Detection Default queries

2025-12-06 17:22:49 +01:00 · 2024-02-12 19:39:55 -05:00
parent 5102269440
commit ea80469c2d
1 changed files with 9 additions and 7 deletions
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1770,21 +1770,23 @@ soc:
              - so_detection.title
              - so_detection.isEnabled
              - so_detection.language
-              - "@timestamp"
+              - so_detection.severity
          queries:
            - name: "All Detections"
              query: "_id:*"
-            - name: "Local Rules"
+            - name: "Custom Detections"
              query: "so_detection.isCommunity:false"
-            - name: "Enabled"
+            - name: "All Detections - Enabled"
              query: "so_detection.isEnabled:true"
-            - name: "Disabled"
+            - name: "All Detections - Disabled"
              query: "so_detection.isEnabled:false"
-            - name: "Suricata"
+            - name: "Detection Type - Suricata (NIDS)"
              query: "so_detection.language:suricata"
-            - name: "Sigma"
+            - name: "Detection Type - Sigma - All"
              query: "so_detection.language:sigma"
-            - name: "Yara"
+            - name: "Detection Type - Sigma - Windows"
+              query: 'so_detection.language:sigma AND so_detection.content: "*product: windows*"'
+            - name: "Detection Type - Yara (Strelka)"
              query: "so_detection.language:yara"
        detection:
          presets: