CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #12941 from Security-Onion-Solutions/dougburks-patch-1

Browse Source 
FEATURE: Add Events table columns for stun logs #12940
This commit is contained in:
Doug Burks
2024-05-06 08:57:58 -04:00
committed by GitHub
parent 45c344e3fa f689cfcd0a
commit e57d1a5fb5
1 changed files with 12 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
salt/soc/defaults.yaml
View File

@@ -491,6 +491,17 @@ soc:
- ssl.version - ssl.version
- log.id.uid - log.id.uid
- event.dataset - event.dataset
'::stun':
- soc_timestamp
- event.dataset
- source.ip
- source.port
- destination.ip
- destination.port
- stun.class
- stun.method
- stun.attribute.types
- log.id.uid
':zeek:syslog': ':zeek:syslog':
- soc_timestamp - soc_timestamp
- source.ip - source.ip
@@ -1841,7 +1852,7 @@ soc:
query: 'event.dataset:zeek.ssl | groupby ssl.version | groupby ssl.validation_status | groupby -sankey ssl.validation_status ssl.server_name | groupby ssl.server_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' query: 'event.dataset:zeek.ssl | groupby ssl.version | groupby ssl.validation_status | groupby -sankey ssl.validation_status ssl.server_name | groupby ssl.server_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: STUN - name: STUN
description: STUN (Session Traversal Utilities for NAT) network metadata description: STUN (Session Traversal Utilities for NAT) network metadata
query: 'tags:stun* | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby destination.geo.country_name | groupby event.dataset' query: 'tags:stun* | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby destination.geo.country_name | groupby stun.class | groupby -sankey stun.class stun.method | groupby stun.method | groupby stun.attribute.types'
- name: Syslog - name: Syslog
description: Syslog logs description: Syslog logs
query: 'tags:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby event.dataset' query: 'tags:syslog | groupby syslog.severity_label | groupby syslog.facility_label | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby network.protocol | groupby event.dataset'