From ee675546ac751615ac9fa0fac00b5540bba4aaa5 Mon Sep 17 00:00:00 2001
From: doug
Date: Wed, 26 May 2021 14:09:00 -0400
Subject: [PATCH] add menu.actions.json and update soc.json
---
 salt/soc/files/soc/menu.actions.json | 33 ++++++++++++++++++++++++++++
 salt/soc/files/soc/soc.json | 8 +++++--
 2 files changed, 39 insertions(+), 2 deletions(-)
 create mode 100644 salt/soc/files/soc/menu.actions.json
diff --git a/salt/soc/files/soc/menu.actions.json b/salt/soc/files/soc/menu.actions.json
new file mode 100644
index 000000000..558d10a36
--- /dev/null
+++ b/salt/soc/files/soc/menu.actions.json
@@ -0,0 +1,33 @@
+[
+ { "name": "actionHunt", "description": "actionHuntHelp", "icon": "fa-crosshairs", "target": "",
+ "links": [
+ "/#/hunt?q=\"{value|escape}\" | groupby event.module event.dataset"
+ ]},
+ { "name": "actionCorrelate", "description": "actionCorrelateHelp", "icon": "fab fa-searchengin", "target": "",
+ "links": [
+ "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset",
+ "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\") | groupby event.module event.dataset",
+ "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset",
+ "/#/hunt?q=(\"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset",
+ "/#/hunt?q=\"{:log.id.fuid}\" | groupby event.module event.dataset",
+ "/#/hunt?q=\"{:log.id.uid}\" | groupby event.module event.dataset",
+ "/#/hunt?q=\"{:network.community_id}\" | groupby event.module event.dataset"
+ ]},
+ { "name": "actionPcap", "description": "actionPcapHelp", "icon": "fa-stream", "target": "",
+ "links": [
+ "/joblookup?esid={:soc_id}",
+ "/joblookup?ncid={:network.community_id}"
+ ]},
+ { "name": "actionCyberChef", "description": "actionCyberChefHelp", "icon": "fas fa-bread-slice", "target": "_blank",
+ "links": [
+ "/cyberchef/#input={value|base64}"
+ ]},
+ { "name": "actionGoogle", "description": "actionGoogleHelp", "icon": "fab fa-google", "target": "_blank",
+ "links": [
+ "https://www.google.com/search?q={value}"
+ ]},
+ { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "fa-external-link-alt", "target": "_blank",
+ "links": [
+ "https://www.virustotal.com/gui/search/{value}"
+ ]}
+]
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index 5dfd364d2..a3326ab4a 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
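Review bot: The `actionGoogle` and `actionVirusTotal` link templates interpolate the bare `{value}` placeholder into an external URL, whereas `actionHunt` passes the same placeholder through `{value|escape}` and `actionCyberChef` through `{value|base64}`. If the action renderer does not URL-encode substituted placeholders, an event field value containing `&`, `#`, `?` or whitespace produces a truncated or malformed query string, and any characters the renderer treats specially reach the href unescaped. Consider applying the same filter (or whichever URL-encoding filter the renderer supports) to these two templates, e.g. `"https://www.virustotal.com/gui/search/{value|escape}"`, and recording in a README next to this file which placeholder filters exist, since strict JSON cannot carry that note as a comment.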
@@ -17,6 +17,7 @@
 {%- import_json "soc/files/soc/hunt.queries.json" as hunt_queries %}
 {%- import_json "soc/files/soc/hunt.actions.json" as hunt_actions %}
 {%- import_json "soc/files/soc/hunt.eventfields.json" as hunt_eventfields %}
+{%- import_json "soc/files/soc/menu.actions.json" as menu_actions %}
 {%- import_json "soc/files/soc/tools.json" as tools %}
 {%- set DNET = salt['pillar.get']('global:dockernet', '172.17.0.0') %}
@@ -123,8 +124,11 @@
 "queryBaseFilter": "",
 "queryToggleFilters": [],
 "queries": {{ hunt_queries | json }},
-    "actions": {{ hunt_actions | json }}
+    "actions": {{ menu_actions | json }}
 },
+  "job": {
+    "actions": {{ menu_actions | json }}
+  },
 "alerts": {
 "advanced": false,
 "groupItemsPerPage": 50,
@@ -143,7 +147,7 @@
 { "name": "escalated", "filter": "event.escalated:true", "enabled": false, "exclusive": true, "enablesToggles":["acknowledged"] }
 ],
 "queries": {{ alerts_queries | json }},
-  "actions": {{ alerts_actions | json }}
+  "actions": {{ menu_actions | json }}
 }
 }
 }
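Review bot: In the first hunk the `hunt_actions` import on the line above the added `menu_actions` import is kept even though the second hunk removes the only visible use of `hunt_actions`, and the third hunk likewise removes the only visible use of `alerts_actions` without touching its import (that import sits above the shown context, so uses elsewhere in the template are possible but not visible here). If both variables are now unused, drop their `import_json` lines in the same commit so `hunt.actions.json` and the file `alerts_actions` is loaded from do not remain as stale configuration that looks live. With this change the hunt, job and alerts views all render the identical `menu_actions` list; a one-line Jinja comment above the new import, `{# menu.actions.json is shared by the hunt, job and alerts views #}`, would make that intent explicit for the next maintainer.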