfig:
file.managed: file.managed:
- name: /opt/so/conf/soc/soc.json - name: /opt/so/conf/soc/soc.json


@@ -5,9 +5,9 @@
{# if SOCMERGED.server.modules.cases == httpcase details come from the soc pillar #} {# if SOCMERGED.server.modules.cases == httpcase details come from the soc pillar #}
{% if SOCMERGED.server.modules.cases != 'soc' %} {% if SOCMERGED.server.modules.cases != 'soc' %}
{% do SOCMERGED.server.modules.elastic.update({'casesEnabled': false}) %} {% do SOCMERGED.server.modules.elastic.update({'casesEnabled': false}) %}
{% do SOCMERGED.client.update({'casesEnabled': false}) %} {% do SOCMERGED.server.client.update({'casesEnabled': false}) %}
{% do SOCMERGED.client.hunt.update({'escalateRelatedEventsEnabled': false}) %} {% do SOCMERGED.server.client.hunt.update({'escalateRelatedEventsEnabled': false}) %}
{% do SOCMERGED.client.alerts.update({'escalateRelatedEventsEnabled': false}) %} {% do SOCMERGED.server.client.alerts.update({'escalateRelatedEventsEnabled': false}) %}
{% if SOCMERGED.server.modules.cases == 'elasticcases' %} {% if SOCMERGED.server.modules.cases == 'elasticcases' %}
{% do SOCMERGED.server.modules.update({ {% do SOCMERGED.server.modules.update({
'elasticcases': { 'elasticcases': {
@@ -23,7 +23,7 @@
{# change some options if this is airgap #} {# change some options if this is airgap #}
{% if GLOBALS.airgap %} {% if GLOBALS.airgap %}
{% do SOCMERGED.client.update({ {% do SOCMERGED.server.client.update({
'docsUrl': '/docs/', 'docsUrl': '/docs/',
'cheatsheetUrl': '/docs/cheatsheet.pdf', 'cheatsheetUrl': '/docs/cheatsheet.pdf',
'releaseNotesUrl': '/docs/#release-notes' 'releaseNotesUrl': '/docs/#release-notes'
@@ -32,11 +32,31 @@
{% endif %} {% endif %}
{% if pillar.manager.playbook == 0 %} {% if pillar.manager.playbook == 0 %}
{% do SOCMERGED.client.inactiveTools.append('toolPlaybook') %} {% do SOCMERGED.server.client.inactiveTools.append('toolPlaybook') %}
{% endif %} {% endif %}
{% do SOCMERGED.client.inactiveTools.append('toolFleet') %} {% do SOCMERGED.server.client.inactiveTools.append('toolFleet') %}
{% if pillar.manager.grafana == 0 %} {% if pillar.manager.grafana == 0 %}
{% do SOCMERGED.client.inactiveTools.append('toolGrafana') %} {% do SOCMERGED.server.client.inactiveTools.append('toolGrafana') %}
{% endif %} {% endif %}
{% set standard_actions = SOCMERGED.pop('actions') %}
{% if pillar.global.endgamehost is defined %}
{% set endgame_dict = {
"name": "Endgame",
"description": "Endgame Endpoint Investigation and Response",
"icon": "fa-external-link-alt",
"target": "_blank",
"links": ["https://" ~ pillar.global.endgamehost ~ "/endpoints/{:agent.id}"]
}
%}
{% do standard_actions.append(endgame_dict) %}
{% endif %}
{% do SOCMERGED.server.client.hunt.update({'actions': standard_actions}) %}
{% do SOCMERGED.server.client.dashboards.update({'actions': standard_actions}) %}
{% do SOCMERGED.server.client.update({'job': {'actions': standard_actions}}) %}
{% do SOCMERGED.server.client.alerts.update({'actions': standard_actions}) %}
{% do SOCMERGED.server.client.cases.update({'actions': standard_actions}) %}
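Review bot: The `is defined` guard on the endgamehost line admits an empty or null pillar value, so the Endgame action is still appended with a link of `https:///endpoints/{:agent.id}`, whereas the removed menu.actions.json template only emitted it when the value was truthy; tighten it to `{% if pillar.global.endgamehost is defined and pillar.global.endgamehost %}`. The value is also concatenated into the link as-is, so an operator should be aware that whatever is set there lands verbatim in a `_blank` link in the UI. Separately, the `job` line uses `SOCMERGED.server.client.update({'job': {'actions': standard_actions}})`, which replaces the entire `job` mapping rather than adding `actions` to it as the hunt, dashboards, alerts and cases lines do; if `client.job` carries other keys in the defaults, `{% do SOCMERGED.server.client.job.update({'actions': standard_actions}) %}` would preserve them (assuming that mapping exists in the defaults, which is not visible here). Note that all five consumers receive the same list object, and this hunk's added block may continue past the end of the view.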