From ea80469c2db1bc690e26e4a7e5cf5c1afd44bc3d Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Mon, 12 Feb 2024 19:39:55 -0500
Subject: [PATCH] Detection Default queries
---
 salt/soc/defaults.yaml | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index fd2eaf8c0..29cd7e1ac 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1770,21 +1770,23 @@ soc:
 - so_detection.title
 - so_detection.isEnabled
 - so_detection.language
- - "@timestamp"
+ - so_detection.severity
 queries:
 - name: "All Detections"
 query: "_id:*"
- - name: "Local Rules"
+ - name: "Custom Detections"
 query: "so_detection.isCommunity:false"
- - name: "Enabled"
+ - name: "All Detections - Enabled"
 query: "so_detection.isEnabled:true"
- - name: "Disabled"
+ - name: "All Detections - Disabled"
 query: "so_detection.isEnabled:false"
- - name: "Suricata"
+ - name: "Detection Type - Suricata (NIDS)"
 query: "so_detection.language:suricata"
- - name: "Sigma"
+ - name: "Detection Type - Sigma - All"
 query: "so_detection.language:sigma"
- - name: "Yara"
+ - name: "Detection Type - Sigma - Windows"
+ query: 'so_detection.language:sigma AND so_detection.content: "*product: windows*"'
+ - name: "Detection Type - Yara (Strelka)"
 query: "so_detection.language:yara"
 detection:
 presets:
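Review bot: The new "Detection Type - Sigma - Windows" preset selects on raw rule text, `so_detection.content: "*product: windows*"`, rather than on a structured logsource field, so it will also pick up rules that merely contain that string elsewhere (a description or comment) and will miss rules whose logsource is written with different spacing or casing. If SOC passes this through an Elasticsearch query_string, wildcards inside a quoted phrase are not expanded, so whether it matches at all depends on how `so_detection.content` is analyzed; it is worth confirming against one Windows and one non-Windows Sigma rule before it ships as a default. If a parsed logsource product field is indexed, querying that would be more precise; otherwise a comment above the entry, `# Heuristic: matches rule text, not a parsed logsource field`, records the tradeoff for the next maintainer. The mapping that holds `queries` and the sibling field list above it begins outside the hunk.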